Cuba has been described as the least connected country in the Western Hemisphere. With trade embargoes limiting the import of new technologies and tight restrictions controlling the use of the Internet, Cuba nonetheless shares one Internet trait in common with other countries: it is not immune to malware.
McAfee Mobile Research has identified a new mobile Trojan embedded into copies of a popular underground app in Cuba called EstecsaDroyd, which is an unauthorized copy of the telephone directory from the Cuban phone company ETECSA. The directory contains the names, identity card number, and even the home address of each subscriber. Although this information should be protected from public use, every year a new updated version is released.
After installation, the Trojan silently registers itself as a high-priority receiver for incoming SMS messages, so it sees each message before other apps, and waits to be remotely activated. On receiving a message containing the word cola, the Trojan looks for all MP3 files on the SD card and overwrites them with a sound file.
Although at first it may seem that the destructive nature of this Trojan is its sole purpose, there is more at work than meets the eye. The Trojan is coded to take the last remaining audio file and replace the content of the file with an encrypted list of contacts retrieved from the infected device. We believe that this is the true intention of the attacker.
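The two behaviors just described (every MP3 on the card replaced by the same sound file, and the last one replaced by an encrypted contact list) leave a distinctive pattern on the storage that an analyst can check for without the sample itself. The following script is an added illustration and is not McAfee's code or tooling: it walks a directory, hashes every .mp3, reports groups of identical files (a mass overwrite) and flags files that carry no ID3 tag or MPEG frame sync but have near-random content (a candidate for the encrypted stash). The directory layout, file names, the duplicate-count and entropy thresholds, and the sample files are all constructed assumptions for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter, defaultdict


def looks_like_mp3(data: bytes) -> bool:
    """True if the file opens with an ID3v2 tag or an MPEG audio frame sync (0xFFE... / 0xFFF...)."""
    if data.startswith(b"ID3"):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed audio both sit near 8, zero-filled data near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_mp3_dir(root: str, min_dupes: int = 3, entropy_threshold: float = 7.5) -> dict:
    """Hash every .mp3 under root; group identical content; flag high-entropy non-MP3 files.

    min_dupes and entropy_threshold are assumed tuning values, not figures from the report.
    """
    by_hash = defaultdict(list)
    stash_candidates = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".mp3"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(path)
            # A file named .mp3 with no audio header but random-looking bytes is the stash candidate.
            if not looks_like_mp3(data) and shannon_entropy(data) >= entropy_threshold:
                stash_candidates.append(path)
    mass_overwrites = {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_dupes}
    return {"mass_overwrites": mass_overwrites, "stash_candidates": sorted(stash_candidates)}


def build_constructed_sdcard() -> str:
    """Create a constructed SD-card layout mimicking the post-trigger state; returns its root path."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    music = os.path.join(root, "Music")
    os.makedirs(music)
    # Constructed stand-in for the replacement sound file: valid ID3 header, low-entropy body.
    replacement = b"ID3\x03\x00\x00\x00\x00\x08\x00" + b"\x00" * 1024
    # Constructed untouched track: MPEG frame sync followed by filler.
    original = b"\xff\xfb\x90\x00" + bytes(range(64)) * 16
    # Constructed "ciphertext": deterministic pseudo-random bytes standing in for the encrypted contact list.
    stash = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    for name, body in (("track1.mp3", replacement), ("track2.mp3", replacement),
                       ("track3.mp3", replacement), ("untouched.mp3", original),
                       ("last.mp3", stash)):
        with open(os.path.join(music, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    result = triage_mp3_dir(build_constructed_sdcard())
    for digest, paths in result["mass_overwrites"].items():
        print(f"{len(paths)} files share content {digest[:12]}: {paths}")
    print("stash candidates:", result["stash_candidates"])
```

The header check is deliberately loose: it only asks whether a file could be an MP3, so a stash that kept a valid ID3 header in front of the ciphertext would pass it. In that case the entropy of the file body, compared against the other overwritten files, is the remaining signal, and the report's own hint (the stash lives in the last file the Trojan touched) narrows the search further.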
What remains a mystery is the absence of a retrieval method for the encrypted contact info. The Trojan on its own cannot transmit any of the stolen contact info off the device, which leads us to speculate that a second app may be assisting with transmitting the data, possibly under the guise of recovering the damaged audio files.
McAfee Mobile detects this Trojan as Android/Cola.