{
	"id": "b6b2a196-bf3b-4a4d-947b-505441f6ef90",
	"created_at": "2026-04-06T00:06:15.200693Z",
	"updated_at": "2026-04-10T03:20:47.856319Z",
	"deleted_at": null,
	"sha1_hash": "7e04a86f83e668ef02173595c7917a587615da21",
	"title": "ANDROIDOS_ANSERVER.A - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104187,
	"plain_text": "ANDROIDOS_ANSERVER.A - Threat Encyclopedia | Trend Micro (US)\r\nAnalysis by: Karl Dominguez\r\nArchived: 2026-04-05 14:48:23 UTC\r\nThis is the first known Android malware that reads blog posts and interprets these as commands. It can also\r\ndownload and install additional applications, therefore further compromising the affected device.\r\nTo get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown\r\nbelow.\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A\n\nThis malware gathers specific information from the infected device.\r\nIt connects to a malicious URL to send the gathered information and get an XML configuration file.\r\nThis backdoor may be unknowingly downloaded by a user while visiting malicious websites. It may be manually\r\ninstalled by a user.\r\nArrival Details\r\nThis backdoor may be unknowingly downloaded by a user while visiting malicious websites.\r\nIt may be manually installed by a user.\r\nNOTES:\r\nThis malware requests the following permissions, which it could use to perform malicious routines:\r\nAccess network settings\r\nAccess the Internet\r\nControl the vibrator\r\nDisable Keylock\r\nMake a Call\r\nRead low-level log files\r\nRead and write contacts\r\nRestart applications\r\nWake the device\r\nWrite, read, receive, and send SMS\r\nIt gathers the following device information:\r\nBuild version\r\nIMEI\r\nIMSI\r\nManufacturer\r\nModel\r\nOS version\r\nPackage name of legitimate application\r\nSDK version\r\nIt connects to the following URL to send the gathered information and retrieve an XML configuration file:\r\nhttp://b4.{BLOCKED}r.co.cc:8080/jk.action={information}\r\nThe configuration file contains settings of the malware, the package name to be downloaded, and the download URL.\r\nAs of this writing, the package that is installed is \"com.sec.android.touchScreen.server\" and is downloaded from the\r\nblog post in 
http://blog.{BLOCKED}.com.cn/s/blog_8440ab780100t0nf.html.\n\nThe blog post contains encrypted messages that the malware interprets as its commands. It can also download\r\nother malicious applications from this blog post.\r\nNOTES:\r\nTrend Micro Mobile Security Solution\r\nTrend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and\r\nTrojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are\r\ndownloaded, while SmartSurfing blocks malicious websites using your device's Android browser.\r\nDownload and install the Trend Micro Mobile Security App via the Android Market.\r\nRemove unwanted apps on your Android mobile device\r\nTo remove unwanted apps on your mobile device:\r\n1. Go to Settings \u003e Applications \u003e Manage Applications.\r\n2. Locate the app to be removed.\r\n3. Scroll and highlight the app to be removed, then choose Uninstall.\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A"
	],
	"report_names": [
		"ANDROIDOS_ANSERVER.A"
	],
	"threat_actors": [],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e04a86f83e668ef02173595c7917a587615da21.pdf",
		"text": "https://archive.orkl.eu/7e04a86f83e668ef02173595c7917a587615da21.txt",
		"img": "https://archive.orkl.eu/7e04a86f83e668ef02173595c7917a587615da21.jpg"
	}
}