Android/Hongtoutou.A!tr

Analysis

Android/Hongtoutou.A!tr is a Trojan for Android platforms >= 2.1.
The trojan is packaged with a live wallpaper for Android mobile phones. This is particularly convenient for malware authors because wallpapers are not listed on the phone's application panel, so the victim will have more difficulty noticing that his/her mobile phone is infected.
It retrieves the phone's IMEI and IMSI, posts the information to a remote web site and downloads from that web site a list of URLs to visit.

Technical Details


The malicious Android package contains a classes.dex (standard Android Dalvik bytecode) with the malicious classes located in com.xxx.yyy.
The main part of the trojan is contained within the class MyService and is activated every 13 hours. It retrieves the IMEI and the IMSI of the infected device, and then posts this information to a malicious remote server:
http://[REMOVED]uan.net/index.aspx?im=[ENCRYPTED STRING]
The posted information consists of the following parameters:
  1. IMSI: infected device's IMSI
  2. IMEI: infected device's IMEI
  3. netway: an integer that defines how the mobile connects to the Internet. 1 means WAP, 2 means WIFI.
  4. iversion: internal version of the malware. For example, 6.
The parameters are separated by '&', and the resulting string is encrypted using the DES algorithm in CBC mode.
The encryption key is hard-coded in the malware (see the qzl class). The Initialization Vector (IV) is equal to the key.
The remote website is contacted using a hard-coded mobile User-Agent string: J2ME/UCWEB7.4.0.57
The trojan also contacts another malicious URL:
http://[REMOVED]xiab.com/pic.aspx?im=[ENCRYPTED STRING]
This remote server returns a DES-encrypted list of parameters and URLs to visit. The parameters are separated by hashes (#) or pipes (|). URLs to visit are for example:
http://[REMOVED].105/g/g.ashx?w=963a_w1
http://[REMOVED].105/g/g.ashx?w=979a_w1
When visited, those URLs return a string to search for on wap.baidu.com (a legitimate Chinese search engine):
http://wap.baidu.com/s?word=undefinede6undefined88undefined91undefinede6undefined95undefined85undefinede6undefined84undefined8f&vit=uni&from=780b_w1
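To make the check-in and reply formats concrete for anyone reviewing captured traffic, here is an added Go example; it is not Fortinet's code and not code recovered from the malware. It round-trips a constructed check-in through DES-CBC with the IV set to the key, as the analysis describes, then parses the '&'-separated fields and a '#'/'|'-separated server reply. The key `exampl3k`, the all-zero identifier values, the hex encoding of the `im=` value and the function names are assumptions: the page gives neither the real key (which sits in the qzl class) nor the transport encoding.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pkcs5Pad pads p out to a whole number of 8-byte DES blocks.
func pkcs5Pad(p []byte) []byte {
	n := des.BlockSize - len(p)%des.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips the padding; a trailer that does not validate usually means the wrong key.
func pkcs5Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%des.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the DES block size")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return p[:len(p)-n], nil
}

// DecryptBeacon hex-decodes the im= value (hex is an assumption) and decrypts it
// with DES-CBC using the key itself as the IV, as the analysis describes.
func DecryptBeacon(key []byte, hexBlob string) (string, error) {
	ct, err := hex.DecodeString(hexBlob)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("ciphertext is not block-aligned")
	}
	block, err := des.NewCipher(key) // single DES, 8-byte key
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, key).CryptBlocks(pt, ct) // IV == key
	pt, err = pkcs5Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptBeacon exists only so the example can build its own sample traffic.
func EncryptBeacon(key []byte, plaintext string) (string, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs5Pad([]byte(plaintext))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, key).CryptBlocks(ct, pt)
	return hex.EncodeToString(ct), nil
}

// ParseBeacon splits the '&'-separated name=value pairs of the check-in.
func ParseBeacon(s string) map[string]string {
	fields := make(map[string]string)
	for _, kv := range strings.Split(s, "&") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			fields[parts[0]] = parts[1]
		}
	}
	return fields
}

// ParseTaskList splits a decrypted reply on '#' or '|', the two separators the
// analysis reports, and drops empty entries.
func ParseTaskList(s string) []string {
	return strings.FieldsFunc(s, func(r rune) bool { return r == '#' || r == '|' })
}

func main() {
	key := []byte("exampl3k") // constructed key; the real one sits in the sample's qzl class
	blob, _ := EncryptBeacon(key, "IMSI=000000000000000&IMEI=000000000000000&netway=2&iversion=6")
	pt, err := DecryptBeacon(key, blob)
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Println("check-in fields:", ParseBeacon(pt))
	// Constructed reply in the '#'/'|'-separated shape described above.
	fmt.Printf("tasks: %q\n", ParseTaskList("7#1|http://example.invalid/g/g.ashx?w=963a_w1"))
}
```

Reusing the key as the IV means every check-in with the same first block encrypts identically, so the hex prefix of `im=` is a stable string that a network signature can key on without needing the key at all.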

The trojan is re-started when the phone reboots (see MyBoolService class).
It also has the ability to update itself. The update is expected on the SD card at /sdcard/uc/myupdate.apk.
It requests the following permissions to run:
android.permission.ACCESS_WIFI_STATE
android.permission.READ_CONTACTS
android.permission.WRITE_APN_SETTINGS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_PHONE_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.MODIFY_PHONE_STATE
This malware targets Chinese end-users in particular.
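As an added triage example, not part of Fortinet's analysis, the following Go program parses a decoded AndroidManifest.xml and reports how many of the permissions listed above a package requests. The manifest, the package name com.example.wallpaper and the function names are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// usesPermission mirrors <uses-permission android:name="..."/>; the tag matches
// the attribute's local name, so the android: prefix does not matter.
type usesPermission struct {
	Name string `xml:"name,attr"`
}

// manifest captures only the parts of AndroidManifest.xml this check reads.
type manifest struct {
	Package     string           `xml:"package,attr"`
	Permissions []usesPermission `xml:"uses-permission"`
}

// HongtoutouPermissions is the set the analysis above lists for the sample.
var HongtoutouPermissions = []string{
	"android.permission.ACCESS_WIFI_STATE",
	"android.permission.READ_CONTACTS",
	"android.permission.WRITE_APN_SETTINGS",
	"android.permission.RECEIVE_BOOT_COMPLETED",
	"android.permission.ACCESS_NETWORK_STATE",
	"android.permission.READ_PHONE_STATE",
	"android.permission.WRITE_EXTERNAL_STORAGE",
	"android.permission.INTERNET",
	"android.permission.MODIFY_PHONE_STATE",
}

// ReviewManifest parses a decoded manifest and returns the package name and the
// sorted subset of HongtoutouPermissions it requests.
func ReviewManifest(manifestXML string) (string, []string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return "", nil, err
	}
	requested := make(map[string]bool, len(m.Permissions))
	for _, p := range m.Permissions {
		requested[p.Name] = true
	}
	var matched []string
	for _, p := range HongtoutouPermissions {
		if requested[p] {
			matched = append(matched, p)
		}
	}
	sort.Strings(matched)
	return m.Package, matched, nil
}

// SampleManifest is a constructed manifest (not the real sample's) that requests
// the same nine permissions, in the text form a decoder such as apktool produces.
const SampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
    <application android:label="Live Wallpaper"/>
</manifest>`

func main() {
	pkg, matched, err := ReviewManifest(SampleManifest)
	if err != nil {
		fmt.Println("manifest parse failed:", err)
		return
	}
	fmt.Printf("%s requests %d of the %d permissions seen in Hongtoutou.A\n",
		pkg, len(matched), len(HongtoutouPermissions))
}
```

A full match is a hint, not a verdict: a live wallpaper has no legitimate reason to read contacts or modify APN settings, so those two combined with RECEIVE_BOOT_COMPLETED and INTERNET are the entries worth a closer look.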

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR

Version Updates

Date Version Detail
2023-03-06 91.01181
2022-09-12 90.05931
2022-09-12 90.05925
2022-05-18 90.02410
2022-05-11 90.02197
2022-03-09 90.00313
2021-12-01 89.07373
2021-05-18 86.00263
2021-05-05 85.00953
2021-05-05 85.00951