Android/Hongtoutou.A!tr
Analysis
Android/Hongtoutou.A!tr is a Trojan for Android platforms >= 2.1.
The trojan is packaged with a live wallpaper for Android mobile phones.
This is particularly convenient for malware authors because live wallpapers are not listed
on the phone's application panel, so the victim will have more difficulty noticing
that his/her mobile phone is infected.
It retrieves the phone's IMEI and IMSI, posts the information to a remote web site
and downloads from a second remote web site a list of URLs to visit.
Technical Details
The malicious Android package contains a classes.dex (standard Android Dalvik bytecode) with the malicious classes located in the com.xxx.yyy package.
The main part of the trojan is contained within the class MyService and is activated every 13 hours. It retrieves the IMEI and the IMSI of the infected device and then posts this information to a malicious remote server:
http://[REMOVED]uan.net/index.aspx?im=[ENCRYPTED STRING]
Precisely, the information which is posted consists of the following parameters:
- IMSI: infected device's IMSI
- IMEI: infected device's IMEI
- netway: this integer defines how the mobile connects to the Internet. 1 means WAP, 2 means WIFI.
- iversion: internal version of the malware. For example, 6.
The encryption key is hard-coded in the malware (see the qzl class), so anyone who extracts it from the APK can decrypt the posted data. The Initialization Vector (IV) is equal to the key.
The remote website is contacted using a hard-coded User-Agent string: J2ME/UCWEB7.4.0.57
The trojan also contacts another malicious URL:
http://[REMOVED]xiab.com/pic.aspx?im=[ENCRYPTED STRING]
This remote server returns a DES-encrypted list of parameters and URLs to visit. The fields are separated by hashes (#) or pipes (|). URLs to visit are for example:
http://[REMOVED].105/g/g.ashx?w=963a_w1
http://[REMOVED].105/g/g.ashx?w=979a_w1
When visited, those URLs return a string to search for on wap.baidu.com (a legitimate Chinese search engine):
http://wap.baidu.com/s?word=undefinede6undefined88undefined91undefinede6undefined95undefined85undefinede6undefined84undefined8f&vit=uni&from=780b_w1
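The beacon traffic described above (hard-coded User-Agent, encrypted blob in the "im" parameter of index.aspx or pic.aspx, and a "#"/"|"-separated tasking list in the reply) lends itself to a simple proxy-log check. The following Python is an added example written for this page, not code from the malware or from Fortinet. The log lines, host names and the decrypted tasking string are constructed; the page does not document the order or meaning of the non-URL fields in the tasking list, so the parser only separates URLs from the other values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the analysis above.
HONGTOUTOU_UA = "J2ME/UCWEB7.4.0.57"
BEACON_PATHS = ("/index.aspx", "/pic.aspx")  # both carry the encrypted blob in the "im" parameter

# Constructed proxy log lines for the demonstration (not real traffic):
# "<client> <method> <url> <user-agent>"; the hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET http://c2-one.example/index.aspx?im=QUJDREVGR0g= J2ME/UCWEB7.4.0.57
10.0.0.12 GET http://wap.baidu.com/s?word=test&vit=uni&from=780b_w1 J2ME/UCWEB7.4.0.57
10.0.0.15 GET http://intranet.example/index.aspx?im=1 Mozilla/5.0
10.0.0.12 GET http://c2-two.example/pic.aspx?im=SUpLTE1OT1A= J2ME/UCWEB7.4.0.57
10.0.0.20 GET http://news.example/ Mozilla/5.0
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.*)$")


def classify_request(url, ua):
    """Return a reason string for a suspicious request, or None if it looks clean."""
    parts = urlsplit(url)
    looks_like_beacon = parts.path in BEACON_PATHS and "im" in parse_qs(parts.query)
    ua_match = ua.strip() == HONGTOUTOU_UA
    if ua_match and looks_like_beacon:
        return "c2-beacon"   # hard-coded UA plus the "im" blob on a known endpoint
    if ua_match:
        return "ua-only"     # the UA alone is a strong signal coming from an Android phone
    if looks_like_beacon:
        return "path-only"   # generic ASPX path; low confidence without the UA
    return None


def find_beacons(log_text):
    """Scan proxy log lines and return the suspicious ones with client, URL and reason."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["url"], m["ua"])
        if reason:
            hits.append({"client": m["client"], "url": m["url"], "reason": reason})
    return hits


# Constructed example of a decrypted pic.aspx reply. Field order and the meaning of
# the non-URL values are assumptions; only the separators come from the analysis.
SAMPLE_TASKING = ("6#120|http://c2-three.example/g/g.ashx?w=963a_w1"
                  "|http://c2-three.example/g/g.ashx?w=979a_w1")


def parse_tasking(decrypted):
    """Split a decrypted tasking string on '#' or '|' and separate URLs from other parameters."""
    tokens = [t for t in re.split(r"[#|]", decrypted) if t]
    urls = [t for t in tokens if t.lower().startswith(("http://", "https://"))]
    params = [t for t in tokens if t not in urls]
    return {"urls": urls, "params": params}


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['reason']:10} {hit['client']} {hit['url']}")
    print(parse_tasking(SAMPLE_TASKING))
```

The "path-only" class exists because /index.aspx?im= on its own is far too generic to alert on; in practice you would only escalate it when the same client also produced a "ua-only" or "c2-beacon" hit.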
The trojan is restarted when the phone reboots (see the MyBoolService class).
It can also update itself: the new version is expected on the SD card at /sdcard/uc/myupdate.apk.
It requests the following permissions to run:
- android.permission.ACCESS_WIFI_STATE
- android.permission.READ_CONTACTS
- android.permission.WRITE_APN_SETTINGS
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.ACCESS_NETWORK_STATE
- android.permission.READ_PHONE_STATE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
- android.permission.MODIFY_PHONE_STATE
This malware targets Chinese end-users in particular.
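A live wallpaper has no reason to read the IMEI/IMSI, start at boot or touch APN settings, so the permission list above is itself a triage signal. The following Python is an added example written for this page, not code from the malware or from Fortinet: it parses a decoded AndroidManifest.xml, recognises a live wallpaper by its WallpaperService intent filter, and flags the dangerous combinations. Both manifests are constructed; the package name and MyService come from the analysis, while the other component names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permission set reported for Android/Hongtoutou.A!tr in the analysis above.
HONGTOUTOU_PERMISSIONS = frozenset({
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_APN_SETTINGS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
    "android.permission.MODIFY_PHONE_STATE",
})

# Constructed manifest of a suspect wallpaper (assumption: layout of the components;
# only the package name, MyService and the permission list come from the analysis).
SUSPECT_MANIFEST = """<manifest xmlns:android="%s" package="com.xxx.yyy">
%s
  <application>
    <service android:name=".Wallpaper" android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter><action android:name="%s"/></intent-filter>
    </service>
    <service android:name=".MyService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="%s"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % (ANDROID_NS,
                  "\n".join('  <uses-permission android:name="%s"/>' % p
                            for p in sorted(HONGTOUTOU_PERMISSIONS)),
                  WALLPAPER_ACTION, BOOT_ACTION)

# Constructed manifest of a wallpaper that asks for nothing.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.wallpaper">
  <application>
    <service android:name=".Wallpaper" android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter><action android:name="%s"/></intent-filter>
    </service>
  </application>
</manifest>""" % (ANDROID_NS, WALLPAPER_ACTION)


def _name(el):
    """Read the android:name attribute of an element."""
    return el.get("{%s}name" % ANDROID_NS, "")


def parse_manifest(xml_text):
    """Extract package, requested permissions and the wallpaper/boot intent filters."""
    root = ET.fromstring(xml_text)
    actions = {_name(a) for a in root.iter("action")}
    return {
        "package": root.get("package"),
        "permissions": {_name(p) for p in root.iter("uses-permission")},
        "is_wallpaper": WALLPAPER_ACTION in actions,
        "boot_receiver": BOOT_ACTION in actions,
    }


def triage(info):
    """Return (findings, overlap): human-readable findings and the fraction of the
    known Hongtoutou permission set that this manifest requests."""
    p = info["permissions"]
    findings = []
    if info["is_wallpaper"] and {"android.permission.READ_PHONE_STATE",
                                 "android.permission.INTERNET"} <= p:
        findings.append("wallpaper can read IMEI/IMSI (READ_PHONE_STATE) and send them out (INTERNET)")
    if info["boot_receiver"] or "android.permission.RECEIVE_BOOT_COMPLETED" in p:
        findings.append("restarts at boot (BOOT_COMPLETED)")
    if p & {"android.permission.WRITE_APN_SETTINGS", "android.permission.MODIFY_PHONE_STATE"}:
        findings.append("can alter APN settings / telephony state")
    if info["is_wallpaper"] and "android.permission.READ_CONTACTS" in p:
        findings.append("wallpaper reads contacts")
    overlap = len(p & HONGTOUTOU_PERMISSIONS) / len(HONGTOUTOU_PERMISSIONS)
    return findings, overlap


if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        info = parse_manifest(text)
        print(info["package"], triage(info))
```

The manifest inside an APK is binary XML; decode it first (for example with apktool or aapt) and feed the resulting text to parse_manifest. The overlap score is only a similarity hint against this one family; the findings are what justify a closer look.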
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |