Android/Basebridge.A!tr

Analysis

Android/Basebridge.A!tr is a trojan which targets mobile phones running Android. It exploits a vulnerability affecting unpatched Android phones prior to version 2.3, which lets the malware silently install another malicious payload.
The malicious payload connects to a remote server, sends personal information to that server (IMSI, device and OS information), sends SMS and removes specific SMS from the inbox.
Various samples are infected with Android/Basebridge.A!tr. We advise particular caution if you have installed one of the following applications:

  • QQ_tencent.qqgame.lord
  • ophone8
  • com.wuzla.game.ScooterHero
  • com.keji.unclear
  • com.keji.sendere
  • com.droidhen.falldown
  • com.droidhen.duck


Technical Details


The technical details vary from one sample to another, but the basic idea is the same: the initial malware tries to run the so-called rageagainstthecage exploit and then installs a subsequent malicious payload, stored as a raw resource.
The following details a malicious com.keji.sendere sample.
At first start, the base activity Start (com.keji.sendere.Start) is created and started. In turn, this launches a new shell (/system/bin/sh), from which the malware opens the raw resource "rageagainstthecage", reads it and copies it to the device.
Then the malware issues a chmod 777 command on the file, making it readable, writable and executable by any user.
The idea behind this is to silently install another malicious application (the payload).
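A static triage check for the dropper behaviour described above, written as an added example for this page (not Fortinet's detection logic): it opens an APK as a zip, flags any res/raw/ entry that is actually an ELF executable or carries the reported "rageagainstthecage" name, and looks for the "/system/bin/sh" and "chmod 777" strings in classes.dex. The APK is a constructed in-memory sample, not a real Basebridge file.

```python
"""Static triage for a Basebridge-style dropper (added example, not Fortinet code)."""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
# Indicator names taken from the analysis text above.
KNOWN_RAW_NAMES = {"rageagainstthecage"}
SHELL_INDICATORS = [b"/system/bin/sh", b"chmod 777"]


def triage_apk(apk_bytes: bytes) -> dict:
    """Return findings for one APK (given as bytes) as a dict."""
    findings = {"elf_in_raw": [], "known_raw_names": [], "shell_strings": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("res/raw/"):
                base = name.rsplit("/", 1)[-1]
                if base in KNOWN_RAW_NAMES:
                    findings["known_raw_names"].append(name)
                with zf.open(info) as fh:
                    # A native executable hidden among raw resources is the
                    # storage trick the analysis describes.
                    if fh.read(4) == ELF_MAGIC:
                        findings["elf_in_raw"].append(name)
            elif name == "classes.dex":
                data = zf.read(info)
                findings["shell_strings"] = [
                    s.decode() for s in SHELL_INDICATORS if s in data]
    findings["suspicious"] = bool(findings["elf_in_raw"]
                                  or findings["known_raw_names"]
                                  or findings["shell_strings"])
    return findings


def build_sample_apk(malicious: bool = True) -> bytes:
    """Constructed sample: a minimal zip laid out like the described dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("res/raw/icon.png", b"\x89PNG\r\n\x1a\n")
        if malicious:
            zf.writestr("res/raw/rageagainstthecage", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16)
            zf.writestr("classes.dex", b"dex\n035\x00 /system/bin/sh chmod 777 ")
        else:
            zf.writestr("classes.dex", b"dex\n035\x00 nothing of note ")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```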
Whenever an SMS is received, the SMS receiver (com.keji.sendere.sms.SMSreceiver) retrieves the SMS PDU and parses it. It extracts the sender's phone number and, in particular, checks the body for a URL from which to download a file.
The malware also has the capability to upload a file and send an SMS containing a link to the uploaded file.
The malicious payload installed by Android/Basebridge.A!tr uses code obfuscation (variable and string names are obfuscated) to make it more difficult to analyze. Example:
q.a("HAufrgadvwtXHvAfHJRKKwseeNdzZNhl", i);
It also uses AES encryption.
It has the capability to:
  • read the victim's IMSI (personal information) and other details such as the device model and manufacturer
  • process incoming SMS messages and send other SMS messages
  • call a given phone number

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Detection
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date        Version    Detail
2023-03-06  91.01181
2023-01-18  90.09765
2022-05-18  90.02410
2022-04-13  90.01362
2021-06-30  87.00285
2021-05-18  86.00267
2021-05-18  86.00266
2021-04-21  85.00617
2021-02-10  83.93700
2020-06-29  78.51600