Android/JSmsHider.A!tr
Analysis
Android/JSmsHider.A!tr is a trojan for Android mobile phones.
It has been seen on unofficial application repositories and particularly
targets phones which use a custom ROM.
It tries to silently install a malicious payload. This payload communicates
with a remote C&C server and can issue commands to have the phone send
SMS to given phone numbers with given contents.
The malicious payload is also able to process incoming and outgoing SMS messages
and removes some legitimate SMS messages coming from the victim's operator.
This helps the malware hide itself on the phone.
Technical Details
First, the malware tests whether the malicious payload (testnew.apk) is already installed. If not, it tries to install it silently by requesting the permission to install a package (android.permission.INSTALL_PACKAGES).
The malware does request the INSTALL_PACKAGES permission in its Android Manifest, but INSTALL_PACKAGES is a privileged permission that can only be obtained by system applications (i.e. applications preinstalled in the device's firmware or signed with the platform key).
If the victim's phone uses a custom ROM, the customized image is typically signed with the publicly available private keys of the Android Open Source Project. As this malware is also signed with those keys, it is successfully granted the INSTALL_PACKAGES permission.
If the victim's phone does not use a custom ROM, this trick does not work, and the malware instead tries to obtain the permission by becoming root with a su command:
$ su -v
Once the malware has the appropriate permission, it loads the embedded resource, testnew.apk, and silently installs it on the phone.
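The condition the custom-ROM trick relies on can be audited on a device: a third-party package that holds INSTALL_PACKAGES must share the platform signing key. The following check is an added example written against the public Android SDK, not code from this analysis or from the malware; the class and method names are my own.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

/** Lists non-system packages that hold INSTALL_PACKAGES and are signed with the platform key. */
public final class PlatformKeyAudit {
    private static final String INSTALL_PACKAGES = "android.permission.INSTALL_PACKAGES";
    // The framework resource package "android" is always signed with the platform key.
    private static final String PLATFORM_PACKAGE = "android";

    public static List<String> findSuspiciousPackages(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> hits = new ArrayList<>();
        // Note: on Android 11+ package visibility filtering applies unless the caller
        // holds QUERY_ALL_PACKAGES, so this list may be incomplete.
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            boolean isSystem = (pi.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (isSystem) continue; // preinstalled apps legitimately hold signature permissions
            if (!holdsPermission(pi, INSTALL_PACKAGES)) continue;
            // A third-party app can only be granted this signature-level permission when its
            // signing key equals the platform key, which publicly known AOSP keys make possible.
            if (pm.checkSignatures(PLATFORM_PACKAGE, pi.packageName) == PackageManager.SIGNATURE_MATCH) {
                hits.add(pi.packageName);
            }
        }
        return hits;
    }

    /** True when the package requested the permission and the system actually granted it. */
    static boolean holdsPermission(PackageInfo pi, String permission) {
        if (pi.requestedPermissions == null) return false;
        for (int i = 0; i < pi.requestedPermissions.length; i++) {
            if (!permission.equals(pi.requestedPermissions[i])) continue;
            // requestedPermissionsFlags is unavailable below API 16; treat the request as granted there
            if (pi.requestedPermissionsFlags == null) return true;
            return (pi.requestedPermissionsFlags[i] & PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0;
        }
        return false;
    }
}
```

Any package returned here is either a vendor app built into a non-system partition or something signed with a key the ROM builder did not keep private, and deserves a closer look.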
The malicious payload (Android/JSmsHider.B!tr) starts several services and receivers. In particular, it will:
- download and install a file named LcLottery.apk.
- process incoming or outgoing SMS messages. If it receives an SMS from a phone number starting with 106 (the prefix used by Chinese operators), it automatically replies to the SMS and discards it. If there is an SMS to a 106 number in the outbox, it deletes it too. This functionality is assumed to help the malware stay stealthy.
- configure the phone to use the WAP gateway of a Chinese operator (if necessary)
- set the update rate
- set the phone number for SMS
- try to install a package
- update a package
- send an SMS to a given phone number with given content
- send an SMS as above, but with one of two different contents depending on the case
- add the APN for the Chinese operator
- modify the URLs to contact:
http://[REMOVED]mstsv.com/Test/
http://[REMOVED - DIFFERENT from above]mstsv.com/Update
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |