Android/AdSms.A!tr
Analysis
Android/AdSms.A!tr is a Trojan horse for mobile phones running Android 2.1
or greater. It registers to service provider phone numbers and sends SMS to those
phone numbers. Those tasks are done without consent of the victim.
The malicious package often disguises itself as a mobile phone update package. Its
name may for instance be: htc.apk.
Technical Details
Once installed, the package does not create any icon. The malware can only be seen in the Application list, or running on the device:
# ps
...
app_35    210   33    105520 15436 ffffffff afd0eb08 S com.andiord
The malware is triggered when the device reboots or when it receives SMS. First, it tries to "register", meaning that:
- it kills some applications (e.g. QQ instant messaging applications) such as:
  com.qihoo360.mobilesafe
  com.tencent.qqpimsecure
  com.anguanjia.safe
- sends an SMS (without consent) to 13539xxxxx, with the victim's IMEI as body. This is assumed to register the phone to a particular service.
- contacts a remote web server to download an XML configuration file:
http://adsms.[CENSORED].cn/Submit.aspx?ver=1.4&sys=SDKLEVEL&imei=IMEI&ua=PHONEMODEL&pro=100,1000
where ver is the malware's software version, sys is the API level on the victim's phone (for example 8), imei is the phone's IMEI, ua is the phone's model (actually not the User Agent).
There are several different URLs from which the malware can expect to download the configuration file. Only the host names differ, not the URL parameters.
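Because the write-up notes that only the host names change between download sites while the Submit.aspx query parameters stay the same, a proxy-log check that keys on the parameter set rather than on a domain catches every variant. The following is an added example for that check; it is not code from the Fortinet analysis. The log format, the client addresses and the host names (the real domain is censored on the page) are constructed placeholders.

```python
"""Flag AdSms-style configuration beacons in HTTP proxy logs.

Added example, not from the Fortinet write-up. The proxy log format below is
constructed for illustration and the host names are placeholders (the page
censors the real domain). Detection keys on the documented query parameter
set (ver, sys, imei, ua, pro), since the page says only the hosts vary.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the analysis documents for the Submit.aspx beacon
ADSMS_PARAMS = {"ver", "sys", "imei", "ua", "pro"}

# Constructed proxy log lines in the form "<ts> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2011-07-22T09:55:01Z 10.0.0.12 GET http://adsms.example.cn/Submit.aspx?ver=1.4&sys=8&imei=000000000000000&ua=sdk&pro=100,1000
2011-07-22T09:55:03Z 10.0.0.12 GET http://www.example.org/index.html
2011-07-22T09:56:10Z 10.0.0.17 GET http://other-host.example.cn/Submit.aspx?ver=1.4&sys=7&imei=123456789012345&ua=HTC%20Desire&pro=100,1000
2011-07-22T09:57:00Z 10.0.0.19 GET http://shop.example.com/Submit.aspx?id=42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def is_adsms_beacon(url):
    """True if the URL has the documented Submit.aspx path and parameter set."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/submit.aspx"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return ADSMS_PARAMS.issubset(query)  # a generic Submit.aspx hit is not enough


def find_beacons(log_text):
    """Return one record per beacon line: client, host and the leaked device data."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_adsms_beacon(m["url"]):
            continue
        parts = urlsplit(m["url"])
        query = parse_qs(parts.query, keep_blank_values=True)
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": parts.hostname,
            "imei": query["imei"][0],       # victim IMEI sent in the clear
            "sdk_level": query["sys"][0],   # Android API level of the device
            "model": query["ua"][0],        # phone model, not a real User-Agent
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The second Submit.aspx request (id=42) is deliberately left unflagged: the path alone is common on unrelated ASP.NET sites, so the parameter set is what gives the rule its precision.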
The configuration is downloaded on the phone's SD card in /Tencent/smsConfig.xml.
<cmdsystem>
  <mobile>PHONE NUMBER</mobile>
  <regport>PHONE NUMBER TO REGISTER</regport>
  <actport>PHONE NUMBERS</actport>
  <mode>time</mode>
  <pbsendport>1062, 1065, 1066</pbsendport>
  <killprocess>APP TO KILL</killprocess>
  <killinstall>APPLICATION IDs</killinstall>
  <killuninst>APPLICATION IDs</killuninst>
</cmdsystem>
<cmdupdate>
  <version></version>
  <verurl>URL TO DOWNLOAD UPDATE</verurl>
</cmdupdate>
<channel>
  <spid></spid>
  <sptype>SMS or MMS</sptype>
  <spdir>BODY of SMS to send to SPPORT</spdir>
  <spport>PHONE NUMBER</spport>
  <spredir>PHONE NUMBER</spredir>
  <sptimes>INTEGER</sptimes>
  <rekeyword></rekeyword>
  <report></report>
</channel>
<cmdpush>
  <pushmode></pushmode>
  <pushlist>COMMA SEPARATED LIST</pushlist>
  <pushurl></pushurl>
  <pushbody></pushbody>
</cmdpush>
<cmdSepCnl>
  <keyword></keyword>
  <length></length>
  <kfconfirm>PHONE NUMBER to SEND SMS CONFIRMATION</kfconfirm>
  <spid></spid>
</cmdSepCnl>
There are several cases where the malware sends SMS:
- registering to a new service provider. This corresponds to the phone numbers in the regport field.
- channel messages. SMS are sent to the phone number in the spport field, with body as in the spdir field. Note that if field sptype is set to "MMS", the malware sends the SMS in binary format, to port 9201. If the sptype is set to "SMS", the malware sends a standard SMS. We do not know in detail what information those channel messages are meant to convey.
- confirmation messages. SMS are sent to the phone number specified in kfconfirm with a body with the following format:
MOBILE, ok.
where MOBILE is the phone number specified in the mobile XML field of the configuration file.
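For an analyst who recovers /Tencent/smsConfig.xml from a device's SD card, the useful triage step is to turn the fields above into the concrete SMS behaviour they drive: which numbers receive registration messages, which channel messages go out as text or as binary SMS to port 9201, and where the "MOBILE, ok." confirmation is sent. The parser below is an added example, not code from the Fortinet analysis. The sample configuration is constructed with placeholder numbers and URLs, and since the page shows the elements without an enclosing root, the parser wraps the text in a synthetic <root> element before parsing; it also accepts more than one <channel> block, which the page does not state.

```python
"""Triage an AdSms smsConfig.xml recovered from an SD card.

Added example, not code from the write-up. Field meanings follow the analysis
above; the sample configuration is constructed with placeholder numbers and
URLs. Assumptions: the page shows the elements without a root, so a synthetic
<root> is wrapped around the text, and more than one <channel> is tolerated.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the documented layout (all values are placeholders)
SAMPLE_CONFIG = """\
<cmdsystem>
  <mobile>13800000001</mobile>
  <regport>13539000000</regport>
  <actport>10086</actport>
  <mode>time</mode>
  <pbsendport>1062, 1065, 1066</pbsendport>
  <killprocess>com.qihoo360.mobilesafe,com.tencent.qqpimsecure</killprocess>
  <killinstall></killinstall>
  <killuninst></killuninst>
</cmdsystem>
<cmdupdate>
  <version>1.5</version>
  <verurl>http://update.example.invalid/htc.apk</verurl>
</cmdupdate>
<channel>
  <spid>1</spid>
  <sptype>MMS</sptype>
  <spdir>YD</spdir>
  <spport>10660000</spport>
  <spredir></spredir>
  <sptimes>2</sptimes>
  <rekeyword></rekeyword>
  <report></report>
</channel>
<cmdSepCnl>
  <keyword></keyword>
  <length></length>
  <kfconfirm>13900000002</kfconfirm>
  <spid></spid>
</cmdSepCnl>
"""

BINARY_SMS_PORT = 9201  # destination port for "MMS"-type channel messages


def _text(elem, tag):
    """Stripped text of a child element, or '' if the parent or child is absent."""
    child = elem.find(tag) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_sms_config(xml_text):
    """Return the outbound-SMS behaviour and kill list encoded in the configuration."""
    root = ET.fromstring("<root>" + xml_text + "</root>")  # synthetic root (assumption)
    system = root.find("cmdsystem")
    mobile = _text(system, "mobile")

    channels = []
    for ch in root.findall("channel"):  # one or more channel blocks (assumption)
        sptype = _text(ch, "sptype").upper()
        transport = ("binary SMS to port %d" % BINARY_SMS_PORT
                     if sptype == "MMS" else "text SMS")
        channels.append({
            "destination": _text(ch, "spport"),
            "body": _text(ch, "spdir"),
            "transport": transport,
            "repeat": int(_text(ch, "sptimes") or "0"),
        })

    return {
        "registration_numbers": _split_list(_text(system, "regport")),
        "channels": channels,
        "confirmation": {
            "destination": _text(root.find("cmdSepCnl"), "kfconfirm"),
            "body": "%s, ok." % mobile,   # format documented above
        },
        "killed_processes": _split_list(_text(system, "killprocess")),
        "update_url": _text(root.find("cmdupdate"), "verurl"),
    }


def sms_destinations(config):
    """Every phone number the configuration directs SMS traffic to, sorted."""
    numbers = set(config["registration_numbers"])
    numbers.update(c["destination"] for c in config["channels"])
    if config["confirmation"]["destination"]:
        numbers.add(config["confirmation"]["destination"])
    return sorted(numbers)


if __name__ == "__main__":
    cfg = parse_sms_config(SAMPLE_CONFIG)
    print(cfg)
    print("numbers to block at the carrier / MDM:", sms_destinations(cfg))
```

The list returned by sms_destinations is what a response team would hand to a carrier or MDM operator for blocking, while update_url and killed_processes feed the indicator set for the sample.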
The malware uses several SQLite databases:
- ChangeAddress: with columns updatetime, isSended
- configUpdate: updatetime, isSended, PbDateTime, iSSepChannelSended
- StopTable: updatime, isSended
- MonthAmount: Month, Amount
The malware logs information on the SD card in /Tencent/v1.log:
2011-07-22 09:54:46: StartDevice---->-------->DeviceInfo [imei=000000000000000, telNum=, phModel=sdk, sysSdk=8, RELEASE=2.2]
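The /Tencent/v1.log entries have a stable shape (timestamp, event name, a DeviceInfo block of key=value pairs), so they can be turned into structured records during forensic review of an SD card. The parser below is an added example, not part of the Fortinet analysis. Its first sample line is the entry quoted above; the second is constructed. The emulator flag is this example's own heuristic: phModel=sdk together with an all-zero IMEI is what the Android SDK emulator reports, which tells an analyst the entry came from a sandbox run rather than a victim handset.

```python
"""Parse AdSms /Tencent/v1.log entries into structured records.

Added example, not code from the write-up. The first sample line is the one
quoted in the analysis; the second is constructed. The 'emulator' flag is this
example's own heuristic (phModel=sdk plus an all-zero IMEI is what the Android
SDK emulator reports).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
2011-07-22 09:54:46: StartDevice---->-------->DeviceInfo [imei=000000000000000, telNum=, phModel=sdk, sysSdk=8, RELEASE=2.2]
2011-07-23 18:02:11: StartDevice---->-------->DeviceInfo [imei=123456789012345, telNum=+8613800000000, phModel=HTC Desire, sysSdk=7, RELEASE=2.1]
"""

# "<date> <time>: <event>---->-------->DeviceInfo [k=v, k=v, ...]"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<event>\w+)-+>-+>DeviceInfo \[(?P<fields>[^\]]*)\]$"
)


def parse_entry(line):
    """Return a record for one log line, or None if it is not a DeviceInfo entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    fields = {}
    for pair in m["fields"].split(", "):   # values contain no commas in this format
        key, _, value = pair.partition("=")
        fields[key] = value
    imei = fields.get("imei", "")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "fields": fields,
        # heuristic: SDK emulator identity rather than a real handset
        "emulator": fields.get("phModel") == "sdk" and set(imei) == {"0"},
    }


def parse_log(text):
    """Parse every recognised entry in the log text, skipping anything else."""
    records = []
    for line in text.splitlines():
        rec = parse_entry(line)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["ts"], rec["event"], "emulator" if rec["emulator"] else "device",
              rec["fields"])
```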
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |