Android/AdSms.A!tr

Analysis

Android/AdSms.A!tr is a Trojan horse for mobile phones running Android 2.1 or greater. It registers to service provider phone numbers and sends SMS to those phone numbers. Those tasks are done without the victim's consent.
The malicious package often disguises itself as a mobile phone update package. Its file name may, for instance, be htc.apk.


Technical Details


Once installed, the package does not create any icon. The malware can only be seen in the Application list, or running on the device:
# ps
...
app_35    210   33    105520 15436 ffffffff afd0eb08 S com.andiord
The malware is triggered when the device reboots or when it receives an SMS. First, it tries to "register", meaning that it:
  • kills some applications (e.g. QQ instant messaging applications) such as:
    com.qihoo360.mobilesafe
    com.tencent.qqpimsecure
    com.anguanjia.safe
  • sends an SMS (without consent) to 13539xxxxx, with the victim's IMEI as the body. This is assumed to register the phone to a particular service.
  • contacts a remote web server to download an XML configuration file:
    http://adsms.[CENSORED].cn/Submit.aspx?ver=1.4&sys=SDKLEVEL
      &imei=IMEI&ua=PHONEMODEL&pro=100,1000
    where ver is the malware's software version, sys is the API level of the victim's phone (for example 8), imei is the phone's IMEI, and ua is the phone's model (not actually the User-Agent).
    There are several different URLs from which the malware can download the configuration file. Only the host names differ, not the URL parameters.
    The configuration file is saved to the phone's SD card as /Tencent/smsConfig.xml.
The configuration file is an XML file, with tags as below:
<cmdsystem>
  <mobile>PHONE NUMBER</mobile>
  <regport>PHONE NUMBER TO REGISTER</regport>
  <actport>PHONE NUMBERS</actport>
  <mode>time</mode>
  <pbsendport>1062, 1065, 1066</pbsendport>
  <killprocess>APP TO KILL</killprocess>
  <killinstall>APPLICATION IDs</killinstall>
  <killuninst>APPLICATION IDs</killuninst>
</cmdsystem>
<cmdupdate>
  <version></version>
  <verurl>URL TO DOWNLOAD UPDATE</verurl>
</cmdupdate>
<channel>
  <spid></spid>
  <sptype>SMS or MMS</sptype>
  <spdir>BODY of SMS to send to SPPORT</spdir>
  <spport>PHONE NUMBER</spport>
  <spredir>PHONE NUMBER</spredir>
  <sptimes>INTEGER</sptimes>
  <rekeyword></rekeyword>
  <report></report>
</channel>
<cmdpush>
  <pushmode></pushmode>
  <pushlist>COMMA SEPARATED LIST</pushlist>
  <pushurl></pushurl>
  <pushbody></pushbody>
</cmdpush>
<cmdSepCnl>
  <keyword></keyword>
  <length></length>
  <kfconfirm>PHONE NUMBER to SEND SMS CONFIRMATION</kfconfirm>
  <spid></spid>
</cmdSepCnl>
There are several cases where the malware sends SMS:
  • registering to a new service provider. This corresponds to the phone numbers in the regport field.
  • channel messages. SMS are sent to the phone number in the spport field, with the body taken from the spdir field. Note that if the sptype field is set to "MMS", the malware sends the SMS in binary format to port 9201. If sptype is set to "SMS", the malware sends a standard SMS.
    We do not know in detail what information those channel messages are meant to convey.
  • confirmation messages. SMS are sent to the phone number specified in kfconfirm, with a body in the following format:
    MOBILE, ok.
    where MOBILE is the phone number specified in the mobile XML field of the configuration file.
The malware also checks whether it needs to be updated. If so, it downloads an update from http://adsms.[CENSORED].cn/1.apk. The file is written to the SD card as /Tencent/qqtlive.apk. The malware then updates the last update time in its own database and fetches a new smsConfig.xml file.
The malware uses several SQLite databases:
  • ChangeAddress: with columns updatetime, isSended
  • configUpdate: updatetime, isSended, PbDateTime, iSSepChannelSended
  • StopTable: updatime, isSended
  • MonthAmount: Month, Amount
Whenever an SMS is received, the malware filters it if the sender's phone number starts with one of the numbers listed in the pbsendport field.
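As an added triage example (not code from the Fortinet write-up or from the malware itself), the following Python parses a captured configuration in the smsConfig.xml layout shown above, lists the SMS destinations and bodies it would drive, and applies the pbsendport prefix rule to an incoming sender number. The sample configuration is constructed, and the registration body is assumed to be the IMEI, as in the registration SMS described earlier.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the smsConfig.xml layout described above (not a real capture).
SAMPLE_CONFIG = """
<cmdsystem>
  <mobile>13800000000</mobile>
  <regport>10086</regport>
  <pbsendport>1062, 1065, 1066</pbsendport>
</cmdsystem>
<channel>
  <sptype>SMS</sptype>
  <spdir>CONSTRUCTED-BODY</spdir>
  <spport>10620000</spport>
</channel>
<cmdSepCnl>
  <kfconfirm>10650000</kfconfirm>
</cmdSepCnl>
"""

def _text(root, path):
    node = root.find(path)
    return (node.text or "").strip() if node is not None else ""

def parse_config(xml_text):
    """Extract the fields a triage analyst needs from a captured config."""
    # The file has several top-level elements and no document root, so a
    # strict XML parser rejects it unless it is wrapped first.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    ports = _text(root, "cmdsystem/pbsendport").split(",")
    return {
        "mobile": _text(root, "cmdsystem/mobile"),
        "regport": _text(root, "cmdsystem/regport"),
        "pbsendport": [p.strip() for p in ports if p.strip()],
        "sptype": _text(root, "channel/sptype"),
        "spport": _text(root, "channel/spport"),
        "spdir": _text(root, "channel/spdir"),
        "kfconfirm": _text(root, "cmdSepCnl/kfconfirm"),
    }

def planned_sms(cfg):
    """(destination, body) pairs the config would make the malware send."""
    return [
        (cfg["regport"], "<IMEI>"),  # registration SMS; IMEI body assumed as in the write-up
        (cfg["spport"], cfg["spdir"]),  # channel message, SMS or MMS per sptype
        (cfg["kfconfirm"], f"{cfg['mobile']}, ok."),  # confirmation message format
    ]

def is_intercepted(sender, cfg):
    """True if an incoming SMS from this sender would be filtered by the malware."""
    return any(sender.startswith(p) for p in cfg["pbsendport"])
```

Feeding a real captured smsConfig.xml to parse_config gives the premium numbers to block at the carrier or MDM layer and the sender prefixes whose messages the victim never sees.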
The malware logs information on the SD card in /Tencent/v1.log:
2011-07-22 09:54:46: StartDevice---->-------->DeviceInfo 
 [imei=000000000000000, telNum=, phModel=sdk, sysSdk=8, RELEASE=2.2]

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Detection
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date        Version    Detail
2023-03-06  91.01181
2021-04-21  85.00617
2021-04-14  85.00448
2020-04-20  76.83400
2020-04-13  76.68500
2020-04-13  76.68200
2018-12-07  64.71500