Android/FakeInst.B!tr

Analysis

Android/FakeInst.B!tr is a piece of malware targeting Android mobile phones. It usually poses as an installer for well-known applications such as Opera Mini, ICQ or Skype:

Figure 1. Installer for the Opera Mini browser.
The malware may try to look like a legitimate downloader and display an agreement message:

Figure 2. The user is shown the message "Do you agree with loading BatteryOptimizer" with the choice to click on one of two buttons named "Agree" and "Agreement".
If the user clicks on the first option ("Agree"), a list of links is displayed which may lead to downloading further packages.

Figure 3. Links from where to download packages
However, in the background, the malware receives commands from a remote server. These commands can instruct the malware to send over the list of contacts, send SMS messages, delete given SMS messages, update itself, etc.

Technical Details


Permissions required by the application:
  • READ_PHONE_STATE
  • ACCESS_NETWORK_STATE
  • SEND_SMS
  • RECEIVE_SMS
  • INTERNET
  • WRITE_EXTERNAL_STORAGE
  • INSTALL_PACKAGES
  • DELETE_PACKAGES
  • READ_CONTACTS
  • RECEIVE_BOOT_COMPLETED
The malware's functionality is mainly contained in the classes MainService, SmsReciver (typo in the code), MainActivity and UpdateActivity.
When the malware is launched, it loads configuration settings present in raw resources. In particular, it reads and decrypts SMS settings from /res/raw/sms.xml. The encrypted file has the following format:
  • a first byte for the length of the XOR key
  • the XOR key
  • the ciphertext
Once decrypted, the settings read as follows:
<?xml version="1.0" encoding="UTF-8" ?>
<sms url="http://[CENSORED]">
<operator name="default" code="XXX">
<item number="3170" text="99[CENSORED] 612 Android (425)  2012-02-22 11:30:05 ope[CENSORED] y" />
</operator>
<operator name="megafon" code="25002">
<item number="3150" text="99[CENSORED] 612 Android (425)  2012-02-22 11:30:05 ope[CENSORED]" />
</operator>
<operator name="megafonx" code="7920,7921,[CENSORED]">
<item number="3170" text="99[CENSORED] 612 Android (425)  2012-02-22 11:30:05 ope[CENSORED]" />
</operator></sms>
The malware populates internal lists from the settings it reads.
There is a list of SMS entries, each with a short code (number) and a text (message body). Those are the potential SMS messages the malware sends.
There is a list of operators. Each operator entry holds the operator's name, a list of operator codes (comma-separated in the XML configuration) and a reference to the SMS entries (above) to send for that operator. So the SMS messages the malware may send depend on the operator the phone uses.
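The resource format described above (a length byte, the XOR key, then the ciphertext) and the operator/SMS lists built from the decrypted XML, worked through as an added example. This is not code from the write-up or from the sample; the key, the C2 URL and the message texts below are constructed, and the function names are my own.

```python
"""Decode and parse a FakeInst-style encrypted SMS configuration resource.

Added example, not code from the Fortinet write-up. The blob layout follows
the page: one length byte, the XOR key, then the ciphertext. The sample key,
the placeholder URL and the message texts are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class SmsEntry:
    number: str   # short code the message would be sent to
    text: str     # message body


@dataclass
class Operator:
    name: str
    codes: list[str]                                   # operator codes, split on ","
    messages: list[SmsEntry] = field(default_factory=list)


def decrypt_resource(blob: bytes) -> bytes:
    """Strip the length-prefixed XOR key and XOR it cyclically over the rest."""
    if not blob:
        raise ValueError("empty resource")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed resource: bad key length")
    key = blob[1:1 + key_len]
    body = blob[1 + key_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def parse_sms_config(xml_bytes: bytes) -> tuple[str, list[Operator]]:
    """Build the operator list from the decrypted <sms> document."""
    root = ET.fromstring(xml_bytes)
    url = root.get("url", "")
    operators: list[Operator] = []
    for op in root.findall("operator"):
        codes = [c.strip() for c in op.get("code", "").split(",") if c.strip()]
        entry = Operator(name=op.get("name", ""), codes=codes)
        for item in op.findall("item"):
            entry.messages.append(SmsEntry(item.get("number", ""), item.get("text", "")))
        operators.append(entry)
    return url, operators


def select_operator(operators: list[Operator], sim_code: str) -> Operator:
    """Return the entry whose code list contains the SIM's operator code,
    falling back to the "default" entry (the fallback rule is an assumption)."""
    for op in operators:
        if sim_code in op.codes:
            return op
    for op in operators:
        if op.name == "default":
            return op
    raise LookupError("no matching operator and no default entry")


def encode_resource(plaintext: bytes, key: bytes) -> bytes:
    """Build a blob in the same layout so the decryptor can be exercised offline."""
    return bytes([len(key)]) + key + bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


# Constructed sample modelled on the decrypted file shown on the page.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    '<sms url="http://c2.example.invalid">\n'
    '<operator name="default" code="XXX">\n'
    '<item number="3170" text="99EXAMPLE 612 Android (425)" />\n'
    '</operator>\n'
    '<operator name="megafon" code="25002">\n'
    '<item number="3150" text="99EXAMPLE 612 Android (425)" />\n'
    '</operator>\n'
    '</sms>'
)
SAMPLE_KEY = b"\x5a\xc3\x17"   # constructed key, not the sample's real key
SAMPLE_BLOB = encode_resource(SAMPLE_XML.encode(), SAMPLE_KEY)


if __name__ == "__main__":
    url, ops = parse_sms_config(decrypt_resource(SAMPLE_BLOB))
    print("server url:", url)
    for op in ops:
        print(op.name, op.codes, [(m.number, m.text) for m in op.messages])
    print("SIM 25002 ->", select_operator(ops, "25002").name)
```

To use this against a real resource, read `res/raw/sms.xml` from the unpacked APK and pass its bytes to `decrypt_resource`; the length check rejects truncated files rather than silently producing garbage.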
The malware also maintains other lists:
  • delete list: if the malware receives an SMS from a number in that list, it deletes the SMS.
  • catch list: if the malware receives an SMS from a number in that list, it notifies a remote server over HTTP.
The malware contacts a remote server whose URL is contained within the raw resource /res/raw/start.xml.
It gets commands from this server. Those commands are sent in XML; the recognised commands are:
  • catch number=xyz: adds a number to the catch list
  • delete number=xyz: adds a number to the delete list
  • command name=removeAllSmsFilter: this will clear the delete list
  • command name=sendContactList: dumps the list of contacts of the phone in XML format and sends it to the remote server.
  • command name=removeCurrentCatchFilter: clears the catch list
  • wait seconds: wait for the given number of seconds
  • http url=URL method=GET or POST: sends an HTTP GET or POST request
  • param name=xyz: when sending an HTTP request, includes this HTTP parameter in the request.
  • update: updates the malware from a given URL
  • screen: customize the update screen with a given screen text and button.
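The catch and delete lists and the commands that manage them, modelled as an added example so an analyst can replay captured command XML and predict how the bot would handle an incoming message. This is not code from the write-up; the element and attribute names follow the command list above, while the wrapping root element (`<commands>`), the sample numbers and the handling of a number present in both lists are assumptions made here.

```python
"""Replay server commands against the bot's SMS filter state.

Added example, not code from the Fortinet write-up. Only the filter-related
commands (catch, delete, removeAllSmsFilter, removeCurrentCatchFilter) are
modelled; other commands are logged and ignored. The <commands> root
element and the sample numbers are constructed assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET


class SmsFilterState:
    def __init__(self) -> None:
        self.catch_list: set[str] = set()    # senders whose SMS are reported to the server
        self.delete_list: set[str] = set()   # senders whose SMS are deleted
        self.log: list[str] = []             # commands seen but not modelled here

    def apply_commands(self, xml_bytes: bytes) -> list[str]:
        """Update the two lists from one command document; return the log."""
        root = ET.fromstring(xml_bytes)
        for el in root:
            if el.tag == "catch":
                self.catch_list.add(el.get("number", ""))
            elif el.tag == "delete":
                self.delete_list.add(el.get("number", ""))
            elif el.tag == "command":
                name = el.get("name", "")
                if name == "removeAllSmsFilter":
                    self.delete_list.clear()
                elif name == "removeCurrentCatchFilter":
                    self.catch_list.clear()
                else:
                    self.log.append(f"command {name}: not modelled")
            else:
                self.log.append(f"{el.tag}: not modelled")
        return self.log

    def disposition(self, sender: str) -> list[str]:
        """Actions the bot would take on an SMS from `sender`.
        A number in both lists yields both actions; precedence is not
        documented, so none is assumed."""
        actions = []
        if sender in self.delete_list:
            actions.append("delete")
        if sender in self.catch_list:
            actions.append("report")
        return actions


# Constructed command documents (the root element name is an assumption).
SAMPLE_COMMANDS = (
    b'<commands>'
    b'<catch number="3150"/>'
    b'<delete number="3170"/>'
    b'<wait seconds="5"/>'
    b'</commands>'
)
SAMPLE_RESET = b'<commands><command name="removeCurrentCatchFilter"/></commands>'


if __name__ == "__main__":
    state = SmsFilterState()
    print(state.apply_commands(SAMPLE_COMMANDS))
    for sender in ("3170", "3150", "1234"):
        print(sender, "->", state.disposition(sender) or ["pass"])
    state.apply_commands(SAMPLE_RESET)
    print("after reset, 3150 ->", state.disposition("3150") or ["pass"])
```

Feeding recorded server responses through `apply_commands` in order shows which senders the bot would silence and which it would report at any point in a session, which is the part of the protocol most useful when writing up the sample's behaviour.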

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate (Extended database)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date        Version    Detail
2020-12-03  82.27800
2019-05-13  68.49800
2019-04-24  68.02600
2018-12-26  65.18000