Android/Ozotshielder.A!tr
Analysis
Android/Ozotshielder.A!tr poses as a dynamic wallpaper application.
In background, this malware contacts a remote server from which it returns
SMS phone numbers and bodies.
Additionally, the malware sends private information (victim's IMSI) and
shows the capability of updating, downloading and installing further packages.
Once installed, the malware creates a log file:
/mnt/sdcard/jxlog/jxlog.txtThen, it decrypts the asset file config.dat which contains 4 parameters:
- ownerid (e.g 2903)
- pid (e.g 427957)
- name: application's name (e.g Bezier curve wallpapers)
- files
Then, it registers the various receivers and starts the AndroidThemeService service.
The AndroidThemeService registers receivers for SMS and MMS messages. Then, it retrieves the victim's IMSI.
After that, basically, the malware is designed to send SMS messages to affiliate entities, called channels. The SMS message is sent to a channel number (ChlNumber) and the body is a channel command (ChlCommand).
Channel numbers and commands are queued in a channel information queue.
The malware processes the channel information queue and sends SMS messages to each channel in the queue. Each time a SMS message is sent, a counter, CostNumberSend, is incremented.
When the queue is empty, the malware posts a report via HTTP
http://[CENSORED]/Service.aspx?ac=successinstall&num=X&imsi=IMSIwhere X corresponds to the number of SMS message sent (CostNumberSend) and IMSI corresponds to the victim's IMSI.
The malware uses a special User Agent, Android-Mms/2.0.
If necessary, the malware configures the phone's access points to receive MMS and SMS.
When the malware receives a first SMS message, it contacts a remote server:
http://[CENSORED]/AndroidService.aspx?imsi=IMSI&mobile=PHONENUMBER$s&pid=PID&ownerid=OWNDERID&testchlid=0&returnkey=1&busid=19&pidlist=LIST&ver=VERSION&pt=2&androidver=MODEL-RELEASE-SDKand expects in return some DES-encrypted information (key and IV set to "1a2b3c4d"). The encrypted information contains channel numbers and commands and cost parameters.
The malware also maintains a settings file in which it stores various information such as:
- RunSmsReceiver: if the SMS receiver has been started
- sharesmsc: SMS Center
- shareimsi: victim's IMSI
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiGate | |
---|---|
Extreme | |
FortiClient | |
Extended | |
FortiMail | |
Extended | |
FortiSandbox | |
Extended | |
FortiWeb | |
Extended | |
Web Application Firewall | |
Extended | |
FortiIsolator | |
Extended | |
FortiDeceptor | |
Extended | |
FortiEDR |