Mobile Virus

Android/Vdloader.A!tr

Analysis

Android/Vdloader.A!tr is a piece of malware targetting Android mobile phones.
The malware comes disguised as a wallpaper application. After installation, the application can't be seen in the main phone menu, however, it can be seen on the list of installed applications in the Settings menu (refer Fig1)
Fig1. Wallpaper application seen in the Settings menu
In background, the application sends out information about the victim's phone to a specific URL and depending upon the response received, can display notifications, send out SMS messages, download and install packages on the phone without the knowledge of the victim.

Technical Details


The wallpaper application comes in the package "waterfall3dLive.boa.liveWPcube" with the name "3D waterfall wallpaper" in Chinese.
The malicious functionality of the application is contained in the package android.system
The malicious package contains the following classes:
  • android.system.ActionReceiver: The receiver listens for the intent "android.intent.action.SIG_STR" and is launched everytime there is a change in the phone's signal strength. When launched, the receiver performs the following actions:
    • Creates a JSONObject of the format
      {"ve":"8.0","nct":"0","ict":"0","cus":["http://CENSOREDdee.com:8080/p.jsp"],"si":"201","ci":"1"}
      The value of "ci" is updated from the file 'system.txt' present in the package assets
    • Reads phone information such as
      IMEI, IMSI, phone number, Android SDK version, Network type (i.e. GPRS/EDGE/CDMA etc), phone type, phone model name and network operator name
    • Sets a repeating alarm to launch the MainService, described below, every 5000 secs.
  • android.system.MainService: When started, it sends out an HTTP request to the URL "http://CENSOREDdee.com:8080/p.jsp" with the phone information mentioned above. Depending upon the value of a flag in the response received, the following functions are carried out:
    • Flag=0 => A specific URL is opened in the phone browser, also allowing the malware to download packages to the victim's phone
    • Flag=1 => SMS messages are sent out from the victim's phone
    • Flag=2 => The CoreService, described below, is launched
  • android.system.CoreService: This service is responsible for displaying notifications to the user and the installation of a package specified on the phone

Permissions required by the application:
  • WRITE_EXTERNAL_STORAGE
  • INTERNET
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE

Many of the strings in the package, including the URL contacted, are encrypted.
Mainly aimed at Chinese users.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.