Android/Loozfon.A!tr
Analysis
Android/Loozfon.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as pornographic video viewing software, but it leaks information about the victim's phone, such as the phone number, IMEI and contacts, to a specific web location.
Technical Details
The trojan comes in the form of a Japanese application (refer to Fig1) in a package called fa.lin.ero.
Fig1 : The trojan application with name 'Order without plating' (literal translation from Japanese)
Upon clicking on the application, StartActivity is launched. This activity is responsible for launching the visible activities of the application and also performs the malicious functions in the background.
Its functionality is explained in detail below. Upon launch, Android/Loozfon.A!tr creates the view shown in Fig2.
Fig2 : Upon application launch
- If the user clicks on the lower button, which corresponds to the user being under 18, the application exits.
- If the user clicks on the upper button, which corresponds to the user being over 18, it launches the activity ViewActivity described further below.
- Next, in the background, it gathers contact information from the phone and sends this information in a POST request to "http://[CENSORED]/appli/addressBookRegist" with the following parameter-value pairs:
- "individualNo" - IMEI
- "appliId" - "3"
- "telNo" - MSISDN/phone number
- "addressBook" - contact name + "##addressName##" + phone number + "##telNo##" + email id + "##mailAddress##" + "##paramPartDivide##" + next contact, and so on.
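For incident response, an analyst holding a captured POST to the endpoint above will want to know exactly which identifiers and contacts left the device. The following decoder is an added example, not code from the original analysis: it reproduces the parameter names and "##...##" delimiters described above, and assumes the body is standard form URL-encoded (the sample body is constructed, not real traffic).

```python
import re
from urllib.parse import parse_qs

RECORD_SEP = "##paramPartDivide##"
# One contact record: each value is followed by its tag, in fixed order.
RECORD_RE = re.compile(
    r"^(?P<name>.*?)##addressName##"
    r"(?P<phone>.*?)##telNo##"
    r"(?P<email>.*?)##mailAddress##$",
    re.DOTALL,
)

def parse_address_book(blob: str) -> list:
    """Split the addressBook parameter into one dict per leaked contact."""
    contacts = []
    for record in blob.split(RECORD_SEP):
        if not record:  # a trailing separator leaves an empty record
            continue
        m = RECORD_RE.match(record)
        if m is None:
            raise ValueError(f"unrecognised contact record: {record!r}")
        contacts.append(m.groupdict())
    return contacts

def parse_exfil_body(body: str) -> dict:
    """Decode the whole POST body into device identifiers plus contacts."""
    fields = parse_qs(body, keep_blank_values=True)  # assumes form encoding
    first = lambda key: fields.get(key, [""])[0]
    return {
        "imei": first("individualNo"),
        "appli_id": first("appliId"),
        "msisdn": first("telNo"),
        "contacts": parse_address_book(first("addressBook")),
    }

# Constructed sample body with placeholder values (two contacts, the second
# without an email address); not captured from a real infection.
SAMPLE_BODY = (
    "individualNo=123456789012345&appliId=3&telNo=%2B819012345678"
    "&addressBook=Alice%23%23addressName%23%23%2B819011112222%23%23telNo%23%23"
    "alice%40example.com%23%23mailAddress%23%23%23%23paramPartDivide%23%23"
    "Bob%23%23addressName%23%23%2B819033334444%23%23telNo%23%23"
    "%23%23mailAddress%23%23%23%23paramPartDivide%23%23"
)

if __name__ == "__main__":
    leaked = parse_exfil_body(SAMPLE_BODY)
    print(f"IMEI {leaked['imei']}, MSISDN {leaked['msisdn']}, "
          f"{len(leaked['contacts'])} contacts leaked")
    for c in leaked["contacts"]:
        print(f"  {c['name']!r} {c['phone']!r} {c['email']!r}")
```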
The activity ViewActivity creates the view of the pornographic application. Depending on what the user clicks, it launches MovieActivity that plays adult videos.
Permissions required by the application:
- CALL_PHONE
- INTERNET
- READ_PHONE_STATE
- READ_CONTACTS
- ACCESS_NETWORK_STATE
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |