Android/Loozfon.A!tr

Analysis

Android/Loozfon.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as pornographic video viewing software; however, it leaks information about the victim's phone, such as the phone number, IMEI and contacts, to a specific web location.

Technical Details


The trojan comes in the form of a Japanese application (refer to Fig1) in a package called fa.lin.ero.
Fig1 : The trojan application with name 'Order without plating' (literal translation from Japanese)
Upon clicking on the application, StartActivity is launched. This activity is responsible for launching the visible activities of the application and also performs the malicious functions in the background.
Its functionality is explained in detail below. Upon launch, Android/Loozfon.A!tr creates the view shown in Fig2.

Fig2 : Upon application launch
  • If the user clicks on the lower button, which corresponds to the user being under 18, the application exits
  • If the user clicks on the upper button, which corresponds to the user being over 18, it launches the activity ViewActivity described further below
  • Next, in the background it gathers contact information from the phone and sends this information in a POST request to "http://[CENSORED]/appli/addressBookRegist" with the following parameter-value pairs:
    • "individualNo" - IMEI
    • "appliId" - "3"
    • "telNo" - MSISDN/phone number
    • "addressBook" - contact name + "##addressName##" + phone number + "##telNo##" + email address + "##mailAddress##" + "##paramPartDivide##" + next contact, and so on.
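To help triage captured traffic, the following added example (not code from the original analysis) decodes the exfiltration POST described above: it checks for the request path and the four parameter names, then splits the "addressBook" blob back into per-contact records using the field tags and the "##paramPartDivide##" separator. The IMEI, phone numbers and names in the sample body are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Delimiters of the "addressBook" serialisation described in the analysis.
CONTACT_DIVIDER = "##paramPartDivide##"
FIELD_TAGS = (("##addressName##", "name"), ("##telNo##", "phone"), ("##mailAddress##", "email"))
EXFIL_PATH = "/appli/addressBookRegist"
EXFIL_PARAMS = {"individualNo", "appliId", "telNo", "addressBook"}

def parse_address_book(blob: str) -> list:
    """Split the concatenated contact dump back into per-contact records.

    Each field value is followed by its tag; contacts are separated by
    CONTACT_DIVIDER. A record with a missing tag is kept as far as it parses.
    """
    contacts = []
    for part in blob.split(CONTACT_DIVIDER):
        if not part:
            continue  # empty chunk from a leading/trailing divider
        record, rest = {}, part
        for tag, key in FIELD_TAGS:
            value, found, rest = rest.partition(tag)
            record[key] = value
            if not found:
                break  # malformed record: stop rather than mis-assign fields
        contacts.append(record)
    return contacts

def inspect_post(path: str, body: str) -> Optional[dict]:
    """Return a triage summary if (path, body) match the exfiltration shape, else None."""
    if not path.endswith(EXFIL_PATH):
        return None
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not EXFIL_PARAMS.issubset(params):
        return None
    return {
        "imei": params["individualNo"],
        "appli_id": params["appliId"],
        "victim_msisdn": params["telNo"],
        "contacts": parse_address_book(params["addressBook"]),
    }

# Constructed sample body (placeholder IMEI/numbers), url-encoded as a form POST would be.
SAMPLE_BODY = urlencode({
    "individualNo": "000000000000000",
    "appliId": "3",
    "telNo": "09000000000",
    "addressBook": "Taro Yamada##addressName##09011111111##telNo##taro@example.jp##mailAddress##"
                   + CONTACT_DIVIDER
                   + "Hanako Sato##addressName##09022222222##telNo##hanako@example.jp##mailAddress##",
})
```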

The activity ViewActivity creates the view of the pornographic application. Depending on what the user clicks, it launches MovieActivity that plays adult videos.
Permissions required by the application:
  • CALL_PHONE
  • INTERNET
  • READ_PHONE_STATE
  • READ_CONTACTS
  • ACCESS_NETWORK_STATE
The trojan is mainly aimed at Japanese users.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date Version Detail
2022-09-14 90.05983
2022-09-07 90.05771
2022-07-13 90.04122
2022-06-01 90.02827
2022-05-18 90.02410
2022-04-06 90.01152
2022-02-16 89.09683
2021-12-29 89.08213
2021-12-01 89.07373
2021-11-24 89.07163