Android/FakeJob.A!tr
Analysis
Android/FakeJob.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as an application for playing Hindi & Bollywood music called "Saavn".
However, the package also contains a component that, each time the phone is switched on, prompts the victim with a fake job offer from a well-known company.
Technical details:
The main application is called "Saavn" and comes in the package "com.saavn.android"
The malicious activity lives in a separate package namespace, "com.biggboss6", bundled inside the application
After installation of the application, each time the phone is switched on, the victim is shown an alert dialog as seen in Fig1
Fig1 : Fake Job Offer Alert Dialog
If the user taps "Yes", the malware opens the URL
http://[REMOVED]/files/4TcQx7Z/0/blob/x675 on the victim's phone.
The URL leads to a fake job offer letter (ref Fig2) from a well-known company, asking the victim to deposit a certain amount of money and to send a scan of the bank deposit slip to a fraudulent email address:
tata@companyhrdonline.com
Fig2 : Fake Job Offer Letter
Permissions required by the application:
- INTERNET
- VIBRATE
- ACCESS_NETWORK_STATE
- READ_PHONE_STATE
- WAKE_LOCK
- GET_ACCOUNTS
- RECEIVE_BOOT_COMPLETED
- WRITE_SMS
- ACCESS_FINE_LOCATION
Aimed at Indian users
Certificate information:
- Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
- Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
- Serial number: a2ef26b9685c2c75
- Valid from: Fri Feb 08 06:10:23 CET 2013 until: Mon Jun 25 07:10:23 CEST 2040
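The permission list and the certificate fields above are the two things a triage analyst would check first on a sample like this: a boot receiver whose classes sit outside the declared package, the permission set that makes that receiver and the data access possible, and a signing certificate that still carries the OpenSSL "Internet Widgits Pty Ltd" placeholder subject. The script below is an added example, not Fortinet's tooling; it runs over a constructed text manifest modelled on the description above (the component class names BootReceiver, OfferActivity and MainActivity are assumptions; the two package names and the permission list come from the analysis). A real APK ships its manifest as binary XML, so run `apktool d sample.apk` first and point the function at the decoded AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Permissions from the page's list that matter for this sample's behaviour
# (persistence, identity/account harvesting, SMS write, location).
RISKY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    BOOT_PERMISSION,
    "android.permission.WRITE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest modelled on the analysis above. Component class names
# are assumptions; the two package names and the permissions are from the page.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.saavn.android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Saavn">
    <activity android:name="com.saavn.android.MainActivity"/>
    <receiver android:name="com.biggboss6.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <activity android:name="com.biggboss6.OfferActivity"/>
  </application>
</manifest>
"""

# Signing-certificate fields exactly as printed on the page.
SAMPLE_CERT = {
    "owner": "O=Internet Widgits Pty Ltd, ST=Some-State, C=AU",
    "issuer": "O=Internet Widgits Pty Ltd, ST=Some-State, C=AU",
}


def _a(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return package, permissions, foreign components, boot receivers and findings."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = {_a(p, "name") for p in root.iter("uses-permission")}

    # Components whose class lives outside the declared package namespace:
    # here the boot receiver and offer activity sit in com.biggboss6 even
    # though the app declares itself as com.saavn.android.
    foreign = []
    for tag in ("activity", "receiver", "service"):
        for comp in root.iter(tag):
            name = _a(comp, "name")
            if name and not name.startswith(".") and not name.startswith(pkg + "."):
                foreign.append(name)

    # Receivers registered for BOOT_COMPLETED; they only fire if the
    # RECEIVE_BOOT_COMPLETED permission is also requested.
    boot_receivers = [
        _a(r, "name") for r in root.iter("receiver")
        if any(_a(act, "name") == BOOT_ACTION for act in r.iter("action"))
    ]

    findings = []
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    if boot_receivers and BOOT_PERMISSION in perms:
        findings.append("autostart on boot via " + ", ".join(boot_receivers))
    if foreign:
        findings.append("components outside %s: %s" % (pkg, ", ".join(foreign)))
    return {"package": pkg, "permissions": perms, "foreign_components": foreign,
            "boot_receivers": boot_receivers, "findings": findings}


def check_certificate(cert):
    """Flag the OpenSSL 'req' placeholder DN and a self-signed owner/issuer pair."""
    notes = []
    if "Internet Widgits Pty Ltd" in cert["owner"]:
        notes.append("owner is OpenSSL's default placeholder DN")
    if cert["owner"] == cert["issuer"]:
        notes.append("self-signed")
    return notes


if __name__ == "__main__":
    for f in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("[manifest]", f)
    for n in check_certificate(SAMPLE_CERT):
        print("[cert]", n)
```

None of these checks is proof of malice on its own: many legitimate apps request RECEIVE_BOOT_COMPLETED, and self-signed keys are the norm on Android. The combination that stands out here is a boot receiver implemented in a package namespace unrelated to the app's own, plus a placeholder certificate subject that nobody shipping a real product would leave in place.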
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |