Android/FakeJob.A!tr

Analysis

Android/FakeJob.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as an application for playing Hindi & Bollywood music called "Saavn".
However, the package contains an activity that displays a fake job offer letter from a well-known company each time the phone is switched on.

Technical details:
The main application is called "Saavn" and comes in the package "com.saavn.android".
The malicious activity lives in a separate part of the package, "com.biggboss6".
After installation of the application, each time the phone is switched on, the victim is shown an alert dialog, as seen in Fig1.

Fig1 : Fake Job Offer Alert Dialog
If the user clicks on "Yes", the malware opens the URL

http://[REMOVED]/files/4TcQx7Z/0/blob/x675
on the victim's phone.
The URL leads to a fake job offer letter (ref Fig2) from a well-known company. The letter asks the victim to deposit a certain amount of money and to send a scan of the bank deposit slip to a fraudulent email address:
tata@companyhrdonline.com

Fig2 : Fake Job Offer Letter
Permissions required by the application:
  • INTERNET
  • VIBRATE
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE
  • WAKE_LOCK
  • GET_ACCOUNTS
  • RECEIVE_BOOT_COMPLETED
  • WRITE_SMS
  • ACCESS_FINE_LOCATION
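
The traits described above (a legitimate-looking package name, components in a foreign namespace such as "com.biggboss6", a boot-time trigger, and permissions a music player has no need for) can be checked mechanically from the AndroidManifest. The triage script below is an added example and not Fortinet's code; the manifest and the component class names in it are constructed placeholders modelled on this write-up.

```python
# Added triage example, not Fortinet's code. The manifest and class
# names below are constructed placeholders modelled on the write-up.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions from the write-up that a music player has no need for.
SUSPICIOUS_PERMS = {"WRITE_SMS", "RECEIVE_BOOT_COMPLETED", "GET_ACCOUNTS",
                    "ACCESS_FINE_LOCATION", "READ_PHONE_STATE"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.saavn.android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <application>
    <activity android:name="com.saavn.android.MainActivity"/>
    <activity android:name="com.biggboss6.OfferActivity"/>
    <receiver android:name="com.biggboss6.BootReceiver">
      <intent-filter><action android:name="%s"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % (ANDROID_NS, BOOT_ACTION)

def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")

def triage_manifest(xml_text):
    """Return components outside the declared package, receivers
    registered for BOOT_COMPLETED, and suspicious permissions."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    out = {"package": pkg, "foreign_components": [],
           "boot_receivers": [], "suspicious_perms": []}
    for p in root.iter("uses-permission"):
        short = attr(p, "name").rsplit(".", 1)[-1]
        if short in SUSPICIOUS_PERMS:
            out["suspicious_perms"].append(short)
    for comp in root.iter():
        if comp.tag not in ("activity", "receiver", "service"):
            continue
        cls = attr(comp, "name")
        # Code living outside the declared package is a sign of a
        # repackaged legitimate app with grafted-on components.
        if cls and not cls.startswith(pkg + "."):
            out["foreign_components"].append(cls)
        if comp.tag == "receiver" and BOOT_ACTION in {
                attr(a, "name") for a in comp.iter("action")}:
            out["boot_receivers"].append(cls)
    return out
```

Run against a real APK by feeding it the decoded AndroidManifest.xml (for example from apktool output); a non-empty foreign_components list together with a boot receiver is the pattern this family exhibits.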

The campaign is aimed at Indian users.
Certificate information:
  • Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
  • Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
  • Serial number: a2ef26b9685c2c75
  • Valid from: Fri Feb 08 06:10:23 CET 2013 until: Mon Jun 25 07:10:23 CEST 2040

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate: Extreme
  • FortiClient: Extended
  • FortiMail: Extended
  • FortiSandbox: Extended
  • FortiWeb: Extended
  • Web Application Firewall: Extended
  • FortiIsolator: Extended
  • FortiDeceptor: Extended
  • FortiEDR