Adware/Feiwo!Android
Analysis
Adware/Feiwo!Android is an aggressive adware for Android mobile devices,
which posts the victim's phone number, IMEI and list of installed applications to its servers.
This SDK is typically unwanted and should generally be removed from devices.
Additionally, the adware implements several techniques to complicate its analysis.
Technical Details
The adware SDK comes bundled with various other applications. The package path of the adware is typically something like com/fw/xxx, where xxx varies (e.g. "toth"). From a developer's point of view, the SDK is initialized as below:

    FwBManager.init(((Context)this), "XXX");
    FwIManager.init(((Context)this), "XXX");
    FwFSManager.init(((Context)this), "XXX");
    FwBManager.loadBannerAD(((Context)this), this.getLayoutInflater().inflate(...));

Quite typically too, the developer specifies his/her identifier to get revenue for the ads which were viewed:

    v0.putExtra("feiwo_appkey", "THEKEY");

The adware collects numerous pieces of information that it stores in its database (see the disassembled code in com/fw/XXXX/db/dao). The database is named feiwo_bai-db and contains the following tables:
    sqlite> .tables
    ACTION_INFO          CREDITS_WALL_AD      HOT_APP_AD_INFO
    AD_HINGE             CUSTOM_AD            INSTALLED_APP
    APPEND_DATA          DELAY_ACTION         MY_DOWNLOAD_INFO
    APP_INFO             DEVICE_INFO          PUSH_AD
    APP_WALL_AD          FAILURE_ACTION_INFO  PUSH_SETTING
    BANNER_AD            FULL_COVER_AD        SETTING
    COVER_AD             FULL_SCREEN_AD       android_metadata

In particular, the DEVICE_INFO table contains the IMEI, phone number and SIM serial number. For example, this is the device information recorded for a standard emulator:

    > .schema DEVICE_INFO
    CREATE TABLE 'DEVICE_INFO' ('_id' INTEGER PRIMARY KEY AUTOINCREMENT ,'IMEI' TEXT,'SDK_VERSION' TEXT,'BRAND' TEXT,'MODEL' TEXT,'RESOLUTION' TEXT,'NETWORK' TEXT,'APP_KEY' TEXT,'SIM_SERIAL_NUM' TEXT,'PHONE_NUMBER' TEXT,'OPERATOR' TEXT,'SYSTEM_VERSION' TEXT,'MOBILE_SYSTEM' TEXT,'DEV_APP_PACKAGE' TEXT);
    > SELECT * FROM DEVICE_INFO;
    0|000000000000000|2.2.0|unknown|Android SDK built for x86|480*800|3G|1E238HP6n8HUqyEfnQVL90p8|89014103211118510720|15555215554|260|5.1|android|com.wyj.anzhi.hd100

The INSTALLED_APP table also keeps track of all installed applications:

    1|com.android.smoketest|com.android.smoketest
    2|com.example.android.livecubes|Example Wallpapers
    3|com.android.providers.telephony|Phone/Messaging Storage
    4|com.android.providers.calendar|Calendar Storage
    5|com.android.providers.media|Media Storage
    [.....]
    74|com.android.providers.contacts|Contacts Storage
    75|com.android.captiveportallogin|CaptivePortalLogin
    76|com.android.widgetpreview|Widget Preview

The MY_DOWNLOAD_INFO table keeps track of each advertised application the victim downloads: download URL, success or not, package name, application name, number of retries, etc.
The adware communicates with its remote servers via HTTP. The URLs generally have the following form:

    hxxp://client.adfeiwo.com:9110/terminal/ad/COMMAND.do?params...

For example:

    hxxp://client.adfeiwo.com:9110/terminal/ad/getAdInfo.do?t=...

The communication with the remote servers is encrypted using DES-ECB and a hard-coded password. For example, we decrypted the data which is posted to the remote servers, shown below:

    {
      "ad": {
        "adType": 2,
        "category": 0,
        "lastAdId": 0
      },
      "device": {
        "appKey": "XXX",
        "appList": [
          {
            "appName": "Sound Recorder",
            "packageName": "com.android.soundrecorder"
          },
          {
            "appName": "com.android.sdksetup",
            "packageName": "com.android.sdksetup"
          },
          ...
        ],
        "brand": "unknown",
        "devAppPackage": "org.vv.mathhandbook",
        "imei": "123456789112000",
        "mobileSystem": "android",
        "model": "sdk",
        "network": "3G",
        "operator": "260",
        "phoneNumber": "15555215554",
        "resolution": "768*1184",
        "sdkVersion": "2.1.3",
        "simSerialNum": "89014103211118510720",
        "systemVersion": "4.4.4"
      }
    }

Note the JSON record contains:
- The developer's app key
- The list of applications on the device
- Various device information, such as the IMEI (fake above), the phone number (also fake above) and the SIM serial number
The hard-coded password used to decrypt the JSON data above is itself obfuscated using DES-ECB and another key (the key is different for each package).
    a.y = h.a("D0206CB050220CEA4F1F9BDABB2F8EA4D80089D0A4C2718A9F6EE1EFA6575A469A5B604F13F3CE599FDC5E21C23E29B803CE7C515880C3DF");
    a.z = h.a("D0206CB050220CEA4F1F9BDABB2F8EA4D80089D0A4C2718A9F6EE1EFA6575A461CDA8540F539A533F0E00352D7C3DB7A");
    a.A = h.a("CB2AF10CBF6C0C268DF02204ECC6A59E");
    a.B = h.a("C6B4536A231A14F6");
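As an added illustration (not code from the sample and not Fortinet's own tooling), the following Go program shows the two-layer scheme described above: a per-package key unwraps a hex-encoded, DES-ECB-encrypted C2 password, and that password then decrypts a C2 message. DecryptHexDES plays the role the text assigns to h.a(). It assumes the password is used directly as an 8-byte DES key and that PKCS#5 padding is applied; the package key, password and message are constructed here (BuildSample), not recovered from the sample, and all function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// desECB runs single-DES over every 8-byte block of data independently (ECB,
// no IV), in the direction selected by encrypt. ECB is what the adware uses;
// it is reproduced here for analysis, not as a recommended construction.
func desECB(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key) // key must be exactly 8 bytes
	if err != nil {
		return nil, err
	}
	if len(data)%des.BlockSize != 0 {
		return nil, errors.New("data length is not a multiple of the DES block size")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		} else {
			block.Decrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// pkcs5Pad / pkcs5Unpad implement the padding assumed for the sample.
func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptHexDES mirrors what the text describes h.a() as doing: hex-decode a
// constant, DES-ECB decrypt it with key, strip the padding.
func DecryptHexDES(key []byte, hexBlob string) ([]byte, error) {
	ct, err := hex.DecodeString(hexBlob)
	if err != nil {
		return nil, err
	}
	pt, err := desECB(key, ct, false)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(pt)
}

// RecoverPayload performs the two layers: the per-package key unwraps the
// obfuscated C2 password, which then decrypts a captured C2 message.
func RecoverPayload(packageKey []byte, wrappedPasswordHex, payloadHex string) (string, error) {
	password, err := DecryptHexDES(packageKey, wrappedPasswordHex)
	if err != nil {
		return "", fmt.Errorf("unwrapping password: %w", err)
	}
	msg, err := DecryptHexDES(password, payloadHex)
	if err != nil {
		return "", fmt.Errorf("decrypting payload: %w", err)
	}
	return string(msg), nil
}

// BuildSample builds constructed test material (not values from the sample):
// a wrapped password and an encrypted message, so the decryption path can be
// exercised offline exactly as an analyst would run it on real constants.
func BuildSample() (packageKey []byte, wrappedPasswordHex, payloadHex string) {
	packageKey = []byte("PKGKEY01")                       // constructed 8-byte per-package key
	password := []byte("C2PASS!!")                        // constructed 8-byte C2 password
	msg := []byte(`{"device":{"imei":"000000000000000"}}`) // constructed C2 message
	w, _ := desECB(packageKey, pkcs5Pad(password), true)
	p, _ := desECB(password, pkcs5Pad(msg), true)
	return packageKey, hex.EncodeToString(w), hex.EncodeToString(p)
}

func main() {
	k, w, p := BuildSample()
	msg, err := RecoverPayload(k, w, p)
	fmt.Println(msg, err)
}
```

Against a real sample, the analyst would replace BuildSample's values with the per-package key recovered from the code and the hex constants passed to h.a(); a blob whose length is not a multiple of 8 bytes, or a wrong key, surfaces as a length or padding error rather than silent garbage.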
The adware detects whether it runs on an emulator. For that, it checks for a dummy (all-zero) IMEI or for the emulator build model names "sdk" and "google_sdk":

    // Decompiled output; here "== 0" on a String or boolean means null/false.
    public static boolean a(android.content.Context p4) {
        v2 = 1;
        v0 = p4.getSystemService("phone").getDeviceId();   // IMEI
        if ((v0 == 0) || (v0.equals("000000000000000") == 0)) {
            // IMEI absent or not the all-zero dummy value: fall back to the build model
            if ((android.os.Build.MODEL.equals("sdk") == 0) && (android.os.Build.MODEL.equals("google_sdk") == 0)) {
                v0 = 0;   // neither emulator model name: not an emulator
            } else {
                v0 = 1;
            }
            v2 = v0;
        }
        return v2;   // true when the IMEI is all zeros or the model is sdk/google_sdk
    }
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.