Virus

Riskware/SneakFont!Android

Analysis

Riskware/SneakFont!Android is an Android font manager which presents a few risks for the end-user:

  • It sends the end-user's IMEI, IMSI and MAC address in clear text to its servers. The IMSI is used by operators to identify subscribers - this includes billing. The IMEI is used to identify a given phone and in particular to ban stolen phones from the network. The MAC address identifies your network card address. For those reasons, they should not be sent in clear text, nor abused. Additionally, all 3 uniquely identify the end-user and may consequently pose a privacy threat (user's activity being tracked).
  • It downloads fonts preview and fonts to install them on the phone. The fonts are copied on the phone using root permissions. Consequently, there is a risk of downloading and installing infected fonts on the phone.


Technical Details


The riskware comes packaged as com.xinmei365.font. Newer instances of the package are available on Google Play and may present some or all of the security issues mentioned here.
The main activity is com.xinmei365.font.LauncherActivity.
The riskware defines 2 receivers: u'com.xinmei365.font.receiver.InstallFontApkReceiver', u'com.xinmei365.font.receiver.DownloadFontReceiver'.
The riskware defines 1 services: u'com.umeng.common.net.DownloadingService'.
The riskware retrieves the IMEI, IMSI and MAC address of the phone. That information is obviously used as a client identifier in the form of :
IMEI_IMSI_MAC
and posted to hxxp://XXXXXXinmei365.com/Fonts/fontservlet:
POST /Fonts/fontservlet HTTP/1.1
Accept-Encoding: gzip
Content-Length: 263
Content-Type: application/x-www-form-urlencoded
Host: XXXXXXinmei365.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

param=undefined7Bundefined22packageundefined22undefined3Aundefined22com.xinmei365.font
undefined22undefined2Cundefined22typeundefined22undefined3Aundefined22apkundefined22undefined2Cundefined22channel
undefined22undefined3Aundefined226f4937b0-9ffc-4ac7-bff1-845e8800dc6b-font
undefined22undefined2Cundefined22manufacturerundefined22undefined3Aundefined22unknownundefined22undefined2C
undefined22clientIdundefined22undefined3Aundefined22000000000000000_310260000000000_null
undefined22undefined2Cundefined22versionundefined22undefined3A37
Depending on user actions, other URLs are also contacted and may contain the information above:
  • hxxp://XXXXXXinmei365.com/Fonts/plug
  • hxxp://XXXXXXinmei365.com/Fonts/software
  • hxxp://XXXXXXinmei365.com/Fonts/fontservlet
  • hxxp://XXXXXXinmei365.com:9990/push-api/Recommend?packageName=
  • hxxp://XXXXXXinmei365.com:9080/operate/ttf/software.txt
  • hxxp://XXXXXXi.com/redirect.php?do=dlapk&puid=645
  • hxxp://XXXXXXpk.com/Download.aspx?aid=209&sc=1
The application also reads from its assets a 'software.txt' file (the file is localized, so depending on user's language, the app may be reading software_en.txt or other). This file contains software the app is interested by with the format:
Software Id, Software name, Software Package Name, Software's Main Activity
Those pieces of software may be downloaded by the application if required, and thus, may put the phone at risk.
The riskware installs the following files on the device:
  • ./pinyindb/unicode_to_hanyu_pinyin.txt
  • ./pinyindb/pinyin_gwoyeu_mapping.xml
  • ./pinyindb/pinyin_mapping.xml
  • ./AndroidManifest.xml
  • several resources
  • ./lib/armeabi/libdatacenter.so
  • ./assets/software_ko.txt
  • ./assets/software.txt
  • ./assets/plugin
  • ./assets/ads_en.txt
  • ./assets/software_ja.txt
  • ./assets/ads_ja.txt
  • ./assets/software_en.txt
  • ./assets/ads.txt
  • ./assets/ads_ko.txt
  • ./assets/zh2Hans.properties
  • ./assets/zh2Hant.properties
  • ./assets/html/help.html
  • ./assets/html/help_ja.html
  • ./assets/html/help_tw.html
  • ./assets/html/help_ko.html
  • ./assets/html/help_zh.html
  • ./classes.dex
  • ./META-INF/CERT.SF
  • ./META-INF/CERT.RSA
  • ./META-INF/MANIFEST.MF
  • ./resources.arsc
The applications uses the external SDK Umeng. Note this SDK sends the phone's IMEI, country, device model, timezone, SDK type, carrier, language and latitude. The riskware asks for the following permissions:
  • Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi.
  • ACCESS_WIFI_STATE
  • INTERNET

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.