Riskware/SneakFont!Android
Analysis
Riskware/SneakFont!Android is an Android font manager which presents a few risks for the end-user:
- It sends the end-user's IMEI, IMSI and MAC address in clear text to its servers. The IMSI is used by operators to identify subscribers, including for billing. The IMEI identifies a given handset and is used in particular to ban stolen phones from the network. The MAC address identifies the phone's network interface. For those reasons, none of them should be sent in clear text or exposed to misuse. Additionally, all three uniquely identify the end-user and consequently pose a privacy threat (the user's activity can be tracked across sessions and services).
- It downloads font previews and font files and installs them on the phone. The fonts are copied onto the phone using root permissions. Consequently, there is a risk of downloading and installing tampered or infected fonts, and of doing so with root privileges.
Technical Details
The riskware comes packaged as com.xinmei365.font. Newer instances of the package are available on Google Play and may present some or all of the security issues mentioned here.
The main activity is com.xinmei365.font.LauncherActivity.
The riskware defines 2 receivers:
- com.xinmei365.font.receiver.InstallFontApkReceiver
- com.xinmei365.font.receiver.DownloadFontReceiver
The riskware defines 1 service:
- com.umeng.common.net.DownloadingService
The riskware retrieves the IMEI, IMSI and MAC address of the phone. This information is used as a client identifier of the form IMEI_IMSI_MAC and posted to hxxp://XXXXXXinmei365.com/Fonts/fontservlet:
POST /Fonts/fontservlet HTTP/1.1
Accept-Encoding: gzip
Content-Length: 263
Content-Type: application/x-www-form-urlencoded
Host: XXXXXXinmei365.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

param=%7B%22package%22%3A%22com.xinmei365.font%22%2C%22type%22%3A%22apk%22%2C%22channel%22%3A%226f4937b0-9ffc-4ac7-bff1-845e8800dc6b-font%22%2C%22manufacturer%22%3A%22unknown%22%2C%22clientId%22%3A%22000000000000000_310260000000000_null%22%2C%22version%22%3A37
In this capture the clientId field reads 000000000000000_310260000000000_null: a zero IMEI, the IMSI, and a null MAC (the MAC is null when it cannot be read, for instance with Wi-Fi disabled). The param value is a URL-encoded JSON object, so the identifiers travel in clear text with only percent-encoding applied. Depending on user actions, other URLs are also contacted and may carry the same information:
- hxxp://XXXXXXinmei365.com/Fonts/plug
- hxxp://XXXXXXinmei365.com/Fonts/software
- hxxp://XXXXXXinmei365.com/Fonts/fontservlet
- hxxp://XXXXXXinmei365.com:9990/push-api/Recommend?packageName=
- hxxp://XXXXXXinmei365.com:9080/operate/ttf/software.txt
- hxxp://XXXXXXi.com/redirect.php?do=dlapk&puid=645
- hxxp://XXXXXXpk.com/Download.aspx?aid=209&sc=1
The software list retrieved by the application has the following fields per entry: Software Id, Software name, Software Package Name, Software's Main Activity. Those pieces of software may be downloaded by the application if required, and thus may put the phone at risk.
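As an added example (not code from the original entry, nor from the app), the following Python parses the fontservlet POST body shown above, decodes the URL-encoded JSON in the param field, and checks the clientId against the IMEI_IMSI_MAC layout described in this analysis. The sample body is the captured request rejoined onto one line and is truncated after "version":37 exactly as in the capture, so the parser falls back to regex extraction when json.loads fails. The Luhn check and the zero-IMEI placeholder test are heuristics added here to tell a real handset identifier from an emulator or missing-radio value; the regular expression for the MAC format is an assumption about how the app would format a real address.

```python
"""Parse a captured fontservlet POST body and flag leaked device identifiers."""
import json
import re
from urllib.parse import parse_qs

# Constructed sample: the POST body from the capture above, rejoined onto one
# line. It is truncated after "version":37, so the JSON object never closes.
CAPTURED_BODY = (
    "param=%7B%22package%22%3A%22com.xinmei365.font%22%2C%22type%22%3A%22apk%22"
    "%2C%22channel%22%3A%226f4937b0-9ffc-4ac7-bff1-845e8800dc6b-font%22%2C"
    "%22manufacturer%22%3A%22unknown%22%2C%22clientId%22%3A"
    "%22000000000000000_310260000000000_null%22%2C%22version%22%3A37"
)

# clientId layout from the analysis: IMEI_IMSI_MAC, any part may be "null".
# The colon-separated MAC form is an assumption about non-null values.
CLIENT_ID_RE = re.compile(
    r"^(?P<imei>\d{15}|null)_(?P<imsi>\d{15}|null)_"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}|null)$"
)


def decode_param(body: str) -> dict:
    """Return the JSON object carried in the 'param' form field.

    Falls back to key/value extraction when the JSON is cut off, as it is in
    the capture, so a truncated pcap still yields the fields that survived.
    """
    fields = parse_qs(body, keep_blank_values=True)
    raw = fields.get("param", [""])[0]
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        out = {}
        for key, value, string_value in re.findall(
            r'"([^"]+)"\s*:\s*("([^"]*)"|\d+)', raw
        ):
            out[key] = string_value if value.startswith('"') else int(value)
        return out


def luhn_ok(digits: str) -> bool:
    """IMEI check digit (Luhn). An all-zero string passes trivially."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def analyse_client_id(client_id: str) -> dict:
    """Split IMEI_IMSI_MAC and report which identifiers are exposed."""
    m = CLIENT_ID_RE.match(client_id)
    if not m:
        return {"format_ok": False}
    imei, imsi, mac = m.group("imei"), m.group("imsi"), m.group("mac")
    return {
        "format_ok": True,
        "imei": None if imei == "null" else imei,
        "imsi": None if imsi == "null" else imsi,
        "mac": None if mac == "null" else mac.lower(),
        # A zero IMEI is a placeholder (emulator / no radio), not a handset.
        "imei_is_real": imei != "null" and imei != "0" * 15 and luhn_ok(imei),
        # The MCC is always the first three IMSI digits; MNC length varies.
        "mcc": None if imsi == "null" else imsi[:3],
    }


def flag_leak(body: str) -> dict:
    """End to end: decode the form body, pull clientId, classify the leak."""
    param = decode_param(body)
    report = analyse_client_id(param.get("clientId", ""))
    report["package"] = param.get("package")
    report["leaks_identifiers"] = report.get("format_ok", False) and any(
        report.get(k) for k in ("imei", "imsi", "mac")
    )
    return report


if __name__ == "__main__":
    print(json.dumps(flag_leak(CAPTURED_BODY), indent=2))
```

Run against the capture above, flag_leak reports format_ok true, an IMSI of 310260000000000 (MCC 310) and a zero IMEI that fails the placeholder test, so leaks_identifiers is true even though the IMEI itself is not a real handset identifier. The same function can be pointed at the bodies of the other URLs listed above to confirm which of them carry the clientId.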
The riskware package (APK) contains the following files:
- ./pinyindb/unicode_to_hanyu_pinyin.txt
- ./pinyindb/pinyin_gwoyeu_mapping.xml
- ./pinyindb/pinyin_mapping.xml
- ./AndroidManifest.xml
- several resources
- ./lib/armeabi/libdatacenter.so
- ./assets/software_ko.txt
- ./assets/software.txt
- ./assets/plugin
- ./assets/ads_en.txt
- ./assets/software_ja.txt
- ./assets/ads_ja.txt
- ./assets/software_en.txt
- ./assets/ads.txt
- ./assets/ads_ko.txt
- ./assets/zh2Hans.properties
- ./assets/zh2Hant.properties
- ./assets/html/help.html
- ./assets/html/help_ja.html
- ./assets/html/help_tw.html
- ./assets/html/help_ko.html
- ./assets/html/help_zh.html
- ./classes.dex
- ./META-INF/CERT.SF
- ./META-INF/CERT.RSA
- ./META-INF/MANIFEST.MF
- ./resources.arsc
The riskware requests the following permissions:
- Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi.
- ACCESS_WIFI_STATE (needed to read the Wi-Fi MAC address sent as part of the client identifier)
- INTERNET
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.