Android/BadMirror.A!tr is a malware which targets Android mobile devices.
It creates a pop up notification bubble with additional APKs for users to download and sends private information of the user's phone to a remote server. ( device board, brand, cpu, imei, imsi, mac, model, etc )
It may also execute commands from the server like downloading an app or viewing a URL.
The malware comes packaged as mobi.upgk1.kcjx.
A pop up notification bubble will appear once the malware parses the JSON object from the server for the APKs that can be downloaded.
In the background, the malware first checks if there is an update to the app. Then it pushes the phone's information to the server. The information includes:
The malware has the potential to execute commands based on the JSON object response from the server like downloading an APK or viewing a URL.
- when a "apk" command is received: "Buffer setted"
- when a SETP command is received: "Number setted". The SMS also contains the phone's IMEI and model.
The malware installs the following files on the device:
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.