Riskware/InnerSnail!Android

Analysis

Riskware/InnerSnail!Android is riskware that leaks the device's IMEI and IMSI to a remote web server.
The leaking code is not in the main package but in a second executable embedded in the application and loaded at runtime.


Technical Details


The risky behaviour is not in the main package's classes.dex but in a second executable that the riskware ships as an asset under a misleading name:
assets/snail/a4.b2
At runtime this file is copied to /data/data/com.xcdfw.ftsdgeal/files/.snail_data/.a4.b2.zip (a dot-prefixed directory and file name, so it does not show in a plain directory listing) and loaded with DexClassLoader.
The inner DEX contacts live.updates.com.cn and posts the device's IMEI and IMSI, base64-encoded, in an HTTP Authorization header:
Authorization header: MzEwMjYwMDAwMDAwMDAwOjg3NzY5OTk3ODYzMzc4OQ==
Decoded from base64: 310260000000000:877699978633789 (two 15-digit identifiers separated by a colon)
The sample is packaged as com.xcdfw.ftsdgeal. The riskware uses XXTEA for its communication with the remote server.
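The two checks an analyst would automate from the details above are (1) finding assets whose content is a DEX or ZIP container even though the file name says otherwise, including a DEX nested inside such a ZIP as with a4.b2, and (2) decoding a base64 Authorization value and testing it for the "digits:digits" identifier pair. The script below is an added example written for this page; it is not Fortinet's tooling or the sample's code. The APK it inspects is constructed in memory (a stub classes.dex, one PNG and an inner ZIP at assets/snail/a4.b2), and the header value is the one quoted above. Note that the first decoded field begins with 310260, an MCC/MNC prefix (310 is the US country code), which is consistent with it being the IMSI; the analysis above does not state the field order, so treat that reading as the example's assumption.

```python
"""Triage helpers for the InnerSnail pattern (added example, not the sample's code).

Two independent checks:
  * find_hidden_code   - assets that are DEX/ZIP by magic bytes but not by name,
                         recursing into ZIP assets to catch a nested classes.dex
  * decode_id_header   - base64 Authorization value carrying '<digits>:<digits>'
"""
import base64
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Leading bytes of the two containers a hidden payload is normally packed in.
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
# Names that already advertise code; anything else carrying DEX/ZIP is suspicious.
CODE_EXTENSIONS = (".dex", ".zip", ".jar", ".apk")
# IMEI and IMSI are 15 digits; the range also admits a 14-digit IMEI without
# its check digit and a 16-digit IMEISV.
ID_PAIR = re.compile(rb"(\d{14,16}):(\d{14,16})")


def classify_blob(data: bytes) -> str:
    """Identify a blob by its magic bytes only, ignoring the file name."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def find_hidden_code(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """Report assets that are DEX or ZIP containers under a non-code file name.

    A ZIP asset is opened and each DEX member reported as 'asset!member', which
    is how a ZIP-wrapped inner DEX such as snail/a4.b2 surfaces.
    """
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/") or name.lower().endswith(CODE_EXTENSIONS):
                continue
            data = apk.read(name)
            kind = classify_blob(data)
            if kind == "other":
                continue
            hits.append((name, kind))
            if kind == "zip":
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    for member in inner.namelist():
                        if classify_blob(inner.read(member)) == "dex":
                            hits.append((f"{name}!{member}", "dex"))
    return hits


def decode_id_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Base64-decode an Authorization value; return the (first, second) identifier
    pair when it has the '<digits>:<digits>' shape seen in the sample, else None.
    Ordinary schemes such as 'Basic dXNlcjpwYXNz' fail strict decoding and yield None."""
    try:
        raw = base64.b64decode(header_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    match = ID_PAIR.fullmatch(raw)
    if match is None:
        return None
    return match.group(1).decode(), match.group(2).decode()


def build_sample_apk() -> bytes:
    """Constructed stand-in for the sample, not the real APK: a stub classes.dex,
    one PNG asset, and an inner ZIP at assets/snail/a4.b2 that wraps a DEX header."""
    stub_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", stub_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", stub_dex)
        z.writestr("assets/close_btn.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("assets/snail/a4.b2", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, kind in find_hidden_code(build_sample_apk()):
        print(f"hidden code: {path} ({kind})")
    print("identifiers:", decode_id_header("MzEwMjYwMDAwMDAwMDAwOjg3NzY5OTk3ODYzMzc4OQ=="))
```

To run it against a real APK, replace build_sample_apk() with the bytes of the file. The extension filter is what keeps assets/feiwo_simg.jar (a legitimately named archive) out of the report; drop CODE_EXTENSIONS from the check to list every code-carrying asset instead.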
The APK contains the following files:
  • ./assets/feiwo_recommend_check_false.png
  • ./assets/feiwo_interstitial_close.png
  • ./assets/feiwo_recommend_da_details_line.png
  • ./assets/snail/a4.b2
  • ./assets/feiwo_recommend_check_true.png
  • ./assets/feiwo_la_da_horizontal_line.png
  • ./assets/feiwo_recommend_rloding_1.png
  • ./assets/feiwo_interstitial_dl_pressed.png
  • ./assets/qzres.bin
  • ./assets/feiwo_recommend_rloding_4.png
  • ./assets/feiwo_simg.jar
  • ./assets/close_btn.png
  • ./assets/feiwo_interstitial_dl_normal.png
  • ./assets/feiwo_recommend_rloding_2.png
  • ./assets/feiwo_recommend_surprise.png
  • ./assets/feiwo_recommend_loadfaild_icon.png
  • ./assets/feiwo_recommend_right_arrow.png
  • ./assets/feiwo_recommend_rloding_3.png
  • ./assets/feiwo_recommend_safety_certification.png
  • ./assets/feiwo_la_title_back.png
  • ./AndroidManifest.xml
  • ./resources.arsc
  • ./META-INF/CERT.RSA
  • ./META-INF/MANIFEST.MF
  • ./META-INF/CERT.SF
  • ./classes.dex
  • ./res/layout/info_pay.xml
  • ./res/layout/vfw_dialog.xml
  • ./res/layout/vfw_show_box.xml
  • ./res/layout/vfw_widget_layout.xml
  • ./res/layout/overlay.xml
  • ./res/layout/vfw_show_box_item.xml
  • ./res/layout/custom_notification.xml
  • ./res/layout/info_pay_amazon.xml
  • ./res/layout/info_free.xml
  • ./res/layout/activity_main.xml
  • ./res/layout/info_free_amazon.xml
  • ./res/anim/vfw_alpha_action.xml
  • ./res/drawable/vfw_fine_bt.xml
  • ...
It uses external SDKs, such as:
  • Android Support v4 (not malicious)
  • Feiwo: an advertising SDK known for aggressive advertising
The riskware requests the following permissions:
  • A location permission (described as: allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi)
  • CHANGE_WIFI_STATE
  • ACCESS_WIFI_STATE
  • INTERNET
  • VIBRATE

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.