Riskware/InnerSnail!Android
Analysis
Riskware/InnerSnail!Android is riskware that leaks the device's IMEI and IMSI to a remote web server.
The leaking code is not in the main package: it lives in an inner executable (a second DEX file) that the application hides in its assets and loads at runtime.
Technical Details
The risky behaviour is not in the main package itself, but in a hidden application that the riskware carries in its assets under an innocuous name:
assets/snail/a4.b2
This file is copied to /data/data/com.xcdfw.ftsdgeal/files/.snail_data/.a4.b2.zip and loaded with DexClassLoader. The .b2 extension disguises the archive, and the dot-prefixed directory and file name keep it out of a default directory listing.
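The following triage script is an added example, not code from this page or from the sample: it opens an APK, flags any asset whose content is a DEX file or a ZIP containing one regardless of its extension (the disguise used for assets/snail/a4.b2), and checks whether the main classes.dex references DexClassLoader, the combination that indicates runtime loading of hidden code. The APK it scans is constructed in memory so the script runs offline; only the asset path and the package name come from the write-up, the file contents are made up.

```python
"""Triage helper: find loadable payloads hidden under innocuous asset names.

Added example (not the page's or the sample's code). The APK is built in
memory; the asset name snail/a4.b2 and the package name come from the
write-up, everything else is constructed.
"""
import io
import zipfile

# Magic bytes identify the real content regardless of the file extension.
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
PNG_MAGIC = b"\x89PNG"

# Class reference that a DEX using dalvik.system.DexClassLoader contains.
LOADER_MARKER = b"Ldalvik/system/DexClassLoader;"


def classify(data):
    """Return 'dex', 'zip-with-dex', 'zip', 'png' or 'unknown' for a blob."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if any(n.endswith(".dex") for n in inner.namelist()):
                    return "zip-with-dex"
        except zipfile.BadZipFile:
            pass  # looks like a ZIP header but is not a readable archive
        return "zip"
    if data.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def find_hidden_payloads(apk_bytes):
    """List (asset path, detected type) for assets that are really DEX or ZIP+DEX."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/"):
                continue
            kind = classify(apk.read(name))
            if kind in ("dex", "zip-with-dex"):
                hits.append((name, kind))
    return hits


def uses_runtime_loader(apk_bytes):
    """True if the main classes.dex references DexClassLoader (strings are stored uncompressed in DEX)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return LOADER_MARKER in apk.read("classes.dex")


def build_sample_apk():
    """Constructed stand-in for the com.xcdfw.ftsdgeal APK (not the real file)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + LOADER_MARKER + b"\x00" * 16)
        z.writestr("assets/snail/a4.b2", inner.getvalue())          # the disguised jar
        z.writestr("assets/feiwo_interstitial_close.png",
                   PNG_MAGIC + b"\r\n\x1a\n" + b"\x00" * 16)        # a genuine image
        z.writestr("assets/qzres.bin", b"\x01\x02\x03\x04")          # opaque, not loadable
    return outer.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for path, kind in find_hidden_payloads(apk):
        print("hidden payload: %s (%s)" % (path, kind))
    print("main DEX references DexClassLoader:", uses_runtime_loader(apk))
```

Run it against a real APK by replacing build_sample_apk() with the file's bytes; a hit from find_hidden_payloads together with uses_runtime_loader being true is the pattern described above and is worth a closer look at the loader's call site.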
This inner DEX contacts live.updates.com.cn and POSTs both the IMEI and the IMSI, base64-encoded, in the Authorization header:
Authorization header: MzEwMjYwMDAwMDAwMDAwOjg3NzY5OTk3ODYzMzc4OQ==
The header decoded with base64: 310260000000000:877699978633789 (the two identifiers separated by a colon)
This header is only encoded, not encrypted, so the identifiers can be read straight out of a traffic capture. Beyond this header, the riskware uses XXTEA for its communication with the remote server. The sample comes packaged as com.xcdfw.ftsdgeal.
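The script below is an added example, not the riskware's own code, for working with the traffic side of this sample: it decodes the Authorization header quoted above into its two identifiers, and it carries a reference XXTEA (corrected block TEA) implementation for decrypting the rest of the exchange once the key has been pulled from the inner DEX. The write-up gives neither the key nor the message framing, so the 16-byte key, the little-endian word order and the zero-padding used here are assumptions and the encrypted body is constructed.

```python
"""Decode the identifier header and XXTEA-protected bodies from the sample's traffic.

Added example, not the riskware's code. The header value is the one quoted
above. The key, little-endian word order and zero-padding are assumptions;
recover the real key and framing from the inner DEX before using this on a
capture.
"""
import base64
import re
import struct

# Two 15-digit identifiers separated by a colon, as in the decoded header.
IDENT_RE = re.compile(r"^(\d{15}):(\d{15})$")


def decode_auth_header(value):
    """Return the identifier pair from a base64 Authorization header, or None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    m = IDENT_RE.match(text)
    return (m.group(1), m.group(2)) if m else None


# XXTEA (corrected block TEA, Wheeler & Needham 1998) over 32-bit words.
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, k):
    v, n = list(v), len(v)
    rounds, s, z = 6 + 52 // n, 0, v[-1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = z = (v[p] + _mx(s, y, z, p, e, k)) & MASK
        y = v[0]
        v[-1] = z = (v[-1] + _mx(s, y, z, n - 1, e, k)) & MASK
    return v


def xxtea_decrypt_words(v, k):
    v, n = list(v), len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = y = (v[p] - _mx(s, y, z, p, e, k)) & MASK
        z = v[-1]
        v[0] = y = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        s = (s - DELTA) & MASK
    return v


def _words(data):
    """Assumed framing: little-endian 32-bit words."""
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def xxtea_encrypt(plaintext, key):
    """Zero-pad to a multiple of 4 bytes, minimum 8 (XXTEA needs two words)."""
    if len(key) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    padded = plaintext + b"\x00" * max(-len(plaintext) % 4, 8 - len(plaintext))
    words = xxtea_encrypt_words(_words(padded), _words(key))
    return struct.pack("<%dI" % len(words), *words)


def xxtea_decrypt(ciphertext, key):
    """Inverse of xxtea_encrypt; strips the assumed zero padding."""
    if len(key) != 16 or len(ciphertext) % 4 or len(ciphertext) < 8:
        raise ValueError("bad key or ciphertext length")
    words = xxtea_decrypt_words(_words(ciphertext), _words(key))
    return struct.pack("<%dI" % len(words), *words).rstrip(b"\x00")


if __name__ == "__main__":
    print(decode_auth_header("MzEwMjYwMDAwMDAwMDAwOjg3NzY5OTk3ODYzMzc4OQ=="))
    key = b"0123456789abcdef"                          # placeholder, not the sample's key
    body = b"id=310260000000000:877699978633789&v=1"  # constructed request body
    ct = xxtea_encrypt(body, key)
    print(ct.hex())
    print(xxtea_decrypt(ct, key))
```

decode_auth_header rejects anything that is not valid base64 or does not decode to the identifier pair, so it can be run over every Authorization header in a capture to pick out this sample's beacons. If a decrypted body comes back as garbage with a key taken from the DEX, try the other word order before doubting the key: Android XXTEA libraries differ on endianness and on how they store the plaintext length.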
The package (com.xcdfw.ftsdgeal) contains the following files:
- ./assets/feiwo_recommend_check_false.png
- ./assets/feiwo_interstitial_close.png
- ./assets/feiwo_recommend_da_details_line.png
- ./assets/snail/a4.b2
- ./assets/feiwo_recommend_check_true.png
- ./assets/feiwo_la_da_horizontal_line.png
- ./assets/feiwo_recommend_rloding_1.png
- ./assets/feiwo_interstitial_dl_pressed.png
- ./assets/qzres.bin
- ./assets/feiwo_recommend_rloding_4.png
- ./assets/feiwo_simg.jar
- ./assets/close_btn.png
- ./assets/feiwo_interstitial_dl_normal.png
- ./assets/feiwo_recommend_rloding_2.png
- ./assets/feiwo_recommend_surprise.png
- ./assets/feiwo_recommend_loadfaild_icon.png
- ./assets/feiwo_recommend_right_arrow.png
- ./assets/feiwo_recommend_rloding_3.png
- ./assets/feiwo_recommend_safety_certification.png
- ./assets/feiwo_la_title_back.png
- ./AndroidManifest.xml
- ./resources.arsc
- ./META-INF/CERT.RSA
- ./META-INF/MANIFEST.MF
- ./META-INF/CERT.SF
- ./classes.dex
- ./res/layout/info_pay.xml
- ./res/layout/vfw_dialog.xml
- ./res/layout/vfw_show_box.xml
- ./res/layout/vfw_widget_layout.xml
- ./res/layout/overlay.xml
- ./res/layout/vfw_show_box_item.xml
- ./res/layout/custom_notification.xml
- ./res/layout/info_pay_amazon.xml
- ./res/layout/info_free.xml
- ./res/layout/activity_main.xml
- ./res/layout/info_free_amazon.xml
- ./res/anim/vfw_alpha_action.xml
- ./res/drawable/vfw_fine_bt.xml
- ...
The package embeds the following third-party libraries:
- Android Support v4 (not malicious)
- Feiwo: an advertising SDK known for aggressive advertisement
The package requests the following permissions:
- A location permission, described as: allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi.
- CHANGE_WIFI_STATE
- ACCESS_WIFI_STATE
- INTERNET
- VIBRATE
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.