Virus

Android/BondPath.A!tr.spy

Analysis

Android/BondPath.A!tr.spy is an advanced spyware for Android mobile devices. It sends an extensive set of information about the device to its remote C&C server:

  • Device model
  • Contacts
  • Incoming and outgoing SMS
  • Call logs
  • GPS location
  • Audio recordings
  • Files on the phone
  • WhatsApp, Skype, Twitter, Viber, Facebook and BBM chats
  • Installed applications
  • Emails (Gmail, Hotmail)
  • Browser history
  • Battery level report

The malware poses as a Google Play Services application. When the user taps the application's icon, the malware launches and removes the icon, as if the application had been uninstalled. In reality, the application keeps running in the background and regularly posts information over HTTP.
This malware is still active in July 2018.
The malware is typically packaged as com.path.call. Its main activity is com.path.call.MainActivity.
On first launch, the application registers the device with its remote panel and creates a dedicated account with a fake email address, e.g. 153181416xxxx@movi333.com. To do so, it posts an HTTP message to hxxp://www.movi333.com/backup/collector/backup.php with:
  • type: reguser
  • data: the payload, AES encrypted and then Base64 encoded
  • hash: an MD5 hash of data
For registration, the data is a JSON object such as the following:
{"email":"15318141xxx@movi333.com","imei":"358240051xxxx","cmd":"reguser"}
The server replies with a password for this account. The malware then regularly posts an "appconfig" packet:
send req=appconfig;data={"email":"1531xxxx@movi333.com","imei":"358240051xxxxx","pass":"xxxx"}
and occasionally also posts other information such as the list of installed packages, SMS, contacts, etc. From the remote C&C panel, the malware author can request specific logs, such as WhatsApp or Facebook chats:
backup  : response:{"list":[{"sesid":"32243","cmd":"PULLREQUEST_whatsapplog","data":null}]}
backup  : config from server:{"list":[{"sesid":"32243","cmd":"PULLREQUEST_whatsapplog","data":null}]}
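The type/data/hash envelope described above is a useful network indicator on its own, independent of the AES key (which this analysis does not give). The following is an added example, not Fortinet's code or anything taken from the malware: it inspects captured HTTP POST requests as (URL, body) pairs and reports which of the indicators from this analysis they match. It assumes the three fields travel as a URL-encoded form body and that the MD5 is computed over the Base64 text exactly as sent; the sample traffic is constructed for the example and is not a real capture.

```python
import base64
import binascii
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Indicators taken from the analysis above.
C2_HOST = "www.movi333.com"
C2_PATH = "/backup/collector/backup.php"
ENVELOPE_FIELDS = {"type", "data", "hash"}


def envelope_matches(fields):
    """True if the parsed body carries the type/data/hash envelope:
    'data' must be valid Base64 and 'hash' the MD5 hex digest of the 'data'
    string. Assumption: the MD5 covers the Base64 text exactly as sent."""
    if not ENVELOPE_FIELDS <= fields.keys():
        return False
    data = fields["data"]
    try:
        base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    return hashlib.md5(data.encode("ascii")).hexdigest() == fields["hash"].lower()


def inspect_post(url, body):
    """Return the list of indicators matched by one HTTP POST.
    An empty list means the request shows none of this family's traits."""
    hits = []
    parts = urlsplit(url)
    if parts.hostname == C2_HOST:
        hits.append("host: known C&C " + C2_HOST)
    if parts.path == C2_PATH:
        hits.append("path: collector endpoint " + C2_PATH)
    # Assumed form encoding; keep_blank_values so empty fields still surface.
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if envelope_matches(fields):
        hits.append("body: type/data/hash envelope, type=" + fields["type"])
    return hits


def scan(requests):
    """Run inspect_post over (url, body) pairs and keep only the ones with hits."""
    return [(url, hits) for url, body in requests if (hits := inspect_post(url, body))]


def constructed_envelope(type_, ciphertext):
    """Build a body in the envelope layout for test data only. `ciphertext`
    stands in for the AES output (the key is unknown) and is Base64-encoded."""
    data = base64.b64encode(ciphertext).decode("ascii")
    digest = hashlib.md5(data.encode("ascii")).hexdigest()
    return urlencode({"type": type_, "data": data, "hash": digest})


# Constructed sample traffic (not a real capture).
SAMPLE_REQUESTS = [
    # registration beacon to the known collector: host, path and envelope all match
    ("http://www.movi333.com/backup/collector/backup.php",
     constructed_envelope("reguser", b"\x8a\x11stand-in ciphertext bytes\xfe")),
    # same endpoint but a malformed body: host and path only
    ("http://www.movi333.com/backup/collector/backup.php",
     "type=reguser&data=not%20base64!!&hash=00000000000000000000000000000000"),
    # unrelated login form: nothing matches
    ("https://example.org/api/login", urlencode({"user": "alice", "pass": "hunter2"})),
    # same envelope and path on another host, as a moved C&C would look
    ("https://cdn.example.net/backup/collector/backup.php",
     constructed_envelope("appconfig", b"\x01\x02\x03")),
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS):
        print(url)
        for hit in hits:
            print("   ", hit)
```

Matching on the envelope rather than only on the hostname keeps the detection useful if the operator moves the collector to a new domain, as the fourth constructed request illustrates.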
The malware runs in the background and does not interact with the victim, who is therefore unlikely to notice that the device is infected. However, ps shows the processes running:
u0_a79    3951  73    939736 38424 sys_epoll_ 00000000 S com.path.call
u0_a79    3977  73    934496 34116 sys_epoll_ 00000000 S com.path.call:system
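As an added example (not part of this analysis), the function below parses the nine-column output of the Android toolbox ps command shown above (USER PID PPID VSIZE RSS WCHAN PC S NAME) and reports every process belonging to the com.path.call package, including secondary processes such as com.path.call:system. The ps listing it runs on is constructed from the two lines above plus a few benign entries.

```python
import re

# Package name from the analysis above; secondary processes appear as name:suffix.
SUSPECT_PACKAGE = "com.path.call"

# Nine columns of Android's toolbox ps: USER PID PPID VSIZE RSS WCHAN PC S NAME
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<vsize>\d+)\s+(?P<rss>\d+)"
    r"\s+(?P<wchan>\S+)\s+(?P<pc>[0-9a-fA-F]+)\s+(?P<state>[A-Z])\s+(?P<name>\S+)$"
)


def parse_ps(text):
    """Turn ps output into a list of dicts; the header and unparseable lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pid", "ppid", "vsize", "rss"):
            rec[key] = int(rec[key])
        # The package is the process name up to the optional ':suffix'.
        rec["package"] = rec["name"].split(":", 1)[0]
        procs.append(rec)
    return procs


def find_suspect_processes(text, package=SUSPECT_PACKAGE):
    """Return (pid, name, state) for every process of the given package."""
    return [(p["pid"], p["name"], p["state"])
            for p in parse_ps(text) if p["package"] == package]


# Constructed ps listing: the two lines from the analysis plus benign processes.
SAMPLE_PS = """\
USER      PID   PPID  VSIZE  RSS   WCHAN      PC         NAME
root      1     0     8876   736   SyS_epoll_ 00000000 S /init
u0_a12    2210  73    912344 40120 sys_epoll_ 00000000 S com.android.systemui
u0_a79    3951  73    939736 38424 sys_epoll_ 00000000 S com.path.call
u0_a79    3977  73    934496 34116 sys_epoll_ 00000000 S com.path.call:system
u0_a80    4010  73    901200 30111 sys_epoll_ 00000000 S com.path.callback
"""

if __name__ == "__main__":
    for pid, name, state in find_suspect_processes(SAMPLE_PS):
        print(f"pid {pid:<6} state {state}  {name}")
```

Matching on the package prefix before the colon, rather than on a substring, is what keeps the unrelated com.path.callback entry out of the results while still catching the :system process.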

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.