Android/BondPath.A!tr.spy
Analysis
Android/BondPath.A!tr.spy is an advanced spyware for Android mobile devices. It sends an extensive set of information about the device to the remote C&C server:
- device model
- contacts
- Incoming and outgoing SMS
- Call logs
- GPS location
- Audio recording
- Files on the phone
- WhatsApp, Skype, Twitter, Viber, Facebook, BBM chats
- Installed applications
- Emails (Gmail, Hotmail)
- Browser history
- Battery level report
This malware is still active in July 2018.
The malware is typically packaged as com.path.call. Its main activity is com.path.call.MainActivity.
If this is the first launch, the application registers the device with its remote panel and creates a dedicated account with a fake email, e.g. 153181416xxxx@movi333.com. To do so, it posts an HTTP message to hxxp://www.movi333.com/backup/collector/backup.php with:
- type: reguser
- data: information which is AES encrypted and Base64 encoded
- hash: an MD5 hash of data
{"email":"15318141xxx@movi333.com","imei":"358240051xxxx","cmd":"reguser"}

The server answers with a password for this account. Then, at regular intervals, the malware posts an "appconfig" packet:

send req=appconfig;data={"email":"1531xxxx@movi333.com","imei":"358240051xxxxx","pass":"xxxx"}

and occasionally also posts various information such as the installed packages, the SMS list, contacts, etc. From the remote C&C panel, the malware author can request retrieval of specific logs, such as WhatsApp or Facebook chats:

backup : response:{"list":[{"sesid":"32243","cmd":"PULLREQUEST_whatsapplog","data":null}]}
backup : config from server:{"list":[{"sesid":"32243","cmd":"PULLREQUEST_whatsapplog","data":null}]}

The malware runs in the background and does not interact with the victim, who is therefore unlikely to know that the device is infected. However, ps shows the process running:

u0_a79 3951 73 939736 38424 sys_epoll_ 00000000 S com.path.call
u0_a79 3977 73 934496 34116 sys_epoll_ 00000000 S com.path.call:system
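As an added example (not code from this analysis or from the malware), the following Python triages a captured HTTP POST against the registration beacon described above: it checks the C&C endpoint, the type/data/hash field layout, that data is Base64, and that hash equals MD5(data). It assumes the MD5 is computed over the Base64 text as sent; the sample body is constructed and its "ciphertext" bytes are made up, since the AES key is not known.

```python
import base64
import binascii
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Indicators taken from the analysis (URL is defanged as hxxp in the write-up).
C2_HOST = "www.movi333.com"
C2_PATH = "/backup/collector/backup.php"
BEACON_FIELDS = {"type", "data", "hash"}


def is_base64(text: str) -> bool:
    """True if text is strict Base64 (the data field is AES-encrypted, then Base64 encoded)."""
    try:
        base64.b64decode(text, validate=True)
        return bool(text)
    except (binascii.Error, ValueError):
        return False


def classify_post(url: str, body: str) -> dict:
    """Triage one captured POST (URL plus url-encoded body) and report which indicators match."""
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    data = fields.get("data", "")
    # Assumption: the malware hashes the Base64 string exactly as it appears in the request.
    expected_hash = hashlib.md5(data.encode()).hexdigest() if data else None
    checks = {
        "c2_endpoint": parts.hostname == C2_HOST and parts.path == C2_PATH,
        "has_fields": BEACON_FIELDS <= set(fields),
        "data_is_base64": is_base64(data),
        "hash_matches": expected_hash is not None and fields.get("hash", "").lower() == expected_hash,
    }
    return {"type": fields.get("type"), **checks, "bondpath_beacon": all(checks.values())}


# Constructed sample beacon: fake ciphertext, hash computed the way the malware does.
SAMPLE_DATA = base64.b64encode(b"\x00constructed-ciphertext-not-real\xff").decode()
SAMPLE_BODY = urlencode({"type": "reguser", "data": SAMPLE_DATA,
                         "hash": hashlib.md5(SAMPLE_DATA.encode()).hexdigest()})
SAMPLE_URL = "http://www.movi333.com/backup/collector/backup.php"
BENIGN_URL = "http://example.invalid/api/backup.php"  # placeholder, not an indicator

if __name__ == "__main__":
    print(classify_post(SAMPLE_URL, SAMPLE_BODY))
    print(classify_post(BENIGN_URL, SAMPLE_BODY))
```

A proxy or NSM log with the same fields can be fed through classify_post line by line; a hit on every check is a strong match, while a hash mismatch alone suggests a different client using the same endpoint.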
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |