Virus

Android/Ztorg.A!tr

Analysis

Android/Ztorg.A!tr is a piece of malware targeting Android mobile phones.
It is contained in encrypted form within the Android/Shedun.I!tr malware and, when launched, installs an adware package on the victim's phone.
It makes use of Device Administrator privileges to make uninstallation difficult.
It kills running processes on the device and is also capable of creating shortcuts on the infected phone.
It also decrypts and loads an adware package on the device.

This malware is generally present in encrypted form as the package 'protect.apk' within Android/Shedun.I!tr. After being loaded by Android/Shedun.I!tr, it performs the following functions:

  • Upon the first launch, a new user registration is sent to the website
    hxxp://XXX.hdyfhpoi.com/[REMOVED]/download/app
    in the form of a POST request containing parameters such as Android version, App ID, IMSI, IMEI, CPU information (name and number of cores), package name, WiFi connection state, MAC address, SD card size, internal memory size, phone screen resolution, etc.
  • It also requests Device Administrator privileges from the user, thereby making its uninstallation difficult.
  • Next, it kills processes associated with certain packages (except for those listed in a 'keepApps' list inside the malware). It also creates application shortcuts on the infected phone.
  • Finally, it XOR-decrypts the file 'import.apk' (an adware package) from its dropper package's assets and saves it to the SD card on the device.
  • The decrypted package is then loaded using Android's DexClassLoader API.
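The last two steps describe an XOR-encrypted APK asset that is only decrypted at run time, so static scanning of the dropper sees opaque bytes. The following triage helper, added here as an example and not code from the page or from the malware, shows how an analyst can recover a single-byte XOR key by testing candidate keys against the ZIP/APK magic header and then list the embedded package's entries. The sample blob and the key 0x5A are constructed for the example; the page does not state the real key or key length.

```python
import io
import zipfile
from typing import List, Optional

# Every APK is a ZIP archive, so a correctly decrypted asset starts with this signature.
ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Return the key under which the blob's first 4 bytes become the ZIP magic, else None.

    Only single-byte keys are tried here (an assumption for the example); a longer
    repeating key would need one candidate byte per key position.
    """
    for key in range(256):
        if xor_bytes(blob[:4], key) == ZIP_MAGIC:
            return key
    return None


def list_decrypted_apk_entries(blob: bytes) -> List[str]:
    """Recover the key, decrypt the asset and list the embedded package's file names.

    Returns an empty list when no single-byte key yields a ZIP header, so a caller
    can distinguish "not an XOR-encrypted APK" from a decryption result.
    """
    key = recover_single_byte_key(blob)
    if key is None:
        return []
    plain = xor_bytes(blob, key)
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return zf.namelist()


def build_constructed_sample(key: int = 0x5A) -> bytes:
    """Constructed stand-in for the encrypted 'import.apk' asset (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    encrypted = build_constructed_sample()
    print("recovered key:", hex(recover_single_byte_key(encrypted)))
    print("entries:", list_decrypted_apk_entries(encrypted))
```

On a real dropper, point the function at the raw bytes of the asset file extracted from the outer APK; if no key matches, the asset is either not an APK or uses a longer key.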

Permissions required by the application:
It takes on the permissions that are granted to the dropper application.
  • WRITE_EXTERNAL_STORAGE
  • READ_EXTERNAL_STORAGE
  • INTERNET
  • ACCESS_NETWORK_STATE
  • ACCESS_WIFI_STATE
  • WAKE_LOCK
  • CHANGE_WIFI_STATE
  • READ_PHONE_STATE
  • ACCESS_COARSE_LOCATION
  • CAMERA
  • ACCESS_MTK_MMHW
  • ACCESS_FINE_LOCATION
  • RECEIVE_BOOT_COMPLETED
  • SYSTEM_ALERT_WINDOW
  • SYSTEM_OVERLAY_WINDOW
  • GET_PACKAGE_SIZE
  • UNINSTALL_SHORTCUT
  • ACCESS_DOWNLOAD_MANAGER
  • MOUNT_UNMOUNT_FILESYSTEMS
  • READ_OWNER_DATA
  • GET_TASKS
  • GET_ACCOUNTS

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.