Spy/TheftAware!Android - Released Jul 20, 2010 - Last Updated Jul 26, 2010

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

Depending on the situation, the victim's phone may experience:
  • High bill due to SMS sending
  • A loud alarm sound is played
  • The phone is locked

Detailed Analysis

This application, named Theft Aware, aims at securing one's mobile phone against loss or theft. To do so, for instance, it plays a loud alarm sound if the SIM card is replaced by an unauthorized one.
Although it can be used as a legitimate tool, this application may also be used against the phone's owner by attackers in various scenarios.

In particular, there are several potentially dangerous scenarios if the application is installed on a victim's phone without his full consent (e.g. the phone is left unlocked in a location where the attacker has physical access to it, or the victim is tricked by social engineering into installing it).

In such cases, the attacker may geographically track the victim, lock the phone remotely, retrieve all contacts or important SMS from the phone, or even have the victim's phone silently call the attacker so that he can listen to the surrounding conversations.

The application is designed to be difficult for the victim to spot. On Android phones, it is listed under a configurable name in the Application List, and this name is typically chosen so as not to alarm the victim (see Figure 1).


Figure 1. Choosing a non-suspicious name for TheftAware.



Technical Details


The setup package is typically found on the Android Market, and contains the following files:
  • res/drawable/icon.png
  • res/drawable/icon_main.png
  • res/drawable/theftaware.png
  • res/layout/choosename.xml
  • res/layout/description.xml
  • res/layout/download.xml
  • res/layout/main.xml
  • AndroidManifest.xml
  • resources.arsc
  • classes.dex
  • META-INF/MANIFEST.MF
  • META-INF/CERT.SF
  • META-INF/CERT.RSA
The end-user must then agree to download the real application from an "unknown location" (i.e. not the Android Market) - see Figure 2.

Figure 2. Installing the TheftAware agent on the Android phone

Finally, the attacker can configure the application (see Figure 3) and erase the setup application from the phone.

Figure 3. Configuring TheftAware

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1951776