Android/DrdLight.A!tr
Analysis
Android/DrdLight.A!tr targets Android phone users.
The malware consists of a malicious addition to legitimate applications, which were then
re-packaged and distributed on the Android Market. It is therefore a trojan horse.
The malicious packages have been removed from the Android Market, so Android end-users
are only at risk if they downloaded one of the trojaned applications before they
were removed from the market. Those are applications from the (fake) developers
Magic Photo Studio, Mango Studio, E. T. Tean, BeeGoo, DroidPlus and GluMobi.
The trojaned application connects to remote web sites and sends them
personal information such as the IMSI, IMEI, language and phone model.
Technical Details
The malicious parts are located in a path such as com.passionteam.lightdd. When the phone's state changes (e.g. when the phone receives a call), the malware starts a new service named CoreService.
This service copies a file named prefer.dat to
/data/data/PACKAGENAME/files/prefer.dat
This file is encrypted using DES. The decryption key is hard-coded and is
DDH#XundefinedLT
The malware retrieves personal information such as the user's country, language, IMSI, IMEI and phone model, and builds an XML file out of this information:
<?xml version="1.0" encoding="UTF-8" ?>
<Request>
  <Protocol>2.0</Protocol>
  <Command>2</Command>
  <MobileInfo>
    <Model></Model>
    <Language>DEVICE LANGUAGE</Language>
    <Country>DEVICE COUNTRY</Country>
    <IMEI>IMEI</IMEI>
    <IMSI>IMSI</IMSI>
  </MobileInfo>
  <ClientInfo>
    <PlatformID>5</PlatformID>
    <OSVersion>DEVICE SDK</OSVersion>
    <Edition>Malware version</Edition>
    <ProductID>1105406</ProductID>
    <SubCoopID>1100800101</SubCoopID>
    <PackageName>Malware package name</PackageName>
  </ClientInfo>
  <InstalledProductInfo>
    ...
  </InstalledProductInfo>
</Request>
The malware sends this information to remote web sites whose names figure in the decrypted prefer.dat:
http://[REMOVED]/zpmq.jsp
http://[REMOVED]/owxnf.jsp
http://[REMOVED]/bksy.jsp
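The beacon described above has a fixed shape (a Request root, a MobileInfo block carrying IMEI and IMSI, and a ClientInfo block with constant ProductID and SubCoopID values), which makes it a usable network indicator. The following is an added example, not part of the Fortinet write-up and not the malware's own code: it parses a captured request body against that template, reports which indicators matched, masks the device identifiers for logging, and pulls candidate .jsp endpoints out of decrypted prefer.dat text. The sample beacon, the hostname example.invalid, the IMEI/IMSI digits and the decrypted-config text are all constructed; the ProductID, SubCoopID and package path values come from the analysis above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample beacon body, filled in to match the XML template in the analysis.
SAMPLE_BEACON = """<?xml version="1.0" encoding="UTF-8" ?>
<Request>
  <Protocol>2.0</Protocol>
  <Command>2</Command>
  <MobileInfo>
    <Model>Constructed Model</Model>
    <Language>en</Language>
    <Country>US</Country>
    <IMEI>356938035643809</IMEI>
    <IMSI>310260000000000</IMSI>
  </MobileInfo>
  <ClientInfo>
    <PlatformID>5</PlatformID>
    <OSVersion>8</OSVersion>
    <Edition>1.0</Edition>
    <ProductID>1105406</ProductID>
    <SubCoopID>1100800101</SubCoopID>
    <PackageName>com.passionteam.lightdd</PackageName>
  </ClientInfo>
  <InstalledProductInfo></InstalledProductInfo>
</Request>
"""

# Constructed stand-in for decrypted prefer.dat content (real hosts were removed from the write-up).
SAMPLE_DECRYPTED_CONFIG = "http://example.invalid/zpmq.jsp\nhttp://example.invalid/owxnf.jsp\n"

# Constant values taken from the XML template in the analysis.
DRDLIGHT_PRODUCT_ID = "1105406"
DRDLIGHT_SUBCOOP_ID = "1100800101"
DRDLIGHT_PACKAGE_FRAGMENT = "lightdd"


def parse_beacon(body):
    """Parse a request body; return the interesting fields, or None if it is not a Request document."""
    raw = body.encode("utf-8") if isinstance(body, str) else body
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag != "Request":
        return None

    def text(path):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else ""

    return {
        "protocol": text("Protocol"),
        "command": text("Command"),
        "imei": text("MobileInfo/IMEI"),
        "imsi": text("MobileInfo/IMSI"),
        "product_id": text("ClientInfo/ProductID"),
        "subcoop_id": text("ClientInfo/SubCoopID"),
        "package": text("ClientInfo/PackageName"),
    }


def score_beacon(fields):
    """Return the list of DrdLight indicators matched by parsed fields (empty list means no match)."""
    hits = []
    if fields["product_id"] == DRDLIGHT_PRODUCT_ID:
        hits.append("ProductID matches DrdLight template")
    if fields["subcoop_id"] == DRDLIGHT_SUBCOOP_ID:
        hits.append("SubCoopID matches DrdLight template")
    if DRDLIGHT_PACKAGE_FRAGMENT in fields["package"]:
        hits.append("PackageName contains the known malicious path fragment")
    if fields["imei"] and fields["imsi"]:
        hits.append("IMEI and IMSI exfiltrated together")
    return hits


def mask_identifier(value):
    """Mask all but the last four characters so IMEI/IMSI can be correlated without being logged in full."""
    if len(value) <= 4:
        return value
    return "*" * (len(value) - 4) + value[-4:]


def extract_report_urls(decrypted_config):
    """Pull candidate .jsp reporting endpoints out of decrypted prefer.dat text, sorted and de-duplicated."""
    return sorted(set(re.findall(r"https?://[^\s\"'<>]+\.jsp", decrypted_config)))


if __name__ == "__main__":
    fields = parse_beacon(SAMPLE_BEACON)
    print("IMEI:", mask_identifier(fields["imei"]), "IMSI:", mask_identifier(fields["imsi"]))
    for hit in score_beacon(fields):
        print("indicator:", hit)
    print("report URLs:", extract_report_urls(SAMPLE_DECRYPTED_CONFIG))
```

On a proxy or IDS pipeline, parse_beacon is run over HTTP POST bodies and an alert is raised when score_beacon returns two or more hits; the constant ProductID/SubCoopID pair is the strongest signal, while the IMEI-plus-IMSI check alone also catches other leaky applications. The masking helper keeps enough of the identifier to correlate events across logs without recording the full device identity.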
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |