Android/YzhcSms.A!tr
Analysis
Android/YzhcSms.A!tr targets mobile phones running Android.
It has been available on the Android Market for some time, and then removed,
as a chinese application for the social network, PPXiu.
The malware may still be found on unofficial markets.
In background, the malware connects to several remote web sites, download
files from remote web sites, sends SMS and MMS to phone numbers, hides
its activity by deleting specific SMS messages.
Technical Details
Once the malware is installed and after a system reboot or pressing the Home button, the malware starts its activity:
- it sends pending MMS if there are some. Those MMS are send by default to the phone number of a Chinese Service Provider.
- it deletes any incoming SMS which carries a body with the word 'Monthly' (in Chinese) and comes from that Service Provider.
http://[REMOVED]love.cn:8080/Wukong/android/android.dbug.php?action=heartIt also provides as parameter to this URL:
- imei: the phone's IMEI
- mdpsw: password MD5 hash result
- version: hard coded to 101
- channe: hard coded to 101011101
- yeah: set to 1.
- domreg
- reduce
- mdpassword: password MD5 hash result
- upgrade: 0 if upgrade not needed
- address
- time
- timetype
- widget: this tag describes the various icons the application will display (see Figure 1) and their expected action. The action consists of a URL to contact (possibly downloading a file), and phone numbers to send SMS to, and their text.
There are several widgets. Example:1004,Chinese text,0,http://[REMOVED].51widgets.com/ss/attachments/files/URLshorter.apk,100,2011061022,10086
Figure 1. Home screen of PPxiu with different widgets.
The malware also sends SMS messages to a Chinese Service Provider with the body:
YZHC + IMEI + USER VALUE
It posts to remote web sites such as http://[REMOVED]love.cn:8080 various information such as:
- code: the phone's IMEI
- imsi: the victim's IMSI
- cpu: the phone's device model (Build.DEVICE)
- rom: the phone's board (Build.BOARD)
- res: screen resolution, 320X480 by default
- tel: the victim's phone number
- version: hard coded to 101
- channe: presumably a channel identifier. Hard coded to 101011101
Figure 2. Default PPxiu the malware logs on to
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |
Version Updates
Date | Version | Detail |
---|---|---|
2023-03-06 | 91.01181 |