Android/JSmsHider.A!tr

Analysis

Android/JSmsHider.A!tr is a trojan for Android mobile phones. It has been seen on unofficial application repositories and particularly targets phones which use a custom ROM.
It tries to silently install a malicious payload. This payload communicates with a remote C&C server and can issue commands to have the phone send SMS to given phone numbers with given contents.
The malicious payload is also able to process incoming and outgoing SMS messages and removes some legitimate SMS messages coming from the victim's operator. This helps the malware hide itself on the phone.


Technical Details


First, the malware tests whether the malicious payload (testnew.apk) is already installed or not. If not, it tries to install it silently by requesting the permission to install a package (android.permission.INSTALL_PACKAGES).
The malware requests the INSTALL_PACKAGES permission in its Android Manifest, but this permission is special: it can only be obtained by system applications (i.e. applications preinstalled on the device's firmware or signed with the platform key).
If the victim's phone uses a custom ROM, the customized image is typically signed with the publicly available private keys of the Android Open Source Project. As this malware is also signed with those keys, it is successfully granted the INSTALL_PACKAGES permission.
If the victim's phone does not use a custom ROM, this trick won't work, and the malware instead tries to obtain the permission by becoming root with a su command:
$ su -v
Once the malware has the appropriate permission, it loads the embedded resource, testnew.apk, and silently installs it on the phone.
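The signing-key weakness described above, modelled as an added example (not code from the original analysis): a simplified signatureOrSystem check that grants INSTALL_PACKAGES to firmware apps or to apps whose signer matches the platform certificate, plus an audit that flags third-party apps obtaining it on a ROM whose platform key is publicly known. The certificate bytes, package name and SEND_SMS permission are constructed placeholders, not real key material from the sample.

```python
import hashlib
from dataclasses import dataclass

# Permissions that (per the analysis) only firmware apps or apps signed with
# the platform key may hold. Other protection levels are simplified away.
SIGNATURE_OR_SYSTEM = {"android.permission.INSTALL_PACKAGES"}


@dataclass
class Apk:
    package: str
    signer_cert: bytes        # DER bytes of the signing certificate (constructed)
    requested: set
    on_system_partition: bool = False


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used to compare two signers."""
    return hashlib.sha256(cert_der).hexdigest()


def granted_permissions(apk: Apk, platform_cert: bytes) -> set:
    """Permissions the system would grant to this APK."""
    granted = set()
    for perm in apk.requested:
        if perm not in SIGNATURE_OR_SYSTEM:
            granted.add(perm)                       # ordinary permission
        elif apk.on_system_partition or fingerprint(apk.signer_cert) == fingerprint(platform_cert):
            granted.add(perm)                       # firmware app or platform-signed
    return granted


def audit(installed, platform_cert: bytes, public_key_fps: set) -> list:
    """Flag non-firmware apps holding signature-level permissions on a ROM
    whose platform key is one of the publicly known (e.g. AOSP test) keys."""
    rom_uses_public_key = fingerprint(platform_cert) in public_key_fps
    findings = []
    for apk in installed:
        risky = granted_permissions(apk, platform_cert) & SIGNATURE_OR_SYSTEM
        if risky and not apk.on_system_partition and rom_uses_public_key:
            findings.append((apk.package, sorted(risky)))
    return findings


# Constructed stand-ins for the real certificates (placeholder bytes only).
AOSP_TEST_KEY = b"PLACEHOLDER-AOSP-TEST-PLATFORM-CERT"
OEM_KEY = b"PLACEHOLDER-OEM-PRIVATE-PLATFORM-CERT"
KNOWN_PUBLIC_KEYS = {fingerprint(AOSP_TEST_KEY)}
MALWARE = Apk("com.example.hider", AOSP_TEST_KEY,
              {"android.permission.INSTALL_PACKAGES", "android.permission.SEND_SMS"})


def demo():
    """Same sample on a custom ROM (public key) versus an OEM-signed ROM."""
    return audit([MALWARE], AOSP_TEST_KEY, KNOWN_PUBLIC_KEYS), audit([MALWARE], OEM_KEY, KNOWN_PUBLIC_KEYS)
```

On the custom ROM the audit reports the sample with INSTALL_PACKAGES; on the OEM-signed ROM the same APK is only granted its ordinary permissions and nothing is flagged.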
The malicious payload (Android/JSmsHider.B!tr) starts several services and receivers. In particular, it will:
  • download and install a file named LcLottery.apk.
  • process incoming and outgoing SMS messages. If it receives an SMS from a phone number starting with 106 (this corresponds to SMS from Chinese operators), it automatically replies to the SMS and discards it. If there is an SMS for a 106 number in the outbox, it deletes it too. This functionality is assumed to help the malware stay stealthy.
  • configure the phone to use the WAP gateway of a Chinese operator (if necessary).
It also implements a small communication protocol with a remote C&C server. Some of the information is encrypted with DES. The protocol supports 8 different packets:
  1. set the update rate
  2. set the phone number for SMS
  3. try to install a package
  4. update a package
  5. send an SMS to a given phone number with given content
  6. same as 5, but two different contents are provided and one is chosen depending on the case
  7. add the APN for the Chinese operator
  8. modify the URLs to contact
The malware contacts the following hard-coded URLs:
http://[REMOVED]mstsv.com/Test/
http://[REMOVED - DIFFERENT from above]mstsv.com/Update

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date Version Detail
2023-03-06 91.01181
2021-10-27 89.06323
2021-04-21 85.00617
2020-10-25 81.35300
2020-04-21 76.87300
2020-04-21 76.87100
2020-04-20 76.85100
2020-04-20 76.84900
2020-01-01 74.22100
2019-12-18 73.88500