Android/CruseWin.A!tr

Analysis

Android/CruseWin.A!tr is a bot for Android mobile phones. It receives its commands from a remote command-and-control (C&C) web server, which sends them as an XML configuration file. The commands are:

  • send an SMS message to a given phone number
  • forward incoming SMS messages to a given website
  • list all top-level applications on the phone and send the list to a remote website
  • delete a given application from the phone
  • fetch a given URL to update the malware
  • connect to a given URL to report that the malware is up and running on the phone

When installed, a new application icon is added to the application launcher. However, clicking on this icon does not show anything.


Technical Details


When the malware starts, it looks for an existing instance of its PhoneDataManager class; if none exists it creates one, otherwise it reuses the existing instance.
The malware is configured by an XML file downloaded from a remote C&C whose address is initially hard-coded:
http://[REMOVED].net/flash/test.xml
This XML file has the following format:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<time>02.07.2011 09:12</time>
<connect>http://[REMOVED].com/test.xml</connect>
<send number="0">11</send>
<url>http://[REMOVED].com/url.php</url>
<insms>http://[REMOVED].com/in.php</insms>
<delete number="0"></delete>
<listapp>http://[REMOVED].com/list.php</listapp>
<clean app="123321">http://[REMOVED].com/clean.php</clean>
<update version="101">http://[REMOVED].ru</update>
</response>
The malware first sends an HTTP POST to the URL given in the url XML tag (e.g., http://[REMOVED].com/url.php).
The POST carries the following headers:
Accept: */*
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Linux; U; Android {0}; en-us; {1}/{2}) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/ 530.17
The User-Agent template is stored in the package's resources (strings.xml); {0}, {1} and {2} are format placeholders that are filled in when the request is built.
The body is a serialized JSON object containing the key "sms" with a boolean value.
The malware also sends an SMS to the phone number given in the number attribute of the send XML tag, with the tag's text as the message body:
<send number="PHONE NUMBER">MESSAGE BODY</send>
That phone number is then added to a list of numbers whose SMS replies the malware relays.
If a number on that list replies by SMS, the reply is automatically relayed (posted over HTTP) to the URL given in the insms XML tag; the posted JSON object contains the key "insms" with the body of the relayed SMS as its value.
The malware also reports the applications installed on the phone. It enumerates the main applications on the device and, for each one, posts to the URL given in the listapp XML tag a JSON object containing the key "list" with the package name as its value.
The malware can also uninstall applications. If an installed package name matches the app attribute of the clean XML tag, that application is removed from the device:
<clean app="PACKAGE NAME TO REMOVE">URL</clean>
The malware then posts to the URL given in the clean tag a JSON object containing the key "clean" with a boolean value indicating whether or not it deleted the application.
Finally, the malware checks its own version. If it differs from the version attribute of the update XML tag, the malware connects to the URL given in that tag, presumably to download and install a newer version:
<update version="VERSION NUMBER">URL</update>
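The C&C response format shown above and the per-tag handling described in this section, as an added example (not code from the original analysis or from the malware sample): a Python parser for the <response> document plus the decision logic for each command, run against a constructed config and a constructed device state so the outbound traffic can be inspected offline. Tag and attribute names and the JSON key/value pairs follow the text; the function names, the BotState class, the c2.example hostnames, the package names and phone numbers in the sample, the meaning assigned to the "sms" boolean (here: whether an SMS was sent) and the treatment of number="0" (the text does not say, so it is handled like any other number) are assumptions of this example.

```python
"""Added example, not code from the analysis or the sample: parse the CruseWin.A
<response> XML and apply each command to a hypothetical device state, returning
the outbound traffic instead of sending it."""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


def parse_config(xml_text: str) -> dict[str, str]:
    """Flatten one <response> document into {"tag": text, "tag.attr": value}.
    xml.etree keeps the example dependency-free; a tool fed attacker-controlled
    XML should parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    cfg: dict[str, str] = {}
    for el in root:
        cfg[el.tag] = (el.text or "").strip()
        for name, value in el.attrib.items():
            cfg[f"{el.tag}.{name}"] = value
    return cfg


@dataclass
class BotState:
    """Hypothetical on-device state: the bot's own version, the installed
    packages, and the numbers whose SMS replies must be relayed."""
    version: str
    installed: list[str]
    relay_numbers: set[str] = field(default_factory=set)


def run_cycle(cfg: dict[str, str], state: BotState,
              incoming: list[tuple[str, str]]) -> dict:
    """Apply one config. Returns 'posts' as (url, json_body) pairs the bot would
    POST, 'sms' as (number, body) pairs it would send, and 'update' as the URL
    to fetch when the versions differ (else None)."""
    posts: list[tuple[str, str]] = []
    sms_out: list[tuple[str, str]] = []

    # <send>: SMS the given number and remember it for relaying, then beacon
    # to <url> with the "sms" boolean (assumed here to mean "an SMS was sent").
    number = cfg.get("send.number", "")
    if number:
        sms_out.append((number, cfg.get("send", "")))
        state.relay_numbers.add(number)
    posts.append((cfg["url"], json.dumps({"sms": bool(sms_out)})))

    # <insms>: relay only replies from remembered numbers; ignore other SMS.
    for sender, body in incoming:
        if sender in state.relay_numbers:
            posts.append((cfg["insms"], json.dumps({"insms": body})))

    # <listapp>: one POST per installed package.
    for pkg in state.installed:
        posts.append((cfg["listapp"], json.dumps({"list": pkg})))

    # <clean app="...">: uninstall if present, report the outcome either way.
    target = cfg.get("clean.app", "")
    removed = bool(target) and target in state.installed
    if removed:
        state.installed.remove(target)
    posts.append((cfg["clean"], json.dumps({"clean": removed})))

    # <update version="...">: fetch the URL only when the version differs.
    update = cfg["update"] if cfg.get("update.version") != state.version else None
    return {"posts": posts, "sms": sms_out, "update": update}


# Constructed sample: same layout as the captured config, C&C hosts replaced by
# the reserved name c2.example, target package and phone number made up.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<time>02.07.2011 09:12</time>
<connect>http://c2.example/test.xml</connect>
<send number="1234">11</send>
<url>http://c2.example/url.php</url>
<insms>http://c2.example/in.php</insms>
<delete number="0"></delete>
<listapp>http://c2.example/list.php</listapp>
<clean app="com.example.antivirus">http://c2.example/clean.php</clean>
<update version="101">http://c2.example/</update>
</response>
"""


def demo() -> dict:
    """Run the constructed config against a constructed device state."""
    cfg = parse_config(SAMPLE_CONFIG)
    state = BotState(version="100",
                     installed=["com.android.browser", "com.example.antivirus"])
    # Constructed inbox: one reply from the relay number, one unrelated SMS.
    return run_cycle(cfg, state, [("1234", "OK 11"), ("5678", "hello")])


if __name__ == "__main__":
    for url, body in demo()["posts"]:
        print("POST", url, body)
```

Flattening the document into "tag" and "tag.attr" keys keeps the parser independent of which tags a given response carries, so a config that omits, say, the clean tag still parses; the relay check shows why the send number is remembered: an SMS from any other sender never reaches the insms URL.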

Finally, note that the malware can connect to both HTTP and HTTPS servers, so its communication with the remote C&C may be encrypted in transit.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                   Availability
FortiGate                 Extended
FortiClient               Extreme
FortiAPS
FortiAPU
FortiMail                 Extreme
FortiSandbox              Extreme
FortiWeb                  Extreme
Web Application Firewall  Extreme
FortiIsolator             Extreme
FortiDeceptor             Extreme
FortiEDR

Version Updates

Date        Version    Detail
2023-03-06  91.01181