Android/GoldDream.A!tr.spy
Analysis
Android/GoldDream.A!tr.spy targets mobile phones running Android.
It trojanizes legitimate games such as the DragRacer car game, i.e. the genuine
(and non-malicious) game is re-packaged to include malicious code.
In the background, the malware logs all incoming and outgoing phone calls and
received SMS messages. These spy logs are written to files on the device and later
sent to a remote web site.
In addition, the malware is able to:
- send SMS messages
- install or delete packages
- call phone numbers
Technical Details
Initially, the malware registers a receiver (zjReceiver) which is triggered when the phone boots or receives an SMS.
When the phone boots, the receiver starts a service (zjService).
If the phone receives an SMS, the malware logs the SMS originating phone number, body and time in a file named zjsms.txt (in /data/data/com.creativemobi.DragRacing/files/).
The format of the SMS log is:
SMS PHONE NUMBER#SMS BODY#SMS TIME
If the phone places an outgoing call, it logs:
OUT#PHONE NUMBER#SYSTEM TIME
This call log is written to zjphonecall.txt. If the phone receives an incoming call, the malware logs the begin and end time of the call:
IN_BEGIN#PHONE NUMBER#SYSTEM TIME
IN_END#PHONE NUMBER#SYSTEM TIME
When zjService starts, it first writes an XML configuration file with default values. This file contains:
- dom: the domain name of the remote web server to contact
- ws: watch sms. Boolean indicating whether to spy SMS or not. False by default.
- wc: watch call. Boolean indicating whether to spy calls or not. False by default.
- ltd: last work task time
- lud: last update time
- uid: user identifier
- tti: task type id. Default type is 1.
- rtt: rest time
- uwf: literally: upload watch files. This is a boolean indicating whether to upload spy files or not
- tph: task per hours
- rt: boolean indicating whether the malware is resting. Its exact meaning is unclear; it may indicate that the remote web server is currently out of service.
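The zjsms.txt and zjphonecall.txt formats described above can be parsed during triage of files pulled from the device. The parser below is an added example for this page, not code from the malware or from Fortinet. It follows the field layout given in the text; the sample lines are constructed, and timestamps are kept as strings because the page does not specify how SMS TIME and SYSTEM TIME are represented. The one detail worth handling is that an SMS body may itself contain '#', so the SMS parser splits only at the first and last separator.

```python
"""Parser for the GoldDream spy logs (zjsms.txt / zjphonecall.txt).

Added example for triaging files recovered from
/data/data/com.creativemobi.DragRacing/files/. Not the malware's own
code. Field layout follows the encyclopedia text; timestamp format is
unspecified there, so stamps are kept verbatim.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SmsRecord:
    number: str   # originating phone number
    body: str     # message body (may itself contain '#')
    time: str     # SMS TIME, verbatim


@dataclass
class CallRecord:
    direction: str       # "OUT" or "IN"
    number: str
    begin: str           # OUT / IN_BEGIN stamp ("" if only IN_END was seen)
    end: Optional[str]   # IN_END stamp; None for outgoing or unterminated calls


def parse_sms_log(text: str) -> List[SmsRecord]:
    """Parse 'NUMBER#BODY#TIME' lines, tolerating '#' inside the body."""
    records: List[SmsRecord] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.count("#") < 2:
            raise ValueError(f"zjsms.txt line {lineno}: expected NUMBER#BODY#TIME")
        number, rest = line.split("#", 1)      # first '#' ends the number
        body, stamp = rest.rsplit("#", 1)      # last '#' starts the time
        records.append(SmsRecord(number, body, stamp))
    return records


def parse_call_log(text: str) -> List[CallRecord]:
    """Parse OUT / IN_BEGIN / IN_END lines and pair IN_BEGIN with IN_END."""
    records: List[CallRecord] = []
    open_incoming: Dict[str, int] = {}   # number -> index awaiting IN_END
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            tag, number, stamp = line.split("#", 2)
        except ValueError:
            raise ValueError(f"zjphonecall.txt line {lineno}: expected TAG#NUMBER#TIME")
        if tag == "OUT":
            records.append(CallRecord("OUT", number, stamp, None))
        elif tag == "IN_BEGIN":
            records.append(CallRecord("IN", number, stamp, None))
            open_incoming[number] = len(records) - 1
        elif tag == "IN_END":
            idx = open_incoming.pop(number, None)
            if idx is None:
                # IN_END with no matching IN_BEGIN: truncated or tampered log
                records.append(CallRecord("IN", number, "", stamp))
            else:
                records[idx].end = stamp
        else:
            raise ValueError(f"zjphonecall.txt line {lineno}: unknown tag {tag!r}")
    return records


# Constructed sample logs; numbers and stamps are placeholders.
SAMPLE_SMS = (
    "+15550001111#Your verification code is 4#2#1#1309946400000\n"
    "+15550002222#hello#1309946460000\n"
)
SAMPLE_CALLS = (
    "OUT#+15550003333#1309946500000\n"
    "IN_BEGIN#+15550004444#1309946600000\n"
    "IN_END#+15550004444#1309946660000\n"
)

if __name__ == "__main__":
    for rec in parse_sms_log(SAMPLE_SMS):
        print(rec)
    for rec in parse_call_log(SAMPLE_CALLS):
        print(rec)
```

Unterminated incoming calls (IN_BEGIN without IN_END) are kept with end=None rather than dropped, since a log cut off mid-call is exactly what a device seized during use looks like.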
The service then contacts the remote server by accessing the following URL, which sends the phone's IMEI, SIM and IMSI:
http://[REMOVED]cp.net/zj/RegistUid.aspk?pid=9971&cid=1000&imei=PHONE IMEI&sim=PHONE SIM&imsi=PHONE IMSI&ua=USER AGENT
It then retrieves a number of tasks from the remote server and executes them.
The number of tasks to perform is retrieved by accessing:
http://[REMOVED]cp.net/zj/countWorkTask.aspx?tti=TASK ID
Then, each task is executed one by one. First, the malware retrieves the information for a task:
http://[REMOVED]cp.net/zj//alotWorkTask.aspx?no=TASK NUMBER&uid=USER ID&ti=TASK ID
The task number (parameter "no") is incremented for each task that is retrieved.
Then, the task is executed. Depending on its nature, it may consist of:
- calling a phone number
- sending a SMS
- deleting a package on the device
- installing a package on the device
- uploading watch files to the remote web server.
In that case, the files are uploaded to this URL:
http://[REMOVED]cp.net/zj/upload/UploadFiles.aspx?askId=3
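The check-in and task URLs above are the most useful network indicator for this family. The script below is an added example (not code from the page or from any Fortinet product) that classifies proxy-log entries by the stage of the protocol they belong to and extracts the device identifiers leaked at registration. Because the C2 domain is redacted on the page and could change between samples, matching keys on the /zj/ script names and query parameters rather than on the host; the host c2.example, the log line layout and all values are constructed placeholders.

```python
"""Proxy-log detector for the GoldDream /zj/ check-in and task URLs.

Added example, not from the page or a Fortinet product. Matches on the
script names and parameters shown in the text; host and log lines are
constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Script names from the URLs in the text, mapped to protocol stage.
STAGES = {
    "registuid": "register",
    "countworktask": "count_tasks",
    "alotworktask": "fetch_task",
    "uploadfiles": "upload_watch_files",
}

# The page shows RegistUid with an ".aspk" extension (possibly a typo for
# .aspx); accept both so the indicator survives either spelling.
C2_SCRIPT = re.compile(
    r"^/zj/(?:upload/)?(registuid|countworktask|alotworktask|uploadfiles)\.asp[xk]$",
    re.IGNORECASE,
)


@dataclass
class C2Hit:
    client: str
    stage: str
    params: Dict[str, str]
    url: str


def classify_url(url: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (stage, query params) if url is a GoldDream endpoint, else None."""
    parts = urlsplit(url)
    # The text shows a doubled slash in /zj//alotWorkTask.aspx; collapse
    # slash runs so that variant is matched too.
    path = re.sub(r"/{2,}", "/", parts.path)
    m = C2_SCRIPT.match(path)
    if not m:
        return None
    stage = STAGES[m.group(1).lower()]
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return stage, params


def scan_proxy_log(lines: List[str]) -> List[C2Hit]:
    """Scan constructed 'timestamp client method url' lines for C2 traffic."""
    hits: List[C2Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        result = classify_url(url)
        if result is not None:
            stage, params = result
            hits.append(C2Hit(client, stage, params, url))
    return hits


def device_identifiers(hits: List[C2Hit]) -> Dict[str, str]:
    """Pull the IMEI/SIM/IMSI sent at the register stage, to identify the victim."""
    for hit in hits:
        if hit.stage == "register":
            return {k: hit.params[k] for k in ("imei", "sim", "imsi") if k in hit.params}
    return {}


# Constructed sample traffic: one infected client plus one benign request.
SAMPLE_LOG = [
    "2011-07-06T10:12:01Z 10.0.0.5 GET http://c2.example/zj/RegistUid.aspk"
    "?pid=9971&cid=1000&imei=000000000000000&sim=89010000000000000000"
    "&imsi=310150000000000&ua=Dalvik",
    "2011-07-06T10:12:02Z 10.0.0.5 GET http://www.example.com/index.html",
    "2011-07-06T10:12:03Z 10.0.0.5 GET http://c2.example/zj/countWorkTask.aspx?tti=1",
    "2011-07-06T10:12:04Z 10.0.0.5 GET http://c2.example/zj//alotWorkTask.aspx?no=1&uid=42&ti=1",
    "2011-07-06T10:12:05Z 10.0.0.5 POST http://c2.example/zj/upload/UploadFiles.aspx?askId=3",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit.client, hit.stage, hit.params)
    print("victim:", device_identifiers(found))
```

A sequence of register, count_tasks and fetch_task from one client within a short window is a stronger signal than any single URL, and the "no" parameter climbing by one per fetch_task request matches the incrementing task number described above.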
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product                  | Availability
FortiGate                | Extreme
FortiClient              | Extended
FortiMail                | Extended
FortiSandbox             | Extended
FortiWeb                 | Extended
Web Application Firewall | Extended
FortiIsolator            | Extended
FortiDeceptor            | Extended
FortiEDR                 |