Android/HippoSms.A!tr
Analysis
Android/HippoSms.A!tr targets Android mobile phones.
Once installed, this malware sends premium SMS messages to a hard-coded
Chinese service provider (at the victim's expense).
It also monitors incoming SMS messages, and deletes any SMS whose originating
phone number begins with 10. Those are typically other SMS messages from
legitimate service providers.
The malware also tries to update itself, downloading a newer version from a
remote web server.
Technical Details
When the phone boots, the malware starts a messaging service called MessageService. This service registers an SMS observer and sends an SMS to
10661[CENSORED] with the hard-coded body "8".
The malware then monitors incoming SMS, parses each message (id, thread_id, address, etc.) and deletes it if the sender address starts with a given hard-coded prefix ("10" in this particular case).
The malware also tries to update itself. To do so, it sends an HTTP request to a hard-coded URL:
http://[CENSORED]6.cn/clientRequest.htm?method=update&os=android&brand=android_video_200_gen_f002&sdkVersion=1.5
with the following parameters:
- method: action keyword. Typically "update" to update the version, or "startcharge" to start sending SMS to the premium number.
- os: "android" in this case.
- sdkVersion: version number of the sample.
The update package is then downloaded from a URL such as:
http://wap[CENSORED]6.com/clientversion/Android_vi[CENSORED].apk
The name of the package to download changes at each request.
On the samples we analyzed, this update fails to install on the phone for two reasons:
- the phone must allow installation of applications from third-party sources
- the update is not signed with the same certificate as the original sample. The original sample's certificate:
Serial Number: 1274343758 (0x4bf4f14e)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Android, CN=Android Debug
Validity
    Not Before: May 20 08:22:38 2010 GMT
    Not After : May 20 08:22:38 2011 GMT
But in the update:
Serial Number: 1283155330 (0x4c7b6582)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=ku6.com, OU=ku6.com, CN=ku6
Validity
    Not Before: Aug 30 08:02:10 2010 GMT
    Not After : Aug  6 08:02:10 2110 GMT
Subject: C=CN, ST=beijing, L=beijing, O=ku6.com, OU=ku6.com, CN=ku6
If installed, the update installs a video downloading application and sends other SMS messages to other premium phone numbers.
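As an added example, not part of Fortinet's analysis: a small Python scanner that flags the update request, the "startcharge" method and the package download path described above when they appear in proxy logs. The C2 hostnames are censored on this page, so the hosts below are placeholders and the log lines are constructed.

```python
# Added example (not Fortinet's code): flag HippoSms-style update/charge
# traffic in proxy logs. The page censors the C2 hostnames, so the hosts
# below are placeholders; only the paths and query keys come from the page.
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_PATH = "/clientRequest.htm"
# Download path seen on the page: /clientversion/Android_vi<changing>.apk
PACKAGE_RE = re.compile(r"^/clientversion/Android_vi[^/]*\.apk$")
KNOWN_METHODS = {"update": "self-update check",
                 "startcharge": "premium-SMS charging started"}

def classify_url(url):
    """Return an alert dict for a HippoSms-like URL, or None."""
    parts = urlsplit(url)
    if parts.path == REQUEST_PATH:
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        method = query.get("method", "")
        if query.get("os") == "android" and method in KNOWN_METHODS:
            # "startcharge" means premium SMS are about to be sent: highest priority
            return {"severity": "high" if method == "startcharge" else "medium",
                    "indicator": KNOWN_METHODS[method],
                    "brand": query.get("brand"), "sdkVersion": query.get("sdkVersion")}
    if PACKAGE_RE.match(parts.path):
        return {"severity": "medium", "indicator": "update package download",
                "package": parts.path.rsplit("/", 1)[-1]}
    return None

def scan_log(text):
    """Scan '<time> <client> <verb> <url>' lines; return alerts in log order."""
    alerts = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip malformed lines
        hit = classify_url(fields[3])
        if hit:
            alerts.append({"time": fields[0], "client": fields[1], **hit})
    return alerts

# Constructed proxy log; hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2010-09-01T10:00:01Z 10.0.0.7 GET http://www.example.com/index.html
2010-09-01T10:00:05Z 10.0.0.7 GET http://c2-host.invalid/clientRequest.htm?method=update&os=android&brand=android_video_200_gen_f002&sdkVersion=1.5
2010-09-01T10:00:09Z 10.0.0.7 GET http://wap.c2-host.invalid/clientversion/Android_vi_20100901.apk
2010-09-01T10:01:00Z 10.0.0.9 GET http://c2-host.invalid/clientRequest.htm?method=startcharge&os=android&brand=android_video_200_gen_f002&sdkVersion=1.5
"""
```

Running `scan_log(SAMPLE_LOG)` yields three alerts: the update check, the package download, and a high-severity "startcharge" hit from the second client.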
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |