Mobile Virus

Android/Pirates.A!tr

Analysis

Android/Pirates.A!tr is a trojanized version of an Android game named "Coin Pirates". Behind the game, the Trojan processes a few commands from a remote server, such as:

  • register the victim with a random service provider chosen from a list, possibly incurring charges for those services. The victim is registered without his/her consent.
  • visit a given WAP page. The malware authors possibly get some indirect revenue from the number of visitors to those pages. The victim's browser automatically opens such a page, without the victim asking for anything.
  • add a bookmark. The malware silently and automatically adds new bookmarks to the phone's bookmark list.
This Trojan has been reported in unofficial Chinese Android marketplaces.


Technical Details


The malware consists of 4 main classes:
  • BootReceiver: simply makes sure the MonitorService class is started after the phone reboots.
  • AlarmReceiver: MonitorService sets an alarm that fires every minute; this receiver makes sure MonitorService is activated every minute.
  • SMSReceiver: spies on incoming SMS messages and triggers MonitorService, passing the SMS sender and body as parameters.
  • MonitorService: the main malicious class, detailed below.
When MonitorService starts, it performs the following tasks:
  • gets the phone's IMEI, model, SDK version and IMSI.
  • configures the phone with a new access point. This access point corresponds to a mobile phone operator in China.
  • creates an internal database named mydb, with a single table named blogconfig containing 4 columns: BlogType, KeyWords, IsConfirm and Charging.
  • writes a preferences file, MyPrefsFile.xml, which contains the current day of the month.
Then it starts two threads which contact a remote server whose name is hard-coded in the malware: [CENSORED]bk.info. Communication with the server is done via HTTP POST, using the phone's User Agent and the Chinese provider's proxy. The remote server's answers are processed by the malware.
The first thread posts the victim's IMEI as the "uid" field of an HTTP POST to a particular script on the remote server:
http://[REMOTE SERVER]/AndroidInterface/FreeAction.aspx
The malware waits for answers formatted as "SMS:xxxx|xxx|xxx|xxx". If the answer is "SMS:finish", the thread ends. Otherwise, the various fields are inserted into the blogconfig database.
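To make the answer format concrete, here is an added Python example (not Fortinet's or the malware's code) that parses the "SMS:..." answers the first thread expects and replays a constructed session into a throwaway copy of the blogconfig table, stopping at "SMS:finish" as the thread does. The mapping of the four pipe-separated fields onto the BlogType, KeyWords, IsConfirm and Charging columns in that order, and the sample answer values, are assumptions made here for illustration.

```python
"""Parser for the Android/Pirates.A!tr first-thread C2 answer format.

Added example, not Fortinet's or the malware's code. The analysis states that
answers look like "SMS:xxxx|xxx|xxx|xxx" or "SMS:finish" and that the fields
are inserted into the blogconfig table (BlogType, KeyWords, IsConfirm,
Charging). The field-to-column order used below is an assumption.
"""
import sqlite3
from typing import Optional

BLOGCONFIG_COLUMNS = ("BlogType", "KeyWords", "IsConfirm", "Charging")


def parse_c2_answer(answer: str) -> Optional[dict]:
    """Return None for the terminator "SMS:finish", a column->value dict for a
    well-formed record, and raise ValueError for anything else. A defender's
    parser is deliberately strict: unexpected shapes are flagged, not guessed."""
    answer = answer.strip()
    if not answer.startswith("SMS:"):
        raise ValueError(f"not a Pirates C2 answer: {answer!r}")
    payload = answer[len("SMS:"):]
    if payload == "finish":
        return None
    fields = payload.split("|")
    if len(fields) != len(BLOGCONFIG_COLUMNS):
        raise ValueError(
            f"expected {len(BLOGCONFIG_COLUMNS)} fields, got {len(fields)}: {answer!r}"
        )
    # Assumption: fields map onto the columns in table order.
    return dict(zip(BLOGCONFIG_COLUMNS, fields))


def replay_first_thread(answers, db_path=":memory:"):
    """Replay a captured sequence of server answers into a scratch copy of the
    blogconfig table, stopping at SMS:finish exactly as the first thread does.
    Returns the stored rows, so an analyst can see what a given server session
    would have configured on the device."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS blogconfig "
        "(BlogType TEXT, KeyWords TEXT, IsConfirm TEXT, Charging TEXT)"
    )
    for answer in answers:
        row = parse_c2_answer(answer)
        if row is None:  # "SMS:finish" ends the thread
            break
        conn.execute(
            "INSERT INTO blogconfig VALUES (?, ?, ?, ?)",
            tuple(row[c] for c in BLOGCONFIG_COLUMNS),
        )
    rows = conn.execute("SELECT * FROM blogconfig").fetchall()
    conn.close()
    return rows


# Constructed sample session (not a real capture); the values are placeholders.
SAMPLE_ANSWERS = [
    "SMS:1|keyword-a|0|1",
    "SMS:2|keyword-b|1|0",
    "SMS:finish",
    "SMS:3|never-reached|0|0",  # after finish, the thread has already ended
]

if __name__ == "__main__":
    for row in replay_first_thread(SAMPLE_ANSWERS):
        print(row)
```

The replay treats the answers as one ordered session; on the device each answer arrives as the response to a separate POST, so a captured proxy log would be fed in request order.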
The second thread sends several HTTP POSTs:
  • registration: the IMEI (uid), ChannelId (10006), OSType and IMSI are sent to
    http://[REMOTE SERVER]/AndroidInterface/Reg.aspx
    
    If the remote server answers "sendsms", the malware calls a function named SendRegSms() in the code, which sends an SMS to register to given services.
    The malware sends an SMS to a random number among:
    13521419442
    13552040604
    13661258744
    13521273944
    13552040894
    13520931794
    13520234741
    13520234194
    
    The body of the SMS is "ADReg: IMEI, UA" where IMEI is the phone's IMEI, and UA is the phone's User Agent.
  • blog down: the IMEI is posted to:
    http://[REMOTE SERVER]/AndroidInterface/BlogDown.aspx
    
    The malware does not expect any particular response; it automatically calls the HandleBlog() method.
  • free down: sends the IMEI (Uid) and Version (1) to
    http://[REMOTE SERVER]/AndroidInterface/FreeDown.aspx
    
    Afterwards, it inserts data into the database and does some other processing.
  • fav down: sends the IMEI to:
    http://[REMOTE SERVER]/AndroidInterface/FavDown.aspx
    
    Afterwards, it calls the HandleFav() method, which will add a new bookmark to the phone.
  • open wap: sends the IMEI to:
    http://[REMOTE SERVER]/AndroidInterface/OpenWap.aspx
    
    and then visits the page the server returns as answer.
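As an added defender-side example (not Fortinet's or the malware's code), the following Python turns the indicators above, the AndroidInterface endpoint paths, the uid field, the hard-coded registration numbers and the "ADReg: IMEI, UA" body format, into simple matchers and runs them over constructed proxy and SMS log lines. The log line formats, the hostnames and the IMEI/IMSI values are assumptions or placeholders; the real server name is censored on this page, so matching is done on the URL path rather than the host.

```python
"""Indicator matching for Android/Pirates.A!tr network and SMS activity.

Added example for defenders, not Fortinet's or the malware's code. The endpoint
paths, the SMS body format and the registration numbers come from the analysis;
the log formats, hostnames and IMEI/IMSI values are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint paths the two threads POST to, per the analysis.
C2_PATHS = {
    "/AndroidInterface/FreeAction.aspx": "first thread: fetch blogconfig rows",
    "/AndroidInterface/Reg.aspx": "registration (may trigger premium SMS)",
    "/AndroidInterface/BlogDown.aspx": "blog down",
    "/AndroidInterface/FreeDown.aspx": "free down",
    "/AndroidInterface/FavDown.aspx": "fav down (adds bookmark)",
    "/AndroidInterface/OpenWap.aspx": "open wap (opens page in browser)",
}

# Numbers SendRegSms() picks from, per the analysis.
REG_SMS_NUMBERS = {
    "13521419442", "13552040604", "13661258744", "13521273944",
    "13552040894", "13520931794", "13520234741", "13520234194",
}
# "ADReg: IMEI, UA"; an IMEI of 14 to 16 digits is assumed, the UA is free text.
REG_SMS_BODY = re.compile(r"^ADReg:\s*\d{14,16},\s*.+$")


def _uid(fields):
    """The analysis shows the IMEI field as both "uid" and "Uid"; match either."""
    return next((v for k, v in fields.items() if k.lower() == "uid"), None)


def classify_http_request(method, url, body):
    """Return (endpoint description, POST fields) when a request matches a
    Pirates C2 endpoint, else None. Path-based, so the censored hostname is
    not needed; the IMEI field is required to cut down false positives."""
    if method.upper() != "POST":
        return None
    desc = C2_PATHS.get(urlsplit(url).path)
    if desc is None:
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if _uid(fields) is None:
        return None
    return desc, fields


def is_registration_sms(destination, body):
    """True if an outbound SMS hits either indicator: a hard-coded destination
    number or the ADReg body format. Either alone is enough to flag."""
    return destination in REG_SMS_NUMBERS or bool(REG_SMS_BODY.match(body))


def scan_logs(http_lines, sms_lines):
    """Run both matchers over constructed, tab-separated logs:
    HTTP lines are 'METHOD\\tURL\\tBODY', SMS lines are 'DEST\\tBODY'.
    Returns a list of alert tuples in log order."""
    alerts = []
    for line in http_lines:
        method, url, body = line.split("\t", 2)
        hit = classify_http_request(method, url, body)
        if hit:
            alerts.append(("http", hit[0], _uid(hit[1])))
    for line in sms_lines:
        dest, body = line.split("\t", 1)
        if is_registration_sms(dest, body):
            alerts.append(("sms", dest, body))
    return alerts


# Constructed sample logs; hosts, IMEI and IMSI are placeholders, not real values.
HTTP_LOG = [
    "POST\thttp://REMOTE-SERVER.example/AndroidInterface/Reg.aspx\t"
    "uid=123456789012345&ChannelId=10006&OSType=android&IMSI=000000000000000",
    "GET\thttp://REMOTE-SERVER.example/AndroidInterface/Reg.aspx\t",
    "POST\thttp://other-host.example/AndroidInterface/FavDown.aspx\tuid=123456789012345",
    "POST\thttp://shop.example/cart.aspx\tuid=123456789012345",  # benign lookalike
]
SMS_LOG = [
    "13521419442\tADReg: 123456789012345, Mozilla/5.0 (Linux; U; Android 2.2)",
    "10086\tMonthly balance query",  # benign
    "13800000000\tADReg: 123456789012345, SomeUA",  # body matches, number does not
]

if __name__ == "__main__":
    for alert in scan_logs(HTTP_LOG, SMS_LOG):
        print(alert)
```

Because the malware routes its traffic through the Chinese provider's proxy, proxy or gateway logs are the natural place to look for these POSTs; the SMS matcher is for device-side telemetry, where an outbound message to a number the user never typed is the tell-tale sign of the premium-service registration.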

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.