Mobile VirusAndroid/Netisend.A!tr
Analysis
Android/Netisend.A!tr targets Android mobile phones. It sends private information to a remote web site. The information consists in the victim's IMEI, IMSI, phone model and manufacturer and whether a given list of applications is installed on the device or not:
- com.cola.twisohu
- com.sohu.newsclient
- com.duomi.android
- com.snda.youni
- cn.emoney.l2
- com.diguayouxi
- com.mx.browser
- com.uc.browser
- com.onekchi.xda
- cn.goapk.market
- com.wuba
- com.mappn.gfan
- com.hiapk.marketpho
Technical Details
Android/Netisend installs without any problem on the device but does not correspond to any application icon in the Application Launcher. Yet, the malware starts after the phone reboots.
When starting, the malware create a SQL database to store "options". The database contains a single table named OptionsTable with 4 columns: OptionsId (primary key, index to the table), OptionsName (a name), OptionsInt (an integer value) and OptionsStr (a string).
Initially, the table contains a single entry, whose name is "Notifacation" (mispelled as in the code) with an OptionsInt equal to 0.
Then, every minute, the malware does the following:
- check is network is available or not
- if network is available, get phone's manufacturer, model, IMSI, IMEI. Then also
check whether the applications listed above are installed on the device or not.
Finally, post that information to a remote web server:
http://[REMOVED].com/netsend/nmsm_json.jsp
The information is posted as a JSON object inside the "params" parameter of an HTTP POST:params: {"data": [{"package":"com.cola.twisohu","status":2,"label":"com.cola.twisohu"}, {"package":"com.sohu.newsclient","status":2,"label":"com.sohu.newsclient"}, {"package":"com.duomi.android","status":2,"label":"com.duomi.android"}, {"package":"com.snda.youni","status":2,"label":"com.snda.youni"}, {"package":"cn.emoney.l2","status":2,"label":"cn.emoney.l2"}, {"package":"com.diguayouxi","status":2,"label":"com.diguayouxi"}, {"package":"com.mx.browser","status":2,"label":"com.mx.browser"}, {"package":"com.uc.browser","status":2,"label":"com.uc.browser"}, {"package":"com.onekchi.xda","status":2,"label":"com.onekchi.xda"}, {"package":"cn.goapk.market","status":2,"label":"cn.goapk.market"}, {"package":"com.wuba","status":2,"label":"com.wuba"}, {"package":"com.mappn.gfan","status":2,"label":"com.mappn.gfan"}, {"package":"com.hiapk.marketpho","status":2,"label":"com.hiapk.marketpho"}], "model":"sdk","imsi":"310260000000000", "manufacture":"20010","imei":"000000000000000"}Status 2 means the application is not present, whereas 1 means it has been found.
Finally, update the "Notifacation" entry in the database and set OptionsInt to 1.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |