Mobile Virus

Android/GGTracker.A!tr

Analysis

Android/GGTracker.A!tr is a Trojan that targets mobile phones running Android. The malware poses as a battery saver application, and is known to be advertized through in-app ads.
In reality, the malware does little to save the victim's battery apart enabling or disabling wifi.
But, meanwhile, it steals incoming SMS messages from selected phone numbers and forwards their content to a remote web server.
The ultimate motivation appears to be automatic (and unwanted) subscription to mobile value-added services.
To subscribe to such a service, an end-user usually surfs to the corresponding website and is asked his/her phone number. The service then sends a confirmation code to that phone number. The end-user receives the SMS with the confirmation code, and if he/she still wishes to subscribe, enters that confirmation code on the service's website.
This protocol ensures the end-user is subscribing his/her own phone, that there is no error in the phone number, and that the end-user is indeed willing to subscribe.
However, if a malware such as GGTracker runs on the mobile phone, the security of the whole protocol is flawed. The malware authors subscribe an infected phone to various services. The services do send a confirmation code. This confirmation code is intercepted by the malware and sent to the malware authors. Finally, the malware authors confirm subscription with the stolen confirmation code.


Figure 1. Android/GGTracker.A!tr is installed on the phone
The malware looks like a genuine battery saver application (see Figures 2 and 3).


Figure 2. Splash screen for the malware

Figure 3. Settings look genuine
When the victim launches the malware, it first creates several preferences files:
  • phone.xml: this file has a single entry, phone, which contains the victim's phone number
  • carrier.xml: this file has a single entry, carrier, and contains the victim's carrier
Then, it performs an HTTP GET on the following page:
http://[REMOVED]k.org/SM1c?device_id=PHONENUMBER&adv_sub=PHONENUMBER
and writes the integer "1" in a file named "track.txt" if everything is successful.
Then, the malware displays a GUI, and performs a few mock tasks to have the victim believe the application is genuine and does try to save power. In particular, it has the ability to disable wifi when the screen is off, and enable wifi when the screen is lit again. It also shows a notification when the battery is low.
The other malicious tasks of the malware are triggered when the infected phone receives SMS messages.
If the phone receives an SMS coming from one of these phone numbers, it aborts the broadcast of the SMS, i.e it 'drops it (the victim won't see the SMS on his/her phone).
99735, 46621, 96512, 33335, 00033335
00036397, 36397, 55991, 55999, 56255
Then, it writes the body of the SMS in a dedicated shared preferences file named content.xml, and the originating phone number of the SMS in another file named from.xml. See below an example of from.xml:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="from">33335</string>
</map>
and toasts a message "Battery Saver Activated" (see Figure 4).

Figure 4. Malware toasts a battery saving message to make the victim believe the application is not malicious
Then, the malware sends all the information concerning the SMS it received within an HTTP POST to
http://[REMOVED]-cloud.com/droid/droid.php
with the following parameters:
  • number: victim's phone number
  • carrier: victim's phone carrier
  • from: phone number of the originating SMS
  • content: SMS body
  • message: hard-coded to "broadcastreceiver". This message is helpful for the developer to indicate which part of the code sends the HTTP POST
  • version: 3
  • sdk: phone's release

In the special case where the incoming SMS comes from 41001, the malware automatically answers "YES" to that number (presumably to confirm subscription) and also posts the information via HTTP to the remote server as in other cases.
Finally, when the malware is stopped, it carries out a final malicious tasks. It consists in reading all SMS messages on the phone, and posting the information to the remote web server. The URL and parameters are the same, except this time, the message parameter is hard coded to "onstop".

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.