Android/DrdLight.B!tr
Analysis
Android/DrdLight.B!tr is a variant of Android/DrdLight.A!tr.
In addition to variant A's functionalities, it is capable of stealing
call logs, contacts, and SMS messages.
Additionally, it sends SMS to contacts found on the device.
The malware stores its configuration file in a file named sense.tcd.
This file is DES-encrypted with the same key as variant A, i.e. DDH#X…LT. When decrypted, it corresponds to an XML file with tags such as:
- Feed3Proxy9
- UploadProxy7
- DDPackageName2
- Next3Feedback8
- NextTask3
- RName5
- Task3Proxy5
It steals:
- the victim's Google account name (email address), stored in APPDIR/files/goa4, where APPDIR is the application's private data directory
- the SMS inbox and outbox, stored in APPDIR/files/sms7
- the call log (date, duration and type), stored in APPDIR/files/calllog8
- the contacts, stored in APPDIR/files/contact7
To upload the stolen files, it builds a URL such as this one:
http://[REMOVED]d.com/p?PhoneType=MODEL&Version=7.0&PhoneImei=IMEI&PhoneImsi=IMSI
Once uploaded, the files are deleted from the device.
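The upload URL above is a usable network indicator even though the host is redacted: the path /p together with the PhoneType, Version, PhoneImei and PhoneImsi query parameters is distinctive. The following Python script is an added example, not code from the Fortinet write-up, that scans proxy log lines for requests matching that pattern and extracts the device identifiers that would have been exfiltrated. The log format (timestamp, client IP, method, URL) and the sample lines are constructed for the example; the host name example.invalid and the IMEI/IMSI values are placeholders.

```python
"""Flag proxy-log requests that match the DrdLight.B upload URL pattern.

Added example for the analysis above; the log format and sample lines are
constructed, not taken from a real capture.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that appear in the upload URL described in the write-up.
BEACON_PARAMS = {"PhoneType", "Version", "PhoneImei", "PhoneImsi"}
BEACON_PATH = "/p"

# Simplified proxy-log format assumed for this example:
#   <timestamp> <client-ip> <method> <url>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def looks_like_drdlight_upload(url: str) -> bool:
    """Return True when the URL has the /p path and all four beacon parameters.

    The host is not checked because the write-up redacts it; the parameter set
    is what identifies the request.
    """
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return False
    query = parse_qs(parts.query)  # blank values are dropped by default
    return BEACON_PARAMS.issubset(query)


def scan_proxy_log(lines):
    """Return one finding per log line that matches the upload pattern."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        url = match.group("url")
        if not looks_like_drdlight_upload(url):
            continue
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        hits.append({
            "timestamp": match.group("ts"),
            "client": match.group("src"),
            "host": parts.hostname,
            "model": query["PhoneType"][0],
            "imei": query["PhoneImei"][0],
            "imsi": query["PhoneImsi"][0],
        })
    return hits


# Constructed sample: one matching upload, one partial match, one benign
# request and one malformed line.
SAMPLE_LOG = [
    "2011-06-01T10:00:01Z 10.0.0.5 GET http://example.invalid/p?"
    "PhoneType=HTC%20Desire&Version=7.0&PhoneImei=490154203237518"
    "&PhoneImsi=310150123456789",
    "2011-06-01T10:00:02Z 10.0.0.6 GET http://example.invalid/p?"
    "PhoneType=Nexus&Version=7.0",
    "2011-06-01T10:00:03Z 10.0.0.7 GET http://example.invalid/index.html",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Because the detector keys on the parameter set rather than the host, it still fires when the malware's server changes; the extracted IMEI/IMSI lets the responder identify which handset on the network was compromised.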
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |