Mobile VirusAndroid/Anserver.A!tr
Analysis
Android/Anserver.A!tr is a malware which targets Android mobile phones.
It contacts a remote web server from which it downloads other malicious payloads
and installs them on the phone without consent.
It detects security programs such as MobileSafe, LBE Privacy Guard and
will try to kill them.
Technical Details
This malware shows several advanced functionalities:
- it obfuscates variables names, constants and URLs using a custom Base64 encoding
- it invokes methods included in other packages it downloads using reflection.
- it checks the signature of its own package to make sure it hasn't been tampered with
When a remote server needs to be updated, information concerning new remote servers are published on a public blog, in an encrypted form.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |