Android/Anserver.A!tr

Analysis

Android/Anserver.A!tr is malware that targets Android mobile phones. It contacts a remote web server from which it downloads other malicious payloads and installs them on the phone without consent.
It detects security programs such as MobileSafe and LBE Privacy Guard and tries to kill them.


Technical Details


This malware shows several advanced functionalities:
  • it obfuscates variable names, constants and URLs using a custom Base64 encoding
  • it uses reflection to invoke methods included in other packages it downloads
  • it checks the signature of its own package to make sure it hasn't been tampered with
The remote server responds to the infected device in XML format. The XML tags are obfuscated to make the XML harder to reverse engineer.
When a remote server needs to be updated, information about the new remote servers is published on a public blog, in an encrypted form.
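For analysts working through the custom Base64 obfuscation listed above, the following added example (not part of the original write-up and not Fortinet's code) decodes strings encoded with a permuted Base64 alphabet by mapping them back to the standard one. The alphabet, function names and sample strings are constructed for illustration; the page does not give the sample's real alphabet.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed alphabet for this example only (cases swapped, digits reversed).
# The page does not give the real one; an analyst recovers it from the
# decoder routine in the decompiled sample.
EXAMPLE_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ9876543210+/"


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")


def decode_custom_b64(text, alphabet):
    """Decode a string that was encoded with a permuted Base64 alphabet."""
    _check_alphabet(alphabet)
    body = text.strip().rstrip("=")
    unknown = set(body) - set(alphabet)
    if unknown:
        raise ValueError(f"characters outside alphabet: {sorted(unknown)}")
    if len(body) % 4 == 1:
        raise ValueError("truncated input: impossible Base64 length")
    std = body.translate(str.maketrans(alphabet, STD))
    std += "=" * (-len(std) % 4)  # restore padding the encoder may have dropped
    return base64.b64decode(std, validate=True)


def encode_custom_b64(data, alphabet):
    """Inverse mapping, used here only to build constructed test strings."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD, alphabet))


def deobfuscate_strings(strings, alphabet):
    """Map each string that decodes to printable text to its plaintext."""
    decoded = {}
    for s in strings:
        try:
            plain = decode_custom_b64(s, alphabet).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not an obfuscated constant; skip it
        if plain and plain.isprintable():
            decoded[s] = plain
    return decoded
```

Run `deobfuscate_strings` over the string constants extracted from the decompiled package; entries that contain characters outside the alphabet or do not decode to printable text are left out of the result.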

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient: Extreme
FortiAPS
FortiAPU
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date Version Detail
2023-03-21 91.01633
2023-03-10 91.01307
2023-03-06 91.01181
2021-04-21 85.00617
2020-10-07 80.92000
2020-04-21 76.87300
2020-04-21 76.87100
2020-04-20 76.85200
2020-04-20 76.85100
2020-04-20 76.84900