Android/Anserver.A!tr is malware that targets Android mobile phones. It contacts a remote web server, downloads other malicious payloads from it, and installs them on the phone without consent.
It detects security programs such as MobileSafe and LBE Privacy Guard and tries to kill them.

Technical Details

This malware has several advanced capabilities:
  • it obfuscates variable names, constants and URLs using a custom Base64 encoding
  • it uses reflection to invoke methods in other packages that it downloads
  • it checks the signature of its own package to make sure it hasn't been tampered with
The remote server answers the infected device in XML format. The XML tags are obfuscated to make the protocol harder to reverse engineer.
When a remote server needs to be updated, information about the new remote servers is published on a public blog, in encrypted form.
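
For analysts triaging a sample's string table, the custom Base64 obfuscation listed above can be undone by mapping the custom alphabet back to the standard one. The following is an added example, not code from the malware or from this advisory; the alphabet, the sample strings and the names `make_decoder`, `encode_sample` and `triage` are assumptions made for illustration.

```python
import base64
import binascii
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed alphabet for illustration only (standard set, case-swapped).
# The alphabet used by the malware is not given on this page.
SAMPLE_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/"

def make_decoder(alphabet, pad="="):
    """Return a function that decodes tokens written in a custom Base64 alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or pad in alphabet:
        raise ValueError("need 64 unique symbols and a distinct padding character")
    to_std = str.maketrans(alphabet + pad, STD + "=")
    allowed = set(alphabet + pad)

    def decode(token):
        if not token or not set(token) <= allowed:
            return None                      # contains symbols outside the alphabet
        std = token.translate(to_std).rstrip("=")
        if len(std) % 4 == 1:
            return None                      # impossible Base64 length
        std += "=" * (-len(std) % 4)         # tolerate stripped padding
        try:
            return base64.b64decode(std, validate=True)
        except binascii.Error:
            return None
    return decode

def encode_sample(data, alphabet, pad="="):
    """Build constructed test input: standard Base64 mapped into the alphabet."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD + "=", alphabet + pad))

def triage(strings, decode):
    """Map each string that decodes to printable ASCII to its plaintext."""
    hits = {}
    for s in strings:
        raw = decode(s)
        if raw and all(32 <= b < 127 for b in raw):
            hits[s] = raw.decode("ascii")
    return hits

if __name__ == "__main__":
    decode = make_decoder(SAMPLE_ALPHABET)
    # Constructed string table: two ordinary identifiers and one encoded URL.
    table = ["onCreate", "hello world",
             encode_sample(b"http://c2.example.invalid/ab", SAMPLE_ALPHABET)]
    for obf, plain in triage(table, decode).items():
        print(obf, "->", plain)
```

The printable-ASCII filter is what keeps ordinary identifiers such as `onCreate`, which happen to use only alphabet characters, out of the results.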

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

