Android/FakeInst.B!tr
Analysis
Android/FakeInst.B!tr is a piece of malware targeting Android mobile phones.
It usually poses as an installer for well-known applications such as Opera Mini,
ICQ or Skype:
Figure 1. Installer for the Opera Mini browser.
The malware may try to look like a legitimate downloader and display an agreement message:
Figure 2. The user is shown the message "Do you agree with loading BatteryOptimizer" with the choice to click on one of two buttons named "Agree" and "Agreement".
If the user clicks on the first option ("Agree"), a list of links is displayed which may lead to downloading further packages.
Figure 3. Links from where to download packages
However, in the background, the malware receives commands from a remote server. These commands can instruct the malware to send over the list of contacts, send SMS messages, delete given SMS messages, update itself, etc.
Technical Details
Permissions required by the application:
- READ_PHONE_STATE
- ACCESS_NETWORK_STATE
- SEND_SMS
- RECEIVE_SMS
- INTERNET
- WRITE_EXTERNAL_STORAGE
- INSTALL_PACKAGES
- DELETE_PACKAGES
- READ_CONTACTS
- RECEIVE_BOOT_COMPLETED
When the malware is launched, it loads configuration settings stored in its raw resources. In particular, it reads and decrypts SMS settings from /res/raw/sms.xml. The encrypted file has the following format:
- a first byte for the length of the XOR key
- the XOR key
- the ciphertext
Once decrypted, the configuration is an XML document of this form (values partially censored):
    <?xml version="1.0" encoding="UTF-8" ?>
    <sms url="http://[CENSORED]">
      <operator name="default" code="XXX">
        <item number="3170" text="99[CENSORED] 612 Android (425) 2012-02-22 11:30:05 ope[CENSORED] y" />
      </operator>
      <operator name="megafon" code="25002">
        <item number="3150" text="99[CENSORED] 612 Android (425) 2012-02-22 11:30:05 ope[CENSORED]" />
      </operator>
      <operator name="megafonx" code="7920,7921,[CENSORED]">
        <item number="3170" text="99[CENSORED] 612 Android (425) 2012-02-22 11:30:05 ope[CENSORED]" />
      </operator>
    </sms>
The malware populates internal lists from the settings it reads.
There is a list of SMS numbers with a short code (number) and a text (message body). Those are the potential SMS messages the malware sends.
There is a list of operators. Each operator entry holds a reference to the SMS list (above) to send for that operator, the name of the operator and a list of codes (comma-separated in the XML configuration). So, the SMS messages the malware may send depend on the operator the phone uses.
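As an added illustration (not code from the page or from the malware itself), the following decoder reproduces the sms.xml layout described above and extracts the per-operator SMS lists; it assumes the XOR key is applied as a repeating stream over the ciphertext, and the sample blob is constructed here with a test key, not taken from a real sample.

```python
import xml.etree.ElementTree as ET

def decrypt_sms_config(blob: bytes) -> bytes:
    """Decode the layout [key_len][key][ciphertext] from /res/raw/sms.xml.
    Assumption: the key is reused cyclically (repeating-key XOR)."""
    if not blob:
        raise ValueError("empty blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("truncated or malformed key")
    key = blob[1:1 + key_len]
    ciphertext = blob[1 + key_len:]
    return bytes(c ^ key[i % key_len] for i, c in enumerate(ciphertext))

def parse_operators(xml_bytes: bytes) -> dict:
    """Map operator name -> {"codes": [...], "sms": [(number, text), ...]}.
    Codes are comma-separated in the XML, as on the page."""
    root = ET.fromstring(xml_bytes)
    ops = {}
    for op in root.findall("operator"):
        codes = [c.strip() for c in op.get("code", "").split(",") if c.strip()]
        sms = [(it.get("number"), it.get("text")) for it in op.findall("item")]
        ops[op.get("name")] = {"codes": codes, "sms": sms}
    return ops

def messages_for_code(ops: dict, code: str):
    """Pick the SMS list for the operator whose code list contains `code`.
    Falling back to the 'default' entry is an assumption, not page-stated."""
    for name, entry in ops.items():
        if code in entry["codes"]:
            return name, entry["sms"]
    return "default", ops.get("default", {}).get("sms", [])

# Constructed sample: same structure as the page's XML, placeholder values.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8" ?>'
    b'<sms url="http://c2.example.invalid">'
    b'<operator name="default" code="XXX"><item number="3170" text="TEST default" /></operator>'
    b'<operator name="megafon" code="25002"><item number="3150" text="TEST megafon" /></operator>'
    b'<operator name="megafonx" code="7920,7921"><item number="3170" text="TEST megafonx" /></operator>'
    b'</sms>'
)

def _encrypt(plain: bytes, key: bytes) -> bytes:
    """Inverse of decrypt_sms_config, used only to build the constructed sample."""
    return bytes([len(key)]) + key + bytes(c ^ key[i % len(key)] for i, c in enumerate(plain))

SAMPLE_BLOB = _encrypt(SAMPLE_XML, b"k3y")  # constructed test key
```

Running `parse_operators(decrypt_sms_config(SAMPLE_BLOB))` yields one entry per operator, which is the data an analyst would pull from a real sample's raw resource.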
The malware also maintains other lists:
- delete list: if the malware receives an SMS from a number in that list, it deletes the SMS.
- catch list: if the malware receives an SMS from a number in that list, it notifies a remote server over HTTP.
It gets commands from this server. Those commands are sent in XML format:
- catch number=xyz: adds a number to the catch list
- delete number=xyz: adds a number to the delete list
- command name=removeAllSmsFilter: this will clear the delete list
- command name=sendContactList: dumps the list of contacts of the phone in XML format and sends it to the remote server.
- command name=removeCurrentCatchFilter: clears the catch list
- wait seconds
- http url=URL method=GET or POST: sends an HTTP GET or POST request
- param name=xyz: when sending an HTTP message, includes this HTTP parameter in the request.
- update: updates the malware from a given URL
- screen: customizes the update screen with a given screen text and button.
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.