Threat Encyclopedia

Android/Ozotshielder.A!tr

Analysis

Android/Ozotshielder.A!tr poses as a dynamic wallpaper application.
In the background, the malware contacts a remote server, which returns SMS phone numbers and message bodies.
Additionally, the malware sends private information (victim's IMSI) and shows the capability of updating, downloading and installing further packages.
Once installed, the malware creates a log file:

/mnt/sdcard/jxlog/jxlog.txt
Then, it decrypts the asset file config.dat which contains 4 parameters:
  • ownerid (e.g. 2903)
  • pid (e.g. 427957)
  • name: application's name (e.g. Bezier curve wallpapers)
  • files
The decryption algorithm is DES-CBC, using PKCS5 padding. The key is "ijklmnop" and the init vector (IV) is "ijklmnop" too.
Then, it registers the various receivers and starts the AndroidThemeService service.
The AndroidThemeService registers receivers for SMS and MMS messages. Then, it retrieves the victim's IMSI.
After that, the malware sends SMS messages to affiliate entities, called channels. Each SMS message is sent to a channel number (ChlNumber) and its body is a channel command (ChlCommand).
Channel numbers and commands are queued in a channel information queue.
The malware processes the channel information queue and sends an SMS message to each channel in the queue. Each time an SMS message is sent, a counter, CostNumberSend, is incremented.
When the queue is empty, the malware posts a report via HTTP:
http://[CENSORED]/Service.aspx?ac=successinstall&num=X&imsi=IMSI
where X corresponds to the number of SMS messages sent (CostNumberSend) and IMSI corresponds to the victim's IMSI.
The malware uses a special User Agent, Android-Mms/2.0.
If necessary, the malware configures the phone's access points to receive MMS and SMS.
When the malware receives a first SMS message, it contacts a remote server:
http://[CENSORED]/AndroidService.aspx?imsi=IMSI&mobile=PHONENUMBER$s&pid=PID&ownerid=OWNDERID&testchlid=0&returnkey=1&busid=19&pidlist=LIST&ver=VERSION&pt=2&androidver=MODEL-RELEASE-SDK
and expects in return some DES-encrypted information (key and IV set to "1a2b3c4d"). The encrypted information contains channel numbers, channel commands and cost parameters.
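One way to look for the two HTTP requests described above in web proxy logs, as an added example that is not part of the original analysis. The tab-separated log layout, the example.test hosts and the function names are assumptions, the sample lines are constructed, and treating the User Agent as corroboration only is a choice of this example.

```python
from urllib.parse import urlsplit, parse_qs

MALWARE_UA = "Android-Mms/2.0"  # User Agent named in the analysis

# Constructed sample: tab-separated client IP, User-Agent, URL.
# Hosts and IMSI values are made up; pid/ownerid reuse the page's examples.
SAMPLE_LOG = "\n".join([
    "10.0.0.5\tAndroid-Mms/2.0\thttp://c2.example.test/Service.aspx"
    "?ac=successinstall&num=3&imsi=001010123456789",
    "10.0.0.5\tAndroid-Mms/2.0\thttp://c2.example.test/AndroidService.aspx"
    "?imsi=001010123456789&mobile=&pid=427957&ownerid=2903&testchlid=0"
    "&returnkey=1&busid=19&pidlist=&ver=1&pt=2&androidver=X-2.3-10",
    "10.0.0.9\tMozilla/5.0\thttp://shop.example.test/Service.aspx?ac=list&page=2",
    "10.0.0.7\tAndroid-Mms/2.0\thttp://mmsc.example.test/mms/wapenc",
])


def classify(url):
    """Return (kind, fields) if the URL has the shape of one of the two requests."""
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1].lower()
    q = parse_qs(parts.query, keep_blank_values=True)
    if page == "service.aspx" and q.get("ac") == ["successinstall"] \
            and {"num", "imsi"} <= q.keys():
        return "sms_report", {"imsi": q["imsi"][0], "sms_sent": q["num"][0]}
    if page == "androidservice.aspx" \
            and {"imsi", "pid", "ownerid", "returnkey"} <= q.keys():
        return "channel_fetch", {"imsi": q["imsi"][0], "pid": q["pid"][0],
                                 "ownerid": q["ownerid"][0]}
    return None, {}


def scan(log_text):
    """Flag log lines whose URL matches; the User Agent is only corroboration."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # skip malformed lines
        client, agent, url = fields
        kind, info = classify(url)
        if kind:
            hits.append({"client": client, "kind": kind,
                         "ua_match": agent == MALWARE_UA, **info})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit exposes the IMSI the device reported, so the affected subscriber can be identified from the log alone.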
The malware also maintains a settings file in which it stores various information such as:
  • RunSmsReceiver: if the SMS receiver has been started
  • sharesmsc: SMS Center
  • shareimsi: victim's IMSI

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.