Android/EWalls.A!tr.spy

Analysis

Android/EWalls.A!tr.spy poses as a wallpaper application for Android mobile phones. Yet, in the background, it sends a great deal of information over HTTP. This information concerns the phone (build, manufacturer, version, etc.), but unfortunately also includes more private information such as the victim's phone number or IMSI.
The malware also reports back to the developer's website which wallpaper is selected.
All this information is sent over HTTP without the victim's consent. Depending on the victim's subscription, this may also result in financial loss.

Figure 1. Android/EWalls.A!tr.spy installed on the phone. Icon bottom left.


Technical Details

When the malware is launched, a class named Main is called. The malware retrieves the phone's IMEI, creates a shared preferences file on the phone, and starts a 'SyncDeviceInfosService' service.
The rest of the Main class handles the GUI of the application: creating an options menu, displaying a help web page, and sending feedback to the author.
The SyncDeviceInfosService service has a single task: retrieve a large amount of device information and POST it to a remote web server, along with the phone's IMEI:
http://[CENSORED]t.us/api/wallpapers/log/device_info?ss=ss
The HTTP POST contains two parameters:
  1. uniquely_code: which contains the IMEI of the phone
  2. device_info: a string which concatenates device information
The device information collected is extensive. The malware gathers the following:
  • IMEI
  • IMSI
  • phone number
  • network country iso name
  • network type, phone type
  • SIM operator, SIM country iso
  • device software version
  • board name
  • phone's brand
  • CPU ABI
  • device name
  • display
  • phone's build fingerprint
  • manufacturer
  • product name
  • tags
  • build time, user, type, host and id
  • version release
  • version SDK
  • version's codename
  • version's incremental number
  • screen's density
  • screen's dpi
  • MCC and MNC parts of the IMSI
  • total memory
  • height, and width pixels
  • ...
Whenever the victim sets a new wallpaper, the wallpaper is downloaded from the Internet and stored on the SD card. Then the malware sends an HTTP request to:
http://[CENSORED]t.us/api/wallpapers/photos/feedback
with the victim's IMEI and the keyword "set" as arguments.
Logs are written to /sdcard/ewallpapers/space.
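The two HTTP requests described above (the device_info POST carrying the IMEI in the uniquely_code parameter, and the wallpaper "set" feedback request) give a network-level detection hook. The following script is an added example, not part of this analysis and not a Fortinet tool: it scans HTTP proxy log lines for POSTs to the two URL paths and checks whether uniquely_code carries a 15-digit IMEI-like value. The log format, the host name example-censored.test, the sample IMEI and the parameter name action=set on the feedback request are all constructed assumptions; the write-up censors the real host and does not name the feedback request's parameters, so matching keys on the path alone.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL paths the analysis attributes to Android/EWalls.A!tr.spy. The host is
# censored in the write-up, so detection keys on the path only.
EWALLS_PATHS = {
    "/api/wallpapers/log/device_info": "device info exfiltration",
    "/api/wallpapers/photos/feedback": "wallpaper-set beacon",
}

# POST parameter named in the analysis; an IMEI is 15 decimal digits.
IMEI_PARAM = "uniquely_code"
IMEI_RE = re.compile(r"^\d{15}$")

# Constructed proxy log format (an assumption, not a real product's format):
# "<timestamp> <client-ip> <method> <url> <status> body=<urlencoded-body>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>.*))?$"
)


def inspect_line(line):
    """Return a finding dict for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    label = EWALLS_PATHS.get(parts.path)
    if label is None:
        return None
    # Collect parameters from both the query string and the POST body,
    # since the analysis shows a query string (?ss=ss) plus body parameters.
    params = parse_qs(parts.query)
    if m.group("body"):
        for key, values in parse_qs(m.group("body")).items():
            params.setdefault(key, []).extend(values)
    imei_seen = any(IMEI_RE.match(v) for v in params.get(IMEI_PARAM, []))
    return {
        "client": m.group("client"),
        "host": parts.hostname,
        "path": parts.path,
        "label": label,
        "imei_seen": imei_seen,
    }


def scan_log(lines):
    """Scan an iterable of log lines and return the list of findings."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample traffic: two requests matching the malware's pattern
# and two benign ones. The IMEI value and hosts are made up.
SAMPLE_LOG = [
    "2019-04-12T10:01:03Z 10.0.0.7 POST http://example-censored.test/api/wallpapers/log/device_info?ss=ss 200 "
    "body=uniquely_code=352099001761481&device_info=board%3Dgoldfish%3Bbrand%3Dgeneric",
    "2019-04-12T10:01:09Z 10.0.0.7 GET http://cdn.example.test/img/wallpaper42.jpg 200",
    "2019-04-12T10:02:41Z 10.0.0.7 POST http://example-censored.test/api/wallpapers/photos/feedback 200 "
    "body=uniquely_code=352099001761481&action=set",
    "2019-04-12T10:03:00Z 10.0.0.9 POST http://api.example.test/v1/login 200 body=user=alice",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}{f['path']}: {f['label']} "
              f"(IMEI-like uniquely_code present: {f['imei_seen']})")
```

Because the IMEI check is separate from the path match, a hit on the path alone still surfaces as a finding; the imei_seen flag is what distinguishes a confirmed identifier leak from a request that merely resembles the malware's URL layout.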

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date        Version    Detail
2019-04-12  67.75300