Threat Encyclopedia

Android/FakeDoc.A!tr

Analysis

Android/FakeDoc.A!tr is a trojan targeting Android mobile phones. It steals information from the victim and sends it back to a remote server.
This trojan disguises itself as a legitimate battery booster application called "Android Battery Doctor" on Android Market.
The application may show many ad popups.
Visiting the application's website automatically downloads the application.


Technical Details


When visiting the application's website, the user will see this banner:

Figure 1. The banner displayed on the application's website.
However, the application has already been downloaded automatically. When the user checks the notifications by dragging the icon in the top-left corner and selects the battery update, the following screen appears:

Figure 2. The screen looks like a legitimate update notification.
This could lure the user into thinking the phone received a legitimate update.
During installation, the application asks for access to the user's Google Mail account. This access is used to harvest information from the user's email account.

Figure 3. Application asking for email access.
Upon installation, the application asks for the following permissions:

Figures 4 and 5. Application permissions.
When launched, the application looks like this:

Figure 6. Application main screen.
It shows information about the battery and running applications on the device. It also shows a pie chart of storage space, which is not really relevant for a power consumption application, and the color schemes are odd (i.e., red for free storage space).
Upon execution, and invisibly to the victim, the application tries to make HTTP requests to http://lp.mob****eze.com/Ad. This website has been reported to be engaged in the distribution of malware.
It will try to display ads from lp.mob****eze.com, whether the application is running or not. This is done through a service it installs called PushService.
It attempts to send the following information to push.mob****eze.com every 4 hours:
  • Screen size
  • Version of the OS
  • Version of the browser
  • Name and version of the trojan
  • Name of Ad campaign
  • Device manufacturer and model
  • Network name
  • Device location
  • IMEI
  • Phone number
  • API key
This is done through a service it installed called NotifAdSDK.
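The 4-hour reporting interval is a usable network detection signal. The following is an added example, not part of the original analysis: it flags client/host pairs in proxy logs whose requests recur on a 4-hour schedule. The log format, the host name `push.example.invalid` (a placeholder for the redacted reporting host), the request method and path, and the tolerance and evidence thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERIOD = timedelta(hours=4)        # reporting interval stated in the write-up
TOLERANCE = timedelta(minutes=10)  # assumption: allowance for scheduling jitter
MIN_GAPS = 3                       # assumption: evidence required before flagging

# Constructed proxy log lines: "timestamp client method host path".
# push.example.invalid is a placeholder for the redacted reporting host.
SAMPLE_LOG = """\
2012-03-01T00:02:11 10.0.0.21 POST push.example.invalid /report
2012-03-01T04:02:30 10.0.0.21 POST push.example.invalid /report
2012-03-01T08:03:02 10.0.0.21 POST push.example.invalid /report
2012-03-01T09:40:00 10.0.0.34 GET news.example.invalid /index
2012-03-01T12:20:00 10.0.0.34 GET news.example.invalid /index
2012-03-01T13:05:00 10.0.0.34 GET news.example.invalid /index
2012-03-01T13:50:00 10.0.0.34 GET news.example.invalid /index
2012-03-01T16:02:20 10.0.0.21 POST push.example.invalid /report
truncated line
"""

def parse(log_text):
    """Yield (timestamp, client, host) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3]
        except ValueError:
            continue

def on_schedule(gap, period=PERIOD, tolerance=TOLERANCE):
    """True if gap is close to 1x, 2x, ... the period (a sleeping device skips slots)."""
    slots = round(gap / period)
    return slots >= 1 and abs(gap - slots * period) <= tolerance

def find_beacons(log_text):
    """Return sorted (client, host) pairs whose every request gap is on schedule."""
    seen = defaultdict(list)
    for ts, client, host in parse(log_text):
        seen[(client, host)].append(ts)
    flagged = []
    for pair, stamps in seen.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if len(gaps) >= MIN_GAPS and all(on_schedule(g) for g in gaps):
            flagged.append(pair)
    return sorted(flagged)
```

In the constructed sample the 12:00 check-in is missing, so the last gap is about 8 hours; it still counts as on schedule because it is a whole multiple of the period.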
The application also tries to gather information about the Google account.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.