Riskware/Sheriff!Android

Analysis

Riskware/Sheriff!Android is a potentially unwanted application for mobile phones running Android.
The application detects changes in the location of the phone it runs on, or changes in the sounds surrounding the phone. When a sudden change of location or sound is detected, the application plays a loud alarm. It is therefore typically meant to deter car or phone theft (in that case, the application detects a sudden change of location) or to react to abnormal sounds around the phone.
While such usage is not reprehensible, the application also embeds a stealth mode that can be used against the owner of the phone. In that case, an attacker/spy installs the application on the victim's phone and enables stealth mode (see Figure 2).

Figure 2. Stealth mode enabled.
In stealth mode, when a sudden change of location or sound is detected, the application does nothing visible or audible, but silently sends an SMS message to a configured phone number. If that phone number is the spy's, the spy is warned that the victim/target has moved.
Due to the implementation of the Sheriff application, the attack is however limited by the following constraints:

  • the attacker must have physical access to the victim's phone, or must persuade the victim to install the application.
  • the application is not particularly hidden from the Application Panel. Additionally, a widget is added to the Android desktop. If the owner of the phone notices it, he/she is likely to be alerted and remove the application, and the attack will fail.
  • the application does not usually report its location by SMS, which is a limitation for the spy. However, if the phone is powered off and then powered on in a different location, the application sends an SMS message stating how far it is from the previous location. This may be useful for the spy to locate the phone (and potentially its owner).
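The capability profile described above (a sensor trigger, location or microphone, paired with an SMS channel that can report silently) is what an analyst would look for when triaging similar apps. The following added example, which is not code from the Fortinet entry or from the Sheriff application, encodes that profile as a manifest-permission heuristic; the sample manifests are constructed and the package names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission groups matching the behaviour described for Sheriff:
# location-change detection, ambient-sound detection, SMS reporting.
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
AUDIO = {"android.permission.RECORD_AUDIO"}
SMS = {"android.permission.SEND_SMS"}
# Assumed indicator: reporting after a power cycle implies a boot receiver.
BOOT = {"android.permission.RECEIVE_BOOT_COMPLETED"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def sheriff_like_profile(manifest_xml: str) -> dict:
    """Flag a manifest for review when a sensor trigger is paired with SMS."""
    perms = declared_permissions(manifest_xml)
    has_location = bool(perms & LOCATION)
    has_audio = bool(perms & AUDIO)
    has_sms = bool(perms & SMS)
    return {
        "location": has_location,
        "audio": has_audio,
        "sms": has_sms,
        "boot_receiver": bool(perms & BOOT),
        # Review flag: silent reporting needs SMS plus at least one trigger.
        "flag": has_sms and (has_location or has_audio),
    }


# Constructed sample: alarm-style app with location + microphone + SMS.
SUSPECT_MANIFEST = """<manifest xmlns:android="%s" package="com.example.alarm">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>""" % ANDROID_NS

# Constructed sample: a plain navigation app, location only.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.maps">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    print(sheriff_like_profile(SUSPECT_MANIFEST))
    print(sheriff_like_profile(BENIGN_MANIFEST))
```

The heuristic is a triage aid only; a declared permission shows capability, not the stealth behaviour itself, so flagged apps still need manual review.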

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extended
FortiClient                 Extreme
FortiAPS
FortiAPU
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date          Version     Detail
2023-01-19    90.09794