Android/Foncy.A!tr

Analysis

Android/Foncy.A!tr is a trojan for Android mobile phones.
It poses as a plan tracking application to help users better manage voice, text and data usage to avoid overage.
The malware's name mimics a legitimate and genuine application found in the Android Market and named "Track Your Plan". Unlike the legitimate application, the malware does not track your plan, but sends SMS messages to short numbers.
The malware has been reported on file hosting web servers.


Technical Details


Once installed, an icon called "SuiConFo" (SUIvi CONsommation FOrfait, French for "Track Your Plan") appears in the launcher menu.

Figure 1. The application's icon in the launcher menu.
When the user launches the application, however, the message "ERROR: Android version is not compatible" is displayed, and nothing else happens...

Figure 2. The error displayed when the application is launched.
Nothing visible to the user, that is. As soon as the message is displayed, the application retrieves the device's SIM country code. Then, depending on the country, the application will send 4 SMS messages to premium numbers:
  • France: "STAR" to 81***. In France, each SMS costs 4.50 euros
  • Belgium: "GA SP" to 99**
  • Switzerland: "GEHEN SP 300" to 54*
  • Luxembourg: "ACCESS SP" to 64***
  • Germany: "SP 462" to 63***
  • Spain: "GOLD" to 35***
  • United Kingdom: "SP2" to 60***

There is also a premium number for Canada (60***), but the author made an error in the code, and the sending will fail.
Upon receiving an SMS message from any of those premium numbers, the application stores the message body and deletes the SMS message so that the user never sees it. The stored body is then sent to a French mobile number:
  • 06******64
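The two behaviours described above leave a recognisable pattern in a device's SMS history: a burst of outgoing messages to premium short numbers right after launch, followed by an incoming reply from such a number whose body is re-sent verbatim to an ordinary mobile number. The following script, added here as an illustration and not part of the original report or of the malware, runs those two heuristics over a small constructed SMS log. The short code 81234, the mobile number 0600000064 (a placeholder for the masked 06******64), the timestamps and the message bodies are all made up for the example.

```python
"""Heuristic review of an Android SMS log for premium-SMS fraud behaviour:
a burst of outgoing SMS to short numbers, and incoming short-number replies
forwarded verbatim to a normal mobile number shortly afterwards.
All numbers and log rows below are constructed for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: (timestamp, direction, peer number, body).
SAMPLE_LOG = [
    ("2011-11-21 10:00:00", "out", "81234", "STAR"),  # constructed short code
    ("2011-11-21 10:00:01", "out", "81234", "STAR"),
    ("2011-11-21 10:00:02", "out", "81234", "STAR"),
    ("2011-11-21 10:00:03", "out", "81234", "STAR"),
    ("2011-11-21 10:00:09", "in", "81234", "Subscription STAR active. Ref 4G7H"),
    # placeholder for the masked 06******64 destination in the report
    ("2011-11-21 10:00:10", "out", "0600000064", "Subscription STAR active. Ref 4G7H"),
    ("2011-11-21 10:15:00", "in", "36665", "Your verification code is 123456"),  # benign
    ("2011-11-21 10:20:00", "out", "0612345678", "See you at 8"),  # benign
]

# The premium numbers in the report are 3 to 5 digits long (81***, 99**, 54*).
SHORT_CODE = re.compile(r"\d{3,5}")


@dataclass
class Sms:
    ts: datetime
    direction: str  # "in" or "out"
    peer: str       # the other party's number
    body: str


def parse_log(rows: List[Tuple[str, str, str, str]]) -> List[Sms]:
    """Turn raw (timestamp, direction, peer, body) tuples into Sms records."""
    return [Sms(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), d, peer, body)
            for ts, d, peer, body in rows]


def short_code_bursts(msgs: List[Sms], window: timedelta = timedelta(seconds=30),
                      threshold: int = 3) -> List[List[Sms]]:
    """Return runs of at least `threshold` outgoing SMS to short numbers that
    all fall within `window` of the first message of the run."""
    outs = sorted((m for m in msgs if m.direction == "out" and SHORT_CODE.fullmatch(m.peer)),
                  key=lambda m: m.ts)
    bursts, i = [], 0
    while i < len(outs):
        j = i
        while j + 1 < len(outs) and outs[j + 1].ts - outs[i].ts <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append(outs[i:j + 1])
            i = j + 1  # continue after the burst
        else:
            i += 1
    return bursts


def forwarded_replies(msgs: List[Sms], window: timedelta = timedelta(minutes=5)) -> List[Tuple[Sms, Sms]]:
    """Pair each incoming SMS from a short number with a later outgoing SMS to a
    non-short number whose body contains the incoming body verbatim."""
    incoming = [m for m in msgs if m.direction == "in" and SHORT_CODE.fullmatch(m.peer)]
    outgoing = [m for m in msgs if m.direction == "out" and not SHORT_CODE.fullmatch(m.peer)]
    pairs = []
    for inc in incoming:
        for out in outgoing:
            if timedelta(0) <= out.ts - inc.ts <= window and inc.body and inc.body in out.body:
                pairs.append((inc, out))
    return pairs


def summarize(rows: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Run both heuristics over a raw log and report how many hits each produced."""
    msgs = parse_log(rows)
    return {
        "short_code_bursts": len(short_code_bursts(msgs)),
        "forwarded_replies": len(forwarded_replies(msgs)),
    }


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for burst in short_code_bursts(records):
        print(f"burst of {len(burst)} SMS to {burst[0].peer} starting {burst[0].ts}")
    for inc, out in forwarded_replies(records):
        print(f"reply from {inc.peer} forwarded to {out.peer} after {out.ts - inc.ts}")
```

On the constructed log the script reports one burst of four messages to 81234 and one reply from 81234 forwarded to 0600000064 one second later; the benign verification code from 36665 and the ordinary outgoing message are not flagged. The thresholds are starting points, not calibrated values: legitimate apps do send single messages to short numbers, which is why the burst rule requires several in a short window and the forwarding rule requires the body to reappear verbatim.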

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-03-06 91.01181
2022-06-01 90.02827
2021-05-22 86.00352
2021-02-10 83.93700
2021-01-27 83.60100
2020-02-05 75.04300
2020-01-24 74.77000