Mobile Virus

Android/Fjcon.A!tr

Analysis

Android/Fjcon.A!tr is a Trojan for Android mobile phones. It has been found embedded in a 3D marble puzzle game named Colorix (see below).

The malware contacts a remote C&C server, from which it receives two sorts of commands:

  • commands to send SMS: the server specifies a list of numbers to send SMS to. Those numbers are typically service providers the malware subscribes to without the victim's consent.
  • commands to install packages: the server specifies packages that the malware automatically downloads and installs, without the victim's consent.
To conceal its activity, the malware can automatically delete specific alert SMS messages that may come from the operator.
This malware particularly targets end-users located in China who use the China Mobile operator and devices running a custom ROM.

Technical Details


The malicious part of the package is contained in the path com.nl, and consists of two main classes:
  • MyService: a (malicious) service which runs in the background once the application has been launched or at system reboot.
    The service starts a thread that polls a remote web site:
    http://[CENSORED]73:9903/fjcon/fjRece
    
    Then, it reads the XML answer, which is encrypted with the AES algorithm. The encryption key is generated by a PRNG seeded with the constant string "125", so the same key is derived on every run.
    In particular, the XML answer contains a list of SMS messages, SMS destination numbers and province codes (separated by commas).
    If the infected device is in a Chinese province listed in the XML answer, the malware sends an SMS with the corresponding message to the corresponding destination. If the message is too long, it is split into several SMS messages.
  • MyReceiver: this is a malicious receiver class that handles BOOT_COMPLETED, SMS_SENT, DATE_CHANGED, SMS_RECEIVED and other messages.
    For BOOT_COMPLETED (the phone has been rebooted), the receiver starts the service.
    For SMS_SENT, the receiver sets the shared-preferences parameter "sent" to true. This is used internally by the malware.
    For DATE_CHANGED, the receiver resets "sent" to false. It also commits the date to the shared-preferences file. It then makes sure the MyService service is started.
    The mechanisms implemented for SMS_SENT/DATE_CHANGED ensure the malicious service is run regularly.
    For SMS_RECEIVED, the malware gets the incoming SMS. If the SMS meets one of the following conditions, it is trashed (abortBroadcast):
    • SMS comes from 10658166 (legit China Mobile service reminding end-users of their subscriptions)
    • SMS body contains value: 83589523.
    • SMS body contains string "customer service phone" - in Chinese
    • SMS body contains string "Yuan / article" - in Chinese
    • SMS body contains string "RMB / time" - in Chinese
    • etc
    This filter is designed to conceal SMS messages that might help the victim notice that the device is infected and is sending SMS messages to service providers.
    After this filtering, if the SMS comes from a number listed in the C&C's answer (sendnumber field), the malware replies by SMS to that number with a specific reply code that depends on the number.
    For example, say the malware authors are interested in number 123. They configure the C&C to reply that 123 is interesting and that the corresponding reply code is A23B (for instance). Then, when the victim receives an SMS from 123, the malware automatically replies to 123 with the message "A23B".
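    Added example (not from the Fortinet write-up and not the malware's own code): a Python decoder that models the decision logic described above for MyService and MyReceiver, so an analyst can predict from a recovered C&C reply what a device in a given province would be instructed to do. The element and attribute names (task, provinces, number, text, reply, sendnumber, code), the sample values and the 70-character segment size are assumptions; the write-up gives neither the real schema nor the split length.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply. The element/attribute names are assumed: the write-up
# only says the reply lists messages, destination numbers and comma-separated
# province codes, plus a "sendnumber" field for the auto-reply logic.
SAMPLE_REPLY = """<fjcon>
  <task provinces="11,31" number="10699999" text="constructed test message one" />
  <task provinces="44" number="10698888" text="constructed test message two" />
  <reply sendnumber="123" code="A23B" />
  <reply sendnumber="456" code="C7" />
</fjcon>"""

SMS_MAX_CHARS = 70  # assumption: the write-up says "too long" without giving a length


def split_sms(text, max_chars=SMS_MAX_CHARS):
    """Split a message into fixed-size segments, as the write-up says the malware does."""
    return [text[i:i + max_chars] for i in range(0, len(text), max_chars)] or [""]


def tasks_for_province(xml_text, province_code):
    """Return (destination number, [segments]) for each task that targets province_code."""
    root = ET.fromstring(xml_text)
    matched = []
    for task in root.findall("task"):
        provinces = {p.strip() for p in task.get("provinces", "").split(",") if p.strip()}
        if province_code in provinces:
            matched.append((task.get("number"), split_sms(task.get("text", ""))))
    return matched


def auto_reply_table(xml_text):
    """Map sender number -> reply code: the lookup MyReceiver applies on SMS_RECEIVED."""
    root = ET.fromstring(xml_text)
    return {r.get("sendnumber"): r.get("code") for r in root.findall("reply")}


def summarize(xml_text, province_code):
    """Analyst summary of what a device reporting province_code would be told to do."""
    lines = [f"send {len(segs)} SMS segment(s) to {num}"
             for num, segs in tasks_for_province(xml_text, province_code)]
    lines += [f"on SMS from {sender}: auto-reply with '{code}'"
              for sender, code in auto_reply_table(xml_text).items()]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPLY, "31")))
```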
The malware also has the capability to download and install Android packages, although exactly how this action is triggered is not clear yet.
Apparently, the C&C can also reply with an XML message to download, install and open packages. The XML message of the C&C contains the name of the package, the name of the activity to start and the URL to download the package from.
When the C&C requests installation of packages, the download and installation is done silently provided the malware runs on a device with a custom ROM signed by the AOSP key.
Silent installation of packages requires the INSTALL_PACKAGES permission on Android. Normally, this permission cannot be granted to a standard application; it is only granted to a system application that has been signed with the device's platform key or included directly in the device's firmware.
However, technically inclined Android users sometimes install custom versions of Android on their phones to enhance one feature or another. For simplicity, those custom versions are often signed with the publicly available private key of the Android Open Source Project (AOSP). Consequently, any application signed with this key is treated as a system application on such custom ROMs, and if it requests special permissions such as INSTALL_PACKAGES, they are granted - so the application ends up with the right to silently install other applications.
This technique has already been used by other malware, such as Android/JSmsHider.
Once the application is downloaded, it is installed using the command:
pm install -r package
The malware has threads that ensure that the following common (and legitimate) applications (if present) are launched:
  • com.ganji.android
  • com.taobao.mobile.dipei: this is a lifestyle tool to find restaurants and recreation areas in China
  • com.kandian.hdtogoapp: a video downloading tool for Chinese movies and TV programs
  • com.tencent.mtt: QQ browser
  • com.tencent.qqpimsecure: QQ instant messaging application
  • com.renren.mobile.android: a Chinese social networking application
  • com.uc.browser: UC browser
The malware also starts the application it has downloaded and silently installed.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.