Analysis
Android/Fjcon.A!tr is a Trojan for Android mobile phones. It has been found parasitizing a 3D marble puzzle game named Colorix (see below).
The malware contacts a remote C&C server, from which it receives two kinds of commands:
- commands to send SMS: the server specifies a list of numbers to send SMS to. Those numbers are typically premium-rate service numbers that the malware subscribes the victim to without consent.
- commands to install packages: the malware downloads and installs those packages automatically, without the victim's consent.
This malware particularly targets end-users located in China who are China Mobile subscribers and whose devices run a custom ROM.
The malicious part of the package is contained in the package com.nl and consists of two main classes:
- MyService: a (malicious) service which runs in the background once the application has been launched or after a system reboot.
The service starts a thread that polls a remote web site and parses its XML answer.
In particular, the XML answer contains a list of SMS messages, SMS destination numbers and province codes (separated by commas).
If the infected device is located in a Chinese province listed in the XML answer, the malware sends the corresponding message to the corresponding destination number. If the message is too long for a single SMS, it is split into several SMS messages.
- MyReceiver: a malicious broadcast receiver class that handles BOOT_COMPLETED, SMS_SENT, DATE_CHANGED, SMS_RECEIVED and other intents.
For BOOT_COMPLETED (the phone has been rebooted), the receiver starts the service.
For SMS_SENT, the receiver sets the shared preferences parameter "sent" to true. This value is used internally by the malware.
For DATE_CHANGED, the receiver resets "sent" to false. It also commits the current date to the shared preferences file, then makes sure the MyService service is started.
The SMS_SENT/DATE_CHANGED mechanism ensures the malicious service is run regularly.
For SMS_RECEIVED, the malware reads the incoming SMS. If the SMS meets one of the following conditions, it is discarded with abortBroadcast(), so that the default messaging application never shows it to the victim:
- SMS comes from 10658166 (legit China Mobile service reminding end-users of their subscriptions)
- SMS body contains value: 83589523.
- SMS body contains string "customer service phone" - in Chinese
- SMS body contains string "Yuan / article" - in Chinese
- SMS body contains string "RMB / time" - in Chinese
Once that filtering is done, if the SMS comes from a number listed in the C&C's answer (sendnumber field), the malware replies by SMS to that number with a specific reply code that depends on the number.
For example, let's say the malware authors are interested by number 123. They configure the C&C to reply that 123 is interesting, and that the corresponding reply code is A23B (for instance). Then, when the victim receives a SMS from 123 the malware automatically replies back to 123 with message "A23B".
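The following Python model, added here as an illustration and not taken from the malware or from Fortinet's analysis, puts together the two SMS behaviours described above: the province-gated sending tasks (with long messages split the way Android's SmsManager.divideMessage() does, simplified to an "all ASCII means 7-bit" check) and the incoming-SMS filter with its sendnumber reply table. The page only names the sendnumber field; every other XML element and attribute name, the sample numbers and the sample province codes are assumptions, and the English keyword renderings stand in for the Chinese strings the real sample matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample C&C answer. "sendnumber" is the one field the page names;
# every other element and attribute name here is an assumption.
SAMPLE_XML = f"""<response>
  <sms number="1066001234" province="11,31" body="DX#1001"/>
  <sms number="1066005678" province="44" body="{'A' * 200}"/>
  <reply sendnumber="10690001" code="A23B"/>
  <reply sendnumber="10690002" code="Y"/>
</response>"""

# Incoming-SMS filters from the description above. The real sample matches the
# Chinese originals; substitute them here if you have the decoded strings.
BLOCKED_SENDERS = {"10658166"}
BLOCKED_KEYWORDS = ("83589523", "customer service phone", "Yuan / article", "RMB / time")


def parse_answer(xml_text):
    """Return (sms_tasks, reply_codes) from a C&C answer."""
    root = ET.fromstring(xml_text)
    tasks = []
    for el in root.findall("sms"):
        tasks.append({
            "number": el.get("number"),
            "provinces": {p.strip() for p in el.get("province", "").split(",") if p.strip()},
            "body": el.get("body", ""),
        })
    replies = {el.get("sendnumber"): el.get("code") for el in root.findall("reply")}
    return tasks, replies


def divide_message(body):
    """Split like SmsManager.divideMessage(): 160 chars single / 153 per part for
    7-bit text, 70 / 67 for UCS-2 (the alphabet check is simplified to isascii)."""
    single, part = (160, 153) if body.isascii() else (70, 67)
    if len(body) <= single:
        return [body]
    return [body[i:i + part] for i in range(0, len(body), part)]


def outgoing_sms(tasks, device_province):
    """(destination, text) pairs the service would send from this province."""
    out = []
    for t in tasks:
        if device_province in t["provinces"]:
            out.extend((t["number"], piece) for piece in divide_message(t["body"]))
    return out


def handle_incoming(sender, body, replies,
                    blocked_senders=BLOCKED_SENDERS, blocked_keywords=BLOCKED_KEYWORDS):
    """Mimic MyReceiver on SMS_RECEIVED: ('abort',) when the broadcast is swallowed,
    ('reply', number, code) on a sendnumber match, ('pass',) otherwise."""
    if sender in blocked_senders or any(k in body for k in blocked_keywords):
        return ("abort",)
    if sender in replies:
        return ("reply", sender, replies[sender])
    return ("pass",)


if __name__ == "__main__":
    tasks, replies = parse_answer(SAMPLE_XML)
    for dst, text in outgoing_sms(tasks, "44"):
        print(f"would send {len(text)} chars to {dst}")
    print(handle_incoming("10690001", "balance notice", replies))
```

Run against a decoded C&C answer and the victim's province code, the model lists exactly which premium numbers get which messages, which is what you need when estimating the financial impact of an infection; the filter half shows why the victim never sees the operator's subscription reminder from 10658166.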
Apparently, the C&C can also reply with an XML message instructing the malware to download, install and open packages. This XML message contains the name of the package, the name of the activity to start and the URL to download the package from.
When the C&C requests installation of packages, the download and installation are done silently, provided the malware runs on a device with a custom ROM signed with the AOSP test keys.
As a matter of fact, silent installation of packages requires the INSTALL_PACKAGES permission on Android. This permission has a signature-or-system protection level: it is not grantable to a standard application, and can only be granted to an application signed with the device's platform key or shipped in the device's firmware.
However, technically inclined end-users sometimes install custom versions of Android on their phones to enhance this or that feature. For simplicity, those custom ROMs are often signed with the AOSP test keys, whose private keys are publicly available in the Android Open Source Project source tree. Consequently, on such a ROM, any application signed with the same test key is considered a system application: if it requests a signature-level permission such as INSTALL_PACKAGES, the permission is granted, and the application ends up with the right to silently install other applications.
This technique has already been used by other malware, such as Android/JSmsHider.
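A practical way to check whether a given device is exposed to this trick is to compare the signing certificate of the suspect APK with the one used for the ROM's own framework (framework-res.apk is signed with the platform key) and to look at ro.build.tags, which custom ROMs signed with the AOSP test keys report as test-keys. The script below is an added example, not part of Fortinet's analysis or of any Android tool; it parses the real output format of `apksigner verify --print-certs`, but the embedded sample outputs, the certificate DNs and the digests are constructed placeholders, not real key fingerprints.

```python
import re
import subprocess

# Placeholder digest for the constructed samples below (not a real key fingerprint).
PLACEHOLDER_SHA256 = ("1e2d3c4b5a697887" "96a5b4c3d2e1f001"
                      "1223344556677889" "9aabbccddeeff001")

# Constructed sample outputs in the format printed by `apksigner verify --print-certs`.
SAMPLE_FRAMEWORK_CERTS = f"""Signer #1 certificate DN: CN=Example ROM, O=Example
Signer #1 certificate SHA-256 digest: {PLACEHOLDER_SHA256}
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""
# Same signing key as the framework, different subject: the situation described above.
SAMPLE_APP_CERTS = SAMPLE_FRAMEWORK_CERTS.replace("CN=Example ROM, O=Example",
                                                  "CN=Colorix, O=Unknown")

SHA256_LINE = re.compile(r"^Signer #1 certificate SHA-256 digest: ([0-9a-f]{64})$", re.M)


def signer_sha256(print_certs_output):
    """SHA-256 digest of the first signer certificate, or None if not found."""
    m = SHA256_LINE.search(print_certs_output)
    return m.group(1) if m else None


def assess(app_certs, framework_certs, build_tags):
    """Decide whether the app shares the ROM's platform key (and so would be granted
    signature-level permissions such as INSTALL_PACKAGES) and whether the ROM
    advertises a test-keys build."""
    app, platform = signer_sha256(app_certs), signer_sha256(framework_certs)
    return {
        "app_signer": app,
        "platform_signer": platform,
        "shares_platform_key": app is not None and app == platform,
        "test_keys_build": "test-keys" in build_tags,
    }


def apksigner_print_certs(apk_path):
    """Run the real tool (requires apksigner from the Android build-tools on PATH)."""
    return subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True, check=True).stdout


def device_build_tags():
    """ro.build.tags of the attached device via adb."""
    return subprocess.run(["adb", "shell", "getprop", "ro.build.tags"],
                          capture_output=True, text=True, check=True).stdout.strip()


if __name__ == "__main__":
    import sys
    suspect_apk = sys.argv[1]
    subprocess.run(["adb", "pull", "/system/framework/framework-res.apk",
                    "framework-res.apk"], check=True)
    print(assess(apksigner_print_certs(suspect_apk),
                 apksigner_print_certs("framework-res.apk"),
                 device_build_tags()))
```

If shares_platform_key comes back true for an application that is not part of the firmware, every signature-level permission it declares in its manifest is live on that device, which is exactly the condition this Trojan relies on for silent installs.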
Once the application is downloaded, it is installed using the command:
pm install -r package
The malware has threads that ensure that the following common (and legitimate) applications, if present, are launched:
- com.taobao.mobile.dipei: this is a lifestyle tool to find restaurants and recreation areas in China
- com.kandian.hdtogoapp: a video downloading tool for Chinese movies and TV programs
- com.tencent.mtt: QQ browser
- com.tencent.qqpimsecure: Tencent's mobile security application (QQ Mobile Manager)
- com.renren.mobile.android: a Chinese social networking application
- com.uc.browser: UC browser
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.