virus logo Mobile Virus

Android/NotCompatible.A!tr.bdr

description-logoAnalysis

Android/NotCompatible.A!tr.bdr is a trojan targetting Android mobile phones.
It disguises as a legitimate security update when victims visit compromised websites, triggering a drive-by download.
It communicates with a remote C&C server which will send commands allowing a remote attacker to use the device as a proxy server to gain access to private networks.

Technical Details


Android/NotCompatible.A!tr.bdr is downloaded on the victim's mobile phone when he/she visits a compromised website containing a malicious iframe redirecting the Android phone to either:
  • http://gao[REMOVED].info/[REMOVED]
  • http://android[REMOVED].info/fix1.php

After download, a notification will be displayed, trying to lure the victim into thinking they need to install a security update.
However, the installation will only complete if the victim has:
Settings -> Applications -> Unknown sources set to enabled.

Figure 1: Unknown sources option checked.
The trojan asks for the following permissions:

Figure 2: Permissions.
This will enable the trojan to be run each time the device is started.
The trojan installs and runs a service called SecurityUpdateService.
The service first tries to decrypt an AES encypted file using the SHA-256 hash of the hard-coded string "ZTY4MGE5YQo". The file is located in the ressources folder of the application: /res/raw/data.
The file contains 2 remote server URLs:
  • not[REMOVED]app.eu:8014
  • 3na[REMOVED].ru:8014
The trojan and the C&C server communicate with customized packets of data which are arrays of bytes. The sent commands allow the device to execute the following orders:
  • connectProxy: Get the IP address and port and tries to open a connection, will redirect traffic to that host
  • newServer: Modify the AES encrypted data file with a new C&C URL
  • sendError: Send a custom packet when the command is not valid
  • sendPong: Send a custom packet to reply to the server's "ping". It is used to test connectivity on the device.
  • shutdownChanal: Closes a specific connection with a remote host

recommended-action-logoRecommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

ID 3940655
Released Jun 12, 2012
Description
Updated		 Jun 15, 2012
Aliases Kaspersky: Backdoor.AndroidOS.Nisev.a, Sophos: Andr/Notcom-A.
Platform Profile Android platform
Profile Type Trojan Backdoor (tr.bdr)