Android/Fakemart.A!tr

Analysis

Android/Fakemart.A!tr is a mobile malware which specifically targets Android end-users in France. It poses as a front-end application to access the alternative market "Black Market", but in reality, it sends SMS messages to short numbers (without warning the end-user), removes related SMS responses and notifies remote web sites when specific SMS messages are received on the victim's phone.

Fig 1. Android/Fakemart.A!tr is installed on the phone
Fig 2. Main screen of Android/Fakemart.A!tr


Technical Details


Mainly, the malware operates as follows:
  • initialization. The malware gets its initial settings from the web: it contacts a remote server named
    http://[CENSORED]tous.com/script.php?idd=90123
    and searches the response for a string between two specific tags:
    + 0.34 €"},"sms":{"smsKeyword":"
    and
    ","smsKeywordImage":"","smsPh
    If it finds those tags, it initializes the malware one way (with the server-supplied keyword); if not, it falls back to a default initialization.
    The settings are written to two shared preferences files named XMBPSP.xml and XMBPS3.xml. XMBPS3.xml stores parameters whose values have an integer type; XMBPSP.xml stores parameters with a string type.
  • send SMS. The malware sends SMS messages in two circumstances. First, it sends one SMS message when it finishes the initialization step. Second, it sends another SMS each time it receives an SMS message whose body matches a particular value. In both cases, the SMS is sent to a short number, with a body specified in the settings.
  • access remote servers. The malware contacts three different remote servers.
    1. for settings. As stated previously, it contacts [CENSORED]tous.com each time it is launched, to get configuration data from the remote server.
    2. notification. Additionally, each time the malware is launched it notifies a remote site:
       http://[CENSORED]sonline.com/seignor.php?idajax=ID LAUNCH PRO 7.7
       where ID is a fixed string: "Jerry56 -BlackMarketAlpha". This string is followed by "LAUNCH PRO 7.7" (depends on sample).
       It also notifies a remote site each time an SMS with a particular body is received. In that case, it contacts a URI specified in the settings, such as:
       http://[CENSORED]sonline.com/momitojuli.php?idajax=ID,ENCSTRING
       where ID is the fixed string "Jerry56 -BlackMarketAlpha" and ENCSTRING is the XOR-encrypted body of the received SMS. Precisely, the body is XORed with a computed key; the result is written in hexadecimal and reversed (last byte to first). The key is computed from the hard-coded string "9127": each character of the string is converted to its integer ASCII value and the values are added, and the sum is the XOR key. So the XOR key is 57 (9) + 49 (1) + 50 (2) + 55 (7) = 211 = 0xD3.

       Fig. 3 HTTP message sent to a remote web server
    3. for test. The malware uploads a test file to
       http://[CENSORED]anel.com/[CENSORED]ono/include/secu/class_poo.php
       This part does not seem to be used.
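The body encoding described in the notification step is simple enough that an analyst can reverse it from a captured request. The following is an added example, not code from the Fortinet write-up or from the malware: it re-implements the documented transform (XOR with the key derived from "9127", hex encoding, byte-order reversal) and its inverse, so that the SMS body exfiltrated in an `idajax=ID,ENCSTRING` request can be recovered from proxy or PCAP logs. The hostname `example.invalid` and the sample request are constructed; reversing the byte order (rather than the hex digits) is an interpretation of "last byte to first".

```python
from urllib.parse import urlparse, parse_qs

HARDCODED_SEED = "9127"                    # seed string named in the analysis
BEACON_ID = "Jerry56 -BlackMarketAlpha"    # fixed ID named in the analysis


def derive_xor_key(seed: str = HARDCODED_SEED) -> int:
    """Sum of the ASCII values of the seed characters: 57+49+50+55 = 211 = 0xD3."""
    return sum(ord(c) for c in seed)


def encode_body(body: str, key: int = derive_xor_key()) -> str:
    """Malware-side transform as documented: XOR each byte with the key,
    hex-encode, and emit the bytes last-to-first."""
    xored = bytes(b ^ key for b in body.encode("latin-1"))
    return xored[::-1].hex()


def decode_body(encstring: str, key: int = derive_xor_key()) -> str:
    """Analyst-side inverse: restore byte order, then XOR with the same key."""
    raw = bytes.fromhex(encstring)[::-1]
    return bytes(b ^ key for b in raw).decode("latin-1")


def parse_notification(uri: str) -> dict:
    """Split the idajax parameter of a captured notification URI into the
    beacon ID and the decoded SMS body (empty if no ENCSTRING is present)."""
    query = parse_qs(urlparse(uri).query)
    idajax = query.get("idajax", [""])[0]
    beacon_id, _, enc = idajax.partition(",")
    return {"id": beacon_id, "body": decode_body(enc) if enc else ""}


if __name__ == "__main__":
    # Constructed capture: the default DataINFO value "code" after encoding.
    sample = ("http://example.invalid/momitojuli.php?idajax="
              "Jerry56%20-BlackMarketAlpha," + encode_body("code"))
    print(parse_notification(sample))
```

Running the block prints the recovered ID and body for the constructed request; pointing `parse_notification` at the `idajax` requests in a web-proxy log lists every SMS body the sample reported back.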

The XMBPSP.xml shared preferences file has the following parameters:
  • Number: the SMS short code number
  • KeyWord: the SMS body to send to Number
  • DataINFO: SMS body values to spy
  • URI: the URI to contact when a SMS is received with body such as DataINFO

By default, the malware contacts:
  • Number: 81038
  • KeyWord: AP
  • URI: http://[CENSORED]sonline.com/momitojuli.php?idajax=ID,ENCSTRING
  • DataINFO: code

If the settings server returns data between the two predefined tags, the malware contacts:
  • Number: 81211
  • KeyWord: the string found between the two tags
  • URI: http://[CENSORED]sonline.com/allobb.php?idajax=ID,ENCSTRING
  • DataINFO: BD MULTIMEDIA
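The two settings profiles above are selected by whether the settings server's response contains the pair of tags given in the initialization step. As an added example (not code from the write-up or the sample), the following reproduces that selection logic so the resulting Number, KeyWord, URI and DataINFO values can be predicted from a captured server response. The tags, numbers, keywords and URIs are those stated in the analysis; the sample response text and its keyword `XYZ` are constructed.

```python
# Tags the sample searches for in the settings response (from the analysis).
START_TAG = '+ 0.34 €"},"sms":{"smsKeyword":"'
END_TAG = '","smsKeywordImage":"","smsPh'

# Settings used when the tags are absent (from the analysis).
DEFAULT_SETTINGS = {
    "Number": "81038",
    "KeyWord": "AP",
    "URI": "http://[CENSORED]sonline.com/momitojuli.php?idajax=ID,ENCSTRING",
    "DataINFO": "code",
}

# Constructed server response containing both tags around a made-up keyword.
SAMPLE_RESPONSE = (
    '{"offer":{"price":"+ 0.34 €"},"sms":{"smsKeyword":"XYZ",'
    '"smsKeywordImage":"","smsPhone":"81211"}}'
)


def extract_keyword(response: str):
    """Return the string between START_TAG and END_TAG, or None if either tag is missing."""
    start = response.find(START_TAG)
    if start == -1:
        return None
    start += len(START_TAG)
    end = response.find(END_TAG, start)
    if end == -1:
        return None
    return response[start:end]


def select_settings(response: str) -> dict:
    """Pick the server-driven profile when the tags are present, else the defaults."""
    keyword = extract_keyword(response)
    if keyword is None:
        return dict(DEFAULT_SETTINGS)
    return {
        "Number": "81211",
        "KeyWord": keyword,
        "URI": "http://[CENSORED]sonline.com/allobb.php?idajax=ID,ENCSTRING",
        "DataINFO": "BD MULTIMEDIA",
    }


if __name__ == "__main__":
    print(select_settings(SAMPLE_RESPONSE))   # server-driven profile
    print(select_settings("no tags here"))    # default profile
```

Because both short codes and both DataINFO values are fixed in the sample, the two profiles give a defender a complete list of the SMS destinations and the body strings (`code`, `BD MULTIMEDIA`) whose receipt triggers the outbound SMS and the notification request.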

In XMBPS3.xml, the malware stores a counter of the number of times it has found an SMS with an 'interesting' body, i.e. a body that matches the current DataINFO.
Besides this SMS and URL activity, the malware performs a few other tasks when launched:
  • it mutes the phone (it won't ring)
  • it deletes all SMS coming from 81211
  • it enables data connectivity (to ensure the malware is able to contact the remote servers)
  • due to an implementation error (?), all incoming SMS are trashed (abortBroadcast)

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-04-23 68.01900
2019-04-12 67.75300