Android/Vidro.A!tr
Analysis
Android/Vidro.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes in the form of pornographic video viewing software; however, it regularly sends SMS messages to a premium number in the background without the user's knowledge.
The software asks the user to agree to certain Terms and Conditions; however, these are never shown to the user.
It is also capable of blocking incoming SMS messages from specific numbers. The application configuration is also updated regularly.
Technical Details
The main application, called 'Vid4Droid' (refer Fig1), comes in the form of the package com.vid4droid.
Fig1. Vid4Droid icon
The package contains the following elements:
- PleechApplication: the main application, with an activity PleechActivity
- 2 receivers: BootReceiver, SmsReceiver
- 3 services: PleechService, BillingService, UpdateService
These elements are explained in detail below.
PleechActivity: the main component of the application, launched every time the application is opened. It performs the following functions:
- It updates the shared preferences file called SettingsManager.xml. If the application is being run for the first time, this file is created from the file 'settings.json' in the package assets
- Starts the PleechService described further below
- If the application is being run for the first time, the user is asked to agree to certain terms and conditions without them being shown (refer Fig2). If the victim clicks 'No', the application exits
Fig2. The Vid4Droid application Terms and Conditions menu
- If the user clicks 'Yes', the BillingService is started in the background (described below) and the user can proceed to use the pornographic application.
- It also downloads updates for the application
- PleechService: launches the UpdateService every 24 hours
- UpdateService: generates a random value for the parameter 'UniqueID' and updates the preferences file every time it is launched. It then downloads a configuration update by sending an HTTP POST request to https://[CENSORED]id.com/config_update with two parameters: "version" = 4 and "message" = a JSON object with the following contents:
  - "msisdn": phone number
  - "app_version": package version number from the package info
  - "origin": country ISO3 code
  - "id": 'UniqueID' value from preferences
  - "confirmed": 'agreed_tos' value from preferences
  - "first_run": 'first_run_app' value from preferences
  - "device_model": phone model name
  - "device_manufacturer": phone manufacturer name
  - "language": "{0}-{1}" filled with the country code and the language code
  - "operator": "{0}-{1}-{2}" filled with the SIM card country ISO code, the SIM card operator and the SIM card operator again
  The response to the POST request is used to update the SettingsManager.xml preferences file.
- BillingService: sends an SMS message to the premium number 'service_code' (eg: 72908) with message body 'service_text' (PAY 6b976e27-4b63-4f52-81ae-feeb3adaffbd) at least every 7 days, depending on the value of the parameter 'last_billing_date'. It also checks whether the phone is a Galaxy S2 (i.e. the phone model contains "GT-I9100"); if so, a multipart SMS message is sent instead.
- SmsReceiver: launched when an SMS message is received on the phone. It checks whether the originating address of the received SMS matches the value of 'service_code' in preferences and, if so, aborts the broadcast. In this manner it hides incoming SMS messages from specific numbers
- The services PleechService and BillingService are automatically launched every time the phone is switched on (see BootReceiver)
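The UpdateService beacon described above has a recognisable shape (a POST to /config_update carrying version=4 and a "message" JSON object with a fixed set of keys), which is enough to flag it in web-proxy logs. The following is an added detection example written for this page, not code from the sample or from Fortinet; the log line format, the placeholder C2 host (the real one is censored above) and every field value are constructed for the example.

```python
# Added example, not code from the Fortinet analysis: flag the UpdateService
# configuration beacon in web-proxy logs using only the request shape the
# write-up describes (POST to /config_update, version=4, JSON "message").
# The log line format and all sample values below are constructed.
import json
from urllib.parse import parse_qs

BEACON_PATH = "/config_update"
BEACON_VERSION = "4"
# Keys the write-up lists for the "message" JSON object.
BEACON_KEYS = {
    "msisdn", "app_version", "origin", "id", "confirmed", "first_run",
    "device_model", "device_manufacturer", "language", "operator",
}

# Constructed proxy log, one request per line:
# "<timestamp> <method> <host> <path> <body>" ("-" when there is no body).
# The C2 host is censored in the analysis, so a placeholder host is used.
SAMPLE_LOG = [
    '2012-08-02T09:15:01Z POST c2-host.invalid /config_update '
    'version=4&message={"msisdn":"41790000000","app_version":"1.2","origin":"CHE",'
    '"id":"a1b2c3d4","confirmed":"true","first_run":"false","device_model":"GT-I9100",'
    '"device_manufacturer":"samsung","language":"CH-de","operator":"ch-22801-22801"}',
    '2012-08-02T09:15:04Z GET cdn.example.invalid /video/123.mp4 -',
    '2012-08-02T09:16:10Z POST api.example.invalid /config_update version=4&message=notjson',
]


def parse_log_line(line):
    """Split one constructed log line into its five fields."""
    ts, method, host, path, body = line.split(" ", 4)
    return {"ts": ts, "method": method, "host": host, "path": path, "body": body}


def beacon_message(entry):
    """Return the decoded "message" object if the request matches the beacon shape, else None."""
    if entry["method"] != "POST" or entry["path"] != BEACON_PATH:
        return None
    params = parse_qs(entry["body"])
    if params.get("version") != [BEACON_VERSION]:
        return None
    try:
        message = json.loads(params.get("message", [""])[0])
    except json.JSONDecodeError:
        return None
    if not isinstance(message, dict) or not BEACON_KEYS <= set(message):
        return None
    return message


def find_beacons(lines):
    """Scan log lines and report each beacon with the fields an analyst wants first."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        message = beacon_message(entry)
        if message is not None:
            hits.append({
                "ts": entry["ts"],
                "host": entry["host"],
                "msisdn": message["msisdn"],
                "device_model": message["device_model"],
                "confirmed": message["confirmed"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The key-set check is what keeps false positives down: a generic /config_update endpoint with a different body, or a malformed body as in the third sample line, is not reported. The matched msisdn and device_model are worth keeping in the alert, since the write-up notes that the Galaxy S2 (GT-I9100) gets a different billing path.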
Permissions required by the application:
- SEND_SMS
- RECEIVE_SMS
- INTERNET
- RECEIVE_BOOT_COMPLETED
- INSTALL_PACKAGES
- WRITE_EXTERNAL_STORAGE
- READ_SMS
- WRITE_SMS
- READ_PHONE_STATE
Additional information: some of the shared preferences file (refer Fig3) parameters are explained in detail below:
Fig3. The shared preferences file 'SettingsManager.xml' used by the application.
Parameter | Significance |
---|---|
first_run, first_run_app | True by default. Set to false after the application is run for the first time |
version | |
agreed_tos | False by default. Set to true after the user agrees to the terms and conditions of the application (refer Fig2) |
tos_agree_date | System time in milliseconds when the user agrees to the application's TOS |
UniqueID | Randomly generated ID used by the UpdateService in its HTTP POST request |
json | Value of the "message" parameter sent in the HTTP POST request |
last_successful_fetch | System time in milliseconds of the last configuration file update by UpdateService |
service_code, service_text | SMS destination and contents used by BillingService |
service_interval | Time in milliseconds after which to launch the BillingService |
apk_source | Update source for the legitimate pornographic application |
The following User-Agent string is built at runtime, with the two placeholders substituted via replaceAll:

```java
"Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
    .replaceAll("\\{android_version\\}", Build.VERSION.RELEASE)
    .replaceAll("\\{app_id\\}", getAppId(getID()));
```

where 'app_id' is the ID found in the file 'licence.key' (saved as the parameter 'UniqueID' in the preferences), and 'android_version' is the Android version reported by Build.VERSION.RELEASE.
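A dump of SettingsManager.xml is the quickest way to confirm what this sample will bill and when, because BillingService (described earlier) reads its destination, text and schedule from it. The following added example, not the sample's or Fortinet's code, parses an Android SharedPreferences file laid out like the one in the table above, extracts the premium-SMS indicators, and reproduces the "send again once service_interval has elapsed since last_billing_date" check. The file contents are constructed; only service_code and service_text are taken from the analysis, and the 7-day interval value is an assumption based on the write-up's "at least every 7 days".

```python
# Added example, not code from the sample or the Fortinet analysis: parse an
# Android SharedPreferences XML file shaped like SettingsManager.xml, report
# the premium-SMS indicators, and model the BillingService schedule check.
# The file below is constructed; only service_code and service_text come
# from the write-up, and service_interval = 7 days is an assumption.
import re
import xml.etree.ElementTree as ET

SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <boolean name="first_run" value="false" />
  <boolean name="first_run_app" value="false" />
  <int name="version" value="4" />
  <boolean name="agreed_tos" value="true" />
  <long name="tos_agree_date" value="1340000000000" />
  <string name="UniqueID">constructed-unique-id</string>
  <string name="service_code">72908</string>
  <string name="service_text">PAY 6b976e27-4b63-4f52-81ae-feeb3adaffbd</string>
  <long name="service_interval" value="604800000" />
  <long name="last_billing_date" value="1340000000000" />
  <long name="last_successful_fetch" value="1340000000000" />
  <string name="apk_source">http://apk-source.invalid/update.apk</string>
</map>
"""

DAY_MS = 24 * 60 * 60 * 1000
# "PAY " followed by a UUID: the service_text shape seen in this sample.
PAY_TEXT = re.compile(
    r"^PAY [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def parse_shared_prefs(xml_text):
    """Return {name: typed value} for an Android SharedPreferences <map> document."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
    return prefs


def billing_indicators(prefs):
    """Summarise the fields a defender checks first in a SettingsManager.xml dump."""
    code = prefs.get("service_code", "")
    text = prefs.get("service_text", "")
    return {
        "destination": code,
        # Premium short codes are short all-digit numbers, unlike a normal MSISDN.
        "short_code": bool(re.fullmatch(r"\d{4,6}", code)),
        "pay_uuid_text": bool(PAY_TEXT.match(text)),
        "interval_days": prefs.get("service_interval", 0) / DAY_MS,
        "agreed_tos": prefs.get("agreed_tos", False),
    }


def billing_due(prefs, now_ms):
    """True when the modelled BillingService would send the next SMS at now_ms."""
    last = prefs.get("last_billing_date", 0)
    interval = prefs.get("service_interval", 7 * DAY_MS)
    return now_ms - last >= interval


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    print(billing_indicators(prefs))
    print("billing due now:", billing_due(prefs, prefs["last_billing_date"] + 7 * DAY_MS))
```

Because the same file is rewritten by UpdateService from the C2 response, a changed service_code or service_text between two dumps of SettingsManager.xml is itself an indicator that a configuration update was received.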
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Database |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |