Android/Vidro.A!tr

Analysis

Android/Vidro.A!tr is a piece of malware targeting Android mobile phones.
The malicious package is disguised as a pornographic video viewer but, in the background, regularly sends SMS messages to a premium-rate number without the knowledge of the user.
The software asks the user to agree to certain Terms and Conditions; however, these are never shown to the user.
It is also capable of blocking incoming SMS messages from specific numbers, and its configuration is regularly updated from a remote server.

Technical Details


The main application called 'Vid4Droid' (refer Fig1) comes in the form of a package com.vid4droid.

Fig1. Vid4Droid icon

The package contains the following elements:
  • PleechApplication: the main application, with an activity PleechActivity
  • 2 receivers: BootReceiver, SmsReceiver
  • 3 services: PleechService, BillingService, UpdateService

These elements are explained in detail below:

PleechActivity: the main component of the application, launched every time the application is opened. It performs the following functions:
  • It updates the shared preferences file called SettingsManager.xml. If the application is being run for the first time, this file is created from the file 'settings.json' in the package assets
  • Starts the PleechService described further below
  • If the application is being run for the first time, the user is asked to agree to certain terms and conditions without them being shown (refer Fig2). If the victim clicks 'No', the application exits


Fig2. The Vid4Droid application Terms and Conditions menu
  • If the user clicks 'Yes', the BillingService (described below) is started in the background and the user can proceed to use the pornographic application.
  • It also downloads updates for the application
  • PleechService: launches the UpdateService every 24 hours
  • UpdateService: generates a random value for the parameter 'UniqueID' and updates the preferences file every time it is launched.
    It then downloads a configuration update by sending an HTTP POST request to https://[CENSORED]id.com/config_update with two parameters: "version", set to 4, and "message", a JSONObject with the contents shown below:

      {"msisdn": <phone number>,
       "app_version": <package version number from package info>,
       "origin": <country ISO3 code>,
       "id": <'UniqueID' value from preferences>,
       "confirmed": <'agreed_tos' value from preferences>,
       "first_run": <'first_run_app' value from preferences>,
       "device_model": <phone model name>,
       "device_manufacturer": <phone manufacturer name>,
       "language": "{0}-{1}" formatted with the country code and the language code,
       "operator": "{0}-{1}-{2}" formatted with the SIM card country ISO, the SIM card operator and the SIM card operator}

    The response to the POST request is used to update the SettingsManager.xml preferences file.
  • BillingService: sends an SMS message to the premium number stored in 'service_code' (eg: 72908) with the message body stored in 'service_text' (eg: PAY 6b976e27-4b63-4f52-81ae-feeb3adaffbd) at least every 7 days, depending on the value of the parameter 'last_billing_date'. It also checks whether the phone is a Galaxy S2, i.e. whether the phone model contains "GT-I9100"; if so, a multipart SMS message is sent instead.
  • SmsReceiver: launched when an SMS message is received on the phone. It checks whether the originating address of the received SMS matches the value of 'service_code' in the preferences and, if so, aborts the broadcast. In this manner it hides incoming SMS messages from specific numbers from the user and from other SMS applications.
  • The services PleechService and BillingService are also launched automatically every time the phone is switched on (see BootReceiver)

Permissions required by the application:
  • SEND_SMS
  • RECEIVE_SMS
  • INTERNET
  • RECEIVE_BOOT_COMPLETED
  • INSTALL_PACKAGES
  • WRITE_EXTERNAL_STORAGE
  • READ_SMS
  • WRITE_SMS
  • READ_PHONE_STATE

Additional information: some of the parameters in the shared preferences file (refer Fig3) are explained in detail below:

Fig3. The shared preferences file 'SettingsManager.xml' used by the application.

Parameter                 Significance
first_run, first_run_app  True by default. Set to false after the application is run for the first time
version
agreed_tos                False by default. Set to true after the user agrees to the terms and conditions of the application (refer Fig2)
tos_agree_date            System time in milliseconds when the user agrees to the application's TOS
UniqueID                  Randomly generated ID used by the UpdateService in its HTTP POST request
json                      Value of the "message" parameter sent in the HTTP POST request
last_successful_fetch     System time in milliseconds of the last configuration file update by UpdateService
service_code, service_text  SMS destination and contents used by BillingService
service_interval          Time in milliseconds after which to launch the BillingService
apk_source                Update source for the legitimate pornographic application
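The BillingService and SmsReceiver behaviour described above, and the preferences they read, can be replayed from a SettingsManager.xml pulled off a device. The following Python script is an added analyst example, not code from the sample or from Fortinet. The embedded XML is constructed to match the parameter names and example values on this page (the timestamps, the UniqueID and the non-premium sender number are made up); the 7-day fallback for a missing 'service_interval' is an assumption, and the Galaxy S2 multipart branch is modelled as a flag rather than an actual message split.

```python
"""Replay Android/Vidro.A's billing and SMS-hiding decisions from a SettingsManager.xml dump.

Added analyst tooling; not code from the malware or from the original analysis.
"""
import xml.etree.ElementTree as ET

# Constructed sample of an Android SharedPreferences file. Parameter names follow the
# analysis; timestamps, UniqueID and service_text values are made up for illustration.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="first_run" value="false" />
    <boolean name="first_run_app" value="false" />
    <boolean name="agreed_tos" value="true" />
    <long name="tos_agree_date" value="1340000000000" />
    <string name="UniqueID">6b976e27-4b63-4f52-81ae-feeb3adaffbd</string>
    <string name="service_code">72908</string>
    <string name="service_text">PAY 6b976e27-4b63-4f52-81ae-feeb3adaffbd</string>
    <long name="service_interval" value="604800000" />
    <long name="last_billing_date" value="1340000000000" />
    <long name="last_successful_fetch" value="1340086400000" />
</map>
"""

SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000  # assumed fallback when service_interval is absent


def parse_shared_prefs(xml_text):
    """Turn a SharedPreferences XML document into a dict with native Python types."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
    return prefs


def billing_due(prefs, now_ms):
    """Would BillingService send now? Only after the ToS click, and only once the interval has elapsed."""
    if not prefs.get("agreed_tos", False):
        return False
    interval = prefs.get("service_interval", SEVEN_DAYS_MS)
    return now_ms - prefs.get("last_billing_date", 0) >= interval


def billing_sms(prefs, device_model):
    """Destination and body BillingService would use; a Galaxy S2 (GT-I9100) gets a multipart send."""
    return {
        "to": prefs["service_code"],
        "body": prefs["service_text"],
        "multipart": "GT-I9100" in device_model,  # modelled as a flag, not an actual split
    }


def suppress_incoming(prefs, originating_address):
    """Mirror SmsReceiver: the SMS_RECEIVED broadcast is aborted when the sender is the billing number."""
    return originating_address == prefs.get("service_code")


def triage(xml_text, now_ms, device_model, inbox_senders):
    """One-shot report for a pulled preferences file plus the senders seen in the SMS inbox."""
    prefs = parse_shared_prefs(xml_text)
    sms = billing_sms(prefs, device_model)
    return {
        "premium_number": sms["to"],
        "billing_text": sms["body"],
        "multipart": sms["multipart"],
        "tos_agreed": prefs.get("agreed_tos", False),
        "billing_due_now": billing_due(prefs, now_ms),
        "hidden_senders": sorted({s for s in inbox_senders if suppress_incoming(prefs, s)}),
    }


if __name__ == "__main__":
    # "+15550100" is a constructed, non-premium sender used to show what is NOT hidden.
    report = triage(SAMPLE_PREFS, 1340000000000 + SEVEN_DAYS_MS, "GT-I9100",
                    ["72908", "+15550100"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real device the file lives under the app's shared_prefs directory and can be pulled with adb from a rooted phone or a backup; point `triage` at its contents and at the sender list from the SMS content provider to see which inbound messages the receiver would have swallowed.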
The pornographic application downloads its content from the URL "http://[CENSORED]bile.net/vid4droid/" and uses a special user-agent, built in the code as:

    "Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
        .replaceAll("\\{android_version\\}", Build.VERSION.RELEASE)
        .replaceAll("\\{app_id\\}", getAppId(getID()));

where 'app_id' is the ID found in the file 'licence.key', which is also saved as the parameter 'UniqueID' in the preferences, and 'android_version' is the Android OS release version string (Build.VERSION.RELEASE), not the SDK level.

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                   Availability
FortiClient               Extreme
FortiMail                 Extreme
FortiSandbox              Extreme
FortiWeb                  Extreme
Web Application Firewall  Extreme
FortiIsolator             Extreme
FortiDeceptor             Extreme
FortiEDR

Version Updates

Date        Version    Detail
2023-02-16 91.00642
2023-02-16 91.00640
2023-02-14 91.00582
2022-10-24 90.07197
2022-06-01 90.02827
2021-05-22 86.00356
2021-04-21 85.00617
2020-04-21 76.87300
2020-04-21 76.87100
2020-04-20 76.84600