Android/Sumzand.A!tr

Analysis

Android/Sumzand.A!tr is a piece of malware targeting Android mobile phones.
The Trojan is distributed as an application called 'Solar Charge' that claims to be a phone battery management application (ref Fig1 and Fig2). In the background, however, it sends the user's information, such as the phone number and contact details, to a specific server without the user's knowledge.

Fig1 : Solar Charge icon seen in the Applications menu after installation

Fig2 : Application layout upon launching as seen by the victim

Technical Details


The application comes in a package named net.appzg.
It contains one main activity, AppActivity, which is launched every time the user taps the application icon. It performs the following functions:
  • It reads the current battery state and creates the application view that is seen by the user (ref Fig2)
  • It reads the phone number and contact details stored on the victim's phone
  • It sends the above information to the address "hxxp://powchg.net/a/reg_db.php" in a POST request whose body is
    myid=ph&frdata=contactdata&appid=id
    where ph = victim's phone number ; id = "appid" value read from the package strings file (s007) ; contactdata = contact details, one record per contact, in the format
    "//--------------------//\n" 
    + contact display name 
    + "," 
    + phone number 
    + "," 
    + email id 
    + "\n//--------------------//\n"
    
  • When the user clicks on the "Exit app" button seen in Fig2, the application closes and the activity is no longer active
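The following is an added example and not Fortinet's code or code from the malware itself: it rebuilds the POST body in the layout the write-up describes (field names myid, frdata and appid, and the "//--------------------//" framing around each contact record) and pairs it with a small detector that recognises a captured request body of that shape and recovers the leaked contacts. The phone number, contacts and appid value used below are constructed for the demo; the exfiltration URL is kept defanged and never contacted.

```python
"""
Added example for the Android/Sumzand.A!tr write-up (not Fortinet's code).
Builds the exfiltration POST body described in the analysis and detects it in
a captured request body. Sample data below is constructed, not recovered
from a real infection.
"""
from urllib.parse import urlencode, parse_qs

# Defanged address from the write-up; documented only, never requested.
EXFIL_URL = "hxxp://powchg.net/a/reg_db.php"

# Framing line placed before and after every contact record.
SEPARATOR = "//--------------------//"


def build_frdata(contacts):
    """Format (name, phone, email) tuples the way the write-up describes:
    SEPARATOR + "\\n" + name + "," + phone + "," + email + "\\n" + SEPARATOR + "\\n"
    for each contact, concatenated into one string."""
    out = []
    for name, phone, email in contacts:
        out.append(SEPARATOR + "\n" + name + "," + phone + "," + email + "\n" + SEPARATOR + "\n")
    return "".join(out)


def build_post_body(phone_number, contacts, appid):
    """Produce the application/x-www-form-urlencoded body:
    myid=<victim phone>&frdata=<contact blob>&appid=<appid string>."""
    return urlencode({"myid": phone_number, "frdata": build_frdata(contacts), "appid": appid})


def parse_frdata(frdata):
    """Recover (name, phone, email) records from a frdata blob.
    Splitting from the right keeps commas that appear inside a display name
    (e.g. "Doe, John"), since phone and email fields do not contain commas."""
    records = []
    for line in frdata.split("\n"):
        if not line or line == SEPARATOR:
            continue
        parts = line.rsplit(",", 2)
        if len(parts) == 3:
            records.append(tuple(parts))
    return records


def looks_like_sumzand_exfil(body):
    """Return a dict with the victim phone, appid and parsed contacts if the
    captured body matches the Sumzand POST layout, otherwise None."""
    fields = parse_qs(body, keep_blank_values=True)
    if not all(k in fields for k in ("myid", "frdata", "appid")):
        return None
    frdata = fields["frdata"][0]
    if SEPARATOR not in frdata:
        return None
    return {
        "victim_phone": fields["myid"][0],
        "appid": fields["appid"][0],
        "contacts": parse_frdata(frdata),
    }


if __name__ == "__main__":
    # Constructed sample: one victim number, two address-book entries, a made-up appid.
    sample_contacts = [
        ("Alice", "+15550001", "alice@example.com"),
        ("Bob, Jr", "+15550002", ""),
    ]
    body = build_post_body("+15559999", sample_contacts, "demoapp01")
    print("POST body:", body)
    print("Detector:", looks_like_sumzand_exfil(body))
```

A proxy or sandbox log that records request bodies can be fed through looks_like_sumzand_exfil line by line; a non-None result both confirms the sample and lists exactly which contacts were leaked, which is what an incident responder needs for victim notification.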

Permissions required by the application:
  • BATTERY_STATS
  • INTERNET
  • GET_ACCOUNTS
  • READ_PHONE_STATE
  • READ_CONTACTS


Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR