Threat Encyclopedia

Android/Sumzand.A!tr

Analysis

Android/Sumzand.A!tr is a piece of malware targeting Android mobile phones.
The Trojan comes disguised as an application called 'Solar Charge' that claims to be a phone battery management application (ref Fig1 and Fig2). In the background, however, it sends the user's information, such as the phone number and contact details, to a specific server without the user's knowledge.

Fig1 : Solar Charge icon seen in the Applications menu after installation

Fig2 : Application layout upon launching as seen by the victim

Technical Details


The application comes in a package named net.appzg.
It contains one main activity called AppActivity that is launched every time the user clicks on the application icon. It performs the following functions:
  • It reads the current battery state and creates the application view that is seen by the user (ref Fig2)
  • It reads the phone number and contact details stored on the victim's phone
  • It sends the above information to the address "hxxp://powchg.net/a/reg_db.php" in a POST request with data
    myid=ph&frdata=contactdata&appid=id
    where ph = the victim's phone number; id = the "appid" value read from the package strings file (s007); contactdata = the contact details, one record per contact, in the format
    "//--------------------//\n" 
    + contact display name 
    + "," 
    + phone number 
    + "," 
    + email id 
    + "\n//--------------------//\n"
    
  • When the user clicks on the "Exit app" button seen in Fig2, the application closes and the activity is no longer active
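The POST body and contact-record format described above are specific enough to recognise in captured traffic. The following Python is an added example (not code from the Fortinet page or from the malware sample) that an incident responder could run over a captured request to confirm it matches the documented beacon shape and to enumerate which contacts were exposed. The sample body is constructed here; the appid value is a placeholder, since the page only states that it is read from the package's strings file (s007), not what it contains.

```python
"""Detect and decode the Android/Sumzand.A!tr exfiltration POST format.

Added example for incident response: given a captured HTTP request,
check whether it has the documented beacon shape (POST to /a/reg_db.php
with myid, frdata and appid fields) and decode the frdata contact
records so the exposed contacts can be listed for notification.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Indicators taken from the page; the host may change between variants,
# so the path plus field shape is treated as the primary signature.
BEACON_HOST = "powchg.net"
BEACON_PATH = "/a/reg_db.php"
REQUIRED_FIELDS = {"myid", "frdata", "appid"}

# Each contact record is wrapped in this delimiter line.
RECORD_DELIM = "//--------------------//"


def is_sumzand_beacon(method, url, body):
    """True if the request matches the documented POST shape."""
    if method.upper() != "POST":
        return False
    if urlsplit(url).path != BEACON_PATH:
        return False
    fields = parse_qs(body, keep_blank_values=True)
    return REQUIRED_FIELDS.issubset(fields)


def host_matches(url):
    """Separate check for the known C2 host, reported rather than required."""
    return urlsplit(url).hostname == BEACON_HOST


def parse_contacts(frdata):
    """Decode the 'name,phone,email' records between delimiter lines.

    rsplit is used so that a comma inside the display name does not shift
    the phone and email columns; phone numbers and emails are assumed
    not to contain commas.
    """
    records = []
    for line in frdata.split("\n"):
        line = line.strip()
        if not line or line == RECORD_DELIM:
            continue
        parts = line.rsplit(",", 2)
        if len(parts) != 3:
            continue  # malformed record; skip rather than guess
        name, phone, email = (p.strip() for p in parts)
        records.append({"name": name, "phone": phone, "email": email})
    return records


def decode_beacon(body):
    """Return the victim phone number, appid and exposed contacts."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "victim_phone": fields.get("myid", [""])[0],
        "appid": fields.get("appid", [""])[0],
        "contacts": parse_contacts(fields.get("frdata", [""])[0]),
    }


# Constructed sample request, built in the documented format.
SAMPLE_URL = "http://" + BEACON_HOST + BEACON_PATH
SAMPLE_FRDATA = "".join(
    RECORD_DELIM + "\n" + rec + "\n" + RECORD_DELIM + "\n"
    for rec in (
        "Alice Example,+15550100,alice@example.com",
        "Example, Bob,+15550101,bob@example.com",
    )
)
SAMPLE_BODY = urlencode({
    "myid": "+15550199",          # constructed victim phone number
    "frdata": SAMPLE_FRDATA,
    "appid": "APPID_PLACEHOLDER",  # real value is read from strings file s007
})

if __name__ == "__main__":
    if is_sumzand_beacon("POST", SAMPLE_URL, SAMPLE_BODY):
        info = decode_beacon(SAMPLE_BODY)
        print("Sumzand beacon (known host: %s)" % host_matches(SAMPLE_URL))
        print("victim phone:", info["victim_phone"])
        for c in info["contacts"]:
            print("exposed contact:", c)
```

The host check is kept separate from the shape check so that a variant pointed at a different server is still flagged, while a hit on the documented host can be reported with higher confidence.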

Permissions required by the application:
  • BATTERY_STATS
  • INTERNET
  • GET_ACCOUNTS
  • READ_PHONE_STATE
  • READ_CONTACTS


Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.