Android/Sumzand.A!tr is a piece of malware targeting Android mobile phones.
The Trojan comes disguised as an application called 'Solar Charge' that claims to be a phone battery management application (ref Fig1 and Fig2). However, in the background, it sends the user's information, such as the phone number and contact details, to a specific server without the user's knowledge.
Fig1 : Solar Charge icon seen in the Applications menu after installation
Fig2 : Application layout upon launching as seen by the victim
The application comes in a package named net.appzg.
It contains one main activity, called AppActivity, that is launched every time the user taps the application icon. It performs the following functions:
- It reads the current battery state and creates the application view that is seen by the user (ref Fig2)
- It reads the phone number and contact details stored on the victim's phone
- It sends the above information to the address "hxxp://powchg.net/a/reg_db.php" in a POST request whose body is
  myid=ph&frdata=contactdata&appid=id
  where ph = victim's phone number; id = the "appid" value read from the package strings file (s007); contactdata = contact details in the format
  "//--------------------//\n" + contact display name + "," + phone number + "," + email id + "\n//--------------------//\n"
- When the user clicks on the "Exit app" button seen in Fig2, the application closes and the activity is no longer active
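As an added example (not part of the original analysis), the following Python flags the registration POST described above in captured HTTP request data and parses the frdata contact records so an analyst can see what was leaked. The request sample is constructed, and the appid value is a placeholder because the real value is not given here.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicator values taken from the analysis above.
C2_HOST = "powchg.net"
C2_PATH = "/a/reg_db.php"

# One contact record inside frdata:
# "//--------------------//\n" name "," phone "," email "\n//--------------------//\n"
# (assumes name, phone and email contain no commas or newlines)
CONTACT_BLOCK = re.compile(r"//-+//\n([^,\n]*),([^,\n]*),([^,\n]*)\n//-+//\n")


def parse_contacts(frdata):
    """Return the (name, phone, email) tuples encoded in an frdata value."""
    return CONTACT_BLOCK.findall(frdata)


def is_sumzand_exfil(host, path, method, body):
    """True if an HTTP request matches the Sumzand.A registration POST."""
    if method.upper() != "POST" or host.lower() != C2_HOST or path != C2_PATH:
        return False
    fields = parse_qs(body, keep_blank_values=True)
    return {"myid", "frdata", "appid"} <= set(fields)


def summarize(body):
    """Extract what the request would have leaked, for incident triage."""
    fields = parse_qs(body, keep_blank_values=True)
    contacts = parse_contacts(fields.get("frdata", [""])[0])
    return {
        "victim_number": fields.get("myid", [""])[0],
        "appid": fields.get("appid", [""])[0],
        "contacts_leaked": len(contacts),
        "contacts": contacts,
    }


# Constructed sample body (not real victim data) in the malware's own format.
_FRDATA = (
    "//--------------------//\nAlice Example,+15550100001,alice@example.com\n//--------------------//\n"
    "//--------------------//\nBob Example,+15550100002,bob@example.com\n//--------------------//\n"
)
SAMPLE_BODY = urlencode({"myid": "+15550100000", "frdata": _FRDATA, "appid": "APPID_PLACEHOLDER"})

if __name__ == "__main__":
    print(is_sumzand_exfil("powchg.net", "/a/reg_db.php", "POST", SAMPLE_BODY))
    print(summarize(SAMPLE_BODY))
```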
Permissions required by the application:
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.