Android/Sumzand.A!tr
Analysis
Android/Sumzand.A!tr is a piece of malware targeting Android mobile phones.
The Trojan comes disguised as an application called 'Solar Charge' that claims to be a phone battery management application (ref Fig1 and Fig2). However, in the background, it sends the user's information, such as the phone number and contact details, to a specific server without the user's knowledge.
Fig1 : Solar Charge icon seen in the Applications menu after installation
Fig2 : Application layout upon launching as seen by the victim
Technical Details
The application comes in a package named net.appzg.
It contains one main activity called AppActivity that is launched every time the user clicks the application icon. It performs the following functions:
- It reads the current battery state and creates the application view that is seen by the user (ref Fig2)
- It reads the phone number and contact details stored on the victim's phone
- It sends the above information to the address "hxxp://powchg.net/a/reg_db.php" in a POST request with the data
myid=ph&frdata=contactdata&appid=id
where ph = the victim's phone number; id = the "appid" value read from the package's strings file (s007); contactdata = the contact details in the format "//--------------------//\n" + contact display name + "," + phone number + "," + email id + "\n//--------------------//\n"
- When the user clicks on the "Exit app" button seen in Fig2, the application closes and the activity is no longer active
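The POST body format described above is what an analyst will see in a proxy log or packet capture of the reporting traffic. The following parser is an added example, not code from the original analysis or from the malware: it takes a captured body of the form myid=...&frdata=...&appid=..., recovers the victim phone number, the appid value and the individual contact records so the scope of the leak can be assessed, and offers a cheap match check for log triage. The sample body, the phone numbers, the names and the appid value are all constructed placeholders.

```python
"""Parser for the Sumzand reporting POST body (added example, not the page's code).

The body is a standard form-encoded string with three fields:
    myid=<victim phone>&frdata=<contact data>&appid=<appid value>
where frdata wraps each contact in "//--------------------//" separator lines
as documented in the analysis.
"""
from urllib.parse import parse_qs, urlencode

SEPARATOR = "//--------------------//"


def build_sample_body() -> str:
    """Constructed sample body in the documented format (not a real capture).

    Names, numbers, the email address and the appid value are placeholders.
    """
    contacts = [
        ("Alice Example", "+15550100001", "alice@example.com"),
        ("Bob Example", "+15550100002", ""),  # contact without an email id
    ]
    frdata = "".join(
        f"{SEPARATOR}\n{name},{phone},{email}\n{SEPARATOR}\n"
        for name, phone, email in contacts
    )
    return urlencode({"myid": "+15550100000",
                      "frdata": frdata,
                      "appid": "APPID_PLACEHOLDER"})


def parse_exfil_body(body: str) -> dict:
    """Parse a captured body into {"phone", "appid", "contacts"}.

    contacts is a list of (display name, phone number, email id) tuples.
    Raises ValueError if a required field is missing or a record is malformed.
    """
    fields = parse_qs(body, keep_blank_values=True)
    try:
        phone = fields["myid"][0]
        frdata = fields["frdata"][0]
        appid = fields["appid"][0]
    except KeyError as exc:
        raise ValueError(f"missing field {exc.args[0]}") from None

    contacts = []
    for line in frdata.split("\n"):
        line = line.strip()
        if not line or line == SEPARATOR:
            continue  # skip blank lines and the separator lines
        # Record layout is name,number,email. A display name may itself
        # contain a comma, so take the last two fields as number and email
        # and rejoin whatever precedes them as the name.
        parts = line.split(",")
        if len(parts) < 3:
            raise ValueError(f"malformed contact record: {line!r}")
        name = ",".join(parts[:-2])
        contacts.append((name, parts[-2], parts[-1]))
    return {"phone": phone, "appid": appid, "contacts": contacts}


def looks_like_sumzand_report(body: str) -> bool:
    """Triage check for proxy/IDS logs: all three fields parse and the
    frdata field carries the separator marker used by this family."""
    try:
        parse_exfil_body(body)
    except ValueError:
        return False
    frdata = parse_qs(body, keep_blank_values=True)["frdata"][0]
    return SEPARATOR in frdata


if __name__ == "__main__":
    sample = build_sample_body()
    report = parse_exfil_body(sample)
    print("victim phone:", report["phone"])
    print("appid:", report["appid"])
    for name, number, email in report["contacts"]:
        print(f"leaked contact: {name} / {number} / {email or '(no email)'}")
    print("matches Sumzand format:", looks_like_sumzand_report(sample))
```

The matcher deliberately keys on the field names plus the separator marker rather than on the server address, so it still fires if the same client code is pointed at a different host; pair it with a proxy rule for the documented URL for coverage of the known sample.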
Permissions required by the application:
- BATTERY_STATS
- INTERNET
- GET_ACCOUNTS
- READ_PHONE_STATE
- READ_CONTACTS
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |