Threat Encyclopedia



Android/FkLookt.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package disguises itself as the legitimate LookOut Antivirus application. However, it connects to a server from which it receives commands. Depending on the commands received, the malware can delete files on the victim's phone, upload the phone's file listing to an FTP server, and save SMS or MMS history from the phone to a particular location.

Technical Details

Upon installation, no evidence of the malware can be seen in the applications menu. However, it can be seen in the list of installed applications as a LookOut AntiVirus application (see Fig1).

Fig1 : Malware seen in list of installed applications.
The application is launched by triggers such as changes in battery state, use of camera, changes in date or time, connection to/disconnection from Gtalk, installation/removal/changes in packages, rebooting the phone, changes in Wifi state, receipt of SMS messages, among numerous others.
The malicious package has the following important components :
  • StartService : This is the main service of the application. When launched, it starts UploadService and then calls HttpFileUploader
  • UploadService : This service checks for the presence of a file 'alarmIsSet' that contains the current state of the AlarmReceiver. If the value in this file is :
    • False, the AlarmReceiver is launched every 60 secs
    • Reset, the AlarmReceiver is stopped and restarted every 60 secs. The value in alarmIsSet is set to True
    • True, no action is carried out
  • HttpFileUploader : It contains the following malicious functions:
    • It sends the contents of UPLOADFOLDER via FTP to the server [CENSORED] with Username : ftpuser and Password : upload to a folder named as the 64 bit Android ID of the victim's phone
    • It contacts the URL "http://[CENSORED]" that, in return, sends the malware some commands. Depending upon the answer received from the URL certain functions are carried out.
    • Command received and operation performed :
      • clearFileList : Deletes all files in the UPLOADFOLDER
      • clearAlarm : Writes string 'Reset' to the file alarmIsSet
      • getTexts : Reads MMS and SMS contents on the victim's phone. Bitmaps of MMS images are saved at the path 'UPLOADFOLDER/mmsImage+randomly generated UUID'. SMS message contents are saved at the path 'UPLOADFOLDER/date of receipt of message+"_"+Phone Number of sender'. The string 'GotTexts' is written to Data.dat
      • getDir : Saves the directory and file listing from PATH to a file named UPLOADFOLDER/FileList.txt+PATH. The listing is also saved to a file Data.dat to avoid duplication of data and checked before creation of new files in the UPLOADFOLDER
      • getFile : Reads the sizes of files at PATH and saves them to a file named UPLOADFOLDER/SizeRet.txt+PATH. The file Data.dat is set to "getFile"+size string
      • getSize : Performs the same action as getFile but for single files instead of a directory. The file Data.dat is set to "getSize"+size string

    where UPLOADFOLDER=dataCache on the external SD card
    PATH = path specified by the attacker's server, default value = DCIM on the external SD card
  • AlarmReceiver : When launched, it calls HttpFileUploader
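
The file names listed above can be used to triage a file listing pulled from a suspect device. The following Python sketch is an added example, not part of the original write-up; the sample paths, the placeholder package directory, the SMS date format and the canonical UUID form are assumptions.

```python
import re
from pathlib import PurePosixPath

UPLOAD_DIR = "dataCache"                  # UPLOADFOLDER name from the description
STATE_FILES = {"alarmIsSet", "Data.dat"}  # location not given; matched by name only
# Assumption: the random UUID is written in its canonical 8-4-4-4-12 hex form.
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Assumption: SMS dumps end in "_" plus the sender number (optional "+", digits).
SMS_RE = re.compile(r".+_\+?\d{3,15}")

def classify(path):
    """Return an artifact label for one file path, or None if nothing matches."""
    p = PurePosixPath(path)
    if p.name in STATE_FILES:
        return "state-file"
    if UPLOAD_DIR not in p.parts[:-1]:
        return None
    # Path relative to the upload folder; PATH may be appended with slashes.
    rel = "/".join(p.parts[p.parts.index(UPLOAD_DIR) + 1:])
    if rel.startswith("FileList.txt"):
        return "directory-listing"
    if rel.startswith("SizeRet.txt"):
        return "size-report"
    if rel.startswith("mmsImage") and UUID_RE.fullmatch(rel[len("mmsImage"):]):
        return "mms-image"
    if SMS_RE.fullmatch(p.name):
        return "sms-dump"
    return "other-upload-content"

def triage(paths):
    hits = {}
    for path in paths:
        label = classify(path)
        if label:
            hits.setdefault(label, []).append(path)
    return hits

def is_suspicious(hits):
    # Generic names alone are weak; require a state file plus another artifact.
    return "state-file" in hits and len(hits) > 1

# Constructed sample listing (paths, package directory and date format are made up).
SAMPLE = [
    "/mnt/sdcard/dataCache/FileList.txt/mnt/sdcard/DCIM",
    "/mnt/sdcard/dataCache/mmsImage3f2b8c1e-7a4d-4e2b-9c1a-5d6e7f8091ab",
    "/mnt/sdcard/dataCache/2012-01-05_+15555550100",
    "/data/data/com.example.placeholder/files/alarmIsSet",
    "/data/data/com.example.placeholder/files/Data.dat",
]
```

Feed `triage()` the output of a recursive file listing from the device image; a `dataCache` folder on its own is not treated as a match because the name is generic.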

Permissions required by the application:

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.