Mobile Virus

Android/FinSpy.A!tr.spy

Analysis

Android/FinSpy.A!tr.spy is a piece of malware targetting Android mobile phones.
The malware disguises itself as an Android services application, however, steals user information such as SMS/MMS messages, phone call recordings, emails and sends it to the attackers.
It also allows the attacker to download information from the victim's phone such as contacts, calendar, pictures, files and GPS location data.

Technical Details


The main application is called "Android Services" and comes in a package named com.android.services.
Upon installation, the application can only be seen in the list of installed applications in the Settings menu (ref Fig1)

Fig1: Application as seen in Settings menu
The Trojan is automatically launched if any of the following events take place:
  • an SMS message is received
  • The phone connectivity changes
  • The Wifi or bluetooth state changes
  • The phone state changes i.e. a phone call is received or made from the infected phone
  • The battery or storage space is low
  • The malware package itself is changed

The configuration information used by the Trojan is saved in a file called 84C.dat at the package path which contains the attackers' C&C addresses.
Finally, the purpose of the Trojan is that it collects information from the victim's phone such as incoming SMS/MMS messages, phone call recordings, emails and data such as contacts, calendar, pictures, files and GPS location.
This stolen information is sent to the attackers either via SMS messages or via internet to the attackers' server (both addresses are found in the configuration file mentioned above).
Permissions required by the application:
  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION
  • INTERNET
  • READ_PHONE_STATE
  • ACCESS_NETWORK_STATE
  • READ_CONTACTS
  • READ_SMS
  • SEND_SMS
  • RECEIVE_SMS
  • WRITE_SMS
  • RECEIVE_MMS
  • RECEIVE_BOOT_COMPLETED
  • PROCESS_OUTGOING_CALLS
  • ACCESS_NETWORK_STATE/li>
  • ACCESS_WIFI_STATE
  • WAKE_LOCK
  • CHANGE_WIFI_STATEmo
  • MODIFY_PHONE_STATE
  • BLUETOOTH
  • RECEIVE_WAP_PUSH
  • CALL_PHONE
  • WRITE_CONTACTS
  • MODIFY_AUDIO_SETTINGS

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.