Mobile Virus

Android/MobileTx.A!tr

Analysis

Android/MobileTx.A!tr is a piece of malware targetting Android mobile phones.
The malicious package comes disguised as a Chinese fortune telling application however, leaks information from the victim's phone such as IMSI. It also sends out SMS messages to a premium rate number, hence causing losses for the user.

Technical Details


The malicious application comes in packages such as com.tx.pet The malicious package contains the following classes :
  • MainActivity : It creates the application view and starts the task ValidateAsyncTask described below. Next, it checks if the TxActivity is running, every 12 secs, and if not, launches it.
  • ValidateAsyncTask : It reads the phone's IMSI and registers the phone with the attacker's server by sending out a POST request to
    hxxp://[REMOVED].tx.com.cn:8081/client/xxx.xx
    with the IMSI as a parameter.
    In turn the server responds with a group of #-separated values that are reads as the uid, imsi and phonenumber, in that order.
    Next, it sends out an SMS message to the premium number 12114 with the contents
    "天下#99#" + imsi + "#android#sp_jifeng"
  • TxActivity : This activity contacts the URL
    http://[REMOVED].tx.com.cn:8081/client/xxxx.xx?viewerId="+uid+"&imsi="+imsi+"&phonenum="+phonenum+"&type=15
    where the parameter variables are the value received in the previous request.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.