Mobile Virus

Android/Tascudap.A!tr

Analysis

Android/Tascudap.A!tr is a piece of malware targetting Android mobile phones.
The malicious package shows no explicit signs of installation however, it is launched every time the 'Google Play' application is launched. In background, the malware spies the victim and forwards SMS messages received by the victim's phone to the attackers' server.
It also receives commands from the attacker's server to perform functions like sending out SMS messages, and sending out numerous UDP packets to a certain URL.

Technical Details


The application calls itself "Google Themes Provider" and comes in the package 'com.google.themes.provider'. Upon installation, it can only be seen in the list of installed applications in the settings menu as seen in Fig1.

Fig1 : Installed application seen in Settings menu
The application is launched every time the Google Play application is launched using the "android.intent.category.APP_MARKET" intent.
It is also launched automatically when the phone is rebooted, an SMS message is received, the phone's network connectivity changes or a new outgoing call is placed.
When launched, the application opens a connection to the following URL at port 2700-2799
[REMOVED]borizslk.com
Then, it listens for commands from the server. Depending upon the first two characters in the message received, the following functions are performed:
Command Function performed
#m The rest of the string received is split at the char ":". An SMS message is sent from the phone with the first part of the string as destination phone number and the second half as the message body
#u The rest of string is split at ":". The first part servers as the destination URL and the 2nd part as the port. The phone then sends out a large number of UDP packets containing randomly chosen bytes to the said destination. This feature is probably used to launch a DDoS attack on the destination.
#t This command is used to check if the connection is still open. If yes, the message "#t i am here" is sent back to the server

The Trojan also listens for SMS messages received and forwards them to the abovementioned server in the format
"#s【源】"(Source) + num + "\n【内容】"(content) + msg
where num = Phone number from which SMS is received ; msg = Contents of SMS received
Permissions required by the application:
  • INTERNET
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE
  • RECEIVE_SMS
  • SEND_SMS

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.