Riskware/Biige!Android
Analysis
Riskware/Biige!Android is a piece of malware targeting Android mobile phones.
The application is used to spy on a victim's phone by monitoring SMS messages, outgoing calls, location information, etc. The collected information is sent to the application's website.
It also provides an 'Uninstallation Protection' feature that sends out an SMS message from the phone to a user-defined number each time an attempt to uninstall the application is made.
Technical Details
The main application is called "PhoneBeagle Recorder" or "BiiGe Recorder" (see Fig1 and Fig2) and comes in the package 'com.agilebinary.phonebeagle' or 'com.biige.recorder'.
Fig1 : PhoneBeagle Recorder application Icon
Fig2 : BiiGe Recorder application Icon
Once the application is started, the user is asked to activate the application with a product key, as seen in Fig3.
Fig3 : Application activation screen
Once the application is activated, information from the device such as SMS messages, outgoing calls, location information, etc. is collected and sent to the application's server:
hxxp://[REMOVED]beagle.com
It also has an Uninstallation Protection feature that requires Device administration rights. At the time of activation of the feature, the user is asked to enter a phone number.
Each time the user tries to uninstall the application, an SMS message is sent to the specified number with the following text:
The PhoneBeagle Recorder Uninstall Protection has been deactivated.
The application is automatically started when the phone is rebooted.
Permissions required by the application:
- INTERNET
- READ_PHONE_STATE
- RECEIVE_SMS
- READ_SMS
- SEND_SMS
- WRITE_SMS
- PROCESS_OUTGOING_CALLS
- READ_CONTACTS
- WRITE_CONTACTS
- RECEIVE_BOOT_COMPLETED
- ACCESS_FINE_LOCATION
- ACCESS_COARSE_UPDATES
- ACCESS_NETWORK_STATE
- WAKE_LOCK
- ACCESS_WIFI_STATE
- CHANGE_WIFI_STATE
- PROCESS_OUTGOING_CALLS
- READ_HISTORY_BOOKMARKS
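As an added, defender-side example (not Fortinet's detection logic), the following Python script triages an APK's declared permissions against the capability profile described above (SMS interception and sending, outgoing-call monitoring, location tracking, boot persistence, network exfiltration). It assumes the text of `aapt dump badging <apk>` has already been captured; the sample input is constructed from the package name and permission list on this page.

```python
"""Permission-based triage for the spyware capability profile described above.

Added example, not Fortinet's detection logic. It consumes the text printed by
`aapt dump badging <apk>` (assumed to have been run beforehand); the sample
input below is constructed from the package name and permissions on this page.
"""
import re

# Capability groups that together match the behaviour described: SMS
# interception and sending, call monitoring, location tracking, boot
# persistence and network exfiltration.
SPYWARE_PROFILE = {
    "sms_read": {"READ_SMS", "RECEIVE_SMS"},
    "sms_send": {"SEND_SMS"},
    "call_monitor": {"PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_COARSE_UPDATES"},
    "persistence": {"RECEIVE_BOOT_COMPLETED"},
    "network": {"INTERNET"},
}
KNOWN_PACKAGES = {"com.agilebinary.phonebeagle", "com.biige.recorder"}  # from this page

def parse_badging(text: str) -> tuple[str, set[str]]:
    """Return (package name, set of bare permission names) from aapt badging output."""
    pkg = re.search(r"^package: name='([^']+)'", text, re.M)
    perms = re.findall(r"^uses-permission: name='(?:[\w.]+\.)?([A-Z_]+)'", text, re.M)
    return (pkg.group(1) if pkg else ""), set(perms)

def triage(text: str) -> dict:
    package, perms = parse_badging(text)
    hits = {g: sorted(perms & want) for g, want in SPYWARE_PROFILE.items() if perms & want}
    full_profile = set(hits) == set(SPYWARE_PROFILE)   # every capability group present
    known = package in KNOWN_PACKAGES
    return {"package": package, "known_package": known, "matched_groups": hits,
            "verdict": "spyware-profile" if (full_profile or known) else "review"}

# Constructed sample in aapt's format, using the permissions listed on this page.
SAMPLE_BADGING = "package: name='com.biige.recorder' versionCode='1'\n" + "".join(
    f"uses-permission: name='android.permission.{p}'\n" for p in [
        "INTERNET", "READ_PHONE_STATE", "RECEIVE_SMS", "READ_SMS", "SEND_SMS", "WRITE_SMS",
        "PROCESS_OUTGOING_CALLS", "READ_CONTACTS", "WRITE_CONTACTS", "RECEIVE_BOOT_COMPLETED",
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_UPDATES", "ACCESS_NETWORK_STATE", "WAKE_LOCK",
        "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "READ_HISTORY_BOOKMARKS"])

# Constructed benign-looking sample: a messaging app with no location or call hooks.
BENIGN_BADGING = ("package: name='com.example.chat'\n"
                  "uses-permission: name='android.permission.INTERNET'\n"
                  "uses-permission: name='android.permission.READ_SMS'\n")

if __name__ == "__main__":
    for sample in (SAMPLE_BADGING, BENIGN_BADGING):
        r = triage(sample)
        print(r["package"], r["verdict"], sorted(r["matched_groups"]))
```

A "spyware-profile" verdict is a triage signal for manual review of the APK, not a detection on its own; a legitimate app may hold the same permissions.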
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.