Mobile VirusAndroid/Malapp.C!tr.spy
Analysis
Android/Malapp.C!tr.spy is a piece of malware targetting Android mobile phones.
The malware is similar to Android/Malapp.A!tr.spy with the added functionality of manipulating incoming calls on the victim's phone.
Technical Details
The variant is very similar to Android/Malapp.A!tr.spy with the following added functionalities:
Heartbeat messages : Regular HTTP POST requests are sent to
"http://110.34.175.91/ccc.php"every 5 mins containing parameters {"s" : "ok"}
Call Blocking : The phone state is monitored. The application selectively disconnects incoming calls from and prevent outgoing calls to certain numbers
The list of numbers is present in the file mobile.txt in the package assets
Extra permissions required by this variant are:
- CALL_PHONE
- MODIFY_PHONE_STATE
- PROCESS_OUTGOING_CALLS
Aimed at Korean users
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |