Mobile VirusAndroid/Smsilence.A!tr.spy
Analysis
Android/Smsilence.A!tr.spy is a malware which targets Android platforms.
It typically comes in the form of a fake theme for Vertu phones (luxury mobile phones).
In reality, it spies on the victim and sends to a remote server
his/her phone number and all subsequent incoming SMS messages.
When the application is launched, this main activity class is called and displays
a screen in relationship with Vertu phones (see Figure 1), along
with an error message, saying "Service is offline or a high load. Please try again later."
Figure 1. Main screen of Android/Smsilence.A!tr.spy
Meanwhile, the malware however performs its malicious task.
It sends an HTTP POST to
http://[CENSORED]889.com/Android_SMS/installing.phpwith the victim's mobile phone number as parameter (mobile=PHONENUMBER).
Then, it listens to all incoming SMS messages. Whenever a SMS is received, it forwards it to the same remote web site
http://[CENSORED]889.com/Android_SMS/receiving.phpwith the following parameters:
- mobile: originating phone number of incoming SMS. The country prefix is removed if present.
- revsms: incoming message body.
- If the message body contains the string 112, the malware uninstalls itself.
- If the message body contains the string 113, the malware downloads and installs other
payload from
http://hg[CENSORED].com/ms.apk
- If the SMS comes from phone number 1588366, the malware deletes an application named com.google.macport.application. It is assumed that this corresponds to the additional payload downloaded using the 113 command. However, currently, this is no longer true, ms.apk currently corresponding to an application named com.QQPhone.sxcs
Both Japanese and Korean versions of Android/Smsilence.A!tr.spy have been found in the wild up to now.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |