Android/Stels.A!tr

Analysis

Android/Stels.A!tr poses as a fake Flash player update for Android mobile devices. In reality, the victim's phone becomes part of a botnet with several capabilities:

  • SMS forwarding or stealing: incoming SMS messages that match a given pattern are forwarded to the attacker's server. They can also be deleted so that the victim never sees them. This functionality is particularly useful for stealing mTANs (mobile banking authentication codes), since those TANs are sent by SMS. The malware only forwards the SMS messages that match its filters to its servers, not messages the attackers have no interest in.
  • Leaking the list of contacts or installed packages: all contacts (respectively, all installed package names) on the phone are sent to a remote server.
  • Remote control: the phone can be piloted by the attacker to call a given phone number, send a given SMS, open a given URL, or toast (display) a given message.

The package is named android.systempack.ins.
When the malware is launched, the MainActivity is called. This activity displays a web page included in the package's assets (./html/index.html) with the sole goal of giving the end user the illusion that the sample is a Flash Player update.
The malware gets some initial configuration from its resource strings. In particular, it decodes the URL of the remote C&C to contact using a custom Base64 encoding:
jsonObject.put("server", Functions.decript(this.getString(2130903043)));
Meanwhile, the malware registers an SMS receiver (MainReceiver) and starts a service (MainService) in the background. It sends an HTTP request to the remote C&C every 60 seconds (the period is actually configurable) and processes the commands it gets in return. The commands are dispatched by MainService, and each command's implementation lives in a class named Functions. The commands are listed hereafter:
  • wait: wait for a given time before re-contacting the C&C
  • server: sets the URL of the remote server
  • subPref: sets the bot's subPref parameter
  • botId: sets the bot's identifier
  • removeAllSmsFilters: removes all delete filters.
  • removeAllCatchFilters: removes all catch filters.
  • deleteSms: like catchSms, but the matching SMS is deleted rather than forwarded.
  • catchSms: sets the catch filter to a given phone number and text, removing any other catch filters. Whenever an SMS matches, the malware sends an HTTP POST whose parameters are the originating phone number and the message body.
  • sendSms: sends an SMS to a given phone number with a given text.
  • httpRequest: sends an HTTP request to a given URL. The request is customizable: the server can specify the method to use (GET, POST, ...), the URL, property pairs, etc.
  • update: downloads an update of the malware at a given URL and installs it.
  • uninstall: uninstalls a given package. Note that if the application gets the appropriate rights, the malware can potentially uninstall other packages than itself.
  • notifications: notifies the victim with the specified message
  • openUrl: opens the browser at the specified URL
  • sendContactList: sends an HTTP request to the remote server with the list of all contacts on the victim's phone.
  • sendPackageList: same but sends the list of all installed packages.
  • makeCall: calls a given phone number
For example, in the response below, the server removes all delete filters, sets the period to 60 seconds and updates the server's URL to hxxp://[CENSORED]ashplayer.net.ua/data.php:
I/System.out(  635): response: {"removeAllSmsFilters":true,
"wait":60,
"server":"http:\/\/[CENSORED]ashplayer.net.ua\/data.php"}
Each time the malware contacts the remote server over HTTP, it sends sensitive data such as the victim's IMEI and IMSI. The HTTP request also includes a "type" field indicating the kind of request the malware is making, one of the following:
  • "catch": the HTTP request sent after an SMS matched a catch filter
  • "phonebook": sent when the malware is sending the victim's contacts to the server
  • "packages": used when the malware is sending the list of all installed packages
  • "callback": for other requests where the remote server is expected to reply
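The C&C exchange described above, as an added triage example (not code from the original analysis nor from the malware): it parses a captured C&C JSON response into a normalised command list, records the indicators worth keeping, and classifies an outgoing beacon by its "type" parameter. The command keys and "type" values are those listed above; the form-urlencoded beacon body and the parameter names other than "type" are assumptions made for the constructed sample data.

```python
"""Triage helper for Android/Stels.A C&C traffic (added example)."""
import json
from urllib.parse import parse_qs

# Command keys listed in the analysis, grouped by effect.
CONFIG_CMDS = {"wait", "server", "subPref", "botId"}
FILTER_CMDS = {"removeAllSmsFilters", "removeAllCatchFilters",
               "deleteSms", "catchSms"}
ACTION_CMDS = {"sendSms", "httpRequest", "update", "uninstall",
               "notifications", "openUrl", "sendContactList",
               "sendPackageList", "makeCall"}
KNOWN_CMDS = CONFIG_CMDS | FILTER_CMDS | ACTION_CMDS

# "type" values the bot places in its own requests.
REQUEST_TYPES = {"catch", "phonebook", "packages", "callback"}

# Constructed samples: the response quoted in the analysis (raw string so the
# JSON-escaped slashes survive) and an ASSUMED form-encoded beacon body with
# placeholder identifiers.
SAMPLE_RESPONSE = (r'{"removeAllSmsFilters":true,"wait":60,'
                   r'"server":"http:\/\/[CENSORED]ashplayer.net.ua\/data.php"}')
SAMPLE_BEACON = "imei=IMEI-PLACEHOLDER&imsi=IMSI-PLACEHOLDER&type=callback"


def parse_response(body):
    """Split one C&C JSON response into (commands, unknown_keys).

    commands keeps the server's order as (name, argument) pairs; keys the
    analysis does not list are reported separately so that a protocol change
    in a new sample is noticed instead of silently ignored.
    """
    data = json.loads(body)
    commands, unknown = [], []
    for key, value in data.items():
        if key in KNOWN_CMDS:
            commands.append((key, value))
        else:
            unknown.append(key)
    return commands, unknown


def extract_indicators(body):
    """Collect the network-relevant values carried by a response."""
    commands, _ = parse_response(body)
    iocs = {}
    for name, arg in commands:
        if name == "server":
            iocs["c2_url"] = arg
        elif name == "wait":
            iocs["beacon_period_s"] = int(arg)
        elif name == "update":
            iocs["update_url"] = arg
        elif name in FILTER_CMDS:
            iocs.setdefault("sms_filter_changes", []).append(name)
    return iocs


def dangerous_commands(body):
    """Names of commands that act on the device beyond reconfiguration."""
    commands, _ = parse_response(body)
    return [name for name, _ in commands if name in ACTION_CMDS]


def classify_request(form_body):
    """Return the beacon's "type" value, or "unknown" if it is not one listed."""
    params = parse_qs(form_body)
    rtype = params.get("type", [None])[0]
    return rtype if rtype in REQUEST_TYPES else "unknown"


if __name__ == "__main__":
    cmds, unknown = parse_response(SAMPLE_RESPONSE)
    print("commands:", cmds, "unknown:", unknown)
    print("indicators:", extract_indicators(SAMPLE_RESPONSE))
    print("beacon type:", classify_request(SAMPLE_BEACON))
```

Feeding a sandbox's captured responses through extract_indicators gives the current C&C URL and beacon period for blocking and hunting, while dangerous_commands flags the responses that instruct the bot to call, send SMS, install an update or uninstall a package, which are the ones worth alerting on first.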
The malware's current configuration is stored in a shared preferences file in the application's directory (/data/data/android.systempack.ins/shared_prefs/stelsSettings.xml). For example, it contains the following:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="sid">1</string>
<string name="botId">BOTIDV</string>
<int name="startPeriod" value="60" />
<string name="deleteSms">[]</string>
<string name="catchSms">[]</string>
<string name="server">http://[CENSORED]shplayer.net.ua/data.php</string>
<long name="timeNextConnection" value="1373032246371" />
<int name="period" value="300" />
<boolean name="first" value="false" />
<string name="version">2</string>
<string name="subPref">SUBPREFV</string>
</map>
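For an incident responder who has pulled this file off a device, here is an added example (not part of the original analysis) that parses the stelsSettings.xml shown above, which is a standard Android SharedPreferences XML file, into typed values and summarises the indicators worth recording. Treating the catchSms and deleteSms strings as JSON arrays is an assumption based on the "[]" values in the sample.

```python
"""Forensic triage of the Stels.A shared-preferences file (added example)."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed copy of the configuration quoted in the analysis.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="sid">1</string>
<string name="botId">BOTIDV</string>
<int name="startPeriod" value="60" />
<string name="deleteSms">[]</string>
<string name="catchSms">[]</string>
<string name="server">http://[CENSORED]shplayer.net.ua/data.php</string>
<long name="timeNextConnection" value="1373032246371" />
<int name="period" value="300" />
<boolean name="first" value="false" />
<string name="version">2</string>
<string name="subPref">SUBPREFV</string>
</map>"""


def parse_shared_prefs(xml_text):
    """Turn a SharedPreferences <map> into a dict with Python-typed values."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    prefs = {}
    for elem in root:
        name = elem.get("name")
        if elem.tag == "string":
            prefs[name] = elem.text or ""
        elif elem.tag in ("int", "long"):
            prefs[name] = int(elem.get("value"))
        elif elem.tag == "boolean":
            prefs[name] = elem.get("value") == "true"
        else:
            # float/set or unexpected tags: keep the raw attribute value
            prefs[name] = elem.get("value")
    return prefs


def _filter_list(prefs, key):
    """Decode a filter entry; the JSON-array format is an assumption."""
    raw = prefs.get(key, "[]")
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def triage(prefs):
    """Summarise the indicators a responder records from the config."""
    next_conn = datetime.fromtimestamp(prefs["timeNextConnection"] / 1000,
                                       tz=timezone.utc)
    catch = _filter_list(prefs, "catchSms")
    delete = _filter_list(prefs, "deleteSms")
    return {
        "c2_url": prefs.get("server"),
        "bot_id": prefs.get("botId"),
        "malware_version": prefs.get("version"),
        "beacon_period_s": prefs.get("period"),
        "next_connection_utc": next_conn.isoformat(),
        "catch_filters": catch,
        "delete_filters": delete,
        # Any populated filter means SMS interception is currently armed.
        "sms_interception_armed": bool(catch) or bool(delete),
    }


if __name__ == "__main__":
    for key, value in triage(parse_shared_prefs(SAMPLE_PREFS)).items():
        print(f"{key}: {value}")
```

The timeNextConnection value is a millisecond epoch, so converting it gives the moment the bot planned its next C&C contact, which is useful for correlating with proxy or carrier logs; empty catchSms and deleteSms arrays, as in this sample, mean no SMS interception filter was active at acquisition time.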
Finally, the malware implements a functionality to send emails via an anonymous server URL. However, this functionality does not appear to be used in the sample we analyzed.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-12-05 73.58100
2019-04-24 68.03400
2019-04-23 68.01900