Android/AckPosts.A!tr
Analysis
Android/AckPosts.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a battery-life prolongation or radio-wave improvement application; however, in the background, it sends contact details from the infected phone to the attacker's server.
Technical Details
The main application can be called "Long Battery", "Radio Waves improvement" or "Secret App" (ref Fig1 and Fig2) and comes in packages such as com.mmmm.batterylong, freetalkn.all.free, com.mmmm.bl, secret.app.android etc.
Fig1 : Long Battery life application
Fig2 : Radio Wave improvement application icon
Fig3 : Secret App application Icon
When the application is launched, the user is shown a message saying the application is not supported by the phone.
Fig4 : Application main screen (the message in Japanese roughly translates to "Sorry, the application is not supported by your phone").
In the background, the application steals contact information and sends it to the attacker's server at
hxxp://[REMOVED]/bl.php or
hxxp://[REMOVED]/batterylong.php
in the format
[_id] + ":" + [display_name] + ":" + [phone_number] + ":" + [email_id] + "/"
and so on, one record for each contact on the phone.
Permissions required by the application:
- READ_CONTACTS
- INTERNET
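The two details above that a defender can act on are the permission pair (READ_CONTACTS plus INTERNET in an app whose stated purpose is battery or radio tuning) and the fixed record layout of the exfiltrated data. The following is an added example, not code from this page or from the malware: it triages a decoded AndroidManifest.xml for that permission pair and the package names listed above, and parses a captured request body in the described `id:name:phone:email/` format so an analyst can count how many contacts were leaked. The manifest text, the request body and the `/bl.php` path check are constructed from the page's description; the phone numbers and e-mail addresses are invented sample values.

```python
"""Triage helpers for the AckPosts behaviour described above (added example).

Both the manifest and the captured POST body below are constructed samples
modelled on the page's description; nothing here is the malware's own code.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package names and permissions taken from the page.
KNOWN_PACKAGES = {
    "com.mmmm.batterylong", "freetalkn.all.free",
    "com.mmmm.bl", "secret.app.android",
}
EXFIL_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
}
# Script names from the page's (host-redacted) server URLs.
SUSPECT_PATHS = ("/bl.php", "/batterylong.php")

# Constructed manifest resembling what a decoded sample would declare.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mmmm.batterylong">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Long Battery"/>
</manifest>
"""

# Constructed request body in the page's record format; values are invented.
SAMPLE_BODY = (
    "1:Alice Example:09000000000:alice@example.invalid/"
    "2:Bob Example:09011111111:/"              # empty email field
    "3:Support: Helpdesk:0120000000:help@example.invalid/"  # colon in name
)


def triage_manifest(manifest_xml: str) -> dict:
    """Flag a manifest that declares the contact-exfiltration permission pair."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {el.get(f"{{{ANDROID_NS}}}name", "")
             for el in root.iter("uses-permission")}
    return {
        "package": package,
        "known_package": package in KNOWN_PACKAGES,
        "has_exfil_permissions": EXFIL_PERMISSIONS <= perms,
        "permissions": sorted(perms),
    }


@dataclass
class ContactRecord:
    contact_id: str
    display_name: str
    phone_number: str
    email: str


# _id is numeric; phone and email carry no colon, so the display name is
# matched greedily and may itself contain a colon.
RECORD_RE = re.compile(r"^(\d+):(.*):([^:]*):([^:]*)$")


def parse_exfil_body(body: str) -> list[ContactRecord]:
    """Split a captured body into ContactRecord objects, skipping malformed chunks."""
    records = []
    for chunk in body.split("/"):
        if not chunk:
            continue
        m = RECORD_RE.match(chunk)
        if m:
            records.append(ContactRecord(*m.groups()))
    return records


def looks_like_ackposts_exfil(body: str, min_records: int = 1) -> bool:
    """True when every '/'-separated chunk is a well-formed contact record."""
    chunks = [c for c in body.split("/") if c]
    return len(chunks) >= min_records and all(RECORD_RE.match(c) for c in chunks)


def flag_request(path: str, body: str) -> dict:
    """Combine the URL-path and body heuristics for one captured request."""
    path_hit = path.endswith(SUSPECT_PATHS)
    body_hit = looks_like_ackposts_exfil(body)
    return {
        "path_hit": path_hit,
        "body_hit": body_hit,
        "suspicious": path_hit or body_hit,
        "contacts_leaked": len(parse_exfil_body(body)) if body_hit else 0,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(flag_request("/bl.php", SAMPLE_BODY))
```

The path check is weak on its own because the host is redacted and the script names are generic, so treat `path_hit` as corroboration and rely on the body structure and the manifest permission pair for the actual verdict.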
Aimed at Japanese users
Certificate information: Owner: CN=1; Issuer: CN=1
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |