Android/FakeInst.GA!tr

Analysis

Android/FakeInst.GA!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as an installer application. In the background, it monitors incoming SMS messages and, depending upon the sender's phone number, selectively hides received SMS from the end-user and/or automatically replies to them. It also regularly connects to a C&C server and, depending upon the response received, can perform functions such as sending SMS messages, sending out further HTTP requests, displaying notifications on the phone, sending the user's contact list or the list of installed packages to the C&C, uninstalling certain packages, making phone calls, etc. It additionally sends phone information such as the phone number, IMEI, IMSI, model, etc. to a separate registration server.

Technical Details

The main application is called "install" (see Fig1) and comes in the package "install.app".

Fig1 : Application Icon
When launched, the user sees a screen as seen in Fig2.

Fig2 : Application home screen (Translation : "Installation is complete! Click Next to start the application")
If the user clicks on the 'Agree' button, s/he is directed to the Google App store.
In the background, the victim's phone information is sent in a POST request to the registration server
www.[REMOVED]bin.com/bn
with parameters
  • "imei" : [IMEI]
  • "imsi" : [IMSI]
  • "time" : [Current_Time_in_msecs]
  • "phone" : [PH_NUMBER]
  • "version" : VER1
  • "sid" : SID1
  • "type" : callback
  • "os" : android
  • "model" : Build.MODEL
  • "manufacturer" : Build.MANUFACTURER
  • "sdk" : Build.VERSION.SDK_INT
  • "apiKey" : 131-226
  • "appId" : 1058
(apiKey and appId are hardcoded in the package strings)

The application can only be exited by pressing the 'Home' button, which ensures it keeps running in the background.
It monitors incoming SMS messages and if the sender's number matches the numbers on a list of "block_numbers", the SMS is hidden from the victim. Also, if the number matches a number on the list aosList, an automatic response is sent to the sender with the message "ok". This functionality could be used to confirm subscriptions on the phone without the victim's knowledge.
Apart from these hard-coded lists, the malware maintains lists "deleteSmsList" and "catchSmsList" each containing pairs of "phone": "text".
If an incoming SMS matches an entry on deleteSmsList, the SMS is hidden from the end-user.
If an incoming SMS matches an entry on catchSmsList, the SMS is forwarded to the registration server above in a POST request.
Finally, the malware contacts the C&C server
http://[REMOVED]hot.be/midlets/ins/?imei=[IMEI]&imsi=[IMSI]&appid=1058&phone=[PH_NUMBER]&country=[ISO_COUNTRY_CODE]&model=[Build.MODEL]&manufacturer=[Build.MANUFACTURER]&sdk=[Build.VERSION.SDK_INT]&flow_id=226

This process is repeated every 24 hours.
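The registration POST and the periodic C&C GET described above leave a recognisable footprint in web proxy logs: a GET to a path ending in /midlets/ins/ whose query carries imei, imsi, appid=1058, flow_id=226 and the device fields, and a POST to a path ending in /bn. The following is an added example, not code from the original analysis, that scans constructed proxy log lines (in a "client method url" form assumed for the example; the hostnames are placeholders since the page redacts the real ones) and flags both request types:

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines in "client method url" form (not from the
# original page). Hostnames are placeholders; the analysis redacts the real ones.
SAMPLE_LOG = """\
10.0.0.5 GET http://cnc.example.invalid/midlets/ins/?imei=356938035643809&imsi=250010123456789&appid=1058&phone=%2B79991234567&country=RU&model=GT-I9100&manufacturer=samsung&sdk=10&flow_id=226
10.0.0.7 POST http://www.reg.example.invalid/bn
10.0.0.9 GET http://www.example.invalid/index.html?page=1
"""

# Indicators taken from the C&C URL in the analysis.
BEACON_PATH = "/midlets/ins/"
BEACON_REQUIRED = {"imei", "imsi", "appid", "phone", "country",
                   "model", "manufacturer", "sdk", "flow_id"}
BEACON_APPID = "1058"
BEACON_FLOW_ID = "226"
# The registration endpoint path; on its own a weak indicator, so it is
# reported separately from the beacon.
REGISTRATION_PATH = "/bn"


def classify_request(method, url):
    """Return (verdict, details) for one request, or (None, {}) when the
    request matches neither the beacon nor the registration pattern."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if method == "GET" and parts.path == BEACON_PATH and BEACON_REQUIRED.issubset(query):
        if query["appid"] == [BEACON_APPID] and query["flow_id"] == [BEACON_FLOW_ID]:
            return "cnc_beacon", {"imei": query["imei"][0],
                                  "imsi": query["imsi"][0],
                                  "host": parts.hostname}
        # Same URL shape but different campaign identifiers: still worth a look.
        return "cnc_beacon_variant", {"appid": query["appid"][0],
                                      "flow_id": query["flow_id"][0],
                                      "host": parts.hostname}
    if method == "POST" and parts.path == REGISTRATION_PATH:
        return "registration_post", {"host": parts.hostname}
    return None, {}


def scan_log(text):
    """Scan "client method url" lines and collect every matching request."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, method, url = fields
        verdict, details = classify_request(method, url)
        if verdict:
            hits.append({"client": client, "verdict": verdict, **details})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The beacon match requires the full parameter set plus the hard-coded appid and flow_id, so a benign URL containing only an imei parameter is not flagged; the /bn registration match is reported under its own verdict so it can be weighted lower in a SIEM rule.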
Depending upon the keywords contained in the response, the following functions are carried out. Each entry gives the keyword with its optional JSON object, followed by the function performed:
  • {"wait": [WAIT]}
    Sets the time for the next connection to the C&C to WAIT seconds later. The default wait between two connections is 24 hours.
  • {"server": [URL]}
    Sets the value of the registration server above to URL.
  • {"deleteSms": {"phone": [PH], "text": [MSG]}}
    Adds the pair PH and MSG to the deleteSmsList.
  • {"catchSms": {"phone": [PH], "text": [MSG]}}
    Adds the pair PH and MSG to the catchSmsList.
  • {"sendSms": {"phone": [PH], "text": [MSG]}}
    Sends an SMS message to PH with content MSG.
  • {"removeAllSmsFilters": [True/False]}
    If the boolean value is true, the deleteSmsList is cleared.
  • {"removeAllCatchFilters": [True/False]}
    If the boolean value is true, the catchSmsList is cleared.
  • {"httpRequest": {"method": [GET/POST], "url": [URL], "params": [JSONObject_with_name_value_pairs], "properties": [JSONObject_with_name_value_pairs]}}
    Sends an HTTP request to URL with the data in "params". The data in "properties" specifies the HTTP request properties.
  • {"update": [NAME]}
    Downloads an application update from the location specified by NAME, saves it as "[External_SD]/download/[Current_Time_in_msecs].apk" and then installs that package.
  • {"uninstall": [APK]}
    Uninstalls the package APK from the victim's phone.
  • {"notification": {"tickerText": [TXT1], "title": [TITLE], "text": [TXT2], "icon": [ICON_ID]}}
    Displays a notification on the victim's phone with the details specified in the enclosed JSONObject.
  • {"openUrl": [URL]}
    Opens the site URL on the victim's phone.
  • {"sendContactList": [True/False]}
    If the boolean value is true, the list of contacts on the victim's phone is sent to the registration server in a POST request.
  • {"sendPackageList": [True/False]}
    If the boolean value is true, the list of packages installed on the victim's phone is sent to the registration server in a POST request.
  • {"twitter": [Twitter_URL]}
    Updates the corresponding value in the shared preferences. This value is sent as one of the parameters in the POST request but is never contacted.
  • {"makeCall": [PH]}
    Places a call from the victim's phone to the number PH.
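When a C&C response is captured in a sandbox or from a proxy, an analyst wants it turned into a readable list of what the bot was told to do and how serious each instruction is. The following decoder is an added example, not code from the original analysis or the malware. It assumes the keywords above arrive together in one JSON object (the page lists them one per row, so the exact wire format is an assumption), validates the shape of each command, rates it with a severity assigned here from the behaviours described, and reports unknown keys separately:

```python
import json

# Constructed sample C&C response (not from the page). It assumes the keywords
# are delivered as keys of one JSON object; "bogus" is an unknown key on purpose.
SAMPLE_RESPONSE = json.dumps({
    "wait": 3600,
    "server": "http://reg.example.invalid/bn",
    "deleteSms": {"phone": "1234", "text": "subscription"},
    "catchSms": {"phone": "5555", "text": "code"},
    "sendSms": {"phone": "1151", "text": "START"},
    "removeAllCatchFilters": False,
    "notification": {"tickerText": "t", "title": "Update", "text": "Tap to update", "icon": 1},
    "sendContactList": True,
    "bogus": 1,
})

DEFAULT_WAIT = 24 * 3600  # the analysis gives 24 hours as the default interval
ORDER = ["none", "info", "low", "medium", "high", "critical"]

# Severity per keyword, assigned here from the behaviour the analysis describes.
SEVERITY = {
    "wait": "info", "server": "medium", "twitter": "info",
    "deleteSms": "medium", "catchSms": "high",
    "removeAllSmsFilters": "info", "removeAllCatchFilters": "info",
    "sendSms": "high", "httpRequest": "medium", "update": "critical",
    "uninstall": "high", "notification": "low", "openUrl": "low",
    "sendContactList": "high", "sendPackageList": "medium", "makeCall": "high",
}


def describe(keyword, value):
    """One-line human summary of a command, flagging malformed objects."""
    if keyword in ("deleteSms", "catchSms", "sendSms"):
        if not (isinstance(value, dict) and {"phone", "text"}.issubset(value)):
            return "malformed " + keyword + " object"
        action = {"deleteSms": "hide SMS from", "catchSms": "forward SMS from",
                  "sendSms": "send SMS to"}[keyword]
        return f"{action} {value['phone']} (text {value['text']!r})"
    if keyword in ("removeAllSmsFilters", "removeAllCatchFilters",
                   "sendContactList", "sendPackageList"):
        return keyword + (" enabled" if value is True else " disabled")
    if keyword == "wait":
        return f"next check-in in {value} s"
    return f"{keyword} = {value!r}"


def decode_response(raw):
    """Parse a raw C&C response into a structured report without acting on it."""
    report = {"commands": [], "unknown": [], "next_wait_seconds": DEFAULT_WAIT}
    try:
        data = json.loads(raw)
    except ValueError:
        report["error"] = "response is not JSON"
        return report
    if not isinstance(data, dict):
        report["error"] = "response is not a JSON object"
        return report
    for keyword, value in data.items():
        if keyword not in SEVERITY:
            report["unknown"].append(keyword)
            continue
        if keyword == "wait" and isinstance(value, (int, float)) and value > 0:
            report["next_wait_seconds"] = int(value)
        report["commands"].append({"keyword": keyword,
                                   "severity": SEVERITY[keyword],
                                   "summary": describe(keyword, value)})
    report["max_severity"] = max((c["severity"] for c in report["commands"]),
                                 key=ORDER.index, default="none")
    return report


if __name__ == "__main__":
    for cmd in decode_response(SAMPLE_RESPONSE)["commands"]:
        print(f"[{cmd['severity']:>8}] {cmd['summary']}")
```

The decoder only classifies; it deliberately implements none of the actions, and the "next_wait_seconds" field is useful when deciding how long a sandbox run must be kept alive to observe the next check-in.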

Permissions required by the application:
  • READ_PHONE_STATE
  • ACCESS_NETWORK_STATE
  • SEND_SMS
  • RECEIVE_SMS
  • INTERNET
  • WRITE_EXTERNAL_STORAGE
  • DISABLE_KEYGUARD
  • RECEIVE_BOOT_COMPLETED
  • INSTALL_PACKAGES
  • DELETE_PACKAGES
  • RESTART_PACKAGES
  • READ_CONTACTS
  • READ_LOGS
  • CALL_PHONE
  • CALL_PRIVILEGED
  • GET_TASKS
  • SYSTEM_ALERT_WINDOW
  • KILL_BACKGROUND_PROCESSES
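For an application that presents itself as a simple installer, this permission set is far broader than its stated purpose needs. The following triage script is an added example, not code from the original analysis: it reads a constructed AndroidManifest.xml fragment (the sample's real manifest is not reproduced on the page), extracts the declared permissions, checks them against capability combinations that correspond to the behaviours described in the analysis, and reports the overlap with the permission list above. The rule labels and the "unusual for an installer" set are choices made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment, not the sample's real manifest: it declares a
# subset of the permissions the analysis lists, plus one harmless extra.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="install.app">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Permission set from the FakeInst.GA analysis (duplicates collapsed).
FAKEINST_PERMISSIONS = frozenset({
    "READ_PHONE_STATE", "ACCESS_NETWORK_STATE", "SEND_SMS", "RECEIVE_SMS",
    "INTERNET", "WRITE_EXTERNAL_STORAGE", "DISABLE_KEYGUARD",
    "RECEIVE_BOOT_COMPLETED", "INSTALL_PACKAGES", "DELETE_PACKAGES",
    "RESTART_PACKAGES", "READ_CONTACTS", "READ_LOGS", "CALL_PHONE",
    "CALL_PRIVILEGED", "GET_TASKS", "SYSTEM_ALERT_WINDOW",
    "KILL_BACKGROUND_PROCESSES",
})

# Capability combinations mapped onto the behaviours the analysis describes.
# Labels are chosen for this example.
RISK_RULES = [
    ("SMS interception and auto-reply", {"RECEIVE_SMS", "SEND_SMS"}),
    ("device fingerprint exfiltration", {"READ_PHONE_STATE", "INTERNET"}),
    ("contact list exfiltration", {"READ_CONTACTS", "INTERNET"}),
    ("self-update from downloaded APK", {"WRITE_EXTERNAL_STORAGE", "INSTALL_PACKAGES"}),
    ("package removal", {"DELETE_PACKAGES"}),
    ("outgoing calls on command", {"CALL_PHONE"}),
    ("persistence across reboot", {"RECEIVE_BOOT_COMPLETED"}),
]

# Permissions an installer-style app has no reason to request (example choice).
UNUSUAL_FOR_INSTALLER = {"SEND_SMS", "RECEIVE_SMS", "CALL_PHONE",
                         "INSTALL_PACKAGES", "READ_CONTACTS"}


def declared_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        full = node.get(ANDROID_NS + "name", "")
        names.add(full.rsplit(".", 1)[-1])  # android.permission.X -> X
    return names


def assess(permissions):
    """Score a permission set against the FakeInst.GA profile."""
    triggered = [label for label, needed in RISK_RULES if needed <= permissions]
    overlap = len(permissions & FAKEINST_PERMISSIONS) / len(FAKEINST_PERMISSIONS)
    return {
        "triggered": triggered,
        "overlap": round(overlap, 2),
        "unusual_for_installer": sorted(permissions & UNUSUAL_FOR_INSTALLER),
    }


if __name__ == "__main__":
    result = assess(declared_permissions(SAMPLE_MANIFEST))
    print(f"overlap with FakeInst.GA permission set: {result['overlap']:.0%}")
    for label in result["triggered"]:
        print(" -", label)
```

The overlap ratio alone is a weak signal (many legitimate apps request INTERNET and READ_PHONE_STATE), so the triggered rule list is the part worth surfacing: an "installer" that can both receive and send SMS, install packages from external storage and place calls matches the profile of this family regardless of how the rest of the manifest looks.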

Aimed at Russian users.
Certificate information: Owner: CN=Developer, OU=Development, O=LLC, L=City, ST=State, C=CA

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate        Extended
FortiClient      Extreme
FortiAPS
FortiAPU
FortiMail        Extreme
FortiSandbox     Extreme
FortiWeb         Extreme
FortiADC         Extreme
FortiIsolator    Extreme
FortiDeceptor    Extreme
FortiEDR

Version Updates

Date         Version    Status     Detail
2019-04-12   67.75300   Modified