Android/FakeDefend.C!tr

Analysis

Android/FakeDefend.C!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as an application for viewing pornographic videos.
Once the user opens the application, s/he is asked to check for viruses before running it, which leads to a fake "Avast anti-virus" screen reporting infections on the phone.
In order to clean the phone, the user is asked to pay a 'fine' of $100 using a GreenDot MoneyPak code.
Each time the user enters a code, it is forwarded to the attacker's server along with the phone's IMEI and other Build information about the phone, while the user is shown an error message.
These codes can be used by the attackers to make purchases at the victim's expense.

Technical Details
The main application is called "PornHub" and comes in the package "com.avastmenow". The image below describes the procedure followed by the malware.

Fig 1: The workflow of Android/FakeDefend.C!tr.spy
The following steps are shown in the figure:
  1. Application's main screen
  2. Application shows an error asking to check for viruses first
  3. Avast License Agreement
  4. Avast 'About' screen asking to start 'Virus Scan'
  5. End of Virus Scan
  6. Results of Virus Scan (the list of viruses shown is hardcoded in the malware and will be the same irrespective of the phone 'scanned')
  7. Instructions to unlock the device specifying payment using a MoneyPak code
  8. MoneyPak screen asking to enter the code
  9. Payment 'succeeds' at the 20th try
Each time the user starts the application, a request is sent to
hxxp://XXX.XX.254.73/check.php?device=[IMEI]
with the victim's phone's IMEI.
The MoneyPak codes are sent to the attacker at
hxxp://XXX.XX.254.73/get.php?a=[X]
where
X = Base64("deviceID=" + [IMEI] + "&model=" + [Build.MANUFACTURER + " " + Build.MODEL] + "&code=" + [Code_Entered_By_User] + "&sdk=" + [Build.VERSION.RELEASE])
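The request format above is the most useful network indicator for this family. The following Python helper is an added example, not code from the Fortinet entry or from the malware: it builds a constructed sample of the check.php and get.php requests in exactly the format described (the host 198.51.100.73 is a documentation-range placeholder for the redacted XXX.XX.254.73), then runs detection logic over proxy log lines, decoding the Base64 `a` parameter back into its deviceID/model/code/sdk fields so an analyst can see what was exfiltrated.

```python
import base64
import re

FIELDS = ("deviceID", "model", "code", "sdk")          # field order given on the page
EXFIL_RE = re.compile(r"/get\.php\?a=([A-Za-z0-9+/=]+)")
CHECKIN_RE = re.compile(r"/check\.php\?device=(\d{14,16})")


def encode_exfil(imei, model, code, sdk):
    """Build the 'a' parameter as described: Base64 of a query string.
    Used here only to construct a realistic sample log line."""
    raw = f"deviceID={imei}&model={model}&code={code}&sdk={sdk}"
    return base64.b64encode(raw.encode()).decode()


def decode_exfil(url):
    """Return the decoded fields of a get.php?a=... request, or None.
    The value is pulled with a regex rather than urllib.parse.parse_qs because
    the standard Base64 alphabet contains '+', which parse_qs would turn into a space."""
    m = EXFIL_RE.search(url)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)                       # tolerate stripped padding
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:                                 # binascii.Error is a ValueError
        return None
    fields = dict(kv.split("=", 1) for kv in raw.split("&") if "=" in kv)
    return fields if all(f in fields for f in FIELDS) else None


def scan_log(lines):
    """Yield (kind, source_ip, details) for each FakeDefend C2 request in
    '<timestamp> <src> <method> <url>' proxy log lines (constructed format)."""
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        src, url = parts[1], parts[3]
        m = CHECKIN_RE.search(url)
        if m:
            yield ("checkin", src, {"deviceID": m.group(1)})
            continue
        fields = decode_exfil(url)
        if fields:
            yield ("moneypak_exfil", src, fields)


C2_HOST = "198.51.100.73"   # placeholder standing in for the redacted XXX.XX.254.73
SAMPLE_LOG = [              # constructed sample lines; the IMEI is a well-known test value
    f"2013-03-14T10:01:02Z 10.0.0.5 GET http://{C2_HOST}/check.php?device=356938035643809",
    f"2013-03-14T10:02:17Z 10.0.0.5 GET http://{C2_HOST}/get.php?a="
    + encode_exfil("356938035643809", "samsung GT-I9100", "12345678901234", "4.0.4"),
    "2013-03-14T10:03:00Z 10.0.0.6 GET http://example.org/index.html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded field names rather than on the host alone keeps the rule useful if the attacker moves the server; a hit of kind `moneypak_exfil` tells you which device's code was captured and should be reported to the payment provider.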

Permissions required by the application:
  • RECEIVE_BOOT_COMPLETED
  • CHANGE_NETWORK_STATE
  • ACCESS_WIFI_STATE
  • INTERNET
  • CHANGE_WIFI_STATE
  • UPDATE_DEVICE_STATS
  • WAKE_LOCK
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE

Certificate information:
  • Owner: CN=Timkin Ivan, OU=MySelf, O=MySelf, L=MySelf, ST=MySelf, C=7
  • Issuer: CN=Timkin Ivan, OU=MySelf, O=MySelf, L=MySelf, ST=MySelf, C=7
  • Serial number: 513f3db5
  • Valid from: Tue Mar 12 15:37:41 CET 2013 until: Wed Feb 28 15:37:41 CET 2063

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-12-05 73.58100
2019-04-24 68.03400
2019-04-23 68.01900