Mobile VirusAndroid/RuSMS.AO
Analysis
Android/RuSMS.AO!tr is a malware which targets Android mobile devices.
It sends SMS messages and may be controlled by a remote server.
The malware comes packaged as com.cisoft.supernatural. Its main activity is com.cisoft.supernatural.MainActivity.
Its malicious payload is implemented under the path com.adobe.air (and has no relationship with the real Adobe AIR framework). The malicious classes are:
com.adobe.air.Boroda com.adobe.air.E1 com.adobe.air.JSONParser com.adobe.air.UpdateCheckUp com.adobe.air.UpdateLastId com.adobe.air.Updates
When the malware is launched, it requests device administrator rights from the victim, and will act as an application downloader and installer. It asks to download a PDF file, whose name is read from an asset 'name.txt'.
Meanwhite, a background service named E1 will start a thread where it sends an HTTP POST request to a remote website:
http://[CENSORED]dvert.ru/api/app7.phpwith the following information:
- imei: phone's IMEI
- deviceid: this is the Android ID
- package: the malware's package name
- model: the device's manufacturer and model name
- operator: the network operator name
The remote server is expected to reply with a JSON object in which it may include several commands and parameters:
- clearfilter
- addfilter
- stavotpr
- dura: this sends a SMS message with a given text body and number specificed by the server (parameters n1 and t1)
- otprstran
- duraverh: will display a given URI
- newserver: this updates the remote server's URL to contact
- dromotpr
- optrpril
- driko
The malware shows the following potential capabilities:
- Listens to incoming SMS messages
- Runs in background
- Registers as a device administration application
- Listing applications installed on the phone
- ./AndroidManifest.xml
- ./assets/name.txt
- ./assets/url.txt
- ./META-INF/MANIFEST.MF
- ./META-INF/NEW.RSA
- ./META-INF/NEW.SF
- ./classes.dex
- ./resources.arsc
- ./res/drawable-mdpi/ic_launcher.png
- ./res/drawable-hdpi/ic_launcher.png
- ./res/layout/activity_main.xml
- ./res/menu/main.xml
- ./res/xml/my_admin.xml
- ./res/drawable-xxhdpi/ic_launcher.png
- ./res/drawable-xhdpi/ic_launcher.png
- Allows to send SMS messages
- Allows an application to monitor incoming SMS messages, to record or perform processing on them, or or to process WAP Push messages.
- READ_CONTACTS
- ACCESS_WIFI_STATE
- INTERNET
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |