Android/SmsSend.ND!tr
Analysis
Android/SmsSend.ND!tr is malware that targets Android mobile devices.
The malware
It poses as an application for paying your electricity bill online (see below). However, whether you accept or cancel, an SMS is sent without your consent to a phone number controlled by the attacker(s).
Technical Details
The malware comes packaged as google.service. The main activity is google.service.MainActivity.
The malware defines one activity: google.service.MainActivity.
The malware defines three receivers: .BootReceiver, google.service.deviceAdminReceiver and .AlarmReceiver.
The malware defines one service: .MessengerService.
The malware starts a service that runs in the background:
u0_a39 1364 38 213376 22592 ffffffff 400433dc S google.service
An SMS is sent to phone number 092419xxxx with the following message:
forwardphonenumber:HEXANUMBER
The malware also posts information via HTTP to a remote server.
The malware shows the following potential capabilities:
- Removes some incoming SMS messages before you can read them
- Retrieves hardware or OS information of the phone (model, product, OS...)
- Registers as a device administration application
- Processes incoming SMS messages
- Sends SMS messages
- Issues native shell commands or runs other processes. These commands are obfuscated.
The package contains the following files:
- ./lib/armeabi/libSafeCore.so
- ./lib/armeabi/libAPKProtect.so
- ./res/layout/activity_main.xml
- ./res/xml/device_admin.xml
- ./res/drawable-mdpi/ic_launcher.png
- ./res/drawable-ldpi/ic_launcher.png
- ./res/drawable-xhdpi/ic_launcher.png
- ./res/menu/main.xml
- ./res/drawable-hdpi/ic_launcher.png
- ./res/drawable-xxhdpi/ic_launcher.png
- ./AndroidManifest.xml
- ./classes.dex
- ./META-INF/MANIFEST.MF
- ./META-INF/CERT.RSA
- ./META-INF/CERT.SF
- ./resources.arsc
The malware requests the following permissions:
- Allows the application to send SMS messages
- Allows an application to monitor incoming SMS messages, to record or perform processing on them, or to process WAP Push messages.
- Allows the application to call or process outgoing calls
- READ_CONTACTS
- CHANGE_WIFI_STATE
- ACCESS_WIFI_STATE
- READ_LOGS
- INTERNET
- Allows the application to use Bluetooth
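The capability and permission lists above describe a recognisable pattern: SMS sending plus SMS interception plus a device-administration receiver. The following added example (not Fortinet's tooling, and not code from the sample) shows how a static triage script can flag that combination in an AndroidManifest.xml. The manifest is constructed by hand to approximate the components this advisory names; the android.permission.* constants are the standard Android permissions assumed to back the capability descriptions above.

```python
"""Static triage of an Android manifest for the SMS-fraud indicator pattern."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest approximating the components named in the advisory.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="google.service">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Pay Electricity Bill">
    <activity android:name="google.service.MainActivity"/>
    <receiver android:name="google.service.deviceAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver"/>
    <service android:name=".MessengerService"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of indicator labels found in a manifest string."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    indicators = set()
    if "android.permission.SEND_SMS" in perms:
        indicators.add("sends_sms")            # premium/forwarding SMS abuse
    if "android.permission.RECEIVE_SMS" in perms:
        indicators.add("intercepts_sms")       # can hide carrier replies from the user
    for rcv in root.iter("receiver"):
        # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component,
        # which makes the app harder to uninstall through the normal UI.
        if rcv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            indicators.add("device_admin")
    # The three together are the pattern this advisory describes.
    if {"sends_sms", "intercepts_sms", "device_admin"} <= indicators:
        indicators.add("SMS_FRAUD_PATTERN")
    return indicators


if __name__ == "__main__":
    print(sorted(triage_manifest(SAMPLE_MANIFEST)))
```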
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Level
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS | 
FortiAPU | 
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 
Version Updates
Date | Version | Detail
---|---|---
2019-04-12 | 67.75300 | 