Android/SmsSend.ND!tr

Analysis

Android/SmsSend.ND!tr is malware that targets Android mobile devices.
It poses as an application for paying your electricity bill online (see below). However, whether you accept or cancel, an SMS is sent without your consent to a phone number controlled by the attacker(s).


Technical Details


The malware comes packaged as google.service. The main activity is google.service.MainActivity.
The malware defines one activity: google.service.MainActivity.
The malware defines three receivers: .BootReceiver, google.service.deviceAdminReceiver and .AlarmReceiver.
The malware defines one service: .MessengerService.
The malware starts a service that runs in the background:
u0_a39    1364  38    213376 22592 ffffffff 400433dc S google.service
An SMS is sent to phone number 092419xxxx with the following message:
forwardphonenumber:HEXANUMBER
The malware also posts information via HTTP to a remote server.
The malware shows the following potential capabilities:
  • Removes some incoming SMS messages before you can read them
  • Retrieves hardware or OS information of the phone (model, product, OS...)
  • Registers as a device administration application
  • Processes incoming SMS messages
  • Sends SMS messages
  • Issues native shell commands or runs other processes. Those commands are obfuscated.
The malware is obfuscated using APKProtect. The APK contains the following files:
  • ./lib/armeabi/libSafeCore.so
  • ./lib/armeabi/libAPKProtect.so
  • ./res/layout/activity_main.xml
  • ./res/xml/device_admin.xml
  • ./res/drawable-mdpi/ic_launcher.png
  • ./res/drawable-ldpi/ic_launcher.png
  • ./res/drawable-xhdpi/ic_launcher.png
  • ./res/menu/main.xml
  • ./res/drawable-hdpi/ic_launcher.png
  • ./res/drawable-xxhdpi/ic_launcher.png
  • ./AndroidManifest.xml
  • ./classes.dex
  • ./META-INF/MANIFEST.MF
  • ./META-INF/CERT.RSA
  • ./META-INF/CERT.SF
  • ./resources.arsc
The malware asks for the following permissions:
  • Allows sending SMS messages
  • Allows an application to monitor incoming SMS messages, to record or perform processing on them, or to process WAP Push messages.
  • Allows calling or processing outgoing calls
  • READ_CONTACTS
  • CHANGE_WIFI_STATE
  • ACCESS_WIFI_STATE
  • READ_LOGS
  • INTERNET
  • Allows using Bluetooth
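As an added example (not part of Fortinet's analysis), the following triage heuristic flags the permission and component combination described above: SMS sending plus SMS interception, a device-admin receiver, boot persistence and a network channel. The manifest it runs on is constructed from the components and permissions listed on this page; the BOOT_COMPLETED intent filter and the device_admin meta-data entry are assumptions, not observed values.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest modelled on the components and permissions this page
# lists for the google.service package; it is NOT the real sample's manifest, and the
# BOOT_COMPLETED filter and device_admin meta-data are assumed from the component names.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="google.service">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="google.service.MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="google.service.deviceAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".AlarmReceiver"/>
    <service android:name=".MessengerService"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of SMS-fraud indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    receivers = list(root.iter("receiver"))
    actions = {a.get(A + "name") for r in receivers for a in r.iter("action")}
    findings = set()
    # Each indicator alone is legitimate (an SMS app needs SEND_SMS); it is the
    # combination this page describes that warrants a closer look.
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.add("sends_and_intercepts_sms")  # can send and suppress replies
    if any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in receivers):
        findings.add("device_admin_receiver")  # resists uninstall once enabled
    if "android.intent.action.BOOT_COMPLETED" in actions:
        findings.add("boot_persistence")
    if "android.permission.INTERNET" in perms and "sends_and_intercepts_sms" in findings:
        findings.add("sms_plus_network")  # can report SMS activity to a server
    return findings
```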

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient: Extreme
FortiAPS
FortiAPU
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date        Version    Detail
2019-04-12  67.75300