Android/Shedun.I!tr
Analysis
Android/Shedun.I!tr is a piece of malware targeting Android mobile phones.
It mainly serves as a malware dropper: it decrypts, drops, and launches a malicious package contained in its assets folder.
The main application can come in packages named "nalic.app.wifishare", "com.a9Wem.58vZ0", "com.CMbZs.RIoZs" or "com.jrhw.pinkygirls".
However, the malicious functionality was always contained in a package named "org.gro.jp" in the samples analyzed.
- The code makes heavy use of reflection to slow manual analysis and to evade automated detection tools. It also uses encryption (a combination of XOR and DES) to hide certain crucial strings used by the package.
- Essentially, the dropper XOR-decrypts the file 'protect.apk' (detected as Android/Ztorg.A!tr) from the package assets and saves it at the path /data/data/[PackageDirectory]/lib/
- The decrypted package is then loaded using Android's DexClassLoader API.
- The application also contains another decrypted malicious package in its assets called 'import.apk', which is subsequently loaded by the 'protect.apk' package.
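The dropper behaviour described above (a second-stage package stored under assets/, stored XOR-encoded so it carries no ZIP header, then loaded through DexClassLoader) can be triaged statically without running the sample. The following Python script is an added example written for this page; it is not Fortinet's analysis code and it does not process a real Shedun sample. It builds a constructed, synthetic APK in memory that mimics the layout (an assets/protect.apk whose bytes are XOR-encoded), flags assets that claim to be APK/JAR/DEX files but lack a ZIP or dex header, tries to recover a single-byte XOR key from the expected ZIP header (an assumption: the page says XOR but does not give the key length, so a multi-byte key yields no key rather than a wrong one), and lists which loader, reflection and crypto descriptors appear in classes.dex. The indicator descriptor strings are the standard Dalvik type descriptors for those classes.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header every APK/JAR starts with
DEX_MAGIC = b"dex\n"               # start of a raw classes.dex

# Dalvik type descriptors a reflection-heavy dropper typically references.
# Their presence is an indicator for analysts, not a verdict on its own.
DEX_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ljava/lang/reflect/Method;",
    b"Ljavax/crypto/Cipher;",
)


def recover_single_byte_xor_key(data):
    """Return key byte k such that data[:4] XOR k == 'PK\\x03\\x04', else None.

    Heuristic only: it assumes a single repeating key byte. If the four
    header positions disagree on the key, the encoding is something else.
    """
    if len(data) < 4:
        return None
    candidates = {data[i] ^ ZIP_MAGIC[i] for i in range(4)}
    return candidates.pop() if len(candidates) == 1 else None


def triage_apk(apk_bytes):
    """Static triage of one APK given as bytes.

    Flags assets named like code packages (.apk/.jar/.dex) that do not start
    with a ZIP or dex header, attempts XOR key recovery on each, and reports
    which indicator descriptors occur in classes.dex.
    """
    findings = {"suspicious_assets": [], "dex_indicators": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if not (name.startswith("assets/")
                    and name.lower().endswith((".apk", ".jar", ".dex"))):
                continue
            data = zf.read(name)
            if data.startswith(ZIP_MAGIC) or data.startswith(DEX_MAGIC):
                continue  # plain package, nothing hidden at this level
            findings["suspicious_assets"].append({
                "name": name,
                "size": len(data),
                "xor_key": recover_single_byte_xor_key(data),
            })
        if "classes.dex" in names:
            dex = zf.read("classes.dex")
            findings["dex_indicators"] = [i.decode() for i in DEX_INDICATORS if i in dex]
    return findings


def build_sample_apk(key=0x5A):
    """Construct a synthetic APK (not a real sample) for demonstration.

    The inner package under assets/protect.apk is XOR-encoded with one key
    byte, and the outer classes.dex carries two of the indicator descriptors.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
    encoded = bytes(b ^ key for b in inner.getvalue())

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, constructed
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00"
                   + b"Ldalvik/system/DexClassLoader;Ljava/lang/reflect/Method;")
        z.writestr("assets/protect.apk", encoded)
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")  # benign asset
    return outer.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for asset in report["suspicious_assets"]:
        print("suspicious asset:", asset)
    print("dex indicators:", report["dex_indicators"])
```

On the constructed sample the script reports assets/protect.apk with a recovered key of 0x5A and lists the DexClassLoader and reflection descriptors; on a real APK a recovered key means the asset is a single-byte-XORed ZIP that can be decoded for further inspection, while a flagged asset with no key points at a longer key or the DES layer the analysis mentions.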
Permissions required by the application:
- WRITE_EXTERNAL_STORAGE
- READ_EXTERNAL_STORAGE
- INTERNET
- ACCESS_NETWORK_STATE
- ACCESS_WIFI_STATE
- WAKE_LOCK
- CHANGE_WIFI_STATE
- READ_PHONE_STATE
- ACCESS_COARSE_LOCATION
- CAMERA
- ACCESS_MTK_MMHW
- ACCESS_FINE_LOCATION
- RECEIVE_BOOT_COMPLETED
- SYSTEM_ALERT_WINDOW
- SYSTEM_OVERLAY_WINDOW
- GET_PACKAGE_SIZE
- UNINSTALL_SHORTCUT
- ACCESS_DOWNLOAD_MANAGER
- MOUNT_UNMOUNT_FILESYSTEMS
- READ_OWNER_DATA
- GET_TASKS
- GET_ACCOUNTS
- RECEIVE_BOOT_COMPLETED
Certificate information (one of the following, depending on the sample):
- Owner: CN=ngsteam, OU=ngsteam, O=xinyinhe, C=CN
- Issuer: CN=ngsteam, OU=ngsteam, O=xinyinhe, C=CN
- Serial number: 2c68a45b
- Valid from: Tue Oct 08 14:44:05 CEST 2013 until: Thu Sep 14 14:44:05 CEST 2113
OR
- Owner: CN=yu, OU=yklj, O=yklj, L=yunnan, ST=yunnan, C=CN
- Issuer: CN=yu, OU=yklj, O=yklj, L=yunnan, ST=yunnan, C=CN
- Serial number: 2e6bf7f6
- Valid from: Fri Feb 27 21:21:22 CET 2015 until: Wed Apr 17 22:21:22 CEST 2097
OR
- Owner: EMAILADDRESS=20150914051720@android.com, CN=Android, OU=Android, O=Android, L=MountainView, ST=California, C=US
- Issuer: EMAILADDRESS=20150914051720@android.com, CN=Android, OU=Android, O=Android, L=MountainView, ST=California, C=US
- Serial number: 915eda5f99f58998
- Valid from: Mon Sep 14 09:17:21 CEST 2015 until: Fri Jan 30 08:17:21 CET 2043
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 