Android/Raddex.A!tr
Analysis
The malicious application typically poses as a messaging application update, for example a Telegram update app.
The package name for the sample we analyze hereafter is com.uucryptdsecelljune.update.sys.
The main activity is com.uucryptdsecelljune.update.sys.MainActivity.
Once launched, the malware:
Communication with the remote CnC is handled by a service named NetService. It takes place over a socket, and the data is exchanged in XML format. Packets are made of:
First, the malware sends a packet with command id 17 containing the smartphone's system information:
<HmzaPacket>
<Command>17</Command>
<MSG></MSG>
<Success>true</Success>
<XMLData><SysInfo>
<APK>Telgram_2018_PIF_DateFix</APK>
<Android>8.0.0</Android>
<Chanel>0</Chanel>
<DBName></DBName>
<DateOn>Installed @ : X Aug 2018 XX GMT</DateOn>
<DeviceName>Unknown Android SDK built for x86_64</DeviceName>
<IMEI>358240051111110</IMEI>
<Loc>us</Loc>
<Oper>310260</Oper>
<Rate>0</Rate>
<Root>No Root </Root>
<Sim>Android</Sim>
<SimSer>LAC: 3| CID: 91| MCC : 310| MNC : 260</SimSer>
<WIFI>"AndroidWifi"</WIFI>
</SysInfo></XMLData>
</HmzaPacket>
The malware then listens for incoming commands. It also periodically sends a heartbeat packet (command id 30) containing its own package name:
<HmzaPacket>
<Command>30</Command>
<MSG>com.uucryptdsecelljune.update.sys</MSG>
<Success>true</Success>
<XMLData></XMLData>
</HmzaPacket>
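To show how a defender can decode this C&C format, here is a small parser for the HmzaPacket structure described above (an added example, not code from the original analysis or from the malware). The packet samples are constructed from the page's own data; the names "sysinfo_report" and "heartbeat" for ids 17 and 30, and the assumption that packets arrive as plain XML text on the socket, are mine.

```python
import xml.etree.ElementTree as ET

# Command ids documented in the analysis; the names are assumed labels, not the malware's own.
COMMAND_NAMES = {17: "sysinfo_report", 30: "heartbeat"}

# Constructed samples, trimmed from the packets shown in the analysis above.
SYSINFO_PACKET = """<HmzaPacket>
<Command>17</Command>
<MSG></MSG>
<Success>true</Success>
<XMLData><SysInfo>
<APK>Telgram_2018_PIF_DateFix</APK>
<Android>8.0.0</Android>
<IMEI>358240051111110</IMEI>
<Oper>310260</Oper>
<WIFI>"AndroidWifi"</WIFI>
</SysInfo></XMLData>
</HmzaPacket>"""

HEARTBEAT_PACKET = """<HmzaPacket>
<Command>30</Command>
<MSG>com.uucryptdsecelljune.update.sys</MSG>
<Success>true</Success>
<XMLData></XMLData>
</HmzaPacket>"""


def parse_packet(raw: str) -> dict:
    """Decode one HmzaPacket into command id, MSG, Success flag and the nested XMLData payload."""
    root = ET.fromstring(raw)
    if root.tag != "HmzaPacket":
        raise ValueError("not a HmzaPacket: root element is %r" % root.tag)
    text = lambda tag: (root.findtext(tag) or "").strip()  # empty elements yield ""
    cmd = int(text("Command"))
    pkt = {"command": cmd, "name": COMMAND_NAMES.get(cmd, "unknown"),
           "msg": text("MSG"), "success": text("Success").lower() == "true", "data": {}}
    xmldata = root.find("XMLData")
    if xmldata is not None:
        # XMLData wraps zero or more sub-documents (e.g. <SysInfo>), each a flat list of fields.
        for child in xmldata:
            pkt["data"][child.tag] = {e.tag: (e.text or "").strip() for e in child}
    return pkt


def beacon_indicators(pkt: dict) -> dict:
    """Fields worth logging: APK build tag and IMEI from a sysinfo report, package name from a heartbeat."""
    sysinfo = pkt["data"].get("SysInfo", {})
    return {"package": pkt["msg"] if pkt["command"] == 30 else "",
            "apk_tag": sysinfo.get("APK", ""), "imei": sysinfo.get("IMEI", "")}
```

Feeding captured socket payloads through parse_packet lets a detection pipeline key on the HmzaPacket root element and the known command ids rather than on a single hard-coded string.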
Some of the supported commands are:
The malware defines 3 receivers:
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |