Android/Pjapps.A!tr

Analysis

This malware targets Android phones and has them perform various unsollicited actions remotely, such as sending SMS, adding new bookmarks, visiting URLs, installing new applications etc.
The malware is known to trojan legitimate applications such as Steamy Window. When launched, the steamy window operates correctly (see Figure 1), but hidden malicious tasks also run in background.

Figure 1. Steamy Window launched, with application menu

Technical Details

Once installed, the malware :

• gets tasks to perform from a remote C&C server

  xml.andr[REMOVED].com:8118/push/androidxml/1/other.xml
  

  It provides several parameters such as the victim's phone IMEI, IMSI, phone number. The answer specifies tasks to perform using XML syntax.
• performs tasks such as inserting a new bookmark, sending SMS, installing new software etc.
• each action is logged on a remote web site:

  log.andr[REMOVED].com:9033/window.log
  

  Information to log is provided as parameters to the URL:
  • id (e.g wl-gws-game5002): possibly corresponds to an affiliate network identifier
  • softid: return code of the task which was performed
  • cn: set to 1
  • nt: next time
  • sim: phone's IMEI
  • tel: victim's phone number
  • imsi: victim's IMSI
  • iccid: Integrated circuit card identifier (SIM's serial number)
  • sms: SMS Service Center
  • task: for example, URL added to bookmarks
  Additionally, logs are written on the victim's memory card at /sdcard/androidh.log.

The malware is able to process several different commands:

• execMark: inserts a new URL in the phone's bookmark. This command corresponds to XML tags below:

  <title>Title of the bookmark</title>
  <url>URL of the bookmark</url>
  

• execPush: send SMS messages (spam !):

  <url>Link to provide in the SMS</url>
  <smscontent>Body of the SMS</smscontent>
  <tel>Phone numbers seperated by #</tel>
  

• execSoft: install a new application. The application is downloaded from a given <url> tag. This command also involves other tags such as "isreset" and "pack".
• execTanc: the use of this command is yet unknown. A URL and an isreset flag is provided.
• execXbox: this command is sent with tags url, isreset, type, shieldnum, exactnum, linkenum. The mobile device visits the aforementioned URL.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.