Android/FynCopy.A!tr

Analysis

Android/FynCopy.A!tr is a piece of malware targeting Android mobile phones.
The malicious application monitors folders specified at configuration time; any image files already present at, or later created in, these paths are regularly forwarded to a remote server.

Technical Details

The main application is called 'photoCopy' and comes in the package 'com.am.fi'. Upon installation, the application can only be seen in the list of installed applications in the Settings menu (refer Fig1). No sign of it can be seen in the applications menu.

Fig1 : Application seen in the settings menu
The application is started automatically when the phone is rebooted. Upon reboot, the service mService is started.
mService : This service is responsible for monitoring directory contents. If the application has not yet been configured, configurationActivity is launched.
Next, an alarm is set to start the services pService and uService every 12 hours.
configurationActivity : When launched, the activity displays terms and conditions for the application that the user must agree to in order to proceed (refer Fig2).

Fig2 : Application Terms and Conditions
If the user agrees, s/he is given the option to choose a folder on the phone to monitor, as seen in Fig3, and to specify an email address to which the gathered information is sent.

Fig3 : Configuration of email address and folders to monitor on the victim's phone.
pService : This service is responsible for copying any image file in the monitored directory (.jpg, .bmp, .png or .gif) to a file at the HiddenFilePath:
[External_SDCard_Path]/.AndroidFI/
The file name is a randomly chosen sequence of 15 characters with the extension .tmp.
uService : This service iterates through the HiddenFilePath and sends each file at the path in a POST request to the URL
hxxp://fyn[REMOVED]/upload.php
with the parameters email, model, phoneNr and image, where:
email = email address specified in the configuration; model = BUILD.MODEL; phoneNr = phone number/MSISDN of the infected phone; image = image file copied from the monitored directory.
Next, the files already sent to the server are deleted from the HiddenFilePath.
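The two behaviours described above (the pService staging directory and the uService upload request) leave artefacts a responder can check for offline. The following is an added example written for this write-up; it is not Fortinet's detection logic and not code from the sample. It walks an SD-card extraction looking for a ".AndroidFI" directory that holds 15-character ".tmp" files whose content is really an image, and it classifies a recorded HTTP request as the exfiltration POST when it targets upload.php with exactly the fields email, model, phoneNr and image. The directory layout and request values are constructed in the block itself, and the helper names (scan_sdcard, is_fyncopy_upload, build_sample_sdcard) are this example's own.

```python
"""
Added triage helper for Android/FynCopy.A!tr indicators (example code, not the
vendor's or the malware's own). Checks two artefacts from the write-up:

  1. staged copies under [External_SDCard_Path]/.AndroidFI/ named as 15 random
     characters plus ".tmp" that are really image files;
  2. an HTTP POST to upload.php carrying exactly the form fields
     email, model, phoneNr and image.
"""
import os
import re
import tempfile

HIDDEN_DIR = ".AndroidFI"
# 15 random characters, extension "tmp" (pattern taken from the write-up).
STAGED_NAME_RE = re.compile(r"^[A-Za-z0-9]{15}\.tmp$")
UPLOAD_FIELDS = {"email", "model", "phoneNr", "image"}

# Magic bytes for the formats pService copies (.jpg, .bmp, .png, .gif).
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
)


def image_type(path):
    """Return the image format of a file judged by its magic bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in IMAGE_MAGIC:
        if head.startswith(magic):
            return kind
    return None


def scan_sdcard(root):
    """Walk an SD-card extraction and report staged image copies.

    Returns a sorted list of (relative_path, image_format) for files that sit
    directly inside a ".AndroidFI" directory, match the 15-char ".tmp" naming
    pattern and contain image data. Renamed non-image files are ignored, so a
    stray ".tmp" elsewhere does not produce a hit.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != HIDDEN_DIR:
            continue
        for name in filenames:
            if not STAGED_NAME_RE.match(name):
                continue
            full = os.path.join(dirpath, name)
            kind = image_type(full)
            if kind is not None:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)


def is_fyncopy_upload(method, url_path, form_fields):
    """True when a recorded request matches uService's exfiltration POST.

    Requires the method, the upload.php endpoint and the exact field set, so an
    ordinary image-upload form with different field names is not flagged.
    """
    return (
        method.upper() == "POST"
        and url_path.rstrip("/").endswith("/upload.php")
        and set(form_fields) == UPLOAD_FIELDS
    )


def build_sample_sdcard():
    """Constructed SD-card layout for the demo: one staged JPEG and one staged
    PNG in the hidden directory, a decoy ".tmp" that is not an image, and an
    ordinary camera photo outside the hidden directory."""
    root = tempfile.mkdtemp(prefix="fyncopy_demo_")
    hidden = os.path.join(root, HIDDEN_DIR)
    os.makedirs(os.path.join(root, "DCIM", "Camera"))
    os.makedirs(hidden)
    with open(os.path.join(hidden, "aB3dE6fG9hJ2kL5.tmp"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # JPEG header
    with open(os.path.join(hidden, "Zy9Xw8Vu7Ts6Rq5.tmp"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # PNG header
    with open(os.path.join(hidden, "notAnImage12345.tmp"), "wb") as fh:
        fh.write(b"plain text, not a copied image")
    with open(os.path.join(root, "DCIM", "Camera", "IMG_0001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    root = build_sample_sdcard()
    for rel, kind in scan_sdcard(root):
        print(f"staged copy: {rel} ({kind})")
    print(is_fyncopy_upload("POST", "/upload.php",
                            ["email", "model", "phoneNr", "image"]))
```

Point scan_sdcard at the mount point or extraction folder of the external storage; only files inside a ".AndroidFI" directory are inspected, and the magic-byte check keeps the renamed-but-not-image decoy out of the results. The request check is deliberately strict on the field set because the field names are the most specific part of the uService request once the hostname is removed.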
Permissions required by the application:
  • RECEIVE_BOOT_COMPLETED
  • WRITE_EXTERNAL_STORAGE
  • ACCESS_WIFI_STATE
  • INTERNET
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Level
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR