Android/BdMir.A!tr

Analysis

Android/BadMirror.A!tr is a malware which targets Android mobile devices.
It creates a pop up notification bubble with additional APKs for users to download and sends private information of the user's phone to a remote server. ( device board, brand, cpu, imei, imsi, mac, model, etc )
It may also execute commands from the server like downloading an app or viewing a URL.

Technical Details

The malware comes packaged as mobi.upgk1.kcjx.
A pop up notification bubble will appear once the malware parses the JSON object from the server for the APKs that can be downloaded.
Figure 1.
Figure 2.
In the background, the malware first checks if there is an update to the app. Then it pushes the phone's information to the server. The information includes: {"channel":"CH00067","device":{"board":"MAKO","brand":"google","cpu":"armeabi-v7a,armeabi","device":"mako","dpi":320,"hardware":"mako","height":1184,"host":"kpfj2.cbf.corp.google.com","locale":"en_US","manufacturer":"LGE","model":"Nexus+4","product":"occam","product_id":"KTU84P","width":768},"xid":"xxxx","userinfo":{"android_id":"xxxx","simserialnumber":"","imei":"xxxx","imsi":"","serialno":"xxxx","line1Number":"","mac":"xxxx","model":"Nexus+4","network":"WIFI","networkCountryIso":"","networkOperator":"","sdk":"19","operator":"","osversionrelease":"4.4.4","radio":"unknown","pkg":"mobi.upgk1.kcjx","productId":"KTU84P","phoneType":1,"networkType":0,"inSys":0,"hasSelfsu":0},"version":"671100","reqType":7} The C&C URLs are hardcoded in the class files. They are DES-CBC encrypted with a hardcoded key with IV "12345678", then base64 encoded, PKzipped, and finally base64 encoded again.
The malware has the potential to execute commands based on the JSON object response from the server like downloading an APK or viewing a URL.

• when a "apk" command is received: "Buffer setted"
• when a SETP command is received: "Number setted". The SMS also contains the phone's IMEI and model.

The downloaded APKs exhibit similar behavior in sending private phone information to a different remote server. The malicious content executes in the background behind game apps.
The malware installs the following files on the device:

• ./resources.arsc
• ./assets/ck
• ./assets/data.jpg
• ./assets/pd
• ./assets/pkg
• ./AndroidManifest.xml
• ./res/color/*
• ./res/drawable/*
• ./res/drawable-hdpi/*
• ./res/drawable-ldpi/*
• ./res/drawable-v11/*
• ./res/drawable-xhdpi/*
• ./res/layout/*
• ./res/layout-large/*
• ./res/layout-v14/*
• ./res/layout-xlarge/*
• ./res/menu/*
• ./classes.dex
• ./META-INF/ALI10314.RSA
• ./META-INF/ALI10314.SF
• ./META-INF/MANIFEST.MF

The malware asks for the following permissions:

• READ_PHONE_STATE
• SYSTEM_ALERT_WINDOW
• CAMERA
• GET_TASKS
• WRITE_EXTERNAL_STORAGE
• INTERNET
• ACCESS_WIFI_STATE
• ACCESS_NETWORK_STATE

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.