Android/Raddex.A!tr

Analysis

It communicates with a remote CnC (Command and Control) server, from which it receives commands to steal images (including those stored by various messaging apps), contacts and SMS messages from the smartphone.
The malicious application typically poses as a messaging application update, for example a Telegram update app. The package name of the sample analyzed hereafter is com.uucryptdsecelljune.update.sys, and its main activity is com.uucryptdsecelljune.update.sys.MainActivity. Once launched, the malware:

  • Tries to execute the command su and grabs its output, presumably to test whether the device is rooted.
  • Opens a socket to the remote CnC on port 1740 (by default).
  • Copies a malicious PE32 executable into various .PIF files on the SD card (e.g. /DCIM/DCIM.PIF). This is meant to infect a Windows host to which the phone is connected via USB, or into which the SD card is inserted.
  • Asks for device administrator rights.
  • If the victim presses a button, the application disappears (seemingly uninstalled) while it actually continues to execute in the background.
The communication with the remote CnC is handled by a service named NetService. It takes place over a socket, and the information is sent in XML format. Each packet is made of:
  • A command identifier
  • XML data
  • Success (or failure) indication
  • A message
At first, the malware sends a packet with command id 17 containing the smartphone's system information:
<HmzaPacket>
  <Command>17</Command>
  <MSG></MSG>
  <Success>true</Success>
  <XMLData>
    <SysInfo>
      <APK>Telgram_2018_PIF_DateFix</APK>
      <Android>8.0.0</Android>
      <Chanel>0</Chanel>
      <DBName></DBName>
      <DateOn>Installed @ : X Aug 2018 XX GMT</DateOn>
      <DeviceName>Unknown Android SDK built for x86_64</DeviceName>
      <IMEI>358240051111110</IMEI>
      <Loc>us</Loc>
      <Oper>310260</Oper>
      <Rate>0</Rate>
      <Root>No Root </Root>
      <Sim>Android</Sim>
      <SimSer>LAC: 3| CID: 91| MCC : 310| MNC : 260</SimSer>
      <WIFI>&quot;AndroidWifi&quot;</WIFI>
    </SysInfo>
  </XMLData>
</HmzaPacket>
Then the malware listens for incoming commands. It also regularly sends a heartbeat packet (id 30) carrying the malware's package name:
<HmzaPacket>
  <Command>30</Command>
  <MSG>com.uucryptdsecelljune.update.sys</MSG>
  <Success>true</Success>
  <XMLData></XMLData>
</HmzaPacket>
Some of the supported commands are:
  • 18. Send to the CnC the contents of SD card directories holding pictures for various messaging applications such as WhatsApp, GBWhatsApp, Telegram, Viber and ShareIt.
  • 19. Server requests a given file to be uploaded. If the file is big, it is split into several chunks.
  • 20. Download a given file to the smartphone.
  • 21. Delete a file.
  • 22. Copy a file.
  • 23. Move a file.
  • 24. Rename a file.
  • 28. Create a directory.
  • 29. Go to a given directory. When done, send a packet with this ID and status done.
  • 31. Upload all contacts to the CnC.
  • 32. Upload all SMS in the inbox to the CnC.
  • 33. Upload call logs (phone number, name, duration, type, date...) to the CnC.
  • 34. Start audio recording. The recording is only active when the screen is off.
  • 35. Stop audio recording and send it to the CnC.
  • 36. Take a picture.
  • 39. Save a new IP address and port for the CnC.
  • 40. Report the current IP address and port of the CnC.
  • 41. Send the list of installed applications to the CnC.
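An added example (not code from the page or from Fortinet) of how an analyst can parse captured HmzaPacket messages and label them with the command ids documented above, so that packets carrying victim data stand out in sandbox or network captures. The two sample packets are constructed inline from the ones shown above; the command names and the EXFIL_COMMANDS set are the author's own labels.

```python
import xml.etree.ElementTree as ET

# Command ids and meanings as documented in the analysis above.
COMMANDS = {
    17: "sysinfo", 18: "list_messaging_pictures", 19: "upload_file",
    20: "download_file", 21: "delete_file", 22: "copy_file", 23: "move_file",
    24: "rename_file", 28: "mkdir", 29: "chdir", 30: "heartbeat",
    31: "upload_contacts", 32: "upload_sms", 33: "upload_call_logs",
    34: "start_audio_recording", 35: "stop_audio_recording", 36: "take_picture",
    39: "set_cnc_address", 40: "report_cnc_address", 41: "list_installed_apps",
}
# Commands whose packets carry victim data towards the CnC (worth alerting on).
EXFIL_COMMANDS = {17, 18, 19, 31, 32, 33, 35, 36, 41}

# Constructed samples modelled on the two packets shown above (not real captures).
SAMPLE_SYSINFO = """<HmzaPacket><Command>17</Command><MSG></MSG>
<Success>true</Success><XMLData><SysInfo><APK>Telgram_2018_PIF_DateFix</APK>
<Android>8.0.0</Android><IMEI>358240051111110</IMEI><Root>No Root </Root>
<WIFI>&quot;AndroidWifi&quot;</WIFI></SysInfo></XMLData></HmzaPacket>"""
SAMPLE_HEARTBEAT = """<HmzaPacket><Command>30</Command>
<MSG>com.uucryptdsecelljune.update.sys</MSG><Success>true</Success>
<XMLData></XMLData></HmzaPacket>"""


def parse_hmza_packet(xml_text):
    """Parse one HmzaPacket into a dict; raise ValueError if it is not one."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "HmzaPacket":
        raise ValueError(f"unexpected root element {root.tag!r}")
    cmd = int((root.findtext("Command") or "").strip() or -1)
    xmldata = root.find("XMLData")
    # XMLData wraps a container such as <SysInfo>; collect its leaf elements.
    payload = {leaf.tag: (leaf.text or "").strip()
               for container in (xmldata if xmldata is not None else [])
               for leaf in container}
    return {
        "command": cmd,
        "name": COMMANDS.get(cmd, "unknown"),
        "msg": (root.findtext("MSG") or "").strip(),
        "success": (root.findtext("Success") or "").strip().lower() == "true",
        "exfil": cmd in EXFIL_COMMANDS,
        "payload": payload,
    }


def triage(packets):
    """Return the sorted names of exfiltration commands seen in raw packets."""
    return sorted({p["name"] for p in map(parse_hmza_packet, packets) if p["exfil"]})
```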
The malware defines three receivers:
  • hmzaSurvival: ensures the malicious process continues to operate when the screen is off.
  • SystemUpteen: handles device administrator rights.
  • Alarm: ensures that the CPU keeps running (and thus the malware).

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  Product                    Availability
  FortiClient                Extreme
  FortiMail                  Extreme
  FortiSandbox               Extreme
  FortiWeb                   Extreme
  Web Application Firewall   Extreme
  FortiIsolator              Extreme
  FortiDeceptor              Extreme
  FortiEDR

Version Updates

  Date         Version    Detail
  2020-12-15   82.57000   Sig Updated
  2020-12-15   82.56900   Sig Added
  2020-11-08   81.68000   Sig Updated
  2020-11-08   81.67900   Sig Added
  2020-09-09   80.25600   Sig Updated
  2020-09-09   80.25500   Sig Added
  2020-06-16   78.20600   Sig Updated
  2020-06-16   78.20500   Sig Added
  2020-04-17   76.77800   Sig Updated
  2020-04-17   76.77600   Sig Added