Android/FakePlayer.A!tr
Analysis
This trojan affects mobile phones running on the Android platform.
The trojan poses as a movie player aimed at Russian users. In reality, the malware sends three SMS messages to two Russian premium-rate numbers.
Technical Details
The trojan installs on the mobile phone under the name of "Movie Player".
The mobile phone warns the end user the trojan has the capability of sending SMS (but an unsuspecting end-user might still want to install the application):
Figure 1. Installation warning
After installation, the trojan's "Movie Player" icon appears in the application panel:
Figure 2. The trojan is installed
Launching the malware for the first time displays a message in Russian:
Figure 3. Russian message translated by Google
The malicious sample is distributed as an Android application package (.apk extension).
This package contains the core application code (classes.dex), the resources (icon, strings, layout), the Android manifest, and the signature files under META-INF (MANIFEST.MF, CERT.SF and CERT.RSA), which carry the hashes of the other entries. The package listing is as follows:
res/drawable/icon.png
res/layout/main.xml
res/values/strings.xml
res/values/public.xml
META-INF/MANIFEST.MF
META-INF/CERT.RSA
META-INF/CERT.SF
classes.dex
resources.arsc
AndroidManifest.xml
The core "classes.dex" is a Dalvik Executable. The .dex is run by the Dalvik virtual machine, which uses its own bytecode. The bytecode can be disassembled (the listings below use smali syntax):
.class public Lorg/me/androidapplication1/MoviePlayer;
.super Landroid/app/Activity;
.source "MoviePlayer.java"

# direct methods
.method public constructor <init>()V
    .locals 0
    .prologue
    .line 22
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V
    return-void
.end method
Additionally, the XML manifest shows the entry point of the malware: the MoviePlayer class, registered as the MAIN action in the LAUNCHER category. See below:
<activity android:label="Movie Player" android:name=".MoviePlayer">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
The class shows that the malicious behaviour runs only once: the trojan checks a database entry via a routine called "canwe" and then sets a flag. If the flag is already set, the trojan does not send any SMS.
.line 29
.local v6, dh:Lorg/me/androidapplication1/DataHelper;
invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;->canwe()Z
move-result v2
if-eqz v2, :cond_0
The malware sends SMS messages to two Russian premium-rate numbers, 3353 and 3354; 3353 is used twice. In each call to sendTextMessage the destination number is in v1, the message body (the string "798657") is in v3, and the service-centre address and both PendingIntent arguments (v2, v4, v5) are null:
.line 54
.local v0, m:Landroid/telephony/SmsManager;
const-string v1, "3353"
.line 55
.local v1, destination:Ljava/lang/String;
const-string v3, "798657"
.line 57
.local v3, text:Ljava/lang/String;
const/4 v2, 0x0
const/4 v4, 0x0
const/4 v5, 0x0
:try_start_0
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
...
.line 63
:goto_0
const-string v1, "3354"
...
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
...
const-string v1, "3353"
...
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
:try_end_2
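The traits above (a declared SEND_SMS permission, a reference to SmsManager.sendTextMessage, and short numeric literals next to it) are exactly what a static triage pass would look for in an unknown APK. The following Python script is an added example and is not part of the original analysis or of any Fortinet tool. It opens an APK as a zip, walks the real dex string_ids table (string_ids_size at header offset 0x38, string_ids_off at 0x3C, each entry pointing at a ULEB128 length followed by NUL-terminated MUTF-8 data) and reports the three indicators. The sample APK it builds is constructed in the script to mirror the literals seen in the disassembly; it is not the real sample, and its dex contains only the header fields and string table that the parser reads. The SEND_SMS check on the binary manifest is a byte-search heuristic (UTF-16LE or UTF-8 string pool), not a full AXML parser.

```python
import io
import re
import struct
import zipfile

DEX_HEADER_SIZE = 0x70                      # fixed size of the dex header
SHORT_CODE = re.compile(r"^\d{3,6}$")       # candidate premium short codes
SEND_SMS = "android.permission.SEND_SMS"


def read_uleb128(data, off):
    """Decode one ULEB128 integer at data[off]; return (value, next offset)."""
    value = shift = 0
    while True:
        b = data[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(dex):
    """Return every string literal in a dex file by walking its string_ids table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)      # MUTF-8 never contains a raw NUL
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out


def triage_apk(apk_bytes):
    """Flag an APK that declares SEND_SMS, references SmsManager.sendTextMessage
    and embeds short numeric literals (candidate premium short codes)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml")
        strings = []
        for name in z.namelist():
            if name.endswith(".dex"):
                strings.extend(dex_strings(z.read(name)))
    # Heuristic: the binary manifest keeps its string pool as UTF-16LE or UTF-8.
    declares = (SEND_SMS.encode("utf-16-le") in manifest) or (SEND_SMS.encode() in manifest)
    uses_sms = "Landroid/telephony/SmsManager;" in strings and "sendTextMessage" in strings
    short_codes = sorted({s for s in strings if SHORT_CODE.match(s)})
    return {
        "declares_send_sms": declares,
        "sends_sms": uses_sms,
        "short_codes": short_codes,
        "suspicious": declares and uses_sms and bool(short_codes),
    }


# --- constructed sample input (not the real FakePlayer.A sample) ---------------

def uleb128(n):
    """Encode an integer as ULEB128."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_dex(strings):
    """Minimal dex: header + string_ids + string_data. Only the fields that
    dex_strings() reads are filled in; this is not a loadable dex."""
    table_off = DEX_HEADER_SIZE
    data_off = table_off + 4 * len(strings)
    table, data = b"", b""
    for s in strings:
        table += struct.pack("<I", data_off + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + table + data


def build_sample_apk():
    """APK-shaped zip whose dex literals mirror the ones in the disassembly."""
    literals = [
        "Lorg/me/androidapplication1/MoviePlayer;",
        "Landroid/telephony/SmsManager;", "sendTextMessage", "canwe",
        "3353", "3354", "798657", "Hello Android from NetBeans",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SEND_SMS.encode("utf-16-le"))
        z.writestr("classes.dex", build_dex(literals))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

On the constructed sample the report marks the package suspicious and lists 3353, 3354 and 798657 as short numeric literals; the last one is in fact the message body, which is why such a hit is a triage lead rather than a verdict and should be confirmed against the disassembled sendTextMessage call, as in the listing above.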
Also, the malware author probably built the malware out of the "HelloWorld" template shipped with the Android SDK. The hint comes from the "main.xml" file of the layout resources:
<?xml version="1.0" encoding="UTF-8"?>
<LinearLayout android:orientation="vertical"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent"
    xmlns:android="http://schemas.android.com/apk/res/android">
    <TextView android:layout_width="fill_parent"
        android:layout_height="wrap_content"
        android:text="Hello Android from NetBeans" />
</LinearLayout>
The corresponding class is never called; it was probably used to test the SMS-sending methods. We also found a different Russian message, which translates as "Click OK to access the video library".
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.