Mobile VirusAndroid/Pirates.A!tr
Analysis
Android/Pirates.A!tr trojans an Android game named "Coin Pirates". In reality, the Trojan processes a few commands from a remote server such as:
- register to a random service provider among a list, and possibly be charged for those services. The victim is registered without his/her consent.
- visit a given WAP page. The malware authors possibly indirectly get some revenue from the amount of visitors on those pages. The victim's browser automatically opens to such a page - without the victim asking for anything.
- add a bookmark. The malware silently and automatically adds new bookmarks to the phone's bookmark list.
Technical Details
The malware consists of 4 main classes:
- BootReceiver: this class simply makes sure the MonitorService class is started after the phone reboots.
- AlarmReceiver: the MonitorService starts an alarm, triggered every minute. This alarm makes sure the MonitorService is activated every minute.
- SMSReceiver: spies incoming SMS messages. Triggers MonitorService, providing the SMS sender and body as parameter.
- MonitorService: main malicious class, detailed below.
- get the phone's IMEI, model, SDK version and IMSI.
- configure the phone to add a new access point. This access point corresponds to a mobile phone operator in China.
- creates an internal database named mydb, with a single table named blogconfig containing 4 columns: BlogType, KeyWords, IsConfirm and Charging.
- writes a preferences file: MyPrefsFile.xml which contains the current day of the month.
The first thread posts the victim's IMEI as the "uid" field of an HTTP POST to a particular script on the remote server:
http://[REMOTE SERVER]/AndroidInterface/FreeAction.aspxThe malware awaits for answers formatted as "SMS:xxxx|xxx|xxx|xxx". If the answer is "SMS:finish", the thread ends. Otherwise, the various fields are inserted in the blogconfig database.
The second thread sends several HTTP POSTs:
- registration: the IMEI (uid), ChannelId (10006), OSType and IMSI are sent to
http://[REMOTE SERVER]/AndroidInterface/Reg.aspx
If the remote server answers "sendsms", this calls a function named SendRegSms() in the code, which corresponds to sending an SMS to register to given services.
The malware sends an SMS to a random number among:13521419442 13552040604 13661258744 13521273944 13552040894 13520931794 13520234741 13520234194
The body of the SMS is "ADReg: IMEI, UA" where IMEI is the phone's IMEI, and UA is the phone's User Agent. - blog down: the IMEI is posted to:
http://[REMOTE SERVER]/AndroidInterface/BlogDown.aspx
The malware does not expect any particular response. It will automatically call the HandleBlog() method. - free down: sends the IMEI (Uid) and Version (1) to
http://[REMOTE SERVER]/AndroidInterface/FreeDown.aspx
Afterwards, it inserts data in the database and does some other processing. - fav down: sends the IMEI
http://[REMOTE SERVER]/AndroidInterface/FavDown.aspx
Afterwards, it calls the HandleFav() method, which will add a new bookmark to the phone. - open wap: sends the IMEI to:
http://[REMOTE SERVER]/AndroidInterface/OpenWap.aspx
and then visits the page the server returns as answer.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |