Android/SmsZombie.A!tr
Analysis
Android/SMSZombie.A!tr is a malware targeting Android mobile phones.
It is a Chinese wallpaper application.
Its malicious activity consists of installing another malicious package, detected as Android/SMSZombie.B!tr.
That latter malware, Android/SMSZombie.B!tr, carries most of the malicious payload, i.e. sending SMS messages, monitoring incoming SMS messages, or hiding messages from the victim.
Technical Details
Android/SMSZombie.A!tr's own malicious activity is limited to installing the second-stage package. The main application is a Chinese wallpaper application that can come in the form of the packages com.gmdcd.pic, com.ldh.no1, com.bntsxdn.pic, com.hxmv696.pic, com.xqxmn18.pic, com.zqbb1221.pic, com.lzll.pic.
Upon installation, the application cannot be seen in the main phone menu; however, it can be seen in the list of wallpapers (see Fig1).
Fig1 : The main wallpaper application
Once the user chooses the wallpaper for the first time, a notification as shown in Fig2 is displayed to the user. It asks the user to click on the icon and install an application in order to receive 100 points.
Fig2 : Wallpaper notification
Upon clicking, a user confirmation - as shown in Fig3 - is required.
Fig3 : Installation confirmation required upon clicking the icon
The functions above are implemented by the BXWallActivity class of the package.
If the user clicks on the agree button, another application called "Android System Services" (in Chinese) is installed on the victim's phone that contains the malicious functions.
This functionality is implemented by the jifenActivity class. It reads the file a33.jpg from the package assets, which is actually a malicious Android package (detected as Android/SMSZombie.B!tr), and installs it.
Permissions required by the application:
- BIND_WALLPAPER
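As an added example (not part of the original analysis), the following Python script shows one way to triage a sample for the dropper technique described above: it walks the APK's assets/ directory and flags any entry that is really an Android package regardless of its file extension, as a33.jpg is here. The sample APK is constructed inline; the package-name set is the list given above.

```python
import io
import zipfile

# Package names the analysis lists for the wallpaper dropper
SMSZOMBIE_PACKAGES = {
    "com.gmdcd.pic", "com.ldh.no1", "com.bntsxdn.pic", "com.hxmv696.pic",
    "com.xqxmn18.pic", "com.zqbb1221.pic", "com.lzll.pic",
}
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP/APK


def find_embedded_apks(apk_bytes):
    """Return names of assets/ entries whose content is an Android package,
    whatever their extension claims (e.g. assets/a33.jpg)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            data = outer.read(name)
            if not data.startswith(ZIP_MAGIC):
                continue  # real image or other non-archive asset
            # Confirm it is an APK (has a manifest), not just any archive
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        hits.append(name)
            except zipfile.BadZipFile:
                pass
    return hits


def build_sample_dropper():
    """Constructed sample: an APK whose assets/a33.jpg is itself an APK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/a33.jpg", inner.getvalue())          # hidden APK
        z.writestr("assets/wallpaper1.jpg", b"\xff\xd8\xff\xe0")  # real JPEG header
    return outer.getvalue()


if __name__ == "__main__":
    print(find_embedded_apks(build_sample_dropper()))
```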
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |