Mobile Virus

Android/Twikabot.A!tr

Analysis

Android/Twikabot.A!tr is a piece of malware targeting Android mobile phones.
It uses algorithmically generated Twitter account names to discover the C&C servers it should contact. Using the instructions received from those servers, it then sends SMS messages from the victim's phone.

Technical Details


The malware comes in a package called com.google.usagestats.updater.
The application's name is "Be social ! plugin". It hides itself from the victim by not appearing in the main applications menu; the only evidence of its presence is its entry in the Settings menu.

Figure 1. Android/Twikabot.A!tr installed on the phone
It contains one broadcast receiver, StatisticsUploader, that is launched when the phone is rebooted or when the keyguard is dismissed.
The rest of the classes in the package appear to have been obfuscated, using popular male first names as class names (CHARLES, RICHARD, KENNETH...). The malicious package performs the following actions:
  • Once launched, the StatisticsUploader class generates a random string, using an algorithm that combines predefined strings present in the package.

    Figure 2. Predefined strings used by the account name generation algorithm.
  • The generated string serves as the nickname of a Twitter account (e.g. 9homeek4my). The malware then sends an HTTP GET request to
    http://mobile.twitter.com/{generated nickname}
    
  • From the response to the HTTP request, it extracts the string found between a randomly chosen "tag" (see arrayOfString3 in Figure 2; those are the tags) and a randomly chosen domain value (see arrayOfString1 in Figure 2).
    For example, if the response is:
    {99,9m}Command and Control server name.qipim.ru{99,9m}
    
    then the tag is {99,9m}, the domain name is qipim.ru, and the command and control server name is extracted from the beginning of the enclosed string.
  • It sends a POST request to the URL "http://"+extracted C&C string+"/carbontetraiodide" with a randomly generated user agent and the connection timeout set to 5 seconds. The parameters of the POST request are two nested JSON objects, one inside the other:
    { "tag" : "task_info",
      "data" : { "task_title": "title" },
             { "task_done" : BOOLEAN },
             { "data" : STATUS }
    }
    
    where BOOLEAN is "true" or "false", and STATUS is a string such as "delivered", "not delivered", "failure sent" or "sent".
  • It then checks the response to the POST request for a "module" named "sms". If one is present, it sends an SMS message using the values in the POST response: "phone" (SMS destination), "data" (SMS body) and "interval" (number of times to send the SMS, e.g. "once").
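As an added illustration (not code from the original analysis, nor the malware's own code), the following Python reproduces the C&C extraction step described above so an analyst can recover the C&C host from a captured profile page, plus a small check for the beacon path when triaging proxy logs. The tag and domain lists are assumptions: the page shows only {99,9m} and qipim.ru, and the second entry of each list is a constructed placeholder.

```python
import re
from typing import Iterable, Optional
from urllib.parse import urlparse

# Assumed marker lists: the page shows only the tag "{99,9m}" and the domain
# "qipim.ru"; the second entry in each list is a constructed placeholder
# standing in for the rest of arrayOfString3 / arrayOfString1.
TAGS = ["{99,9m}", "{placeholder-tag}"]
DOMAINS = ["qipim.ru", "placeholder-domain.example"]

# Constructed sample of a fetched profile page carrying the encoded C&C name.
SAMPLE_PAGE = (
    "<html><body><p>hello</p>"
    "{99,9m}Command and Control server name.qipim.ru{99,9m}"
    "</body></html>"
)


def extract_c2(body: str, tags: Iterable[str] = TAGS,
               domains: Iterable[str] = DOMAINS) -> Optional[str]:
    """Recover the C&C host name from a fetched profile page.

    The malware takes the text between one of its tags and one of its
    domain values; the host name is that text followed by the domain.
    Every tag/domain pair is tried, since the sample picks them at random.
    Returns None when no pair encloses anything, so a miss is explicit.
    """
    for tag in tags:
        for domain in domains:
            pattern = re.escape(tag) + r"(.*?)" + re.escape(domain)
            for m in re.finditer(pattern, body, re.DOTALL):
                label = m.group(1)
                # Reject an empty label or one that swallowed another tag.
                if label and tag not in label:
                    return label + domain
    return None


def is_c2_beacon(url: str) -> bool:
    """True when a URL's path is the beacon path the sample POSTs to."""
    return urlparse(url).path == "/carbontetraiodide"


if __name__ == "__main__":
    print(extract_c2(SAMPLE_PAGE))
    print(is_c2_beacon("http://c2.example/carbontetraiodide"))
```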

Permissions required by the application:
  • RECEIVE_BOOT_COMPLETED
  • INTERNET
  • READ_PHONE_STATE
  • WRITE_EXTERNAL_STORAGE
  • ACCESS_NETWORK_STATE
  • SEND_SMS
  • RECEIVE_SMS

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.