Virus

Android/FakeInst.E!tr

Analysis

Android/FakeInst.E!tr is a piece of malware targetting Android mobile phones.
The malicious application poses as an activator for another application (Figure 1)
However, upon launching, it merely sends out SMS messages from the victim's phone without actually activating/installing another application.

Fig 1. Activator application Icon

Technical Details


The application is called "Activator" and comes in the package com.activator
The package declares an Activity called ActivatorActivity that performs the following functions:
  • Upon lauching the application, it retrieves the phone's operator/Service Provider Name
  • If the first three characters of the operator name are b or e (lower or upper case), an SMS message is sent To : 1518 with Body : DEF1773.
  • If the first three characters of the operator name are m, t or s (lower or upper case), an SMS message is sent To : 770656 with Body : DEF1773
  • Finally, an SMS message is sent To : 3170 with Body : (4037 + 1 + a random number chosen between 0 and 1000)
  • If the operator name string is empty, the user is shown an alert in Russian that translates to "Failed to load base wallpaper. Please try again later." and the application is closed

Permissions required by the application:
  • WRITE_EXTERNAL_STORAGE
  • RECEIVE_BOOT_COMPLETED

It is mainly aimed at Russian users, and Russian telecom operators Beeline and MTS.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.