Android/Dougalek.A!tr is a piece of malware targeting Android mobile phones.
The package disguises itself as a video-player application (see Figure 1).
Fig 1. Application Icon
However, in the background it sends information from the victim's phone, namely the Android ID, the phone number and the contact list, to a URL hard-coded in the package, without the user's knowledge.
The application has been observed under package names such as jp.oomosirodougamatome, jp.waraerudouga, jp.youtubedougamatome, jp.yoututubebedouga and jp.himatubusidouga. Possible application names (literally translated from Japanese) are Video summary of interesting, Summary youtube videos, Funny videos, YouTube videos, Videos all together as one and Video kill.
Among other classes, it declares two activities, MainActivity and MovieActivity. MainActivity contains the malicious code, whereas MovieActivity implements the legitimate video-playback function.
MainActivity.class: As the name suggests, this activity is launched when the application is opened. The user is shown the screen below while the activity does its work in the background.
Fig 2. Message shown to the user upon launching the application. This roughly translates to 'communication pending'
Its main function is to send a POST request in the background to the URL:
http://[CENSORED]lks.jp/get41.php with the parameters:
- "id" = the phone's 64-bit Android ID
- "tel" = the phone number (MSISDN)
- "data" = the string "name: " + display name of the contact + "\ttel: " + phone number of the contact + "\temail: " + email address of the contact + "\n", repeated for every contact on the phone
If the POST request is successful, MovieActivity is launched.
If the POST request fails, the user is shown an error message as shown below and the application exits.
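For responders who recover the POST from a network capture, the following Python reconstructs the "data" layout described above and parses a captured request body back into the list of leaked contacts, so that the extent of the exfiltration can be established. This is an added example, not code from the original entry or from the malware itself. It assumes the body is sent form-urlencoded (the entry only names the parameters and the "data" layout), and the Android ID, phone numbers and contacts used as input are constructed sample values, not observed data.

```python
"""Parse a captured Android/Dougalek.A!tr exfiltration POST and recover the leaked contacts."""
from urllib.parse import parse_qs, urlencode

# Field layout taken from the analysis above: one record per contact,
# fields separated by tabs, records terminated by a newline.
NAME_PREFIX = "name: "
TEL_SEP = "\ttel: "
EMAIL_SEP = "\temail: "


def build_data_field(contacts):
    """Reproduce the malware's "data" parameter: "name: X\ttel: Y\temail: Z\n" per contact.
    Note that the format does no escaping; a tab or newline inside a contact field
    would corrupt the record boundary."""
    return "".join(
        f"{NAME_PREFIX}{c['name']}{TEL_SEP}{c['tel']}{EMAIL_SEP}{c['email']}\n"
        for c in contacts
    )


def parse_exfil_body(body):
    """Parse a form-urlencoded POST body into (android_id, phone_number, contacts).

    Raises ValueError when the body lacks the id/tel/data parameters or a contact
    record does not follow the name/tel/email layout.
    """
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    try:
        android_id = fields["id"][0]
        tel = fields["tel"][0]
        data = fields["data"][0]
    except KeyError as exc:
        raise ValueError(f"missing parameter {exc}") from None

    contacts = []
    for line in data.split("\n"):
        if not line:
            continue  # every record ends in "\n", so the last split element is empty
        name_part, sep1, rest = line.partition(TEL_SEP)
        tel_part, sep2, email_part = rest.partition(EMAIL_SEP)
        if not (name_part.startswith(NAME_PREFIX) and sep1 and sep2):
            raise ValueError(f"unexpected contact record: {line!r}")
        contacts.append({
            "name": name_part[len(NAME_PREFIX):],
            "tel": tel_part,
            "email": email_part,
        })
    return android_id, tel, contacts


def is_dougalek_exfil(path, body):
    """Rough traffic check: the endpoint name seen in this sample plus exactly the
    three parameters. Hosts and script names vary between samples, so treat this
    as a triage aid rather than a signature."""
    if not path.endswith("/get41.php"):
        return False
    try:
        fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return False
    return set(fields) == {"id", "tel", "data"}


# Constructed sample input (assumed values, not data from a real infection).
SAMPLE_CONTACTS = [
    {"name": "Sato Hanako", "tel": "+819011112222", "email": "hanako@example.jp"},
    {"name": "Suzuki Taro", "tel": "08033334444", "email": ""},
]
SAMPLE_BODY = urlencode({
    "id": "0123456789abcdef",          # 64-bit Android ID as 16 hex digits
    "tel": "+819055556666",            # victim's own MSISDN
    "data": build_data_field(SAMPLE_CONTACTS),
})

if __name__ == "__main__":
    android_id, victim_tel, leaked = parse_exfil_body(SAMPLE_BODY)
    print(f"Android ID {android_id}, phone {victim_tel}, {len(leaked)} contacts leaked:")
    for c in leaked:
        print(f"  {c['name']!r:20} tel={c['tel']!r} email={c['email']!r}")
```

Because urlencode and parse_qs round-trip the tabs and newlines as %09 and %0A, the parser works unchanged on a body carved out of a proxy log or pcap, provided the capture preserved the raw percent-encoded form.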
MovieActivity.class: It contains the legitimate functionality of the application, i.e. it uses a VideoView to play a video file from the URL:
Permissions required by the application:
Mainly aimed at Japanese users.
- Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.