Mobile Virus

Android/Dougalek.A!tr

Analysis

Android/Dougalek.A!tr is a piece of malware targeting Android mobile phones.
The package disguises itself as a video player application (see Figure 1).

Fig 1. Application Icon
However, in the background it sends information from the victim's phone, namely the Android ID, the phone number and the contact list, to a URL hard-coded in the package, without the user's knowledge.

Technical Details


The application is distributed under package names such as jp.oomosirodougamatome, jp.waraerudouga, jp.youtubedougamatome, jp.yoututubebedouga and jp.himatubusidouga. Possible application names (literal translations from Japanese) are: Video summary of interesting, Summary youtube videos, Funny videos, YouTube videos, Videos all together as one, Video kill.
Among other classes, it declares two activities, MainActivity and MovieActivity. MainActivity contains the malicious code, whereas MovieActivity implements the legitimate video-playing function.
MainActivity.class: As the name suggests, this activity is launched when the application is opened. The user is shown the screen in Figure 2.

Fig 2. Message shown to the user upon launching the application; it roughly translates to 'communication pending'.
Its main function is to send a POST request in the background to the URL:
http://[CENSORED]lks.jp/get41.php
with the parameters:
  • "id" = the 64-bit Android ID of the phone
  • "tel" = the phone number of the phone (MSISDN)
  • "data" = one record per contact on the phone, each formatted as "name: " + display name + "\ttel: " + phone number of the contact + "\temail: " + email address of the contact + "\n", concatenated into a single string

If the POST request succeeds, MovieActivity is launched.
If the POST request fails, the user is shown an error message and the application exits.
MovieActivity.class: This contains the legitimate functionality of the application: it launches a VideoView to play a video file from the URL:
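The following added example (not code from the sample or from Fortinet) reconstructs the exfiltration body described above and, more usefully for incident response, parses a captured body back into the Android ID, phone number and the list of leaked contacts. It assumes the parameters are sent as an application/x-www-form-urlencoded body, which the analysis does not state explicitly; the contact records and the Android ID are constructed sample data, and the `is_dougalek_style_body` heuristic is an assumption of ours, not a Fortinet signature.

```python
"""Build and parse the POST body layout attributed to Android/Dougalek.A!tr.

Added example; the field layout ("id", "tel", "data" with name/tel/email
separated by tabs and records separated by newlines) follows the analysis.
Form encoding of the body is an assumption. Sample data is constructed.
"""
from urllib.parse import parse_qs, urlencode

# Constructed sample contacts (not real data).
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "tel": "+81-90-0000-0001", "email": "alice@example.invalid"},
    {"name": "Bob Example", "tel": "+81-90-0000-0002", "email": ""},
]


def build_data_field(contacts):
    """Serialise contacts exactly as described:
    'name: <n>\\ttel: <t>\\temail: <e>\\n' per contact, concatenated."""
    return "".join(
        f"name: {c['name']}\ttel: {c['tel']}\temail: {c['email']}\n" for c in contacts
    )


def build_post_body(android_id, msisdn, contacts):
    """Form-encoded body carrying the three parameters the sample sends."""
    return urlencode({"id": android_id, "tel": msisdn, "data": build_data_field(contacts)})


def parse_exfil_body(body):
    """Inverse operation for IR: given a captured form-encoded body, recover
    the Android ID, the phone number and the leaked contact records."""
    fields = parse_qs(body, keep_blank_values=True)
    contacts = []
    for line in fields.get("data", [""])[0].split("\n"):
        if not line:
            continue  # trailing newline produces one empty element
        record = {}
        for part in line.split("\t"):
            # Split on the first ": " only so values containing ':' survive.
            label, _, value = part.partition(": ")
            record[label] = value
        contacts.append(record)
    return {
        "android_id": fields.get("id", [""])[0],
        "msisdn": fields.get("tel", [""])[0],
        "contacts": contacts,
    }


def is_dougalek_style_body(body):
    """Heuristic (our assumption, not a vendor signature): all three
    parameter names are present and every non-empty 'data' line carries the
    name/tel/email labels in that order."""
    fields = parse_qs(body, keep_blank_values=True)
    if not {"id", "tel", "data"} <= set(fields):
        return False
    lines = [ln for ln in fields["data"][0].split("\n") if ln]
    return bool(lines) and all(
        [p.split(":")[0] for p in ln.split("\t")] == ["name", "tel", "email"] for ln in lines
    )


if __name__ == "__main__":
    body = build_post_body("0123456789abcdef", "+819000000000", SAMPLE_CONTACTS)
    print(body)
    print(parse_exfil_body(body))
    print("dougalek-style:", is_dougalek_style_body(body))
```

When run against a body carved from a PCAP, `parse_exfil_body` gives the responder the exact set of contacts that left the device, which is what the affected user needs to be told; `is_dougalek_style_body` is only a coarse triage filter and will also match any other application that happens to use the same labels.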
http://[CENSORED]lks.jp/movie/movie41.mp4

Permissions required by the application:
  • INTERNET
  • READ_PHONE_STATE
  • READ_CONTACTS
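As an added triage example (ours, not Fortinet's), the script below checks a decoded AndroidManifest.xml for the three permissions listed above and for the package names reported in this analysis. It assumes the manifest has already been decoded to text (for example with apktool), since the manifest inside an APK is in binary XML; the sample manifest embedded here is constructed.

```python
"""Flag manifests matching the permission set and package names reported for
Android/Dougalek.A!tr. Added example; the manifest text below is constructed
and must already be decoded from binary XML (e.g. by apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package names reported in the analysis.
DOUGALEK_PACKAGES = {
    "jp.oomosirodougamatome",
    "jp.waraerudouga",
    "jp.youtubedougamatome",
    "jp.yoututubebedouga",
    "jp.himatubusidouga",
}

# Permission combination the sample requests.
EXFIL_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest, not taken from the malware.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jp.waraerudouga">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="app">
    <activity android:name=".MainActivity"/>
    <activity android:name=".MovieActivity"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a verdict dict: package name, whether it is a reported
    Dougalek package, whether all three exfiltration permissions are
    requested, and which of them are missing."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # Permission names live in the android: namespace on <uses-permission>.
    perms = {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    }
    return {
        "package": package,
        "known_package": package in DOUGALEK_PACKAGES,
        "has_exfil_permissions": EXFIL_PERMISSIONS <= perms,
        "missing_permissions": sorted(EXFIL_PERMISSIONS - perms),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match on the permission set alone is weak evidence, since many legitimate applications request INTERNET, READ_PHONE_STATE and READ_CONTACTS together; a known package name or the POST behaviour described above is what turns the verdict into a detection.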

The malware is mainly aimed at Japanese users.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.