Funtasy Trojan Targets Spanish Android Users with Sneaky SMS Charges

Summary

• A new Android Trojan, named Funtasy, began targeting Spanish Android users in mid-April.
• Users have downloaded 18 different variants of Funtasy between 13,500 and 67,000 times from the Google Play store.
• Funtasy currently targets users of multiple Spanish mobile networks, and one Australian mobile network.
• Funtasy subscribes victim’s phones to premium SMS services which cost up to 30 euros per month, while hiding the evidence of the subscription.

Let the Funtasy Begin

Palo Alto Networks WildFire detected a new Android Trojan on May 7th, 2014 when a customer using our enterprise security platform downloaded the malicious application from the Google Play store. We’ve named the malware family Funtasy, based on the domain it uses for registering compromised phones to the premium SMS service. The first version of Funtasy we detected is a fake television remote control application.

Figure 1: Funtasy Trojan Disguised as TV Remote Control App.

A developer using the ID “fun app” published the Trojan, and the remote control application they uploaded on April 21 is their most successful app so far, with between 10,000 and 50,000 downloads on the play store. Based on the reviews, the application does not function very well as a remote, but in reality it doesn’t contain remote control capability. There’s no mention of a premium SMS service in the description, but a review of the permissions reveals that the program will have complete access to SMS messages.

Figure 2: Remote control app requests complete control over your SMS messages.

After the user installs the remote application and opens it, they are presented with a terms of service screen. This is the user’s only chance to realize that opening this application is going to cost them dearly.

Figure 3: Remote control app terms of service.

If you can’t read the fine print, I don’t blame you. Here’s the text decoded from the application’s source code.

Servicio de suscripción para usuarios Movistar, Vodafone, Orange, Yoigo, R y Simyo para mayores de edad o menores con capacidad legal para contratar, prestados por (FUNTASY MOBILE S.L., operador titular ARGATEL SOLUTIONS SL, n. atención al cliente 902 303 803 ó inf@argatel.com, apartado de correos 167, 17001 Girona. Coste por SMS recibido 1.46 euros/sms (IVA incluido) más el coste de navegación WAP, que dependerá del operador que tenga contratado. Máximo 10 sms/semana. El límite máximo de facturación del servicio puede variar en función de tu operador (18 a 30 euros/mes). Baja automática para cancelar el servicio: envía BAJA al 797977.

This message is pretty straightforward, assuming the user actually reads it. It explains that by opening the application the reader agrees to receive up to 10 SMS messages a week at a cost of 1.46 euros each. The maximum cost per month should between 18 and 30 euros per month. If the user would like to unsubscribe they can text “BAJA” to 797977. Any user who reads this message and understands it is unlikely to agree, but Funtasy does not even wait for their agreement.

While the terms page is on the screen, in the background the Trojan checks to see if the phone is attached to a network with one of the following mobile network codes (MNC):

• 21401: Vodafone Spain
• 21403: France Telecom España SA
• 21404: Xfera Moviles SA
• 21406: Vodafone Spain
• 21407: Telefónica Móviles España
• 21416: Telecable de Asturias S.A.U.
• 21417: R Cable y Telecomunicaciones Galicia S.A.
• 21418: Cableuropa S.A.U.
• 21419: E-PLUS Moviles Virtuales España S.L.U.
• 21421: Jazz Telecom S.A.U.
• 50503: Vodafone Hutchison Australia Proprietary Limited

Each of these networks is Spanish, except for a single Australian network. This data, along with an encoded version of the Terms of Service are stored as static strings in the Android package file.

Constants.java

After determining the phone is on one of the correct networks, the malware searches for the phone’s mobile number. It does this in three ways:

• Invoking the TelephonyManager’s getLine1Number() method.
• Traversing the phones call logs and parsing the phones outgoing number.
• Searching the phone for account numbers associated with messaging apps WhatsApp and Telegram.  If a user has registered with one of these applications using a number not associated with the phone, that number will be used by Funtasy.

Util.java

With the phone’s number captured, Funtasy then registers the mobile account with a premium SMS service by sending an HTTP POST request to the following URL.

• http://funtasymobile.com/alertas_alta_web.php

The request is made without the users knowledge, they have no choice to select a number. Of course, premium SMS services require that the user confirm that they want to sign up by sending incoming SMS message containing a PIN.  Funtasy  intercepts this message, parses out the PIN and sends it back to the registration server, completing the enrollment process.

IncomingSms.java

Of course, once users begin receiving the SMS messages, they are likely to unsubscribe from the service they never really wanted. To prevent this, Funtasy blocks the incoming messages before they are displayed to the user and modifies the time stamp on each message to make them appear to have been received 15 days earlier. This moves it to the back of the inbox there the victim is unlikely to ever see it.  Funtasy does this even when the victim uses alternative SMS managers, like Google Hangouts or GO SMS Pro.

Oscar Sanchez

After evaluating the remote control app and finding malicious behavior, we decided to evaluate all of the other applications published by “fun app”, and found 12 more which all contains the exact same behavior.

Figure 4: Additional “fun app” applications, all contain the Funtasy Trojan.

Each of these applications is designed to appear like a legitimate application already in the app store. To raise the ranking of these apps, the author appears to have given many of them five-star ratings. Unfortunately for them, this gave us additional insight into their operation.

To rate and comment on applications, users must have a Google account. One account using the name “Oscar Sanchez” gave high ratings and positive comments to many of the “fun app” applications. He also rated apps made by two additional publishers with the names "MilApps101" and "Milapps102." Between the two of these developers they have produced five applications, and we’ve found that every one of them contains the Funtasy Trojan. While the name “Oscar Sanchez” may be a pseudonym, Whois data indicates it was also used to register the domain hosting the Funtasy Mobile premium SMS service.

In total we’ve found 18 different applications in the Google Play store that contain the Funtasy Trojan. Each of these files also has the same internal class structure, which is represented by the tree structure below.

Figure 5: Funtasy internal class structure.

Researchers interested in investigating them further can find more information in the table below.

Using this Trojan the attacker could be generating up to 30 euros per month for over 67,000 infected mobile phones. That adds up to 2 million euros per month, but the actual number is likely much lower. Many of the users who downloaded the tool may not be using one of the targeted Spanish or Australian networks.

Figure 6: List of Android APK files infected with Funtasy Trojan

Users who want to defend against the Funtasy Trojan should not rely on traditional antivirus programs, as they do not currently detect this threat. Common sense is the best defense against these types of abusive programs. While many users breeze past the list of permissions required when installing new apps, readers of this blog should ask themselves, “Does my electronic bible need to read my SMS messages?”