On Friday, May 16, a new strain of Android malware that has been attacking Israeli Android devices was identified. This strain has now spread to other countries making this a global problem. This post should answer most of the early questions about the malware named Foto_Album.

This is one of the first aggressive and successful mobile worms that has taken hold and done so with simple but effective social engineering tactics.

Before going any further, we’d like to ensure you that Lacoon MobileFortress is 100% capable of identifying the attack and mitigating its consequences if your enterprise is infected.

To keep things straightforward, we’ve created a quick Q&A below that summarizes everything we currently know about the Foto_Album attack.

Which devices are vulnerable?
For the time being, all we can say is that the attack only affects Android devices, so iOS users are safe.

What does the malware do?
Once it has infected a device the malware can:

  1. Extract sensitive user and device data from the device (including contacts, GSM data and a unique device ID) .
  2. Relay SMS messages back to a CnC (Command and Control) server without them showing up as sent.
  3. Serve as backdoor to download an additional strain of malware (named update.apk) and attempt to install it.
  4. Initiate phone calls
  5. Initiate device notifications that can aid the attacker in gaining more permissions and access.
  6. Receive simple commands via SMS.
  7. Acquire administrator-level permission, making it difficult to remove from an infected device.

The malware uses several separate methods to hide itself from the user and Anti-Virus apps:

  1. It doesn’t appear on any home screen after installation.
  2. It disguises itself as “Google Play” within the list of installed applications.
  3. It has the ability to change it’s binary hash in order to evade static signature detection


How are devices being infected?
We’re not sure how the first victim was infected but the malware is now spreading via SMS. Once a device has been infected, it sends a malicious SMS message to the entire contact list. The SMS contains a message in Russian and a URL that directs the victim to a malicious server, initiating the download of the malware.

Since the message is written in Russian, some devices that don’t support the Cyrillic alphabetic will display the message in random symbols instead.

What to do if a device is infected?
It’s quite simple to cleanse your device from this threat.
Find and remove the new app named “Google Play” from the list of installed applications.

If the uninstall option is disabled, users should first uncheck “Google Play” within the device administration screen before reverting to the applications list and removing the offending app.

What else do we know?
Our researchers have begun to dissect the malware. The malicious file is named foto_album.apk. So far, we’ve come to the conclusion that it’s a relatively simple piece of malware that uses basic obfuscation methods (i.e it doesn’t hide itself particularly well).

It looks like a generic mass malware attack, as opposed to a more sophisticated mRAT (Mobile Remote Access Trojan). Based on the URL address of the CnC server and other pieces of evidence, the attacks appear to have Russian origins.

How does Lacoon MobileFortress protect your devices?
If a device is infected and begins to exhibit suspicious behaviour (extraction of data, irregular SMSs) , MobileFortress will immediately update the user and can block the outgoing data.

NEED FURTHER ASSISTANCE? If you have any questions on this threat please contact us at info@lacoon.com

You may also like