Android Malware Targets Diabetic Patients

Affected platforms:                Android
Impacted parties:                   Android mobile users, patients, healthcare institutions
Impact:                                   Malware, Premium rate SMS

I recently ran across an Android app named “Treatment for Diabetes.” With such a title, many would intuitively think this Android application is safe. However, at the recent Virus Bulletin 2019 conference I have showed that malware can be hidden in any application – medical applications included – to enable criminals to generate revenue through aggressive advertisements. While this compromised app does not generate false advertisements, the issue is the same: almost any application can be infected with malware.

As the saying goes, “the habit does not make the monk”: this particular sample “Treatment for Diabetes” is malicious.

The application was automatically detected on our servers in September 2019, and fortunately, customers were already protected by one of our generic signatures. However, nobody had noticed its particular relevance to the medical sector until now. 

This particular sample is named "Treatment for Diabetes." It provides documentation on the different forms of diabetes and its diagnosis, facts and myths, the symptoms of diabetes, information about treatment and insulin, etc.

However, in between providing medical information about this condition, it also sends an SMS message to the phone number 5554… 

Experienced malware analysts will note this malware re-uses a technique from the past: trojan dialers used to be popular in the past, they aren’t any longer. This reminds us of old days…

The malicious application actually requests permission to send this SMS message in the manifest. Of course, for a diabetes resource application, this is immediately suspicious.

In Android 6.0 and beyond, the app checks to ensure that this permission is present, and if not, it requests it.

This code also uses basic-method name obfuscation. However, de-obfuscating it is quite trivial.

“was” inserted into table 1 of movieplayer.db

My emulator tried to send the SMS and marked it (of course, it failed to send the SMS as my emulator has no SIM card!):

Emulator marked SMS message as sent

Who is behind the phone number 5554 receiving the SMS message? It looks like a premium-rate SMS, typically used by malicious Trojan dialers to steal money from a victim, but we do not know the country, its cost, or even if it is still active. 

Regardless of who is behind this, the point is made. Healthcare institutions and patients: do not assume medical applications, such as this diabetes app, are immune to malware, and have them checked before install.

Solutions

FortiGate AV and FortiClient detect the sample as Android/FakePlayer.X!tr with SIGID: 708812

IOCs

sha256: cf661506978f088f276a5a5bc4f0ea71101f99941840dd0864b2068ee2eb2271

Learn how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems.

Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.

Discover how the FortiGuard Security Rating Service provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.