Trojan:Android/Funtasy.A

Classification

Category: Malware
Type: Trojan
Platform: Android
Aliases: Trojan:Android/Funtasy

Summary

Trojan:Android/Funtasy appears to be a television remote-control app; in reality, the trojan silently subscribes the user's device to a premium-rate SMS service.

Removal

Once the scan is complete, the F-Secure security product will ask whether you want to uninstall the file, move it to quarantine or keep it installed on your device.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:Android/Funtasy appears to be an app for remotely controlling a television; the app, however, contains no TV-remote functionality at all.

Instead, the trojan first checks whether the device is registered to certain Spanish mobile networks (indicating that the malware is aimed primarily at users in Spain) or to one Australian network. If the device is on one of these networks, the malware goes on to silently subscribe the user to premium-rate SMS services.

Trojan:Android/Funtasy was previously available from the Google Play Store, but has since been removed.

Premium-rate SMS service subscription

To harvest the user's phone number, the trojan scours the accounts configured on the device, including those belonging to other installed apps such as the WhatsApp and Telegram messaging clients.

Funtasy.A also tries to obtain the number by 'reflecting' it off an external site: the malware browses to a web service through an access point that still has an old WAP feature which forwards the device's phone number to the site, and the site then returns the number to the trojan.

However the phone number is obtained, Funtasy uses it to sign the device up for the premium-rate SMS service. The name for this trojan is based on the name of the domain hosting the premium-rate SMS service.

To complete the enrollment, Trojan:Android/Funtasy also listens for incoming SMS messages from a specific phone number; these carry the PIN that the user is supposed to send back to confirm the subscription. When such a message arrives, the malware forwards its contents to the registration server to validate the enrollment.

Notifications for incoming SMS messages are suppressed, so that the user remains unaware of both the initial enrollment and the subsequent messages sent to the device under the fraudulent subscription.
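A defender-side triage heuristic for the behaviour described in this section, written as an added example (it is not F-Secure's code and not taken from the sample): it scans a decoded AndroidManifest.xml for the permission set and the prioritised SMS receiver that a subscription trojan of this kind needs, using a constructed manifest fragment as input. The permission names and the android:priority attribute are standard Android; that Funtasy hides messages through exactly this mechanism is an assumption.

```python
# Static triage heuristic for the manifest of a suspected premium-SMS trojan
# (added example, not F-Secure's code). It flags the permission set and the
# prioritised SMS receiver that the behaviour described above requires.
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # ElementTree key for android:name
PRIORITY = f"{{{ANDROID_NS}}}priority"  # ElementTree key for android:priority
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# A TV-remote app has no legitimate need for any of these.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (subscription PIN)",
    "android.permission.SEND_SMS": "send SMS to premium-rate numbers",
    "android.permission.GET_ACCOUNTS": "harvest account identifiers for the phone number",
    "android.permission.READ_PHONE_STATE": "read operator and phone number",
}

def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm, why in SUSPICIOUS_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"requests {perm}: {why}")
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in intent_filter.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(intent_filter.get(PRIORITY, "0"))
                findings.append(f"receiver {receiver.get(NAME)} handles "
                                f"SMS_RECEIVED with priority {prio}")
                if prio > 0:
                    findings.append("elevated priority: receiver sees SMS before the "
                                    "default messaging app, consistent with hiding them")
    return findings

# Constructed manifest mimicking a fake TV-remote app; not taken from a real sample.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.tvremote">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed fragment yields four findings; a manifest with only benign permissions and no SMS receiver yields none.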

More

The Trojan:Android/Funtasy installer sample examined for this analysis also included an executable file named 'Crypt5.exe'; the file could be used to decrypt WhatsApp database files.