Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Trojan:Android/Funtasy.A


Aliases:


Trojan:Android/Funtasy

Malware
Trojan
Android

Summary

Trojan:Android/Funtasy appears to be a television remote-control app; in reality, the trojan silently subscribes the user's device to a premium-rate SMS service.



Disinfection & Removal

F-Secure's Mobile Security product blocks installation of this program with default settings.



Technical Details

Trojan:Android/Funtasy appears to be an app for remotely controlling the television; the app however does not contain any tv-remote related functionality.

Instead, the trojan first checks to see if the device is registered to certain Spanish mobile networks (indicating the malware is targeted primarily at users in Spain) and one Australian network. This allows the malware to silently subscribe the user to premium-rate SMS services.

Trojan:Android/Funtasy was previously available from the Google Play Store, but has since been removed.


Premium-rate SMS service subscription

To harvest the user's phone number, the trojan scours configured accounts on the device (including for other installed programs such as the WhatsApp and Telegram messaging apps).

Funtasy.A also tries to get the number by 'reflecting' it to an external site - the malware tries to browse to a web service through an access point with an old WAP feature that forwards the device's phone number to the external site, which then returns it to the trojan.

However the phone number is obtained, Funtasy uses it to sign the device up for the premium-rate SMS service. The name for this trojan is based on the name of the domain hosting the premium-rate SMS service.

To complete the device enrollment, Trojan:Android/Funtasy also listens for incoming SMS messages from a specified phone number, which provides the PIN the user is supposed to return to confirm the subscription; when received, the malware sends the message contents to the registration server to validate the enrollment.

Incoming SMS notifications are suppressed, to ensure the user stays unaware of both the initial enrollment and the subsequent SMS messages sent to the device based on the fraudulent subscription.


More

The Trojan:Android/Funtasy installer sample examined for this analysis also included an executable file with the name 'Crypt5.exe'; the file could be used to decrypt database files for Whatsapp.







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free