Trojan:Android/Funtasy.A

Trojan:Android/Funtasy appears to be an app for remotely controlling the television; the app however does not contain any tv-remote related functionality.

Instead, the trojan first checks to see if the device is registered to certain Spanish mobile networks (indicating the malware is targeted primarily at users in Spain) and one Australian network. This allows the malware to silently subscribe the user to premium-rate SMS services.

Trojan:Android/Funtasy was previously available from the Google Play Store, but has since been removed.

Premium-rate SMS service subscription

To harvest the user's phone number, the trojan scours configured accounts on the device (including for other installed programs such as the WhatsApp and Telegram messaging apps).

Funtasy.A also tries to get the number by 'reflecting' it to an external site - the malware tries to browse to a web service through an access point with an old WAP feature that forwards the device's phone number to the external site, which then returns it to the trojan.

However the phone number is obtained, Funtasy uses it to sign the device up for the premium-rate SMS service. The name for this trojan is based on the name of the domain hosting the premium-rate SMS service.

To complete the device enrollment, Trojan:Android/Funtasy also listens for incoming SMS messages from a specified phone number, which provides the PIN the user is supposed to return to confirm the subscription; when received, the malware sends the message contents to the registration server to validate the enrollment.

Incoming SMS notifications are suppressed, to ensure the user stays unaware of both the initial enrollment and the subsequent SMS messages sent to the device based on the fraudulent subscription.

More

The Trojan:Android/Funtasy installer sample examined for this analysis also included an executable file with the name 'Crypt5.exe'; the file could be used to decrypt database files for Whatsapp.