
June 4th, 2013

For Your Satisfaction – Android:Satfi-A [Trj]

We all have our favorite apps for all the things we do. I use Shazam when I don’t know what song is playing, Maps when I’m lost, FlightRadar24 when I’m curious about the plane flying over my head. These apps are there for my satisfaction; they meet some need.


Each of us has different needs and desires. Apps like SatsFiU Player take advantage of that. Wherever you got this app from, it’s not from the Google Play Store. This app will try to satisfy both your and its developer’s desires.

SatsFiU Player is an app that might come in handy when you need to be entertained in an “adult way,” if you know what I mean. For the ones that don’t get it or don’t believe what I’m talking about, I’ll be clear: it’s an app that plays pornographic movies. There is the standard “catch” which almost every malicious app for Android has. In this case, the most visible catch is that it allows the developer to remotely control your phone, in a particular way. The most distressing part is that he can tell your phone to send an SMS to a given number, potentially premium-rated.

Yes, it’s a win-win situation. Kind of. You’ll be pleased by what you see, he’ll be pleased by the money he gets and the information sent from your phone.

Now it’s time to get some information. Let’s pop open the hood and see what the engine is capable of. First thing you’ll notice is the app permissions that are visible during install.


Let’s see: CALL PHONE, SEND SMS, RECEIVE SMS, RECEIVE BOOT COMPLETED, RECORD AUDIO. From that you can tell it’s not going to do any good. You want it to play video, that’s all. The app will run automatically after you power up your phone, which is why it needs the RECEIVE BOOT COMPLETED permission. It also has audio recording capabilities, which are not used in this particular version, but once the app is updated, it might start recording you.


When you start the app, it schedules a system task that will repeat every 12 hours, which I will talk about later. On the first screen you’ll be “prompted” for a PIN which, luckily for us, is already entered (0000).


When we look in the source code, it tells us that the PIN doesn’t really have any function, since you’re unable to change it and it’s always “0000”. So, when you click Go, it takes you to the next screen, where you can see a screenshot from the video and a play button. If you’re 18+, you’re allowed to proceed to the next step, in which the actual video will be played. If you’re not, nothing can stop you from proceeding anyway. The video is a minute and a half long and it’s embedded in the app, so it never changes. Twelve hours passed and we received the system alarm which had been set on app startup. The fun starts here.

The app will read your phone number, IMSI (SIM card serial number) and system time. Then it checks whether the phone is connected to the network. If so, it checks for a variable that’s called here “firstRun”. If the value is 0, a new value will be generated and stored (random number from 1000000 to 9000000). The next step is checking whether the app is in “active mode” (default is 1 – yes). If the active mode is on, the story continues.


The app sends your phone number, IMSI, operator name, a static parameter called “app=harvest” and system time to a remote server (probably owned by the maker of this app), which answers either with:

  • **S*M*S** – an SMS message with the firstRun ID will be sent from your phone to a given number
  • **DE*ACTIVATE** – the app will be deactivated (active mode will be set to 0), so it no longer automatically sends all the information to the server
  • **ACTIVATE** – the app will be activated
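A detection sketch for the check-in described above, added here as an example and not taken from the sample: it scans web-proxy log lines for requests that carry `app=harvest` together with an IMSI-shaped value, then checks whether a client repeats them about 12 hours apart. HTTP transport, the log layout, the host and every parameter name except `app` are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

IMSI_RE = re.compile(r"^\d{14,15}$")  # IMSIs are at most 15 decimal digits

# Constructed proxy log: "<ISO time> <client> <method> <url>". Hosts and all
# parameter names other than app=harvest are hypothetical.
SAMPLE_LOG = """\
2013-06-01T08:00:05 10.0.0.21 GET http://c2.example.invalid/in.php?phone=%2B15550100&imsi=310150123456789&op=ExampleTel&app=harvest&time=1370073605
2013-06-01T09:12:40 10.0.0.34 GET http://video.example.invalid/watch?app=player&id=42
2013-06-01T20:00:07 10.0.0.21 GET http://c2.example.invalid/in.php?phone=%2B15550100&imsi=310150123456789&op=ExampleTel&app=harvest&time=1370116807
2013-06-01T21:30:00 10.0.0.50 GET http://shop.example.invalid/list?app=harvest&q=tools
"""


def is_beacon(url):
    """True when the query has the static marker and some IMSI-shaped value."""
    params = parse_qs(urlsplit(url).query)
    has_marker = "harvest" in params.get("app", [])
    has_imsi = any(IMSI_RE.match(v) for vals in params.values() for v in vals)
    return has_marker and has_imsi


def find_beaconing_clients(log_text, period_h=12, tolerance_h=1):
    """Map each client that sent a beacon to its count and a periodicity flag."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, _method, url = parts
        if is_beacon(url):
            hits.setdefault(client, []).append(datetime.fromisoformat(ts))
    report = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        periodic = any(abs(g - period_h) <= tolerance_h for g in gaps)
        report[client] = {"beacons": len(times), "periodic": periodic}
    return report


if __name__ == "__main__":
    print(find_beaconing_clients(SAMPLE_LOG))
```

Requiring both the marker and the IMSI-shaped value keeps an unrelated request that merely uses `app=harvest` (the last sample line) out of the report.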

That is only one part of the app. The second part does something more. As I said before, the app is capable of handling incoming SMS messages. When a message arrives, it gets processed by all the apps that have the RECEIVE_SMS receiver registered, by priority. This app has priority 999 (the higher the number the lower its priority) which probably makes it the last app that is notified. In case it’s not the last app, it aborts the broadcast and no more apps will be notified.
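The two manifest traits discussed so far, the permission set from the install screen and an SMS receiver registered with an explicit priority, can be triaged statically. The following is an added example, not code from the sample or from avast!; it assumes the manifest has already been decoded to plain XML, and the sample manifest, package name and class names are constructed.

```python
import xml.etree.ElementTree as ET  # for hostile input, defusedxml is the safer parser

NS = "{http://schemas.android.com/apk/res/android}"
# Manifest names of the permissions the post reads off the install screen.
RISKY = {"CALL_PHONE", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_BOOT_COMPLETED", "RECORD_AUDIO"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest (decoded XML form); package and class names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".SmsIn">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the risky permissions requested and any prioritised SMS receivers."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NS + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            prio = flt.get(NS + "priority")
            if SMS_ACTION in actions and prio is not None:
                receivers.append((rcv.get(NS + "name"), prio))
    return {
        "risky_permissions": sorted(perms & RISKY),
        # Receiving, sending and an explicit receiver priority together match the
        # intercept-and-forward behaviour described in the post.
        "sms_intercept_profile": bool(receivers) and {"SEND_SMS", "RECEIVE_SMS"} <= perms,
        "sms_receivers": receivers,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```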


Then the app reads the SMS message and stores the sender, text and SMS center number. The next step is to harvest information about your phone: firstRun ID, system version & build, device name, country you’re in, your phone number and operator.


All this information, followed by the sender of the incoming SMS, the SMS text and SMS service number, time and IMSI, will be sent to the server.

So, to wrap it up, the app

  1. Sends SMS messages to numbers you don’t see,
  2. Uploads sensitive information about your phone, and
  3. Lets someone else control your phone (not completely, but still... you’re not the one that sends the SMS).

Now you know the story of SatsFiU Player. Sure it’s okay to please your senses whenever you feel like it, but as always, be safe and use protection. :-) You can download our avast! Mobile Security on Google Play Store.

Additional information:

APK Package: com.loober.satsfiu

SHA256: C149AC741A3A1336193D355A7F59A4911D9B6FC8F88307F8EC86C85C10C9059A

Sources:

http://www.bestappsmarket.com/p/app?appId=713991&title=com-loober-satsfiu

http://apkfile.info/188113278198203/SatsFiU.htm

  1. June 17th, 2013 at 19:09 | #1

    sorry if my comments are not precise post admin sam title.
    I want to ask, when I install my computer and I have installed avast to SN. after that my computer is installed again, now I need SN again, how do I get the LSN again? korek api gas fighter indonesia
