Femas is a new family of Android malware that falls into the class known as droppers. Droppers have become increasingly popular for ad-fraud applications such as HummingWhale and numerous other families with similar behavior. In this case, the dropper downloads a remote access trojan (RAT) that exfiltrates data, although with less functionality than DroidJack.
The first publicly known occurrence of Femas is an upload to VirusTotal on December 22, 2015. A new variant appeared in early 2016. Femas has not been identified on devices outside of Israel or in any major app stores. Deployment relies entirely on socially engineering individuals into disabling OS protections and sideloading applications.
Kaspersky published the original research into Femas, describing it as having ‘relatively unsophisticated technical merit’. Lookout followed up, referring to the malware as an “advanced persistent threat (APT)”, “very sophisticated”, and giving it the more marketable name ViperRAT. Both have stated that Femas targets the Israeli Defense Force.
Infection requires users to go through multiple manual steps: downloading APKs from links sent in messaging apps, enabling ‘Unknown Sources’ in the system settings, and manually launching both the dropper app and the downloaded RAT. The RAT is likely to appear as WhatsApp Update or Viber. At this time, the threat to enterprises is low.
Recommendations for Enterprises
- Employ a mobile security solution that detects suspicious behaviors, sideloaded apps, and malware.
- Push internal enterprise apps via your MDM.
- Advise users not to install applications provided via links.
- Advise users to never adjust their settings to allow installation of apps from unknown sources.
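The infection chain above depends on two device conditions that an enterprise can audit: third-party packages that did not arrive through the Play Store or the MDM, and the ‘Unknown Sources’ toggle being enabled. The script below is an added example, not Appthority's or any vendor's code. It parses the output format of `adb shell pm list packages -3 -i` and the value of `adb shell settings get secure install_non_market_apps`, but runs on constructed sample data so it works offline; the com.example.* package names and the MDM agent name are placeholders, not real indicators.

```shell
#!/bin/sh
# Added example (not Appthority's or any vendor's code): audit an Android
# device for the two conditions the Femas infection chain depends on,
# sideloaded packages and the "Unknown sources" toggle.
#
# On a real device the inputs come from:
#   adb shell pm list packages -3 -i                       (third-party packages + installer)
#   adb shell settings get secure install_non_market_apps  (Android 7 and earlier)
# Here both are replaced by constructed sample data so the script runs offline.

# Constructed sample of `pm list packages -3 -i` output. The com.example.*
# names are placeholders standing in for a "WhatsApp Update" / "Viber"
# lookalike and an MDM-pushed internal app; they are not real indicators.
SAMPLE_PM_OUTPUT='package:com.whatsapp  installer=com.android.vending
package:com.example.whatsappupdate  installer=null
package:com.example.viber  installer=com.google.android.packageinstaller
package:com.example.internal  installer=com.example.mdmagent'

# Constructed sample of the legacy Unknown-sources setting ("1" = enabled).
SAMPLE_UNKNOWN_SOURCES='1'

# Installers we trust: the Play Store plus the (hypothetical) MDM agent that
# pushes internal enterprise apps. Anything else, including installer=null and
# the stock package installer used for manual APK installs, counts as sideloaded.
TRUSTED_INSTALLERS='com.android.vending com.example.mdmagent'

# find_sideloaded: read `pm list packages -i` lines on stdin and print the
# package name of every entry whose installer is not in TRUSTED_INSTALLERS.
find_sideloaded() {
    while IFS= read -r line; do
        pkg=${line#package:}           # drop the "package:" prefix
        pkg=${pkg%% *}                 # keep text up to the first space
        installer=${line##*installer=} # keep text after "installer="
        case " $TRUSTED_INSTALLERS " in
            *" $installer "*) ;;       # trusted installer, skip
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# unknown_sources_enabled VALUE: succeeds when the install_non_market_apps
# value is "1". On Android 8+ this global toggle no longer exists; the
# equivalent per-app check is `appops get <pkg> REQUEST_INSTALL_PACKAGES`.
unknown_sources_enabled() {
    [ "$1" = "1" ]
}

echo "Packages installed from an untrusted installer:"
printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_sideloaded

if unknown_sources_enabled "$SAMPLE_UNKNOWN_SOURCES"; then
    echo "WARNING: Unknown sources is enabled (install_non_market_apps=1)"
fi
```

To run this against a managed device, replace the two SAMPLE_ values with the live `adb shell` output and add your own MDM agent's package name to TRUSTED_INSTALLERS. Treating the stock package installer as untrusted is deliberate: a manual APK install through a messaging-app link is exactly the path this family relies on, and it is also what a mobile security solution should flag as a sideloaded app.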
How Appthority Customers and Their Employees Are Protected
All Appthority customers are automatically protected against this malware as part of the Appthority MTP solution’s malicious threat coverage. Any devices found with “Infected by Femas” should be remediated immediately. Further information is available in this support document: How to find Femas Apps in Appthority.