executive summary
Security is no longer a “nice to have,” but a must-have. Modern malware is no longer only about stealing files; it is about stealth and complexity too. Targeted attacks, among the most vicious examples of a stealthy threat, single out specific individuals, businesses, governments and their data. These attacks are sophisticated weapons for carrying out targeted missions in cyberspace.
The scenario becomes worse when these attacks land on your mobile devices. It is a scary fact to admit, but our mobiles hold more critical and private data than our computers do. Our mobiles are authorized to access our mailboxes, bank accounts, social networks, online backups and more.
In our digital forensics lab, while investigating a client’s case, we realized how users were being compromised by Android-based malware. The samples were then sent to our malware analysis team for in-depth analysis, where we studied each one to understand how it works and behaves. In this edition we present a few of the malware samples we found lurking inside users’ Android devices without their knowledge.
With this research-based bulletin we intend to foster research collaboration and educate our readers so that the internet community can fight these cyber threats.
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
google services framework
On Android phones, sometimes you can’t stop malware from “serving” you, especially when the “service” is actually a malicious Android service class running in the background and controlled by a remote access tool (RAT). This malware pretended to be the “Google Services Framework” and killed all anti-virus processes before performing any malicious activity. We found this fake Google Services Framework when we received a financial fraud case. The fake app was installed on the mobile of a user who had installed a few banking applications and linked his accounts to his phone.
In the past, we have seen Android malware that performs privacy leakage, banking credential theft or remote access separately, but this malware takes Android malware to a new level by combining all of those activities in one app. In addition, we found that the attacker had designed a framework for hijacking bank accounts.
A few seconds after the malicious app was installed, a “Google Services” icon appeared on the home screen. When the icon was tapped, the app asked for device administrator privileges. Once those privileges were granted, the uninstall option was disabled and a new service named “GS” was started, as shown below. When the user tapped the icon again the app showed “App isn’t installed.” and the icon was then removed automatically.
The malware supports plenty of malicious actions, which the RAT can command, as shown below:
Within a few minutes, the app connected to the C&C server and began receiving a task list from it. The server IP was 103.228.65.101, located in Hong Kong. We cannot confirm whether it is the attacker’s own IP, a victim machine controlled by the RAT, or a pivot through some other compromised host.
After performing these activities, it first kills the antivirus processes and then starts modifying the banking applications. After a few hours the user received a notification: “The new version has been released. Please use after reinstallation.” A genuine update does not work this way: the user is not asked to fetch a package and reinstall it by hand; the store downloads the update and Android performs the installation itself. The malware then downloaded from the C&C server an app named after “update” and the bank’s short name; for example, if the bank is SBI, it downloads “SBI Update”. While the fake banking app was downloading, the malware uninstalled the original bank app.
That was the first step. In the second step, when the command to upload SMS was received from the RAT, all the SMS on the Android phone were uploaded to the C&C server. It is more of a complex hijacking framework than a simple piece of malware.
After all the steps planned by the attacker had executed, he was able to access all of the victim’s bank accounts and transfer money out of them. The attacker could also read the victim’s SMS to obtain OTPs. This is how every bank account linked to the victim’s mobile was compromised.
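The two tell-tale signs in this case are a banking app that vanished and an “Update” package that arrived from outside the store. The following script, an added example and not code from this bulletin or from the malware, turns that into a check an analyst can run against a seized handset. It consumes the text output of `adb shell pm list packages -i` (lines of the form `package:<name>  installer=<package or null>`) and a map of package to signing-certificate SHA-256 that the analyst would fill from `apksigner verify --print-certs`; the `PINNED_SIGNERS` table holds digests recorded from a known-clean install. Every package name and digest below is a constructed placeholder.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Signing-certificate digests recorded from a clean install of each bank app.
# Constructed placeholder values, not real certificate hashes.
PINNED_SIGNERS = {
    "com.examplebank.mobile": "a1a1a1a1",
    "com.otherbank.mobile": "b2b2b2b2",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package -> installer package (None when `installer=null`, i.e. sideloaded)."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def flag_banking_apps(pm_text, observed_signers, bank_keywords=("bank",)):
    """Return (package, reason) alerts for banking apps that look tampered with."""
    installed = parse_pm_list(pm_text)
    alerts = []
    for pkg, installer in installed.items():
        name = pkg.lower()
        looks_like_bank = any(k in name for k in bank_keywords) or pkg in PINNED_SIGNERS
        if not looks_like_bank:
            continue
        if installer not in TRUSTED_INSTALLERS:
            alerts.append((pkg, f"installed by {installer or 'unknown/sideload'}"))
        if "update" in name:
            # Banks ship updates through the store, never as a separate "<BANK> Update" app.
            alerts.append((pkg, "separately installed 'update' package"))
        pinned, seen = PINNED_SIGNERS.get(pkg), observed_signers.get(pkg)
        if pinned and seen and pinned != seen:
            alerts.append((pkg, "signing certificate does not match pinned value"))
    # The original app being gone is itself the signature of the swap described above.
    for pkg in PINNED_SIGNERS:
        if pkg not in installed:
            alerts.append((pkg, "expected banking app is no longer installed"))
    return alerts


# Constructed sample: the real bank app is gone, a sideloaded "update" replaced it,
# and a second bank app is now signed by a different key.
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.examplebank.update  installer=null
package:com.otherbank.mobile  installer=com.android.vending
package:com.example.gsf  installer=null
"""
SAMPLE_SIGNERS = {
    "com.android.chrome": "e5e5e5e5",
    "com.examplebank.update": "d4d4d4d4",
    "com.otherbank.mobile": "c3c3c3c3",
}

if __name__ == "__main__":
    for pkg, reason in flag_banking_apps(SAMPLE_PM, SAMPLE_SIGNERS):
        print(f"{pkg}: {reason}")
```

On a real device the two inputs come from `adb shell pm list packages -i` and from running `apksigner` over each APK pulled with `adb pull`; the heuristic deliberately treats a missing pinned app as an alert, because in the case above the uninstall of the genuine app is what made room for the fake one.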
recommendations
It is better to research any app thoroughly before you install it on your phone. If you use banking applications on your phone, install only those apps you actually use, and do not give device administrator access to any app.
sms worm
We received this malware when a user complained that his mobile bill was more than 100 times his normal bill. The bill showed that he had been sending many international SMS every day. The Android phone was brought to us for further analysis.
After a normal analysis, we didn’t find anything malicious happening on the phone. We swapped the SIM card for a prepaid SIM, and its balance was nil within minutes. The case was then taken to our malware analysis lab, where we found an application named “XXshenqi.A”.
This application came bundled with a free game APK the user had downloaded from a torrent site. While installing the game, he was asked to download this application, which claimed to be the crack for the game, without which the game would not work. After installing it the game worked perfectly, so the user never bothered to remove the “crack”, and this malware carried SMS worm functionality.
Once the installation was complete, it asked the user to fill in a registration form. The data from this form were sent to the malware author.
The real behavior started once the form was filled in. First it hides the app’s icon from the launcher, then it registers broadcast receivers for incoming and outgoing SMS and for device boot. The app started a lot of background services, which slowed the phone and drained its battery. We also found that incoming SMS carried commands to the infected phone to execute malicious behavior, including sending e-mail, sending text messages and fake messages, and sending malicious download links to the user’s contacts. The user information was also sent to the malware author’s e-mail ID a137736513@qq.com, as you can see in the source code extracted from the malware below.
Installing antivirus and security solutions does not secure your device completely. Most users are compromised by pirated and fake apps. We recommend that you only download and install apps from your device’s official marketplace (Google Play). Do not install or accept any .apk file unless you trust the vendor or understand what you are doing.
This anti-virus program was actually a spam mail sender, and the user had already authorized the fake antivirus program to access his Gmail ID. His e-mail was also used to send invitations to all his personal and official contacts, so the fake antivirus spread through his entire office, and a few more colleagues were using it.
The user was also running a reputable antivirus, yet this program was not detected as malicious because it did not perform any malicious activity at first. When the program was installed, it automatically established a connection to http://malicious.coproration.hxor.ex/ and downloaded a few more supporting files, and those files were the malicious ones.
recommendations
We recommend that our readers not be fooled by these lucrative offers. Sometimes you may receive offers related to your internet searching habits or pages you liked on Facebook, but most of them are fake. Do not use or download pirated antivirus software: an antivirus is meant to protect your device and alert you to possible threats, and a pirated copy will not alert you anymore. It’s like hiring a thief as the guard of your home.
installing genuine “flash player”?

After clicking the Proceed button, a message pops up instructing the user to pay $300 via Green Dot MoneyPak and retrieve a coupon code; the user then enters that code to unlock the device. This makes the malware author untraceable. MoneyPak is a portal for sending money to wherever users need it. It works as a ‘cash top-up card’: the user buys a $300 card from a participating retailer with cash or by online transfer and then enters its code here.
Even after buying the $300 card, there is no assurance that your device will work as it did before the infection.
The malware does its best to be as intrusive as possible by blocking the victim’s normal use of the device. It uses a Java TimerTask scheduled to run every 10 milliseconds, which kills any other process the user interacts with, except the malware itself. The malware also holds an Android WakeLock to prevent the device from going to sleep.
In some cases these apps also steal your IMEI and display it to the user as a scare tactic. Sometimes the user receives threatening messages saying ‘We know who you are’. In some instances the app sends the IMEI back to its command and control server (C&C) so the device can be identified later and made to work like a bot.
Most of the time the user receives messages and notifications claiming they have been caught by the FBI and that this is FBI software. The malware even captures the user’s photo with the front camera to make the threat more realistic.
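The three samples in this bulletin share a small set of static indicators: a device-administrator receiver that blocks uninstall, SMS and boot broadcast receivers, a launcher icon that is hidden after first run, a process killer, and a WakeLock. The script below is an added example, not code from this bulletin or from any of the samples, that triages a decoded app for those indicators. It assumes the APK has already been unpacked with a decoder such as apktool (assumption), so that `AndroidManifest.xml` is readable text and the `smali/` files are available; the manifest and smali snippets embedded here are constructed to resemble the fake “Google Services” app and the lock-screen malware described above, and `com.example.gsf` is a made-up package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest-level indicators: why each one matters in the cases above.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "reads incoming SMS (OTP theft, SMS-borne commands)",
    "android.permission.SEND_SMS": "sends SMS (worm propagation, premium numbers)",
    "android.permission.WAKE_LOCK": "can keep the device awake (screen locker)",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill other apps (antivirus killing)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself after reboot",
}

# Code-level indicators: smali method references to look for.
SUSPICIOUS_CALLS = {
    "Landroid/app/ActivityManager;->killBackgroundProcesses": "kills other processes",
    "Landroid/os/PowerManager$WakeLock;->acquire": "acquires a WakeLock",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting": "hides its launcher icon",
    "Landroid/telephony/SmsManager;->sendTextMessage": "sends SMS programmatically",
    "Landroid/app/admin/DevicePolicyManager;->lockNow": "locks the screen via device admin",
    "Ljava/util/Timer;->schedule": "schedules a repeating TimerTask",
}


def manifest_findings(manifest_xml):
    """Return human-readable findings from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").lower()
    # A Google-branded label on a non-Google package is the impersonation seen above.
    if "google" in label and not package.startswith("com.google."):
        findings.append(f"label '{label}' impersonates Google on package {package}")
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"permission {name}: {SUSPICIOUS_PERMISSIONS[name]}")
    for receiver in root.iter("receiver"):
        rname = receiver.get(ANDROID_NS + "name", "?")
        if receiver.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(f"receiver {rname}: device administrator (blocks uninstall)")
        for flt in receiver.iter("intent-filter"):
            priority = int(flt.get(ANDROID_NS + "priority", "0"))
            for action in flt.iter("action"):
                aname = action.get(ANDROID_NS + "name", "")
                if aname == "android.provider.Telephony.SMS_RECEIVED":
                    findings.append(f"receiver {rname}: intercepts SMS_RECEIVED (priority {priority})")
                elif aname == "android.intent.action.BOOT_COMPLETED":
                    findings.append(f"receiver {rname}: runs at BOOT_COMPLETED")
    return findings


def smali_findings(smali_text):
    """Return findings for suspicious API references anywhere in the decoded smali."""
    return [f"code calls {ref}: {why}" for ref, why in SUSPICIOUS_CALLS.items() if ref in smali_text]


def triage(manifest_xml, smali_text):
    """Combine both views; 'high' means several independent indicator classes agree."""
    findings = manifest_findings(manifest_xml) + smali_findings(smali_text)
    verdict = "high" if len(findings) >= 5 else "medium" if len(findings) >= 2 else "low"
    return {"verdict": verdict, "findings": findings}


# Constructed sample manifest modelled on the fake "Google Services" app above.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.gsf">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Google Services">
    <service android:name=".GS"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed smali excerpt: the 10 ms TimerTask process killer with a WakeLock.
SAMPLE_SMALI = """\
.method public run()V
    invoke-virtual {v0, v1}, Landroid/app/ActivityManager;->killBackgroundProcesses(Ljava/lang/String;)V
    invoke-virtual {v2}, Landroid/os/PowerManager$WakeLock;->acquire()V
    invoke-virtual {v3, v4, v5, v6}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
    invoke-virtual {v7, v8, v9, v10}, Ljava/util/Timer;->schedule(Ljava/util/TimerTask;JJ)V
.end method
"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_SMALI)
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

None of these indicators is malicious on its own (an SMS app legitimately asks for RECEIVE_SMS, a mobile device management client is a device administrator); what the samples above have in common is the combination, which is why the verdict only rises to “high” when several unrelated classes of indicator are present together.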
recommendations
Unfortunately, this ransomware is not detected by several major mobile antivirus and security solutions, and it is extremely hard to remove if you gave the malware device administrator privileges. Flashing or hard resetting your device will get your phone back to a properly functioning state. Avoid giving device administrator access to applications unless you are really sure what they do. Only download apps from developers you know and trust. Use apps like Lookout, which can detect these threats before you open them.