Joker, Facestealer and Coper banking malwares on Google Play store

Google Play Store is typically considered one of the safest sources for users to find and install Android apps. However, threat actors continue to evolve their tactics and still manage to upload dangerous, malware-laced apps to the Google Play Store. Recently, the Zscaler ThreatLabz team discovered apps carrying multiple instances of the Joker, Facestealer, and Coper malware families spreading in the virtual marketplace. The ThreatLabz team immediately notified the Google Android Security team of these newly identified threats, and they promptly removed the malicious apps from the Google Play Store. The following is the technical analysis of the three malware family payloads recently discovered in the Play Store.

Joker Malware

Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying its trace signatures, including updates to the code, execution methods, and payload-retrieving techniques. This malware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services.
Over the past two months, our ThreatLabz researchers discovered the following malicious Joker downloader apps in the Google Play Store:

- Simple Note Scanner - com.wuwan.pdfscan
- Universal PDF Scanner - com.unpdf.scan.read.docscanuniver
- Private Messenger - com.recollect.linkus
- Premium SMS - com.premium.put.trustsms
- Smart Messages - com.toukyoursms.timemessages
- Text Emoji SMS - messenger.itext.emoji.mesenger
- Blood Pressure Checker - com.bloodpressurechecker.tangjiang
- Funny Keyboard - com.soundly.galaxykeyboard
- Memory Silent Camera - com.silentmenory.timcamera
- Custom Themed Keyboard - com.custom.keyboardthemes.galaxiy
- Light Messages - com.lilysmspro.lighting
- Themes Photo Keyboard - com.themes.bgphotokeyboard
- Send SMS - exazth.message.send.text.sms
- Themes Chat Messenger - com.relish.messengers
- Instant Messenger - com.sbdlsms.crazymessager.mmsrec
- Cool Keyboard - com.colate.gthemekeyboard
- Fonts Emoji Keyboard - com.zemoji.fontskeyboard
- Mini PDF Scanner - com.mnscan.minipdf
- Smart SMS Messages - com.sms.mms.message.ffei.free
- Creative Emoji Keyboard - com.whiteemojis.creativekeyboard.ledsloard
- Fancy SMS - con.sms.fancy
- Fonts Emoji Keyboard - com.symbol.fonts.emojikeyboards
- Personal Message - com.crown.personalmessage
- Funny Emoji Message - com.funie.messagremo
- Magic Photo Editor - com.amagiczy.photo.editor
- Professional Messages - com.adore.attached.message
- All Photo Translator - myphotocom.allfasttranslate.transationtranslator
- Chat SMS - com.maskteslary.messages
- Smile Emoji - com.balapp.smilewall.emoji
- Wow Translator - com.imgtop.camtranslator
- All Language Translate - com.exclusivez.alltranslate
- Cool Messages - com.learningz.app.cool.messages
- Blood Pressure Diary - bloodhold.nypressure.mainheart.ratemy.mo.depulse.app.tracker.diary
- Chat Text SMS - com.echatsms.messageos
- Hi Text SMS - ismos.mmsyes.message.texthitext.bobpsms
- Emoji Theme Keyboard - com.gobacktheme.lovelyemojikeyboard
- iMessager - start.me.messager
- Text SMS - com.ptx.textsms
- Camera Translator - com.haixgoback.outsidetext.languagecameratransla
- Come Messages - com.itextsms.messagecoming
- Painting Photo Editor - com.painting.pointeditor.photo
- Rich Theme Message - com.getmanytimes.richsmsthememessenge
- Quick Talk Message - mesages.qtsms.messenger
- Advanced SMS - com.fromamsms.atadvancedmmsopp
- Professional Messenger - com.akl.smspro.messenger
- Classic Game Messenger - com.classcolor.formessenger.sic
- Style Message - com.istyle.messagesty
- Private Game Messages - com.message.game.india
- Timestamp Camera - allready.taken.photobeauty.camera.timestamp
- Social Message - com.colorsocial.message

ThreatLabz has discovered over 50 unique Joker downloader apps on the Play Store so far. Combined, these apps were downloaded over 300k times, and they typically fall into one of the following common categories:

- Communication
- Health
- Personalization
- Photography
- Tools

The following is the breakdown of the number of apps per category:

Tools and Communication were the most targeted categories, covering the majority of the Joker-infected apps. ThreatLabz observed daily uploads of apps containing the Joker malware, indicating the high activity level and persistence of the adversary group. Consistent with previous findings, ThreatLabz's latest discoveries belonging to the Joker campaign continue to follow similar developer naming patterns and use familiar techniques. Check out our previous blog, Joker Joking in Google Play, for a more in-depth analysis of this specific campaign.

The following is the technical analysis of the Enjoy Message Joker app:

App Name: Enjoy Message
Package Name: sms.ienjoy.joysms.message

The Joker malware authors develop and release a range of apps, from the very complex to the incredibly simple.
Instead of waiting for apps to gain a specified volume of installs and reviews before swapping in a malware-laced version, the Joker developers have taken to hiding the malicious payload in a common asset file and packaging the application with commercial packers. This is one of the primary reasons why these malicious apps often go undetected by antivirus software and during evaluation by the Play Store. Most commonly, threat actors disguise the Joker malware in messaging applications that require users to grant escalated access permissions by allowing them to serve as the default SMS app on the user's phone. The malware uses these advanced permissions to carry out its operations.

In the Enjoy SMS application, the payload is hidden at a known path, but the path itself is obfuscated in the application's class.

Fig 1: Obfuscated path of the payload

Upon deobfuscation, the path becomes visible: the payload resides in the asset directory "io/michaelrocks/libphonenumber/android/data/PhoneNumberAlternateFormatsProto_53". The package name of the application is hashed to derive the AES decryption key. Decrypting the payload with this key yields an executable (.so) file that declares the following functions.

Fig 2: Function/class names of similar known SDKs

To deter investigation, the class and method names appear similar to those of known SDKs. The "onInstall" function in the hidden dropped executable is called at runtime after the executable is loaded with "System.loadLibrary".

Fig 3: Implementation of malicious code inside executable

As shown above, the executable loads the method 'Wnjre' from the 'com.Brling' class. The dropped executable hides its payload with Base64 encoding.

Fig 4: Base64 encrypted content

The second payload downloads a known weaponized Java ARchive (JAR) file as a third payload, as shown below.
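The asset-hiding tricks described in this Joker analysis (a payload stored under an innocuous asset path, an ELF executable shipped outside lib/, asset files whose bytes do not match their extension) can be triaged statically before any decryption is attempted. The script below is an added example, not ThreatLabz's tooling or anything from the samples; it walks an APK's assets/ and res/raw/ entries and flags ELF magic, extension/content mismatches, and large high-entropy blobs. The APK built by build_sample_apk() is constructed for the demonstration, and the entropy threshold and magic-byte table are assumptions.

```python
"""Triage an APK for payloads hidden in asset files (added example).

This is not ThreatLabz's tooling; it is an analyst-side check for the
hiding tricks this Joker analysis describes: a payload stored under an
innocuous asset path, an ELF executable placed outside lib/, and asset
files whose content does not match their extension. The sample APK built
by build_sample_apk() is constructed for the demonstration; the thresholds
and the magic-byte table are assumptions, not values from the report.
"""
from __future__ import annotations

import io
import math
import random
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
# Asset path named in the report for the Enjoy Message sample.
JOKER_ASSET_PATH = (
    "assets/io/michaelrocks/libphonenumber/android/data/"
    "PhoneNumberAlternateFormatsProto_53"
)
# Expected leading bytes for extensions Joker droppers borrow (assumed table).
MAGIC_BY_EXT = {
    ".png": (b"\x89PNG",),
    ".ttf": (b"\x00\x01\x00\x00", b"true", b"OTTO"),
    ".json": (b"{", b"["),
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off for "looks encrypted"
MIN_ENTROPY_SIZE = 512   # skip tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Map zip entry name -> reasons for every asset that looks like a hidden payload."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # lib/ legitimately holds ELF objects and classes.dex is out of scope here.
            if info.is_dir() or not name.startswith(("assets/", "res/raw/")):
                continue
            data = zf.read(info)
            base = name.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            reasons = []
            if data.startswith(ELF_MAGIC):
                reasons.append("ELF executable stored as an asset")
            expected = MAGIC_BY_EXT.get(ext)
            if expected and not data.lstrip().startswith(expected):
                reasons.append(f"content does not match {ext} extension")
            if len(data) >= MIN_ENTROPY_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                reasons.append("high-entropy blob (possibly encrypted payload)")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like zip mimicking the layout discussed in the report."""
    rng = random.Random(1)
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for an AES-encrypted payload
    fake_font = ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 60         # ELF header behind a .ttf name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("lib/armeabi-v7a/libnative.so", ELF_MAGIC + b"\x00" * 64)  # legitimate location
        zf.writestr("assets/config.json", b'{"theme": "dark"}')               # benign asset
        zf.writestr("assets/fonts/theme.ttf", fake_font)
        zf.writestr(JOKER_ASSET_PATH, encrypted_blob)
    return buf.getvalue()


if __name__ == "__main__":
    for path, why in triage_apk(build_sample_apk()).items():
        print(path, "->", "; ".join(why))
```

Run against a real APK by passing the file's bytes to triage_apk(); the benign config.json and the ELF under lib/ produce no findings, while the fake font and the high-entropy blob under the libphonenumber path do. An entropy hit alone is only a lead (compressed images score high too), which is why the script reports the reason rather than a verdict.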
Fig 5: Decrypted payload

The following are some examples of common techniques used by the Joker malware:

1. The app confirms that its package is still live on the Google Play Store.

Fig 6: Checks Google Play Store to confirm the app is still live.

2. Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and ship an ARM ABI executable to avoid detection by most sandboxes, which are based on the x86 architecture.

3. Joker malware hides payloads with different types of encryption, including XOR, AES, DES, and ElGamal, commonly combined with fake versions of known asset files. Some of these are given extensions such as JSON, TTF, PNG, or database files. In several examples, apps encrypt and hide the malicious payload in the metadata of the app manifest file. More often, the decryption key is derived from the package name of the app, possibly to avoid the additional effort of customizing decryption routines.

Fig 7: ELGAMAL encryption

Fig 8: DES key derivation from the package name

IOCs:

http://givehotdog[.]com
https://trustcats[.]com
http://giveme8[.]com/
https://xjuys[.]oss-accelerate[.]aliyuncs[.]com/xjuys
http://139[.]177[.]180[.]78/hell
https://xjuys[.]oss-accelerate[.]aliyuncs[.]com/fbhx1
https://xjuys.oss-accelerate[.]aliyuncs[.]com/fbhx2

FaceStealer Malware

Facestealer malware, known for targeting Facebook users with fake Facebook login screens, was also discovered on the Google Play Store. Once the device is infected, the user is prompted to log in to Facebook and cannot use the app without entering their credentials. Upon successful login, the credentials as well as auth tokens are stolen by the malware author.

App Name: cam.vanilla.snapp
Downloads: 5000
Category: Tools

Fig 9: Fake Facebook login screen

The fake page shown above is opened by the app in a WebView, which injects JavaScript downloaded from the server.
Fig 10: URL for downloading malicious JavaScript

Once enabled, the malware app reaches out to the command and control (C2) server to download the malicious JavaScript. The URL, https://busynow[.]store/config, is still active, and in the latest update the malware authors added a character to make automatic decoding of the Base64-encoded string fail. In the following screenshots, the added extra "W" character causes the decode to fail and revert to plaintext.

Fig 11: Base64 decoded

As shown in the screenshot below, stolen credentials and tokens are sent to the C2 server by the JavaScript loaded with malicious code.

Fig 12: Shows the "c_url" parameter for a remote C2 stealing Facebook credentials.

IOCs:

busynow[.]store
Zs8668[.]com
kcoffni[.]xyz

Coper Malware

Coper is a well-known trojan that targets banking applications in Europe, Australia, and South America, disguised as a legitimate app in the Google Play Store. Once downloaded, the app unleashes the Coper malware infection, which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overlay attacks, preventing uninstalls, and generally allowing attackers to take control of and execute commands on the infected device via a remote connection with a C2 server. These activities ultimately lead to attackers gaining information and access they can leverage to steal money from victims.

App Name: Unicc QR Scanner
Package name: com.qrdscannerratedx
SHA256: 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4

Fig 13: Unicc QR Scanner app laced with Coper malware on Google Play Store

This app disguises itself as a free QR scanner. Once installed, the app immediately prompts the user to update the app.
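The Facestealer config trick above (one extra "W" that makes the Base64 decode fail so automated tooling falls back to treating the string as plaintext) is cheap for the author and cheap to undo once an analyst knows to expect it. The helper below is an added example, not Facestealer's code or ThreatLabz tooling: it first attempts a strict decode and, when that fails, tries every single-character deletion and keeps the candidates that decode to valid UTF-8 JSON, together with the index that was dropped. SAMPLE_CONFIG is constructed for the demonstration; "c_url" is the parameter name the post shows in Fig 12, and the URL is a placeholder.

```python
"""Recover a Base64 C2 config broken by one inserted junk character (added example).

This is not Facestealer's code or ThreatLabz tooling. The report notes that a
single extra "W" in the config served from the C2 makes automatic Base64 decoding
fail. A strict decoder gives up; this helper tries every single-character
deletion and keeps the candidates that decode to valid UTF-8 JSON, with the
position that was removed. SAMPLE_CONFIG is constructed: "c_url" is the key the
report mentions, the URL is a placeholder.
"""
from __future__ import annotations

import base64
import binascii
import json

SAMPLE_CONFIG = {"c_url": "https://c2.example.invalid/cfg", "v": 1}
# The JSON text is 48 bytes, a multiple of 3, so its Base64 form has no "="
# padding; one inserted character then leaves a length of 1 mod 4, which
# every Base64 decoder must reject.
SAMPLE_B64 = base64.b64encode(
    json.dumps(SAMPLE_CONFIG, separators=(",", ":")).encode()
).decode()
TAMPERED_B64 = SAMPLE_B64[:5] + "W" + SAMPLE_B64[5:]  # the anti-analysis junk character


def try_decode_json(s: str):
    """Strictly Base64-decode s and parse it as JSON; None on any failure."""
    try:
        raw = base64.b64decode(s, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):
        return None


def recover_config(s: str) -> list[tuple[int | None, object]]:
    """Return (removed_index, config) candidates.

    If s decodes as-is, the single candidate carries index None. Otherwise
    each single-character deletion that yields valid JSON is reported; when
    the junk lands inside an ASCII-only region a few look-alikes can parse,
    so the analyst gets all of them rather than a silent guess.
    """
    direct = try_decode_json(s)
    if direct is not None:
        return [(None, direct)]
    candidates: list[tuple[int | None, object]] = []
    for i in range(len(s)):
        cand = try_decode_json(s[:i] + s[i + 1:])
        if cand is not None:
            candidates.append((i, cand))
    return candidates


if __name__ == "__main__":
    print("direct decode:", try_decode_json(TAMPERED_B64))
    for idx, cfg in recover_config(TAMPERED_B64):
        print(f"drop index {idx}: {cfg}")
```

The strict decode of TAMPERED_B64 returns None, and the candidate list contains the original config at index 5. Deleting a neighbouring character in the same 4-character group can also yield parseable JSON with a slightly different key, so the function returns every candidate with its index instead of picking one; in practice the right one is obvious because the other fields are intact.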
Fig 14: Screenshots show the process of enabling the malware infection by asking the user to upgrade the app, then prompting them to grant advanced access permissions to the app in their device settings.

Next, the threat actors use a trojan dropper, designed to install malware or a backdoor on a device, which leverages the Google Firebase app developer tool to call out and receive the URL that will deliver the malicious payload, as shown in the screenshot below.

Fig 15: Firebase call-out

The malware downloads a configuration that includes the URL hosting the new malicious payload. As shown in the screenshot below, the name of the new payload is set in the Android SharedPreferences file. The name of the installed payload also keeps changing.

Fig 16: Shared preferences

The newly installed file is a fake Google Play Store app with the package name "com.fromtoo2" that immediately prompts the user to grant escalated accessibility permissions, giving it full control of the user's phone. In the background, the fake Google Play Store app loads the libWeEq.so executable file and calls the predefined MvsEujZ function, as shown and described below.

Fig 17: MvsEujZ function called from executable file

The MvsEujZ function shown above decrypts a runnable file with a static key found in the executable and prompts the user to grant escalated accessibility permissions at launch. After decryption with libWeEq.so, the Coper code base becomes visible, as shown in the screenshot below.

Fig 18: Coper codebase

This final payload uses Rivest Cipher 4 (RC4) encryption to hide its malicious signatures and avoid detection. The following screenshot shows the decrypted C2 server addresses used by the Coper malware.

Fig 19: Screenshot shows the decoded contents of the payload

In case the Virtual Network Computing (VNC) service for remote-control access is not available, the malware authors leverage the Android TeamViewer app to monitor the screen of the infected device, as shown in the screenshot below.

Fig 20: Screenshot shows the code enabling attackers to use TeamViewer to monitor the screen of a device remotely

Finally, this last screenshot shows the backend of the WebView where malicious JavaScript is loaded to enable the attackers to take full control through a C2 server connection and execute the actions they need to compromise and ultimately extort the victim.

Fig 21: Shows attackers leveraging the Android developer component WebView

IOCs:

raw[.]githubusercontent[.]com/k6062019/qq/main/porc[.]apk
abashkinokabashkinok[.]top/ZmEwY2ZmZWYzN2Mw/
asqwnbvb[.]shop/ZmEwY2ZmZWYzN2Mw/
barabashkinok[.]top/ZmEwY2ZmZWYzN2Mw/
ccnfddbvb[.]pics/ZmEwY2ZmZWYzN2Mw/
eendfbvb[.]sbs/ZmEwY2ZmZWYzN2Mw/
nbervbwe[.]monster/ZmEwY2ZmZWYzN2Mw/
nbrtvbsd[.]mom/ZmEwY2ZmZWYzN2Mw/
nbvb3954[.]fun/ZmEwY2ZmZWYzN2Mw/
nbvbvber[.]makeup/ZmEwY2ZmZWYzN2Mw/
nbvmnbbn[.]lol/ZmEwY2ZmZWYzN2Mw/
nbvvvb[.]hair/ZmEwY2ZmZWYzN2Mw/
nterospbnvdos[.]site/ZmEwY2ZmZWYzN2Mw/
nterospusios[.]shop/ZmEwY2ZmZWYzN2Mw/
ntospusios[.]top/ZmEwY2ZmZWYzN2Mw/
nytbvb[.]one/ZmEwY2ZmZWYzN2Mw/
qqnnffbvb[.]space/ZmEwY2ZmZWYzN2Mw/
qwnnnbvb[.]skin/ZmEwY2ZmZWYzN2Mw/
vbfdnbvb[.]online/ZmEwY2ZmZWYzN2Mw/
vntososupplsos[.]live/ZmEwY2ZmZWYzN2Mw/
wwereffnbvb[.]store/ZmEwY2ZmZWYzN2Mw/
xxfdnbvb[.]quest/ZmEwY2ZmZWYzN2Mw/

What Android users can do to avoid infection by these malware families:

- Don't install unnecessary, untrusted, and un-vetted apps on your mobile device. Stick to the sources and providers you know and trust.
- Look for apps with very high install numbers and positive reviews. Seek out apps that are recommended by sources you trust and that also have lots of installs and positive reviews.
- Don't grant notification listener permissions or escalated accessibility permissions to apps you don't fully trust. The notification listener service adds the app's package name to the enabled_notification_listeners provider, which lets the app read notifications, including critical ones such as auto-generated one-time passwords/PINs (OTP).
- Avoid installing messaging apps if possible, or use extreme caution and take the time to research and ensure that the app is well known and reviewed. Even when a link comes from a trusted friend asking you to download a messaging app, consider the possibility that your friend's device may be compromised by malware: stop to confirm with them first, and then still take the time to conduct your own research and verify that the app has a well-established and safe reputation before installing. Messaging apps require the READ_SMS permission for their functionality and can easily leverage it to obtain information, including OTPs they can use to further compromise victims.
- If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your Play Store app. It is important that we work together to identify, flag, and remove malicious apps from our preferred app stores as soon as possible to limit the spread of malware and inhibit the success of threat actors.
- If you are responsible for protecting your corporate network, deploy Zscaler's zero trust architecture to protect your users and prevent further compromise if a malicious app is downloaded by a user on their personal device.
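The three grants this advice revolves around, and that the Coper section shows being abused by the fake Play Store app, all live in the Android Secure settings table: enabled_notification_listeners, enabled_accessibility_services, and sms_default_application. The script below is an added example, not Zscaler's or Google's tooling; it parses the colon-separated ComponentName lists those keys hold and reports any package outside an allow-list that holds one of the roles. On a real device the values come from `adb shell settings get secure <key>`; the SAMPLE_SETTINGS values are constructed (com.fromtoo2 is the package name the Coper section reports, the other components are placeholders), and TRUSTED_PACKAGES is an assumed allow-list.

```python
"""Audit the Android Secure settings that grant the roles this post warns about
(added example): notification listeners, accessibility services, default SMS app.

Not Zscaler's or Google's tooling. On a device the values come from
`adb shell settings get secure <key>`; SAMPLE_SETTINGS is constructed
(com.fromtoo2 is the fake Play Store package named in the Coper section,
the other component names are placeholders) and TRUSTED_PACKAGES is an
assumed allow-list.
"""
from __future__ import annotations

# Real Secure-settings keys and what holding each role lets an app do.
KEYS = {
    "enabled_notification_listeners": "notification listener (can read OTP notifications)",
    "enabled_accessibility_services": "accessibility service (can drive the UI)",
    "sms_default_application": "default SMS app (READ_SMS / SEND_SMS)",
}

# Constructed sample of what `settings get secure <key>` prints for each key.
SAMPLE_SETTINGS = {
    "enabled_notification_listeners":
        "com.android.systemui/.NotificationListener:com.fromtoo2/.ListenerService",
    "enabled_accessibility_services":
        "com.fromtoo2/com.fromtoo2.AccessService",
    "sms_default_application": "com.example.trusted.messenger",
}

TRUSTED_PACKAGES = {"com.android.systemui", "com.example.trusted.messenger"}  # assumed


def parse_components(value: str) -> list[str]:
    """Split a colon-separated ComponentName list into package names.

    `settings get` prints the literal string "null" when a key is unset.
    """
    if value in ("", "null"):
        return []
    pkgs = []
    for comp in value.split(":"):
        pkg = comp.split("/", 1)[0].strip()  # "pkg/ClassName" -> "pkg"
        if pkg:
            pkgs.append(pkg)
    return pkgs


def audit_grants(settings: dict[str, str], trusted: set[str]) -> list[tuple[str, str]]:
    """Return (package, role) pairs for non-allow-listed packages holding a role."""
    findings = []
    for key, role in KEYS.items():
        value = settings.get(key, "")
        # The SMS key holds a bare package name, the other two hold ComponentName lists.
        pkgs = [value.strip()] if key == "sms_default_application" else parse_components(value)
        for pkg in pkgs:
            if pkg and pkg != "null" and pkg not in trusted:
                findings.append((pkg, role))
    return findings


if __name__ == "__main__":
    for pkg, role in audit_grants(SAMPLE_SETTINGS, TRUSTED_PACKAGES):
        print(f"{pkg}: holds {role}")
```

Against the constructed sample the audit reports com.fromtoo2 twice, once as a notification listener and once as an accessibility service, while the allow-listed SMS app is silent. To use it on a device, run `adb shell settings get secure` for each key in KEYS and pass the three outputs in as the settings dict; an app that needs none of these roles for its stated purpose but holds one is exactly the case the advice above tells users to refuse.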
