Fake Antivirus Found on Google Play


“Only when the tide goes out do you discover who’s been swimming naked”. – Warren Buffett


We recently found that “Automatic Virus Scanner” (ggg.tools.anti01), an antivirus app with 100k-500k downloads on Google Play, is actually a “placebo”; in other words, it provides no protection functionality at all.

This app is built on the Unity framework, with quite a lot of animations and sounds. Take a look:

First time using it? You will be scared to find so many “red viruses” on your phone.

After you click the “clean” button, it starts “bombing” the viruses. If you scan again, it shows a clean result.

Looks real huh? Let’s find out what’s going wrong!


The code for the “scan” logic (written in C# on the Unity framework) reads several values from a local XML file, which contains the “last scanned date” (the “y”, “m” and “d” values) and the “whether the user scanned before” (“f”) value. If the user has not scanned before, or 3 days have passed since the last scan, it plays the “red virus” animation and displays “virus detected”. Otherwise, it displays “no virus”.

The local XML file is the only basis for showing a positive result or not. It stores the point in time at which the app “should” detect a virus. The “f” value indicates whether the user has clicked “clean virus” before. If you delete this file, the app always detects a virus.
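The decision logic described above, modelled as an added example (not the app's decompiled code) to show that the verdict depends only on the state file and the clock, never on what is installed. The XML layout, the encoding of “f” as 1, and reading “3 days have passed” as “3 or more” are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

RESCAN_DAYS = 3  # interval given in the write-up

def placebo_verdict(state_xml, today):
    """Return the result screen the described "scan" logic would show.

    state_xml is the text of the local XML file, or None if it is missing.
    The element layout is an assumption; the page names only y, m, d and f.
    """
    if state_xml is None:                      # file deleted: always "detects"
        return "virus detected"
    vals = {el.tag: (el.text or "").strip() for el in ET.fromstring(state_xml)}
    if vals.get("f") != "1":                   # user has never "cleaned" (assumed encoding)
        return "virus detected"
    last = date(int(vals["y"]), int(vals["m"]), int(vals["d"]))
    # Treating "3 days have passed" as >= 3 is an assumption.
    if (today - last).days >= RESCAN_DAYS:
        return "virus detected"
    return "no virus"

# Constructed state file: the user "cleaned" on 2015-03-16.
SAMPLE_STATE = "<state><y>2015</y><m>3</m><d>16</d><f>1</f></state>"

if __name__ == "__main__":
    for day in (date(2015, 3, 17), date(2015, 3, 19)):
        print(day, placebo_verdict(SAMPLE_STATE, day))
    print("file deleted:", placebo_verdict(None, date(2015, 3, 17)))
```

Note that the function takes no package list, file path or signature database as input, which is the tell for a placebo scanner.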

Also, according to our dynamic analysis sandbox, only the statistics and ads URLs were visited while using this app. No backend was found, nor did the app access any local APKs during the scan.

Statistics and ads are accessed, but no backend is found. It writes a config file, but no local APK file is accessed. How could it “scan”? It seems this app delivers only a “sense of security” rather than solid protection.

0Day Malware, 0Day Detect


Authors: Tianfang Guo, Jinjian Zhai

The “Fake Amazon Giftcard” is malware that has been spreading over the last 48hrs. It’s pretty simple from a technical standpoint, but it has infected 4,000 devices and caused over 200,000 spam SMS worldwide in less than 24hrs (source: http://goo.gl/cFs2BG).

Let’s see what it can do:

    • The app presents itself as a “survey for giftcard” app to attract user installs.

    • After the user installs it, it reads the contact list and sends spam SMS, which includes a download link, to all of the victim’s contacts. So it spreads like a worm.

Hey [contact name], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazonReward

    • The app’s interface is a series of surveys based on a web view, which collects a lot of the user’s private information, especially from those who are greedy for the giftcard. The app also includes an advert SDK to generate more profit.

Trustlook intercepted a sample from our user base yesterday, Mar 3rd, and the dynamic analysis sandbox gave us a detailed report within 2 minutes.

According to VirusTotal, at the time of interception only 2 out of 57 antivirus programs could identify it. After 24hrs, 46 out of 57 AV programs were still blind to this simple malware. Nor was any AV program warning its users about the malicious link used to download the malware.

This is another example that shows the superiority of behavioral analysis in the modern mobile era.
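A behavioral rule for the worm pattern described above (read contacts, then text the same link to many of them), as an added example that is not Trustlook's sandbox logic. The event format, package names, phone numbers and link are constructed for illustration.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")

def sms_worm_findings(events, min_recipients=3):
    """Flag apps that read contacts and then text one link to many of them."""
    contacts_read = {}                 # app -> numbers it obtained from contacts
    link_targets = defaultdict(set)    # (app, url) -> contact numbers texted
    for ev in events:
        app = ev["app"]
        if ev["type"] == "contacts_read":
            contacts_read.setdefault(app, set()).update(ev["numbers"])
        elif ev["type"] == "sms_send" and app in contacts_read:
            # Only count messages that go to numbers taken from the contact list.
            if ev["to"] in contacts_read[app]:
                for url in URL_RE.findall(ev["body"]):
                    link_targets[(app, url)].add(ev["to"])
    return sorted((app, url, len(to)) for (app, url), to in link_targets.items()
                  if len(to) >= min_recipients)

LINK = "https://example.invalid/reward"      # constructed placeholder link
NUMBERS = ["+15550001", "+15550002", "+15550003"]
EVENTS = [                                   # constructed sandbox trace
    {"app": "com.example.giftcard", "type": "contacts_read", "numbers": NUMBERS},
    *[{"app": "com.example.giftcard", "type": "sms_send", "to": n,
       "body": "Hey, I am sending you a gift card. Claim it here : " + LINK}
      for n in NUMBERS],
    # Benign: reads contacts but sends a single link to a single contact.
    {"app": "com.example.chat", "type": "contacts_read", "numbers": NUMBERS},
    {"app": "com.example.chat", "type": "sms_send", "to": "+15550002",
     "body": "Directions: https://example.invalid/map"},
    # Benign: sends a link without ever reading contacts.
    {"app": "com.example.bank", "type": "sms_send", "to": "+15550009",
     "body": "Statement: https://example.invalid/stmt"},
]

if __name__ == "__main__":
    for finding in sms_worm_findings(EVENTS):
        print("possible SMS worm:", finding)
```

The rule keys on behavior, so it fires regardless of package name or file hash.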

How Android Phones are Hacked when Power is “Off”

Authors: Jinjian Zhai, Tianfang Guo

Spyware targeting Android phones has been a steadily growing malware group since early 2014. For example, a sample of the Android.Spy malware family (MD5: 14d9f1a92dd984d6040cc41ed06e273e) was first reported on 01/26/2014, with only 1 out of 48 AV vendors detecting it as malware at that time [1].

Initial scanning result.

The malware disguised itself as a kind of Google service and tried to monitor the Android phone and intercept incoming calls to record the audio.

The malware disguised itself as a Google package.

It can even suppress the ringtone and vibration in order to record the phone call to a file on the phone.

The recorded audio file can then be uploaded with other files as soon as the malware client app receives the “FIL” command from the command-and-control (CNC) server.

The spying malware family never stops evolving. Recently it was reported by AVG Virus Labs that a new malware can spy on users even when the mobile phone is turned off [2].

The story starts when you press the power button. The sequence of Android events that follows a power button press has been described in an earlier blog post [3] as well as the AVG blog [2].

First, the PhoneWindowManager.interceptKeyBeforeQueueing() method is called:

Second, the code is directed to the KeyEvent.KEYCODE_POWER case:

Then the interceptPowerKeyDown() method is called:

Finally, the phone is powered off when the mPowerLongPress variable is handled:

Following this process, Tencent Labs published an open-source proof-of-concept (POC) tool, “hijackAndroidPowerOff” [4], to demonstrate how the TelephonyManager class is duped to leave the victim phone accessible [5] when it is turned off. The scanning result of the provided sample [4] has been unknown since it was published. Because the platform the tool is based on is considered benign in many scans, it is highly doubtful that the tool would be detected as malware.

The tool [4] is built on the Xposed platform [6], which is a dynamic hijacking tool targeting Android phones [7]. Relying on the Xposed package, which can hook most of the Android SDK, the hijackAndroidPowerOff tool plays a trick by hooking the shutdown() method in the PhoneWindowManager class. Using the de.robv.android.xposed.XC_MethodHook abstract class that the Xposed package provides, the hacker overrides afterHookedMethod() in the XC_MethodHook class.

In the overriding function, the shutdown() method leads to the fake “Shut Down” dialog and starts the myCancelShutdownDialog Runnable, whose name implies it’s the fake version of the authentic myShutdownDialog Runnable:

In the strangely named myCancelShutdownDialog Runnable, the run() method is overridden to run all the necessary steps before shutting down the phone, except that the “shutdown” system call is replaced by the goToSleep() method. The hacker then adds the extra call-monitoring method, listenCall():

The listenCall() method leads to a BroadcastReceiver service which is no more than an ordinary call-monitoring function. Note that at this point the phone is actually sleeping rather than shut down, although both states show a black screen.

As we stated at the beginning of the blog, the call-monitoring code can easily be replaced by many kinds of malicious injection, such as audio recording and a CNC client, while the Android phone is actually sleeping instead of powered off.

Furthermore, such code is based on popular tools like Xposed, and conceals itself in com.google or obfuscated package names. Signature-based AV vendors are not able to detect the real snippet of the malware. In this case, we can only depend on behavior-based anti-virus tools to find the needle in the haystack.
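A static triage check that can sit alongside behavioral analysis, added here as an example and not taken from the PoC or the original post: it looks for the Xposed module marker (assets/xposed_init, the Xposed convention for listing entry classes) together with the class and method names this post mentions. The sample APKs and the entry class name are constructed.

```python
import io
import zipfile

# Names taken from the write-up: the hooked class and method, and the sleep
# call substituted for the real power-off.
HOOK_STRINGS = (b"PhoneWindowManager", b"shutdown", b"goToSleep")

def triage_apk(apk_bytes):
    """Return static indicators of an Xposed module touching the power-off path."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # Xposed modules list their entry classes in assets/xposed_init.
        is_module = "assets/xposed_init" in names
        # Concatenate every dex file so multidex APKs are covered.
        dex = b"".join(apk.read(n) for n in names
                       if n.startswith("classes") and n.endswith(".dex"))
    hits = [s.decode() for s in HOOK_STRINGS if s in dex]
    return {
        "xposed_module": is_module,
        "hook_strings": hits,
        "suspicious": is_module and len(hits) == len(HOOK_STRINGS),
    }

def _make_apk(files):
    """Build a constructed in-memory APK (zip archive) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: stand-in dex payloads holding only the strings of interest.
SAMPLE_HOOKER = _make_apk({
    "assets/xposed_init": "com.google.hypothetical.Entry\n",
    "classes.dex": b"\x00PhoneWindowManager\x00shutdown\x00goToSleep\x00",
})
SAMPLE_BENIGN = _make_apk({"classes.dex": b"\x00shutdown\x00"})

if __name__ == "__main__":
    print(triage_apk(SAMPLE_HOOKER))
    print(triage_apk(SAMPLE_BENIGN))
```

A variant that encrypts its strings or hooks a different method will not match, so treat a hit as a reason to run the sample in a sandbox rather than as a verdict.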

 

REFERENCES:

[1] https://www.virustotal.com/en/file/be0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88/analysis/

[2] http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

[3] http://www.jiandande.com/html/bianchengjiqiao/androidkaifa/2014/1128/5189.html

[4] http://security.tencent.com/index.php/opensource/detail/14

[5] https://github.com/monstersb/hijackAndroidPowerOff/blob/master/src/com/example/hijackpoweroff/Callbacks.java

[6] http://repo.xposed.info

[7] http://m.blog.csdn.net/blog/wxyyxc1992/17320911