Meet the Most Successful Malware on Google Play: Nearly 1M Users in 4 Months

Authors: Tianfang Guo, Jinjian Zhai

How many users can a stealthy malware acquire after being published on Google Play? Hundreds? Thousands? We believe a new record has been set: 500k-1m downloads. This malware survived more than 4 months until the Trustlook research team uncovered it.

The holder of this dubious honor is a malware called “Cowboy Adventure”. It is a simple game built with the popular 2D game engine “Platformer 2D”. After careful analysis our team found a devious and scary reason behind its user growth.


 

Beginning of the story

A few days ago, we found users complaining that their Facebook accounts had been abused to send a game invite to all their friends. Most of them speak Chinese:

After analysis, we found that “Cowboy Adventure” is actually a phishing malware disguised as a game. It forges a Facebook login and collects the users’ Facebook usernames and passwords. By spamming the victims’ friends, it spreads virally. Moreover, the phishing behavior is triggered “selectively”: only IP addresses from Asia trigger it.

 

The detailed analysis

[Screenshot: the fake Facebook login window]

The screenshot above shows the fake Facebook login window. If you have basic knowledge of OAuth, you know that no third party can ask for your Facebook account this way: a legitimate app hands you off to Facebook’s own login and receives only an access token, never your password.

The app is developed using Mono, the open-source, cross-platform implementation of Microsoft’s .NET Framework. The app’s code is written in C# and compiled into several PE DLL files. We used Telerik JustDecompile and ILSpy to decompile it.

The key code lives in two DLLs:

ThinkerAccountLibrary.dll – the component responsible for collecting user information, including the Facebook accounts.
CowboyAdventure.dll – the game’s code. It also contains an entry activity that decides, based on the user’s location, whether or not to pop up the phishing activity.

Upon launch, the app first communicates with a command & control (C&C) server.

The returned data determines the app’s logic: start the game directly, or phish the user via the fake Facebook login activity.

During our test, the returned data turned out to be very tricky: the C&C server decides whether to commit the malicious behavior based on the client IP. When we accessed the URL from our IP in the United States, the returned data had the “LoginEnabled” value 0. In this case, the game starts without phishing.

However, if we access this URL via a proxy server in Mainland China, Hong Kong, Taiwan or Southeast Asia, the response is different.

Note that the “LoginEnable” value has changed to 1. In this case, the app first pops up the phishing activity. This is probably a trick to delay its discovery by major antivirus vendors outside Asia. (And it worked!)

Our reverse-engineered code shows the logic. The AppData class stores the data returned by the C&C server: “LoginEnable” indicates whether to phish, and “UrlHomePage” is the URL to which the users’ Facebook accounts are submitted.

In the app’s main activity, “HomeActivity”, the first activity shown to the user is decided by the value of “LoginEnable”.

After the phishing activity pops up and the victim enters their Facebook account, the email and password are sent to the URL specified in the C&C server’s returned JSON value “UrlHomePage”.
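As an added example (not the reverse-engineered code from the app), here is a sandbox-side check for exactly this trick: replay the C&C request from several vantage points and flag any configuration field that changes with the client’s location. The captured replies, vantage names and URL are constructed; the field names follow the AppData class described above.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample captures modelled on the page's finding: the same C&C URL
# answered differently depending on the client IP. The URL value is a placeholder.
CAPTURES: Dict[str, str] = {
    "us-east":   '{"LoginEnable": 0, "UrlHomePage": "http://cnc.example/submit"}',
    "hong-kong": '{"LoginEnable": 1, "UrlHomePage": "http://cnc.example/submit"}',
    "taiwan":    '{"LoginEnable": 1, "UrlHomePage": "http://cnc.example/submit"}',
}


def parse_capture(raw: str) -> Dict[str, object]:
    """Parse one C&C reply; anything that is not a JSON object counts as an empty config."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def divergent_fields(captures: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Return {field: {vantage: value}} for every field whose value is not the same
    from every vantage point. A field missing at one vantage shows up as None."""
    parsed = {vantage: parse_capture(raw) for vantage, raw in captures.items()}
    fields = set().union(*(cfg.keys() for cfg in parsed.values()))
    result: Dict[str, Dict[str, object]] = {}
    for field in sorted(fields):
        per_vantage = {vantage: cfg.get(field) for vantage, cfg in parsed.items()}
        distinct = {json.dumps(value, sort_keys=True) for value in per_vantage.values()}
        if len(distinct) > 1:
            result[field] = per_vantage
    return result


def geo_gated_vantages(captures: Dict[str, str],
                       flag: str = "LoginEnable") -> Tuple[List[str], List[str]]:
    """Split vantage points into (flag on, flag off) by the truthiness of one field."""
    enabled, disabled = [], []
    for vantage, raw in captures.items():
        (enabled if parse_capture(raw).get(flag) else disabled).append(vantage)
    return sorted(enabled), sorted(disabled)


def verdict(captures: Dict[str, str]) -> str:
    """One-line triage summary: which fields the server varies by location, if any."""
    diverging = divergent_fields(captures)
    if not diverging:
        return "consistent"
    return "geo-gated: " + ", ".join(diverging)


if __name__ == "__main__":
    print(verdict(CAPTURES))
    print(geo_gated_vantages(CAPTURES))
```

The same diff works for any server-driven kill switch, not only this one: a config that is stable across vantage points is uninteresting, one that flips is where the analyst should look first.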

What exactly happens after the C&C server receives the users’ Facebook accounts and passwords, we don’t know. But we can guess: an automated script uses Facebook’s API to spread the malware through friend networks, attracting more and more victims.

Even at the time of writing, ZERO AV vendors detect this malware according to virustotal.com. VirusTotal even commented: “Probably harmless! There are strong indicators suggesting that this file is safe to use.”

That is the story behind a “legendary” malware on Google Play, which infected nearly 1M phones in 4 months. According to our analysis, no complicated technology was used, just a little social engineering and a small trick to evade detection.

 

Some thoughts

We have to ask: what went wrong? The authors’ opinion is as follows:

1. Mono is a relatively new development framework, and therefore good at evading analysis. This is not about difficulty but cost-efficiency: as the Jar package is still the majority of the Android threat source, few vendors integrate Mono and C# code analysis into their automated platforms.

2. Phishing is inherently difficult to detect with automated technical approaches. A phishing Facebook login activity is no different from a normal login activity at the code level. Only an experienced human can identify the forged images and layout.

3. The sneaky developer set up a location-based triggering mechanism. This may have fooled a lot of AV vendors outside Asia.

4. Some AV vendors place too much trust in Google Play. The slow reaction of AV vendors and VirusTotal’s result are the best evidence. The app’s high profile on Google Play might be a factor that made VirusTotal give the “Probably harmless” comment. Also, to our knowledge, some AV vendors give more trust to apps on Google Play during their automated analysis.

——

Update on Jul 9 3pm PST:

After more research, we found that the conclusion “the phishing only works for Asian IPs” is incorrect. It actually affects anywhere except the US and Canada.

Android Ransomwares: The Escalated Battle

Authors: Tianfang Guo, Jinjian Zhai

When talking about the cybercrime industry, the “business model” is more important than the technology itself. According to Security Magazine, cybercrime is costing businesses more than $1,500 per employee annually. That’s likely a drop in the bucket compared to how much ransomware pirates are extorting from businesses.

Last year, we published an article, “Android Ransomwares – A True Threat or Bluffing”. Reviewing it today, most of that article’s predictions about the technologies used in Android ransomware have come true. Driven by profit, ransomware makers have shelved ethics and laws, trying everything to force victims to pay. According to McAfee Labs, the number of ransomware requests grew 165% in Q1 2015. [1]

How can businesses proactively repel ransomware? Trustlook has reviewed a large number of ransomware samples in the last few weeks and is building a solution. This article analyzes the ideas and technologies behind ransomware and introduces Trustlook’s solution for detecting it.

Ransomware is best analyzed through 3 key metrics: how it blocks the normal usage of your phone; how it receives payment from the victim; and how it spreads. We categorize ransomware by the first and foremost metric, how it blocks normal usage, into three classes, or levels of severity:

  • Class A: Causes software-level damage to your phone: impairing data and/or gaining higher privileges to maintain command and control. These Android ransomware do on the phone what traditional ransomware does on the PC.
  • Class B: Does not cause damage or gain higher privileges, but obstructs regular use of the phone, e.g. by popping up “NAG”[2] messages that stay on top of the screen. These can be fixed more easily than Class A ransomware.
  • Class C: Uses no technology to block usage at all; instead relies on fraudulent information and social engineering to con victims. These are scam apps by nature rather than ransomware.

We will only discuss Class A and B ransomware in this article. All the malware mentioned here is now detected by Trustlook’s security solution.

Class A Ransomwares:

Sample name: Android Performance Enhance
Package name: tx.qq898507339.bzy9
MD5: cdc77f3dfabdea5c5278ac9e50841ff3

Behaviors:

  • Disguised as a system enhancement app
  • Tricks the user into authorizing it as device admin, including the change-screen-unlock-password and lock-screen permissions
  • Locks the screen with a password; victims are expected to contact the author and pay to get the unlock password. We pretended to be a victim and contacted the author. He asked for 50 RMB (~$9) via AliPay (China’s PayPal).
  • Cannot be uninstalled using ADB due to the device admin privilege
  • Spreads mainly in China, via Baidu “Tieba” (like China’s Reddit) and cloud storage

[Screenshot: asking for device admin]

[Screenshot: lock screen with a password]

Remove Difficulty: 4.5 stars
Transmission: 3 stars
Creativity: 3 stars
Overall Severity: 4.5 stars

 

Sample name: PornPlayer
Package name: com.ayurvedic
MD5: f91b39614dae1aae69337662dd287949

Behaviors:

  • Disguised as a porn video player
  • Asks for device admin for self-protection
  • Encrypts media files with the AES algorithm; the files are hard to recover unless the key is intercepted before it is sent out
  • Pops up an always-on-top window asking for payment for the unlock key
  • Steals phone contacts and call logs
  • Cannot be uninstalled using ADB due to the device admin privilege

[Screenshots: the payment demand window]

Our sandbox clearly intercepted the suspicious encryption operation and the encryption key:

[Screenshot: sandbox trace of the AES call and key]

Remove Difficulty: 5 stars

Transmission: 1 star

Creativity: 2 stars

Overall Severity: 5 stars

 

Sample name: Flash Player
Package name: com.android.locker
MD5: 645a60e6f4393e4b7e2ae16758dd3a11

Behaviors:

  • Disguised as Flash Player
  • Asks for device admin for self-protection
  • Displays a forged FBI surveillance message, popping up at a 5-second interval
  • Asks for $300 via a MoneyPak voucher code


Remove Difficulty: 4 stars

Transmission: 2 stars

Creativity: 3 stars

Overall Severity: 4 stars

Class A ransomware summary:

These are among the most severe types of malware on Android. Their logic is straightforward: block your phone usage, make sure you cannot recover on your own, then ask you for “data or money”.

As Android ransomware doesn’t have the privileges of its Windows equivalent, device admin became its critical path both for doing damage (wiping data, locking the screen with a password) and for self-protection – and some users have no idea what device admin is, what it can do and how to revoke it. Even experienced Android users won’t be able to get into the “Settings” app to revoke it if the ransomware pops up an always-on-top activity using the SYSTEM_ALERT_WINDOW permission (or exploits the device admin vulnerability, http://seclab.safe.baidu.com/2014-10/deviceadminexploit2.html).

Even without device admin, the WRITE_EXTERNAL_STORAGE permission allows ransomware to encrypt the files on the SD card, including media files, as “hostages”.

 

Class B Ransomwares:

Sample name: Video Player
Package name: com.adobe.videoprayer
MD5: f836f5c6267f13bf9f6109a6b8d79175

Behaviors:

  • Disguised as a video player
  • Pops up a fake FBI surveillance message
  • Sets the activity always on top; it cannot be dismissed with the home/back button
  • Takes a photo in the background as “evidence”
  • Accesses the browser history
  • Steals the contacts and threatens to send the “evidence of watching child pornography” to the victim’s contacts
  • Asks for $500 via a PayPal prepaid voucher card
  • Sends SMS in the background to the victim’s contacts with the download link, to spread virally

[Screenshots: the fake FBI message and payment demand]

Our sandbox intercepted its background behaviors:

[Screenshot: sandbox trace of the background behaviors]

Remove Difficulty: 3 stars

Transmission: 5 stars

Creativity: 4.5 stars

Overall Severity: 5 stars

 

Sample name: APK compiler
Package name: com.qq2395414390
MD5: f836f5c6267f13bf9f6109a6b8d79175

Behaviors:

  • Disguised as an APK enhancement app
  • Pops up a window that stays always on top; it cannot be dismissed with the home/back button
  • Plays a very loud sound to embarrass the victim in public
  • Victims are expected to contact the author and make a payment
  • Spreads via “QQ Groupchat” (a famous PC messenger in China)

[Screenshot: the always-on-top window]

Remove Difficulty: 2 stars

Transmission: 3 stars

Creativity: 3 stars

Overall Severity: 3 stars

 

 

Class B ransomware summary:

The main idea behind Class B ransomware is “social engineering” rather than technology. It usually uses some sneaky way to make users afraid or embarrassed enough to pay.

Most of them abuse the SYSTEM_ALERT_WINDOW permission to pop up an always-on-top window.

On the other hand, as they have neither device admin nor file encryption, they can be easily killed by a single “adb uninstall” command from an experienced Android user, once their tricks are unveiled.
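The Class A / Class B distinction from the two summaries above can be turned into a triage rule. The following is an added example, not Trustlook’s engine: it reads a decoded manifest (constructed here; a real APK carries a binary manifest that a tool such as apktool must decode first) together with a few sandbox observation tags, and assigns the class and the removal path the summaries describe.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, decoded manifest fragment; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.locker">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


@dataclass
class StaticFacts:
    permissions: Set[str] = field(default_factory=set)
    device_admin_receiver: bool = False   # a receiver guarded by BIND_DEVICE_ADMIN


def parse_manifest(xml_text: str) -> StaticFacts:
    """Collect the requested permissions and whether a device-admin receiver exists."""
    root = ET.fromstring(xml_text)
    facts = StaticFacts()
    for node in root.iter("uses-permission"):
        facts.permissions.add(node.get(ANDROID_NS + "name", ""))
    for node in root.iter("receiver"):
        if node.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            facts.device_admin_receiver = True
    return facts


# Sandbox observations are modelled as plain tags (an assumption of this example):
# "requests_device_admin", "encrypts_external_files", "always_on_top_window".
def classify(static: StaticFacts, observed: Set[str]) -> str:
    """Class A: device admin or file encryption on external storage.
    Class B: only an always-on-top window via SYSTEM_ALERT_WINDOW.
    Class C: neither, i.e. no technical blocking at all."""
    device_admin = static.device_admin_receiver or "requests_device_admin" in observed
    encrypts = ("encrypts_external_files" in observed
                and "android.permission.WRITE_EXTERNAL_STORAGE" in static.permissions)
    if device_admin or encrypts:
        return "A"
    if ("android.permission.SYSTEM_ALERT_WINDOW" in static.permissions
            and "always_on_top_window" in observed):
        return "B"
    return "C"


def removal_hint(cls: str) -> str:
    """The removal path each class implies, as the summaries above describe it."""
    return {
        "A": "revoke device admin before 'adb uninstall'; encrypted files need the key or a backup",
        "B": "'adb uninstall <package>' is enough once the nag window is recognised",
        "C": "no technical blocking; uninstall normally and ignore the demand",
    }[cls]


if __name__ == "__main__":
    facts = parse_manifest(SAMPLE_MANIFEST)
    cls = classify(facts, {"always_on_top_window", "requests_device_admin"})
    print(cls, "->", removal_hint(cls))
```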

 

Reference:

[1] http://www.mcafee.com/us/about/news/2015/q2/20150609-01.aspx

[2] https://en.wikipedia.org/wiki/Nagware

Privacy Defense Battle from Google Play Apps


Authors: Tianfang Guo, Jinjian Zhai

In our recent scan of the Google Play Store, more than 400 apps were detected as containing potentially risky behaviors that compromise users’ privacy. The Trustlook Mobile Security & Antivirus database now includes this latest list for your protection. The detailed analysis will be released in a separate blog post. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps share a risky behavior: sending sensitive information, including phone numbers, contacts, SMS, the photo gallery and geolocation, without the user’s explicit knowledge. Once the apps’ vendors have collected this data, it could be used for ad-network identification or sold to other firms.[1]

Are they malware?

Not exactly, as most of them are not built for malicious purposes per se. Yet they do exploit a corner case of Google Play’s policy (the GP developer policy). Furthermore, some of the apps have a user base of more than 10M, which creates a privacy risk greater than most viruses.

What can you do to protect your phone?

When you open one of the apps on the list, be aware that some of your personal information may be collected. Try to find an alternative app, or do not open them unless absolutely necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system that efficiently mines data and collects APKs from various app markets in multiple countries. Once collected, apps are analyzed by a behavioral analysis engine to expose questionable behavior.

Unlike most antivirus software, Trustlook does not simply analyze apps statically, but runs them in a native environment to best monitor their dynamic behavior. A detailed analysis is generated with highlighted behaviors and potential security risks.

In this sample, the contact list is captured by the app and sent to a remote server:

[Screenshot: sandbox trace of the contact upload]

What’s more, Trustlook’s analytics platform implements cutting-edge “taint analysis”, which tracks all sensitive data flows in memory and detects risky behavior as soon as sensitive data appears in outbound traffic. Such techniques can detect new malware and 0-day attacks as early as possible, protecting Trustlook users’ privacy in a timely manner.

The next risky apps report will be released soon, so stay tuned!

Reference
[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html

Fake Antivirus Found on Google Play


“Only when the tide goes out do you discover who’s been swimming naked”. – Warren Buffett


We recently found that “Automatic Virus Scanner” (ggg.tools.anti01), an antivirus app with 100k-500k downloads on Google Play, was actually a “placebo” – in other words, it has no protection functionality at all.

This app is developed on the Unity framework, with quite a lot of animations and sounds:

[Screenshots: the app’s animated scanning UI]

First time using it? You will be scared to find so many “red viruses” on your phone.

[Screenshots: the “red virus” detection screens]

After clicking the “clean” button, it starts “bombing” the viruses. And if you scan again, it shows a clean result.

Looks real, huh? Let’s find out what’s going on!

[Screenshots: the decompiled scan logic]

The code for the “scan” logic (written in C# on the Unity framework) reads several values from a local XML file: the “last scanned date” (the “y”, “m” and “d” values) and “whether the user scanned before” (the “f” value). If the user has not scanned before, or 3 days have passed since the last scan, it plays the “red virus” animation and displays “virus detected”. Otherwise it displays “no virus”.

The local XML file is the only basis for whether a positive result is shown. It stores the point in time at which the app “should” detect a virus. The “f” value indicates whether the user has clicked “clean virus” before. If you delete this file, you will find it always detects viruses.
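To make the placebo concrete, here is an added re-implementation in Python of the decision logic described above (not the app’s own C# code): the outcome depends only on the local XML file and the calendar, never on anything actually on the device. The single-element XML layout and the exact 3-day boundary are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta
from typing import Optional


def decide_scan_result(state_xml: Optional[str], today: date) -> str:
    """The 'scan' as the page describes it. state_xml is the content of the local
    state file, or None when the file does not exist. Attribute names y/m/d/f follow
    the page; the single <state> element wrapping them is an assumption."""
    if state_xml is None:
        return "virus detected"          # file deleted: it always "finds" viruses
    try:
        root = ET.fromstring(state_xml)
        cleaned_before = root.get("f") == "1"
        last_scan = date(int(root.get("y")), int(root.get("m")), int(root.get("d")))
    except (ET.ParseError, TypeError, ValueError):
        return "virus detected"          # unreadable state behaves like a missing file
    # Boundary assumed: three or more days since the last "clean" -> detected again.
    if not cleaned_before or (today - last_scan) >= timedelta(days=3):
        return "virus detected"
    return "no virus"


def state_after_clean(today: date) -> str:
    """What pressing 'clean' leaves on disk: f=1 plus today's date."""
    return f'<state y="{today.year}" m="{today.month}" d="{today.day}" f="1"/>'


def simulate(days_after_clean: int) -> str:
    """Press 'clean' on a fixed (constructed) day, then 'scan' again some days later."""
    cleaned = date(2015, 3, 16)
    later = cleaned + timedelta(days=days_after_clean)
    return decide_scan_result(state_after_clean(cleaned), later)


if __name__ == "__main__":
    for days in (0, 2, 3, 10):
        print(days, "days after clean:", simulate(days))
    print("no state file:", decide_scan_result(None, date(2015, 3, 16)))
```

Note that no file on the device is ever opened by the “scan”; the red viruses reappear on a timer, which is exactly what the sandbox trace below confirms.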

Also, according to our dynamic analysis sandbox, only the statistics and ad URLs were visited while using this app. No backend was found, nor did it access any local APKs during the scan.

Statistics and ads are accessed, but no backend is found. It writes a config file, but no local APK file is accessed. How could it “scan”? It seems this app only delivers a “sense of security” rather than solid protection.

App Market Malware Report (Nov-8)

 

Although Google has a series of security measures to keep malware off Google Play (such as routine scanning), there is always malware that slips through. One of our security team’s jobs is making the Android app market a safer place.

Every day our behavior analysis platform and static analysis engine identify hundreds of apps containing malicious behavior, such as stealing your private data, exploiting vulnerabilities on your phone, or sending unwanted SMS or phone calls. From today on, we will routinely update you on the latest malware Trustlook has discovered on app markets, to show you what the malware looks like and how it threatens your security.

Business Insider
Package Name: com.freerange360.mpp.businessinsider
Still on Google Play? Yes
Behavior: steals privacy (sends the phone number to an external server without your approval)

TRIO Publications
Package Name: com.freerange360.mpp.thtrsopu
Still on Google Play? Yes
Behavior: steals privacy

Royal Poker
Package Name: com.RoyalP
Still on Google Play? Yes
Behavior: steals privacy

Phone Book
Package Name: archfoe.phonebook
Still on Google Play? Yes
Behavior: steals privacy

MP3 Cutter
Package Name: com.beka.tools.mp3cutter
Still on Google Play? Yes
Behavior: sends SMS in the background

Smile Theme GO LauncherEX
Package Name: com.gau.go.launcherex.theme.smile
Still on Google Play? No
Behavior: Attempts to use the “adb setuid rooting vulnerability” to gain root privilege on your phone. If successful,
Although named after the famous “Go Launcher”, it is malware developed by a third party.

dsploit
Package Name: it.evilsocket.dsploit
Still on Google Play? No
Behavior: Attempts to use CVE-2011-3874 to root your phone in the background.
Named after the hacking tool “dSploit”, it was developed by totally different people. It IS a hacking tool, but the trigger is not in your hands.

水果爱消除2
Package Name: com.fram.fruit.aixiaochu.ceshi
Still on Google Play? No
Behavior: Attempts to use CVE-2011-3874 to root your phone in the background.

By the time you read this article, Trustlook Antivirus can already identify all of them.

Ads SDKs are causing Privacy Leak on Your Phone

You may have encountered the problem that your games and apps – which look normal – have been identified as “high risk” by Trustlook Antivirus. In this case, check whether they are the genuine versions from the official Google Play and upgraded to the newest version. Otherwise, those apps might contain minor risky behavior that violates your privacy.

In this blog we’ll take “Admogo” (http://www.adsmogo.com/) as an example, a famous ads SDK that emerged in China. They claim to cover more than 70k apps, with 1.1 billion requests per day. However, we found this SDK contains code that may send your device’s IMEI number, location and phone number to third-party servers, possibly for commercial purposes.

Some well-known games and apps are also on the list (e.g. the old version 2.3.1 of “Don’t Tap The White Tile”, which now has 50m+ installs on Google Play). They are not malware, but they do contain data-stealing behavior. To avoid installing these apps, we suggest getting apps from Google Play instead of from less-known app markets or direct APK downloads.

Here are some examples:

Package Name | Still on Google Play? | MD5
com.raesun.lovely.photo.frames | No | 0AE614389E861C562D77C9FB80A4B669
zhao.peng.you | No | 0BEE4547BE554C14D204520539264244
com.doirdfunia.photoartdroid | No | 0E9BAA19BBF60E8EFC41935C46AE5C79
cn.com.lw.fish | No | 05525E236F4C5EA5F7D7FB142F1BA171
com.doirdeditor.PhotoFunia | No | 10402A2E17DC14F23194EC414BECAE38
cn.bluesky.fourinalinekids | Yes (newest version is clean) | 0B8E1DECAC3EFE6FC5BA63D0EB655758
net.tomcoolz.android.livewallpaper | No | 0DB19A61974D31C5F813C0A4DAB2CB79
cn.chinabus.main | Yes | 5CC96B42A91017184D04CD5F972CA2B4
com.umonistudio.tile | Yes (newest version is clean) | EC0AA4AED20669BF68305D686CD94606
com.zjsj.chinachess | Yes (newest version is clean) | 07186A73DAF1ACD4E8DB9BBEC7F2FCD6
com.funny.camera | No | 0E31A11E26B4F3A0CCC11DB0A9BCE8E0


Detailed behavior in the Admogo SDK:

Reads personal information from your phone:
  • Gets the IMEI
  • Gets the phone number
  • Gets the location

Sends the information out.
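A simple version of the outbound-traffic check described in the privacy post above (sensitive data appearing in outbound traffic), applied to the Admogo behaviors just listed. This is an added example, not Trustlook’s taint engine: given the identifiers the sandbox assigned to its test device, it scans one captured request for those values in raw, digits-only, percent-encoded and MD5/SHA-1 hashed form. The device values, request captures and host names are constructed.

```python
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed identifiers assigned to the sandbox's test device (not real values).
DEVICE: Dict[str, str] = {
    "imei": "490154203237518",
    "phone": "+15555550123",
    "lat": "37.3861",
    "lon": "-122.0839",
}


def identifier_variants(name: str, value: str) -> Dict[str, str]:
    """Forms in which an ad SDK commonly ships an identifier: the raw value, a
    digits-only copy (only for long numbers such as IMEI and phone number, to
    avoid accidental matches) and lowercase MD5/SHA-1 hex digests of the raw value."""
    out = {name: value}
    digits = re.sub(r"\D", "", value)
    if len(digits) >= 10:
        out[name + ":digits"] = digits
    for algo in ("md5", "sha1"):
        out[f"{name}:{algo}"] = hashlib.new(algo, value.encode()).hexdigest()
    return out


def find_leaks(request: str, device: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the sorted list of identifier variants found in one captured outbound
    request (headers and body), after percent-decoding and case-folding."""
    device = DEVICE if device is None else device
    haystack = unquote_plus(request).lower()
    hits = set()
    for name, value in device.items():
        for label, form in identifier_variants(name, value).items():
            if form.lower() in haystack:
                hits.add(label)
    return sorted(hits)


# Constructed captures modelled on an ad request; the host name is a placeholder.
AD_REQUEST = ("POST /ad/req HTTP/1.1\r\nHost: ads.example\r\n\r\n"
              "imei=490154203237518&tel=%2B15555550123&lat=37.3861&lon=-122.0839")
CLEAN_REQUEST = "GET /ad/req?v=2 HTTP/1.1\r\nHost: ads.example\r\n\r\n"

if __name__ == "__main__":
    print(find_leaks(AD_REQUEST))     # identifiers leaked by the sample capture
    print(find_leaks(CLEAN_REQUEST))  # []
```

String matching like this misses values that are encrypted or custom-encoded before sending; that gap is what in-memory taint tracking closes, since it follows the value from the source API to the socket regardless of transformation.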

Simple Malware Made by Freshman, Big Problem for Mobile Security

Last weekend, Chinese media were filled with news of a “Super Android Virus In-the-Wild”. The consequence of this worm looks remarkable in mobile virus history: from Jul 28 to Aug 2, it infected millions. The writer of this malware, a talented 19-year-old freshman, was arrested within 9 hours (because he hard-coded his email account inside the app). His intent in making the malware was “showing off” and “spying on his girlfriend”.

After taking a close look at this virus, we were surprised to find it a “Hello World” style malware: it contains basic control functionality such as reading the SMS list (targeting e-shopping notifications). It has a simple but efficient way of spreading: reading the contacts and sending a phishing SMS containing the APK download link to all of the victim’s contacts, which caused the exploding infection numbers.

There is no destructive functionality in this malware, nor does it generate profit for the writer. The only consequence is bugging your friends and wasting some money and data on sending messages. The phishing messages were soon blocked by the Chinese service providers, cutting off its major spreading channel. Chinese AV vendors all claimed they were the “first to detect the super Android virus”. And the story came to an end.

Here are some analysis results:

It drops a second APK that carries all the monitoring functionality; the main APK only serves infection and spreading.

[Screenshot: reading SMS]

[Screenshot: reading contacts]

[Screenshot: scam SMS sent to all contacts]

[Screenshot: the critical evidence that led to the writer’s arrest]

Beyond the malware itself, two problems were exposed:

1. Many users surprisingly lack security knowledge: SMS phishing is definitely not a new kind of attack. Also, Android pops up a warning when installing an APK from the Internet. Yet so many users still gave it the green light all the way. If this incident had happened in the US, would the consequences have been any better?

2. The reaction of AV vendors was no better than in the PC era. The malware was created, spread, and was eventually noticed only after the number of victims had already exploded. Afterwards the AVs made their “detection tool”, which is still based on signatures.