CyberWire Daily - Apps on third-party Android store carry unwelcome code. [Research Saturday]

Episode Date: June 15, 2019

Researchers at Zscaler have been tracking look-alike apps in third-party Android app stores that carry malicious code. Deepen Desai is VP of security research and operations at Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/third-party-android-store-sms-trojan

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:02:33 Learn more at zscaler.com slash security. So as part of our daily mobile malware tracking activity, there are several third-party app stores as well as app stores that are not known before. But if we see payloads being downloaded from there. That's Deepan Desai. He's Vice President of Security Research and Operations at Zscaler. The research we're discussing today is titled, From Third-Party Android Store to SMS Trojan. So in this case, it was Android packages. We saw about 49 different Android packages that were downloaded from this location,
Starting point is 00:03:17 which is what got the researchers interested in digging more. And that's how we discovered this campaign and the fake malicious app store. In the research that you published here, I mean, one of the first things you have is an image of this app store. And I guess we should say that this is something that's fairly common on the Android side of things, these third party app stores. Yeah, third party app stores are fairly common on Android side, for sure. Looking at the images that you posted of these, it's funny to me how the games look similar to games we know about. There's one called Crazy Birds, which of course looks like Angry Birds. There's Super Bros Run, which I guess looks like Super Mario Brothers
Starting point is 00:03:55 Run, and Bubble Candy, which I suppose is supposed to be Candy Crush, and Tetrix Blocks, which is supposed to be Tetris. So they're all similar, but not quite the original games. Right. Yeah, that's a good point. And that's what we noticed as well. Like all of these are sort of renamed version of some of the popular games. And Crazy Birds and Super Bros are the ones that we have also mentioned in the blog screenshots. They look way, very similar. So, yeah, I believe the intention over here was to attract users' attention and get that package downloaded on the user's cell phone device.
Starting point is 00:04:31 The delivery mechanism was through web. So the user should have clicked or would have been a drive-by download from another website that the user was already visiting. another website that the user was already visiting. So someone is on this site that is pretending to be a third-party app store, and they click to download one of these apps. So what happens next? So once a user installs the app and tries to run the game, there is no icon present on the dashboard, right? So because there is no game, the user will not be able to start anything after the installation is complete. But in the backend, the app is actually running and it starts sending
Starting point is 00:05:12 SMS messages. It communicates with the command and control server where it reports the infected device and waits for further instructions from there. Now, it's interesting because again, one of the screenshots that you have here, you show someone's screen on their Android device, and there's just a blank space. So where it's been installed, like you say, there's no app icon, there's no app name, but something does happen if you click in that blank space. So when you click on that blank area, what will happen is you will get a page that will again point the user to one of those two fake malicious app stores screens that you can see in the blog as well.
Starting point is 00:05:51 One of them says Smart World and the other one is Sexy World. And when you visit any of them, you're going to see again the host of apps that pretends to be some of the popular apps out there with different names. Also, when you click on one of those, it attempts to escalate your privileges? It will attempt to get the admin privileges. And we've shown the screenshot where, you know, the user will have to activate the administrator privilege for the app. And that's when the activity will start. Yeah, it's an interesting little bit of social engineering there.
Starting point is 00:06:23 It says to view all the porn videos you need to update, click to activate. I can imagine that could grab some people's attention. Yeah, that has happened in the past as well, right? Remember PornDroid, as well as many other porn-based ransomware as well, where, you know, user falls for this and then you will see a totally different screen. No video out there. Right. And so once you've given this app your admin rights, what happens next? So once the app receives the admin right, it will then collect the information of the infected device. It will then relay information such as what's the Android version that's running on the
Starting point is 00:07:02 system, device ID, country code, all of that information is then relayed to a remote command and control server. In response to that, the server will then act the information that it receives from the infected device, and it will then further instruct the device to perform malicious activity. And what malicious activity does it want the device to do then? So the one that we saw during the course of analysis was sending text messages to random numbers. And these numbers could not be random, but we weren't able to connect the dots. The numbers were legitimate. And the list of messages that we saw are all also listed in our blog. But
Starting point is 00:07:44 again, we didn't make any sense out of this. So for now, we're calling this spam messages. But there were certain strings that were related to politics. So one of the potential uses for the author to send politically motivated messages as well through the infected devices, and that the author doesn't have to pay the bills, it's the device owner that gets charged for that. Yeah, it's interesting. I mean, I'm looking through the list of SMS messages that were sent, and it's a wide gamut from, you know, stuff that's a little naughty, you know, porn kind of things to political things and some things that just sort of seem nonsensical. I wonder, are they trying to, some sort of signal in the noise there? That could be a possibility. And the other thing was, this is a fairly new campaign that we saw.
Starting point is 00:08:30 One of our researchers believed that this is a malware that is still in testing phase, and it could be leveraged at an intended time later on. And do you have any sense for what the source of this, who's behind it? We do not. Okay. How widespread is it? How much are you seeing of this? We saw about 49 different transactions. When I say transactions, these are unique payloads that were pretending to be different games. We've listed all of those file hashes in our blog as well. We saw three domains involved. These are domains where
Starting point is 00:09:02 the infected devices would communicate back after the user's device has been infected. This was during a 90-day period of us tracking this activity. And is it something you've still got your eye on to see if it gets past this sort of perceived testing phase? Absolutely. So we're tracking this a few different ways in our cloud, Absolutely. So we're tracking this a few different ways in our cloud, but this app has been fingerprinted and we are looking for any other variants, both from static point of view, that is minor changes in the code, as well as activity point of view, that is the behavior it exhibits at network level. But when you look at what's going on here, how do you rank the sophistication of these efforts? When you look at what's going on here, how do you rank the sophistication of these efforts? It is not that sophisticated. I would say this is pure luring the user with something enticing and then having them click and do the standard install process.
Starting point is 00:10:00 We didn't see anything sophisticated, any obfuscated code either in this package. So it's fairly basic. How much do we blame the Android ecosystem here that these third party app stores are so easy to spin up and, and allows this to be a risk to folks? Agreed. But in the end, it's on the user, right, the device owner, they need to be prudent and only installing apps that are from official app stores. Like in this case, it's Google Play Store. that are from official app stores, like in this case, it's Google Play Store. Maybe downloading apps from some of the trusted, reputed third-party app store is fine as long as the user knows what they're downloading.
Starting point is 00:10:33 And what are your recommendations in terms of people best protecting themselves? Again, please be prudent on what you're downloading and installing on your devices, right? It may appear to be doing nothing when you install it and you may forget about it. But in the back end, there is a lot of activity that might be happening on your device that can lead to financial losses. So always stick to official Play Store and be sure to know what you're downloading and installing.
Starting point is 00:11:01 Now, suppose someone found themselves infected with this. What goes into remediation? Once the user discovers that he's been impacted with this payload and the user will have to follow the standard steps of removing the app, the first step in this case would be to remove the administrator privilege of this app. And then the user will be able to uninstall the app and the user should then reboot the device into normal mode. And as far as you can tell, that would do it. There wouldn't be anything else left behind. There wouldn't be anything left behind. We didn't see any other code associated with this package getting dropped.
Starting point is 00:11:36 Yeah, I have to say, I mean, this is an interesting one as much in the sort of basic level of it. It's almost kind of clumsy in the way that it presents things and installs things. But I suppose it works. It does work. And like I said, it might be just the start of this campaign.
Starting point is 00:11:54 We might see many more payloads or the existing payloads might get additional instructions from the CNC server and we might be able to see additional activity out of this. Our thanks to Deepan Desai from Zscaler for joining us. The research is titled, From Third-Party Android Store to SMS Trojan.
Starting point is 00:12:18 We'll have a link in the show notes. Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. approach can keep your company safe and compliant. Thanks for listening.
