Minimal permissions are adequate for fraudulent Android financial applications

SonicWall Capture Labs Threat Research team recently discovered a campaign that asks users to enter their card details into a fraudulent bank application under the pretense of claiming reward points. The app also persuades users to enable SMS-related permissions; with those granted, the fraudulent application can intercept One-Time Password (OTP) messages and redirect them to the attackers' server, giving them unauthorized access to the user's banking credentials and potentially leading to fraudulent activities or financial loss.

The fraudulent app's icon may closely resemble the original app's icon in terms of color scheme, logo, and overall visual elements. This resemblance creates a false sense of trust and familiarity for unsuspecting users. They may not immediately recognize any visual discrepancies and may proceed with providing their card details without suspicion.

Fig1: Legitimate and malicious app icons

Infection cycle:

The fraudulent apps utilize two crucial permissions.

  1. SMS permission: to read incoming messages and identify the bank's two-factor authentication codes.
  2. INTERNET permission: to establish an internet connection and send the collected card and SMS details to the attacker's server.

After installation, it prompts the user to fill in their card details, enticing them with the promise of claiming rewards.

Fig2: Card details with random values


Fig3: Prompt for Card details


Fig4: Prompt for Card details


Fig5: Checks for SMS permission


Once the user shares their card details with the fraudulent app, it immediately initiates the process of transmitting this sensitive information to the attacker's C&C server.

Fig6: Sharing card details with C&C server


It stores the user and card information in a local database located in the application system folder.

Fig7: Application system folder

Fig8: Storing user info in a local database


It reads incoming messages on the device and saves them in JSON format.

Fig9: Read incoming SMS


Fig10: Stores SMS info in a JSON format


It shares incoming message details with the C&C server.

Fig11: Sends SMS info to the C&C server


At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its potential to spread.

Fig12: VirusTotal image


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

New campaign spreading Android Remote Access Trojan

SonicWall Capture Labs Threat Research team recently discovered a malware campaign that utilizes a Remote Access Trojan (RAT) with extensive capabilities, including keylogging, stealing sensitive device information, bypassing Google Authenticator, and more. These features allow the attacker to access and steal valuable information from the victim's device, which can lead to various types of fraud, including financial fraud and identity theft.

This malware uses icon masquerading, a common tactic used by malware authors to evade detection and deceive users. The technique involves using the icons of legitimate and popular apps as a disguise for malicious apps. This allows the malware to blend in with other apps on the device and avoid suspicion.

After installation, the malware prompts the victim to enable the Accessibility Service on the targeted device. If the victim grants permission, the malware then takes advantage of the Accessibility Service to perform malicious activities without the user's knowledge.

Fig1: Installed malicious app


Accessibility service usage is shown below:

Fig2: Accessibility permission


We also noticed that most of these malicious apps are fairly new and have only recently been submitted to malware-sharing platforms like VirusTotal.

Fig3: Latest samples found on VT

Infection cycle:

The malware requests 34 permissions; some of the critical permissions used in these apps are listed below:


The components mentioned in the manifest file are absent from the compiled dex file.

Fig4: Mismatched components in the manifest file


During execution, the malware unpacks the “PFf.so” file from the assets section and drops it into the application system folder.


Fig5: Drops unpacked dex file in the application folder


The application hides its own icon so that it is not visible in the launcher's app tray.

Fig6: Hide app icon


The threat actor uses the functions below to collect device information such as the IMEI number, country code, device model and installed package names.

Fig7: Collecting device info


It stores the user’s details using Shared Preferences and tries to connect to the C&C server (hxxps://141[.]98[.]6[.]86).

Fig8: Package Installation list


The malware has the ability to download HTML phishing pages from the Command and Control (C&C) server and then inject them into a WebView, to steal sensitive information such as login credentials and credit card numbers.

Fig9: Webview injection


It reads incoming messages on the device and saves them in JSON format.

Fig10: Read incoming SMS


Google Authenticator generates two-factor authentication (2FA) codes, which provide stronger security for accounts by requiring a second verification step when a user signs in. This malware evades that additional layer of security by capturing the 2FA codes with the help of the Accessibility Service.

Fig11: 2FA code


The malware accepts commands from the C&C server, allowing the malware author to send SMS messages and make calls from the infected device.

Fig12: Ability to make calls


Fig13: Ability to send SMS


The malware has integrated keylogging functionality by taking advantage of the Accessibility Service.

Fig14: Store the key logs


This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.

Fig15: Malware captures screenshots


It disables notifications by setting the interruption filter to “INTERRUPTION_FILTER_NONE”, locks the device, and sets the ringer volume to silent to remain unnoticed, while silently reading the incoming notifications.

Fig16: Disable incoming notification


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicators of Compromise (IOC):

Android malware steals your Google Authenticator codes

SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card information and Google Authenticator codes on Android devices. This malware uses the icons of famous Android apps to mislead users and trick victims into installing the malicious app on their device. The malicious app may use the following icons:

Fig 1: Malware using famous app icons


We also noticed that most of these malicious apps are fairly new and have only recently been submitted to malware-sharing platforms like VirusTotal.

Fig 2: Latest sample found on VT


Infection cycle

The critical permissions used in these apps are mentioned below:


After installation, it asks the victim to enable the accessibility service. Once this option is enabled, it becomes difficult to uninstall the application from the device.

Fig 3: Installed malicious app


Fig 4: Accessibility permission


The malicious application connects to the Command-and-Control server and receives commands to execute operations accordingly, as shown in the image below:

Fig 5: C&C server


In web data, it creates a database where it stores the victim’s personal information and card details.

Fig 6: Database created for storing information


Google Authenticator generates two-factor authentication (2FA) codes, which provide stronger security for accounts by requiring a second verification step when a user signs in. This malware evades that additional layer of security by capturing the 2FA codes with the help of the Accessibility Service.

Fig 7: Stealing Google authenticator code


This malware also sends the victim’s current location to its remote C&C server.

Fig 8: Latest location info

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.

Fig 9: Malware captures screenshots


It stores C&C server’s details like Host address ( and port number (33660) in base64 encoded form.

Fig 10: Network connection


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicators of Compromise (IOC):

Malicious Android applications impersonate antimalware to send high-cost SMS

SonicWall Capture Labs Threats Research team has been regularly sharing information about the malware threats targeting Android devices. SonicWall has tracked down some active trojan SMS applications.

This Android SMS app purports to be a famous antimalware application to gain easy initial access; after installation, it behaves as a completely different application, silently sending SMS messages without the user’s knowledge.

Infection Cycle:

The application uses an icon resembling DrWeb, which easily escapes users’ attention.


Figure 1: DrWeb icon used by the malware author


Permissions used by the application are:


After installation, the application shows an agreement page.


Figure 2: Agreement page


The assets folder contains agree.txt, which holds the agreement text written in Russian, and three .res files whose content (a number and a text) is base64-encoded twice.


Figure 3: Asset folder


The agreement text states that it grants access to a paid, closed archive of erotic downloads.


Figure 4: Agreement content


At the time of analysis, the URL mentioned, “hxxp://topfiless[.]com”, was not accessible.


Figure 5: Inactive URL


To recover the number and text, it base64-decodes the data twice; the result is stored in JSON format.
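As an added example (not the malware's code or SonicWall's tooling), the Python below recovers the number and text from a .res blob that has been base64-encoded twice and stored as JSON, as described here, and also decodes the singly base64-encoded C&C host and port mentioned in the Google Authenticator post above. The blobs, the host name c2.example.invalid and the number 0000 are constructed placeholders; malformed or implausible input yields None instead of a bogus indicator.

```python
import base64
import binascii
import json


def encode_layers(text, layers):
    """Build the constructed samples; real .res assets ship pre-encoded."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


# Constructed stand-ins: a .res blob encoded twice (number + text as JSON)
# and the singly encoded C&C host and port from the Authenticator post.
SAMPLE_RES = encode_layers('{"number": "0000", "text": "constructed text"}', 2)
SAMPLE_HOST = encode_layers("c2.example.invalid", 1)
SAMPLE_PORT = encode_layers("33660", 1)


def decode_layers(blob, layers):
    """Strip `layers` rounds of base64; None if any round is malformed."""
    data = blob.encode("utf-8") if isinstance(blob, str) else blob
    for _ in range(layers):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def extract_sms_config(blob):
    """Recover {'number', 'text'} from a double-encoded JSON .res asset."""
    text = decode_layers(blob, 2)
    if text is None:
        return None
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(cfg, dict) or not {"number", "text"} <= set(cfg):
        return None
    return {"number": str(cfg["number"]), "text": str(cfg["text"])}


def extract_c2(host_blob, port_blob):
    """Recover (host, port) from singly encoded settings; None if implausible."""
    host = decode_layers(host_blob, 1)
    port = decode_layers(port_blob, 1)
    if host is None or port is None or not port.isdigit():
        return None
    host, port = host.strip(), int(port)
    if not host or not 1 <= port <= 65535:
        return None
    return host, port
```

The recovered number and host are the values worth adding to SMS and network block lists.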

Figure 6: Information decoding & message sending


Figure 7: Decoded number and text used to send high-cost SMS


It checks incoming messages, matches their content against the expected data, and then sends SMS messages accordingly.


Figure 8: Checks for incoming messages


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicators of Compromise (IOC):
Android adware reappears on third-party stores after being taken down from the Google Play store

SonicWall Capture Labs Threat Research team has been observing Android adware that was available on the Google Play store; it has since been removed from the Play store but is still being distributed via third-party platforms. Hidden adware continuously shows advertisements, some of which contain download links and lead to false clicks, so users end up with unwanted applications.

Fig1: Application removed from Google Play Store


Fig2: Malicious applications available on third-party store


Infection Cycle:

After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.

Fig3: Application icon change


Here, an <activity-alias> is used to swap the original icon for a blank one and then launch the same application to perform the adware activities, as shown in the code snippet below.

Fig4: Use of activity alias tag


After installation, multiple advertisements start appearing, each with a long wait before it can be closed, and this repeats continually.

Fig5: Multiple Advertisement


This adware pretends to protect the device from harmful applications and shows a persistent message in the status bar to gain the benefit of the doubt, so it remains an unidentified source of advertisements.

Fig6: Message in the status bar


Similarly, to pass itself off as an optimizer application, the adware shows a notification after every new application installation.

Fig7: Pop up after new application installation


The sensitive device information (IMEI number, location, etc.) accessed by the adware is shown in the code snippet below.

Fig8: Access device information


To check resource utilization, we tested after a factory reset of the device; the battery usage compared to other applications was very high due to the huge number of advertisements.


Fig9: Battery usage


Problems caused by the adware:

  • It is difficult to identify and uninstall the application.
  • Due to intensive resource usage, the device slows down and applications start crashing.
  • The battery starts draining quickly.
  • It leads to high internet usage.


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

Android ransomware purports to be a free social media follower application

Sonicwall Capture Labs Threat Research team has observed many Android locker ransomware samples that ask victims to communicate over social media platforms. There is no assurance of getting the key even after paying the ransom; the operators simply use these apps for monetary gain. Some of the applications look like free social media follower apps but are ransomware, as shown below.


Figure 1: Ransomware App Icons


All of these malicious apps were recently submitted to malware-sharing platforms like VirusTotal.


Figure 2: VirusTotal submission history


Infection Cycle:

Major permissions used in these apps are mentioned below:


The “SYSTEM_ALERT_WINDOW” permission is used to display overlay windows above all activity windows in order to show ransom notes.

After installation, the app is not visible in the app drawer; to view the installed app's information, we need to go to Settings -> Apps.


Figure 3: Malicious app visible under settings


In the manifest file, “android.intent.category.LAUNCHER” is not set on MainActivity, as shown below, which means that this application has no launcher icon on the home screen.


Figure 4: Main activity launcher missing


The malicious application launches on the “ACTION_BOOT_COMPLETED” system event, which is fired once the Android system has completed the boot process; it then sets a lock screen with a ransom note and the user is unable to access the device.
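The manifest traits called out across these posts (the SMS plus INTERNET pairing in the rewards app, the Accessibility Service, the SYSTEM_ALERT_WINDOW overlay, the <activity-alias> icon swap in the adware, the missing LAUNCHER category and the BOOT_COMPLETED trigger here) can all be triaged from a decoded AndroidManifest.xml. The Python below is an added example written for this page, not SonicWall tooling or any sample's code; the manifest it parses is constructed to carry every trait at once, and the finding strings are its own.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest carrying every trait the posts describe; it is not
# taken from any real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Rewards">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Blank" android:targetActivity=".MainActivity"
                    android:icon="@drawable/blank" android:label="">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""


def _name(node, attr="name"):
    return node.get(ANDROID + attr, "")


def _has_category(node, category):
    return any(_name(c) == category for c in node.iter("category"))


def triage_manifest(xml_text):
    """Return sorted findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    perms = {_name(p).rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    findings = []
    if perms & {"RECEIVE_SMS", "READ_SMS"} and "INTERNET" in perms:
        findings.append("SMS permission paired with INTERNET: OTP forwarding pattern")
    if "SYSTEM_ALERT_WINDOW" in perms:
        findings.append("SYSTEM_ALERT_WINDOW: can draw overlays such as a ransom note")
    app = root.find("application")
    if app is None:
        return findings
    if any(_name(s, "permission").endswith("BIND_ACCESSIBILITY_SERVICE")
           for s in app.iter("service")):
        findings.append("declares an Accessibility Service")
    if any(_name(a) == BOOT_COMPLETED
           for r in app.iter("receiver") for a in r.iter("action")):
        findings.append("receiver triggered by BOOT_COMPLETED: persistence")
    act = [a for a in app.iter("activity") if _has_category(a, LAUNCHER)]
    alias = [a for a in app.iter("activity-alias") if _has_category(a, LAUNCHER)]
    if alias and not act:
        findings.append("LAUNCHER lives only on an <activity-alias>: icon-swap trick")
    if not act and not alias:
        findings.append("no LAUNCHER category: app hides from the app drawer")
    return sorted(findings)
```

Point it at the AndroidManifest.xml that apktool writes out; none of these findings is malicious on its own, but several together on an app that arrived outside the Play store is a strong triage signal.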


Figure 5: Ransom note


On further investigation of the malicious code, each malicious file has a different ransom note and a different key, which is present in the code itself under the “password” field. No actual encryption of any file on the device takes place; the only effect is locking the screen.


Figure 6: Password and Ransom note present in code


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):
Android Malware impersonates Google Update Application with old traits

SonicWall Capture Labs Threats Research team has been regularly sharing information about malware, including spyware, targeting Android devices. SonicWall has tracked down a huge number of fake applications disguised as legitimate Google update applications.

Fig 1. Fake Google Update applications


The new version of the spyware is recently available on malware-sharing platforms like VirusTotal.

Fig 2. VirusTotal submission history


Infection Cycle:

Most of the fake Google updater apps share common spyware behaviour, and a few of them also work as banking trojans.

After installation, the apps ask for Accessibility permission and then hide from the app drawer.


Fig 3: App Installation & Accessibility permission


It accesses the following data on the device, saves the tracked information in a corresponding .json file, establishes a socket connection with the C&C server “help.domainoutlet.site” and shares the device information as a JSON file.

  • SMS
  • Call logs
  • Call Recording
  • Device Info
  • Location
  • Keyloggers
  • Device Contact
  • Notification

Fig 4: Storing contact details in JSON file


In some cases, along with the spyware activities, it also acts as a banking trojan, for example the sample with SHA-256 fb3837dc602c3f51939891b75a34d706bbefa73f822cffffeb1b863a6526bf95.

A dex file containing the banking trojan code is loaded dynamically.

Fig 5: Load Dex file


It checks the installed applications and compares them against a list of specific package names, mainly banking and cryptocurrency apps (350+ apps). Once it determines that one of these apps is in use, it can carry out an overlay attack: it places a fake page that looks like the legitimate app over it in order to steal credentials.

Fig 6: Checking installed apps


Fig 7: Load WebView for overlay attack


Fig 8: List of targeted apps


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicators of Compromise (IOC):

Info stealers are leveraging the betting app ban on the Google Play store

SonicWall Capture Labs Threats Research team has been regularly sharing information about malware threats targeting Android devices. Recently we have observed some fake fantasy league betting applications in the wild.

The Google Play store banned all gambling and sports betting applications, but since March 2021 a policy update has lifted the online gaming ban in 19 countries; elsewhere, these apps are distributed through external third-party platforms.

In India, more than 25 fantasy apps are available, with an app named "Dream11" being the most popular and whose download count reached more than 130 million as per their official website.

As these apps are not present in the Google Play store, malware authors are leveraging this fact to host fake malicious apps that look like the genuine ones.

Infection cycle:

Once installed on the device, the fake Dream11 application uses the following icons:


Fig 1: Malicious App icon


Fig 2: Showing the correct match schedule

Once executed, it displays a page showing the match schedule as in Figure 2 above; however, the app does not respond after this page. During our static investigation, we observed that it performs several malicious activities:

  • Receives commands via SMS
  • Reads and sends SMS
  • Reads and deletes contacts
  • Accesses call log (incoming, outgoing & missed calls)
  • Tracks location
  • Records audio
  • Logs keystrokes
  • Accesses the camera


Fig 3: Reads SMS and Executes command accordingly

Fig 4: Commands Received

Fig 5: Sent SMS

Fig 6: Call log Access


Fig 7: Deletes contact details


Fig 8: Audio record

Fig 9: Access device Location

Fig 10: Config file

Fig 11: Sending user info using socket connection

We urge our users to always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Fakeapp.FL 

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Indicators of Compromise (IOC):

A Github repository exists for AndroSpy spyware for Android

SonicWall Threats Research team identified a version of AndroSpy in the wild. Interestingly, there exists a Github repository for this version of the malware. This repository was created a few months back and appears to be fairly active.

Sample specifics

  • MD5: 1749d7830b1593fbe9eec1946002dee7
  • Application Name: Critical Device Settings
  • Package Name: com.kernel32.criticalprocess


This app requests a number of dangerous permissions; a few of them are listed below:



This version of AndroSpy boasts a number of functionalities; some of them are listed below:

  • Access camera
  • Access files
  • Live microphone
  • Keylogger
  • SMS manager
  • Shell terminal
  • Access contacts
  • Call Logs
  • Check installed apps
  • Live screen
  • Disable Google Play Protect


Similar threats

Searching for this app on Virustotal showed a number of related apps, some with different names and icons:


This indicates that this threat is being used and propagated with malicious intent. As mentioned earlier, the attacker server and other configuration values can be viewed under resources>res>values>strings.

Additional observation

The GitHub repository shows a BTC wallet address for donations towards this project:


Overall, this is spyware that is available on GitHub as a framework. In some cases, this spyware is being passed off as a legitimate application.


Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androspy.GT


Indicators of Compromise:

  • 1749d7830b1593fbe9eec1946002dee7
  • 603b7c441289ff7a15d3a458add66f2d
  • 0e9d6812f7ed7f912fab2f74e143ea76
  • 4f48d7d1258d52db555e0aae4b5136d6
  • 93c0c8c706a219d4194110035898f36d

McAfee themed Android malware spotted

SonicWall Threats Research team received yet another report about Android malware hosted on Discord. The URL associated with this threat is:

  • https[:]//cdn.discordapp.com/attachments/900818589068689461/948690034867986462/McAfee9412.apk


Application specifics


The application requests a number of suspicious permissions, some of which include:



Infection cycle

The instance of the malware that we analyzed masquerades as a legitimate McAfee application. Upon installation, the application is visible as below:


Once the app is executed, it requests the Accessibility service. If this service is granted, the malware performs a number of actions in the background, as visible in the GIF below:


User device related information is sent to the attacker. This acts as an identifier for the infected device, and the name of the PHP page further supports this:


The malware is capable of accepting a number of commands from the attacker, some of which are listed below:

  • Push CC Injection
  • Take Photo
  • Send SMS
  • Send SMS to All Contacts
  • Inject a web page
  • Download File
  • Kill Bot
  • Push Bank Injection with Time
  • Push Bank Injection
  • Uninstall an app
  • Record Audio
  • Get Google Authenticator Codes
  • Call a number/Run USSD code
  • Start VNC
  • VNCClick
  • VNCHold
  • VNCDrag
  • HOME
  • BACK


Additional Observations

  • There are a number of hardcoded .PHP pages whose naming convention indicates their purpose. Some of them are listed below:
    • /project/apiMethods/register.php?botid=
    • /project/apiMethods/updateLoc.php?botid=
    • /project/apiMethods/updateStat.php?botid=
    • /project/apiMethods/uploadCall.php?botid=
    • /project/apiMethods/uploadFilesList.php?botid=
    • /project/apiMethods/uploadInbox.php?botid=
    • /project/apiMethods/uploadKeylogs.php?botid=
    • /project/apiMethods/uploadLog.php?log=
    • /project/apiMethods/uploadVNC.php?botid=


  • The malware contains a large number of classes and strings with random names; these are used to make analysis difficult for researchers:


  • There is an HTML file in the assets folder titled startaccessibility.html; however, it contains just HTML tags with no real content. Another file, welcome.html, contains the content that is shown when requesting the Accessibility Service. This suggests that the malware is probably still under construction or that this is a test version:


  • There is a hardcoded URL within the code, http[:]//melanieparker.42web.io, which has now been taken down.
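The hardcoded apiMethods paths listed above give a defender something to alert on in web proxy logs. The following Python is an added example, not part of the original post: it classifies URLs by those endpoint names (the purpose labels are an analyst's reading of the names, not behaviour confirmed from the code) and scans constructed log lines in a simplified "timestamp client method url" format; the host c2.example.invalid and the bot id are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint names copied from the post; the purpose column is an analyst
# reading of each name, not behaviour confirmed from the code.
KNOWN_ENDPOINTS = {
    "register.php": "bot registration",
    "updateLoc.php": "location update",
    "updateStat.php": "status beacon",
    "uploadCall.php": "call recording upload",
    "uploadFilesList.php": "file list upload",
    "uploadInbox.php": "SMS inbox upload",
    "uploadKeylogs.php": "keylog upload",
    "uploadLog.php": "log upload",
    "uploadVNC.php": "VNC/screen upload",
}
PATH_RE = re.compile(r"/project/apiMethods/([A-Za-z]+\.php)$")
# Minimal "<timestamp> <client> <method> <url>" proxy line (constructed format).
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)")


def classify_url(url):
    """Return (endpoint, purpose, botid) when a URL has the C&C API shape."""
    parts = urlsplit(url)
    m = PATH_RE.search(parts.path)
    if not m:
        return None
    endpoint = m.group(1)
    query = parse_qs(parts.query, keep_blank_values=True)
    if endpoint == "uploadLog.php":      # the one endpoint keyed by ?log= instead
        if "log" not in query:
            return None
        botid = None
    elif "botid" in query:
        botid = query["botid"][0]
    else:
        return None
    purpose = KNOWN_ENDPOINTS.get(endpoint, "unlisted apiMethods endpoint")
    return endpoint, purpose, botid


def scan_proxy_log(lines):
    """Collect one hit per log line that talks to the apiMethods C&C API."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        found = classify_url(url)
        if found:
            endpoint, purpose, botid = found
            hits.append({"ts": ts, "client": client, "endpoint": endpoint,
                         "purpose": purpose, "botid": botid})
    return hits


# Constructed log lines; only the three apiMethods requests with a bot id
# or log parameter should be reported.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET http://example.invalid/index.html",
    "2024-05-01T10:00:01Z 10.0.0.7 POST http://c2.example.invalid/project/apiMethods/register.php?botid=bot42",
    "2024-05-01T10:00:05Z 10.0.0.7 POST http://c2.example.invalid/project/apiMethods/uploadKeylogs.php?botid=bot42",
    "2024-05-01T10:00:09Z 10.0.0.7 POST http://c2.example.invalid/project/apiMethods/uploadLog.php?log=boot",
    "2024-05-01T10:00:12Z 10.0.0.9 GET http://c2.example.invalid/project/apiMethods/other.php?x=1",
]
```

A single client posting to register.php and then to any upload endpoint is the sequence to hunt for; the bot id ties the follow-up uploads back to the first beacon.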


Overall, this malware is capable of doing a number of things once it infects a device. The power of Accessibility Services is on display: once the user grants this permission, the malware grants itself a number of permissions and performs a multitude of actions.


Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.ES


Indicators of Compromise: