
Minimal permissions are adequate for fraudulent Android financial applications

SonicWall Capture Labs Threat Research team recently discovered a campaign that asks users to enter their card details into a fraudulent bank application under the pretense of claiming reward points. The app also persuades users to grant SMS-related permissions; with those in place it can intercept one-time password (OTP) messages and forward them to the attackers' server, giving the attackers unauthorized access to the user's banking credentials and potentially leading to fraudulent transactions and financial loss.

The fraudulent app's icon closely resembles the legitimate app's icon in color scheme, logo and overall design. This resemblance creates a false sense of trust and familiarity, and unsuspecting users who do not notice the small visual discrepancies may enter their card details without suspicion.

Fig1: Legitimate & malicious apps icon

Infection cycle:

The fraudulent apps need only two permissions to do their work:

  1. SMS permission: to receive and read incoming messages and pick out the bank's two-factor authentication (2FA) codes.
  2. INTERNET permission: to open a network connection and send the collected card details and SMS contents to the attacker's server.
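The permission pattern above is cheap to check at scale. The following is an added triage script, not code from the SonicWall post or from the sample, that parses a decoded AndroidManifest.xml (as produced by apktool) and flags the SMS-plus-INTERNET combination together with a receiver for incoming SMS. The manifest it runs on is constructed for this example; the package name com.example.rewards and the component names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose the OTP channel: either one lets an app read the
# bank's SMS. Since Android 4.4 only the default SMS app can consume (abort)
# the SMS_RECEIVED broadcast, but every app holding RECEIVE_SMS still gets a
# copy of the message, which is all an OTP thief needs.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NETWORK_PERM = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for the example (not the analyzed sample): only the two
# permissions described in the post plus a receiver for incoming SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Bank Rewards">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def parse_manifest(xml_text):
    """Return (package name, requested permissions, actions handled by receivers)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    return root.get("package", ""), perms, actions

def triage(xml_text):
    """Return (package, list of findings) for one decoded manifest."""
    pkg, perms, actions = parse_manifest(xml_text)
    findings = []
    sms = sorted(perms & SMS_PERMS)
    if sms and NETWORK_PERM in perms:
        findings.append("sms-exfil-capable: %s + INTERNET" % ", ".join(sms))
    if SMS_RECEIVED in actions:
        findings.append("registers an SMS_RECEIVED receiver (reads OTPs as they arrive)")
    # The post's point: a short permission list is not evidence of a benign app.
    if findings and len(perms) <= 3:
        findings.append("only %d permissions requested, yet OTP theft is possible" % len(perms))
    return pkg, findings

if __name__ == "__main__":
    pkg, findings = triage(SAMPLE_MANIFEST)
    print(pkg)
    for f in findings:
        print(" -", f)
```

Run it over every manifest in a sample set and sort by the "only N permissions" finding: the apps with the shortest permission lists and an SMS receiver are exactly the ones this post describes, and they would be missed by any heuristic that scores apps on the number of dangerous permissions alone.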

After installation, the app prompts the user to fill in their card details, enticing them with the promise of reward points.

Fig2: Card details with random values

 

Fig3: Prompt for Card details

 

Fig4: Prompt for Card details

 

Fig5: Checks for SMS permission

 

Once the user submits their card details to the fraudulent app, it immediately transmits this sensitive information to the attacker's C&C server.

Fig6: Sharing card details with C&C server

 

It also stores the user and card information in a local database inside the application's private data directory.

Fig7: Application system folder


Fig8: Storing user info in a local database

 

It reads incoming SMS messages on the device and saves them in JSON format.

Fig9: Read incoming SMS

 

Fig10: Stores SMS info in a JSON format

 

It then sends the details of each incoming message to the C&C server.

Fig11: Sends SMS info to the C&C server

 

At the time of writing, the file is detected by only a few security vendors on the VirusTotal threat intelligence portal, so it is likely to keep spreading with little interference from endpoint protection.

Fig12: VirusTotal image

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

 

01dad4cb5fd433b1138078d39d7ced11229d22971acc4ba71bb03eb09e5b702b

0901a1d1b25ed81a6100d5e9e4a8363e9a638e45ae4a418d80e78189c01510ec

14732a80ea580c54b88780c3346b95a58d1dad80e1ed60800018c76746caa421

17ccf51b19072810490319b20d5d337c9621405e443c73fa2ec96c8d04038d6c

1825679fb5840bd63002a28656a69bd6bac120cb3d0d2dee9c396b198b5db109

35eeaeea8d91cc999456d4f86330ea03beed3c53274c1525f541341b2a46bf4e

36c61e92e4f991339340d9b89a891c5c74ef043ee362df5173e8e50c617f1372

6e9f03a81be3b29be22f769b6a00e4f8ee5220884959d91c84906e163dbb592c

6ff0c6f8b54142b76d6acc3a1f7e2dc5fc9955bb92b4adea86e8d3e69c0f9399

8f088d49c70b1d64b3ab8df0b2e4e527d1bad8865cf609bc0801acfbf3b1bd15

9cf21cfb921658c85ec63c362bfb71c5137e56c93caeab9ec0b2798bcbeeea6f

cec60348cf2be5400b37597ba8903453f12aef5a936aabad85cce13320cc59ee

ddfe903d31c87f49c02fbb4e5b63351964e55c8ef12a8fa5500e5471236d10f2

e740a368bbfc74b32eddfe57282094100a66a7a11f31181a262c40914e9449dd

ec409e8f9bb9d19b786e3e0f99f863d97da8465b7b2569bbd88a83f4ec439880

f9d94528bdb34628c9169bc3770c8d087afd5793d47247eb84e7fa60ead17534


New campaign spreading Android Remote Access Trojan

SonicWall Capture Labs Threat Research team recently discovered a malware campaign that uses a Remote Access Trojan (RAT) with an extensive feature set, including keylogging, theft of sensitive device information and capture of Google Authenticator codes. These features let the attacker access and steal valuable information from the victim's device, which can lead to various types of fraud, including financial fraud and identity theft.

This malware uses icon masquerading, a common tactic malware authors use to evade detection and deceive users: the malicious app carries the icon of a legitimate, popular app so that it blends in with the other apps on the device and avoids suspicion.

After installation, the malware prompts the victim to enable the Accessibility Service. If the victim grants it, the malware abuses the Accessibility Service to perform its malicious activities without the user's knowledge.

Fig1: Installed malicious app

 

Accessibility service usage is shown below:

Fig2: Accessibility permission

 

We also noticed that most of these malicious apps are fairly new and were only recently submitted to malware sharing platforms such as VirusTotal.

Fig3: Latest samples found on VT

Infection cycle:

The malware requests 34 permissions; some of the critical ones are listed below:

  • READ_SMS
  • CALL_PHONE
  • RECEIVE_SMS
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • WRITE_EXTERNAL_STORAGE
  • USES_POLICY_FORCE_LOCK
  • REQUEST_DELETE_PACKAGES
  • ACCESS_NOTIFICATION_POLICY
  • ACCESS_BACKGROUND_LOCATION

The components declared in the manifest file are absent from the packaged dex file, which indicates that the real code is unpacked at runtime.

Fig4: Mismatched components in the manifest file

 

During execution, the malware unpacks the file "PFf.so" from the assets section and drops it into the application's data directory; despite the .so extension, the dropped file is a dex file.
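Both indicators just described, components declared in the manifest but missing from classes.dex and a .so asset that is really a dex file, can be confirmed without running the sample. The added example below is not code from the post or from the sample: it takes the component names an analyst reads out of the manifest and the class descriptors read out of the packaged dex (both constructed here, with the placeholder package com.example.rat), plus the first bytes of the dropped asset, and reports whether the app fits the runtime-unpacking pattern.

```python
import re

# "dex\n035\0", "dex\n038\0", ... : the DEX file magic plus format version.
DEX_MAGIC = re.compile(rb"dex\n0[0-9]{2}\x00")
ELF_MAGIC = b"\x7fELF"          # what a genuine shared object starts with

def classify_blob(data):
    """Tell a real shared object from a DEX file that merely carries a .so name."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if DEX_MAGIC.match(data):
        return "dex"
    return "unknown"

def dex_descriptor_to_class(desc):
    """'Lcom/a/b/Foo;' -> 'com.a.b.Foo'."""
    if desc.startswith("L") and desc.endswith(";"):
        desc = desc[1:-1]
    return desc.replace("/", ".")

def resolve_component(pkg, name):
    """android:name may be relative ('.Main'), bare ('Main') or fully qualified."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name

def missing_components(pkg, manifest_components, dex_descriptors):
    """Components the manifest declares but the packaged dex does not define."""
    declared = {resolve_component(pkg, n) for n in manifest_components}
    present = {dex_descriptor_to_class(d) for d in dex_descriptors}
    return sorted(declared - present)

def unpacking_verdict(pkg, manifest_components, dex_descriptors, asset_bytes):
    """Combine both indicators into one verdict for the triage report."""
    missing = missing_components(pkg, manifest_components, dex_descriptors)
    kind = classify_blob(asset_bytes)
    return {
        "missing_components": missing,
        "asset_kind": kind,
        # Declared code absent from the dex plus a dex hiding under a .so name
        # is the pattern described above; either indicator alone is weaker.
        "likely_runtime_unpacking": bool(missing) and kind == "dex",
    }

# Constructed inputs for the example (not from the analyzed sample).
PKG = "com.example.rat"
MANIFEST_COMPONENTS = [".ui.MainActivity", ".svc.AccService",
                       "com.example.rat.recv.BootReceiver", ".Loader"]
DEX_CLASSES = ["Lcom/example/rat/Loader;", "Lcom/example/rat/Unpack;"]
ASSET_BYTES = b"dex\n035\x00" + b"\x00" * 32     # header bytes of the dropped asset

if __name__ == "__main__":
    print(unpacking_verdict(PKG, MANIFEST_COMPONENTS, DEX_CLASSES, ASSET_BYTES))
```

The only class present in the packaged dex in this constructed case is the loader; the activity, accessibility service and boot receiver exist in the manifest alone, which is what the mismatch in the figure above looks like when written down. Legitimate apps that use multidex or app bundles can also show classes outside the primary dex, so check every classes*.dex before trusting the verdict.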

 

Fig5: Drops the unpacked dex file in the application folder

 

The application hides its own icon so that it is not visible in the launcher's app tray.

Fig6: Hide app icon

 

The threat actor uses the functions below to collect device information such as the IMEI, country code, device model and the names of installed packages.

Fig7: Collecting device info

 

It stores the collected details in SharedPreferences and tries to connect to the C&C server (hxxps://141[.]98[.]6[.]86).

Fig8: Package Installation list

 

The malware can download HTML phishing pages from the Command and Control (C&C) server and inject them into a WebView to steal sensitive information such as login credentials and credit card numbers.

Fig9: Webview injection

 

It reads incoming SMS messages on the device and saves them in JSON format.

Fig10: Read incoming SMS

 

Google Authenticator generates two-factor authentication (2FA) codes, which add a second verification step when a user signs in. This malware gets around that extra layer by reading the 2FA codes off the screen through the Accessibility Service.

Fig11: 2FA code

 

The malware accepts commands from the C&C server that let the operator send SMS messages and place calls from the infected device.

Fig12: Ability to make calls

 

Fig13: Ability to send SMS

 

The malware implements keylogging by abusing the Accessibility Service.

Fig14: Store the key logs

 

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.

Fig15: Malware capture screenshots

 

To remain unnoticed, it disables notifications by setting the interruption filter to "INTERRUPTION_FILTER_NONE", locks the device and silences the ringer, while it silently reads the incoming notifications itself.

Fig16: Disable incoming notification

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOC):

0098fef6d54bc27d2cec81fccdb319ed9949ed4edd80e56c8d9acd00e8f0131a

013185b920a6b6cc1f38ae361f6a134502f87c847372c4d70f3d704fce1a8138

3f7c7af5153f5a4b30d35f7ff2ba832887bcbfe3d37f9915dcc23c76896ee199

50651c753d57e12f155c2261fe8735c077e65ed84f4b3d58b2fd82965c24f6ef

6d3e64e9a60aa9e098226815aad96d620285c98ed4812fd39ae0d2a3f7f03783

70bd486f69815312e6e23b75680cb1fd05bad69e3b538ccddb277e86d4818ab7

873d3211bde4614a1dcb04c4c059a7aa3a1ef314ce95cca3d9c733525c80177b

a0360aac3b925a5185d7bd00e6392be6419e6c4dde871526b6a7dcaaa3fe2aa2

a78659bbc0c03b06a9985aa360ae1390e5f2a1081387da9b3be3f2eb5910932d

ae6cca0df5a4a005ae157bab3567e19a9059adc2f308ebfb972815ecb8838350

b0de190c20c17d5c02d1a80bc1d157a8a63b2abf6e701722a0168d48efbfe492

e0eaf12b806baf45add1f959619cfa548a6265705c08d59d9a914813a04da5a3

e74a55e74835579eed7fc80296171435a0e2a1aae01e791d723e9b2d51954190

ec0d682cd5d72fa32b8e47f0eede32b30216bc88f08acba88d403071df69b233

 


Android malware steals your Google Authenticator codes

SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card information and Google Authenticator codes on Android devices. The malware uses the icons of well-known Android apps to mislead users and trick victims into installing it. The malicious app may use the following icons:

Fig 1: Malware using famous app icons

 

We also noticed that most of these malicious apps are fairly new and were only recently submitted to malware sharing platforms such as VirusTotal.

Fig 2: Latest sample found on VT

 

Infection cycle

The critical permissions used in these apps are mentioned below:

  • READ_SMS
  • READ_CALL_LOG
  • READ_CONTACTS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • CAMERA
  • RECORD_AUDIO
  • ACCESS_FINE_LOCATION
  • REQUEST_INSTALL_PACKAGES
  • CALL_PHONE

After installation, it asks the victim to enable the Accessibility Service. Once this is enabled, the application becomes difficult to uninstall from the device.

Fig 3: Installed malicious app

 

Fig 4: Accessibility permission

 

The malicious application connects to the Command-and-Control server and receives commands, executing operations accordingly, as shown in the image below:

Fig 5: C&C server

 

It creates a database, stored under the app's web data, in which it keeps the victim's personal information and card details.

Fig 6: Database created for storing information

 

Google Authenticator generates two-factor authentication (2FA) codes, which add a second verification step when a user signs in. This malware gets around that extra layer by reading the 2FA codes off the screen through the Accessibility Service.

Fig 7: Stealing Google authenticator code

 

The malware also sends the victim's current location to its remote C&C server.

Fig 8: Latest location info

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.


Fig 9: Malware capture screenshots

 

It stores the C&C server's details, the host address (192.168.110.93) and port number (33660), in base64-encoded form. The host is a private (RFC 1918) address, which suggests this sample was built against the author's test environment rather than a live server.
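Base64-encoded host and port strings are easy to miss when grepping a decompiled app for IP addresses. The added example below, not code from the post or from the sample, scans a list of strings (such as those pulled from a decompiled class or from strings.xml) for tokens that base64-decode to an IPv4 address, hostname, URL or port number, re-adding the padding that configs often strip. The input list is constructed for this example: it encodes the host and port quoted above, a placeholder URL, and some ordinary identifiers as noise.

```python
import base64
import binascii
import re

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/\S*)?$")
HOST = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
PORT = re.compile(r"^\d{1,5}$")

def try_b64(token):
    """Decode a token as base64 ASCII text, or return None if it is not one."""
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)   # configs often strip the '='
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def classify_decoded(text):
    """Return the endpoint kind for a decoded string, or None."""
    if IPV4.match(text) and all(int(o) <= 255 for o in text.split(".")):
        return "ipv4"
    if PORT.match(text) and 1 <= int(text) <= 65535:
        return "port"
    if URL.match(text):
        return "url"
    if HOST.match(text):
        return "host"
    return None

def find_encoded_endpoints(strings):
    """(kind, encoded, decoded) for every string that base64-decodes to an endpoint."""
    hits = []
    for s in strings:
        decoded = try_b64(s.strip())
        if decoded is None:
            continue
        kind = classify_decoded(decoded)
        if kind:
            hits.append((kind, s, decoded))
    return hits

# Constructed string-table dump for the example (not from the analyzed sample):
# the encoded host and port from the post, a placeholder URL, and noise.
SAMPLE_STRINGS = [
    "MainActivity",
    "MTkyLjE2OC4xMTAuOTM=",            # 192.168.110.93
    "MzM2NjA",                         # 33660, padding stripped
    "aHR0cHM6Ly9leGFtcGxlLmNvbQ==",    # https://example.com
    "INTERNET",
    "ok",
]

if __name__ == "__main__":
    for kind, enc, dec in find_encoded_endpoints(SAMPLE_STRINGS):
        print("%-5s %-32s %s" % (kind, enc, dec))
```

The decoder is deliberately strict (validate=True and ASCII only) so that ordinary Java identifiers, which often happen to be valid base64 alphabets, are rejected when they decode to non-text bytes. Short numeric strings can still produce false "port" hits, so treat a port as meaningful only when it appears next to a decoded host or address in the same class.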

Fig 10: Network connection

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOC):

0ef96f5ce66266f55d4e17f9985c4c929633a972e587ced8b000b3910ffb3303

115ee615a45d4645e805da20ba3ccb26c7383cc52f3df16506b522ca3a009235

46a3badfa5682d2d862618933155fa04cc64690d5588ea06089670e222ba36b4

72db4117f73c566a8a98fe27d00dc645e319a98217fa7fc5992138e70af8574a

7e5d28e9663fc6d2c5badc7a660058e2bf69b410791f01709177590c65944db1

ca310362727d0416ce6ec24a90409ad2c8d9cdaf95f6236a759ac31eb2a8cb0f

cea371b7bdd44271b20194248431c45f03bd66c4b7f7abad8404ca611a27565c

f815b1c1b51810bd331eb75d30fabbbad2237011c8cd242c5655bfca304c978a



Android Adware reappears on third party after being taken down from the Google play store

SonicWall Capture Labs Threat Research team has been observing Android adware that was available on the Google Play store; it has since been removed from the store but is still being distributed via third-party platforms. The hidden adware continuously shows advertisements, some of which contain download links that lead to false clicks, and users end up with unwanted applications.

Fig1: Application removed from Google Play Store

 

Fig2: Malicious applications available on third-party store

 

Infection Cycle:

After installation, the application changes its icon to a blank icon with no name, making it difficult for the user to identify which application is showing the advertisements.

Fig3: Application icon change

 

An <activity-alias> is used to swap the original launcher icon for a blank one: the alias carries the blank icon and an empty label and points at the same activity, so the application is still launched, through the alias, to perform its adware activity, as shown in the code snippet below.

Fig4: Use of activity alias tag

 

After installation, multiple advertisements start appearing, each with a long wait before it can be closed, and this repeats continuously.

Fig5: Multiple Advertisement

 

The adware pretends to protect the device from harmful applications and keeps a constant message in the status bar, so that it gets the benefit of the doubt and remains unidentified as the source of the advertisements.

Fig6: Message in the status bar

 

Similarly, to pass itself off as an optimizer application, the adware shows a notification after every new application installation.

Fig7: Pop up after new application installation

 

The sensitive device information (IMEI number, location, etc.) accessed by the adware is shown in the code snippet below.

Fig8: Access device information

 

To check resource utilization, we tested the app after a factory reset of the device; its battery usage was very high compared with other applications because of the huge number of advertisements.

 

Fig9: Battery usage

 

Problems caused by this adware:

  • The application is difficult to identify and uninstall.
  • Intensive resource usage slows the device down and causes applications to crash.
  • The battery drains quickly.
  • Internet usage is high.

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

87fb25e1087b14c5da692667000f04615d90525277fcdc316ef7c6f0326c1bcf

b97b648b29f824a2abd3f84484249807ec00acb50d7aa914a059b34f6590a657

f68ca1129a5e57bdad18301100ee7a3f2ee3864362a9d939e78db09d8c10e6a2

87267d97fa3aa3eb55465021ad615ccf28b9f595053980f31ad804df49b2223c


Android ransomware purports to be a free social media follower application

SonicWall Capture Labs Threat Research team has observed many Android locker ransomware samples that ask the victim to get in touch through social media platforms. There is no assurance of getting the unlock key even after paying the ransom; the operators simply use these apps for monetary gain. Some of the applications pose as free social media follower apps but are ransomware, as shown below.

 

Figure 1: Ransomware App Icons

 

All of these malicious apps were recently submitted to malware sharing platforms such as VirusTotal.

 

Figure 2: VirusTotal submission history

 

Infection Cycle:

The major permissions used by these apps are listed below:

  • SYSTEM_ALERT_WINDOW
  • RECEIVE_BOOT_COMPLETED
  • SET_WALLPAPER
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • READ_CONTACTS
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • WAKE_LOCK
  • INTERNET
  • REQUEST_INSTALL_PACKAGES
  • CAMERA

The SYSTEM_ALERT_WINDOW permission is used to draw overlay windows above all other activity windows in order to display the ransom note.

After installation the app is not visible in the app drawer; to view the installed app's information you need to go to Settings -> Apps.

 

Figure 3: Malicious app visible under settings

 

In the manifest file, "android.intent.category.LAUNCHER" is not set on MainActivity, as shown below, which means the application has no launcher icon.

 

Figure 4: Main activity launcher missing

 

The malicious application launches on the "ACTION_BOOT_COMPLETED" system event, which is fired once the Android system has completed booting; it then sets a lock screen with a ransom note and the user is no longer able to use the device.
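Both launcher-icon tricks described on this page, the blank-icon <activity-alias> of the adware post above and the missing LAUNCHER category plus boot-time start of this locker, can be read straight from the manifest. The added example below is not code from either post: it parses a decoded AndroidManifest.xml, lists the launcher entries, and flags aliases whose label is blank or whose icon differs from the application icon, apps with no launcher entry at all, BOOT_COMPLETED receivers and the SYSTEM_ALERT_WINDOW permission. The two manifests it runs on are constructed for this example, with placeholder package and component names.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT = "android.intent.action.BOOT_COMPLETED"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

def intent_filters(component):
    """Yield (actions, categories) for each <intent-filter> of a component."""
    for f in component.iter("intent-filter"):
        yield ({a.get(NS + "name") for a in f.iter("action")},
               {c.get(NS + "name") for c in f.iter("category")})

def launcher_report(xml_text):
    """Launcher entries and visibility/persistence findings for one manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app_icon = app.get(NS + "icon")
    entries = []
    for tag in ("activity", "activity-alias"):
        for comp in app.iter(tag):
            if any(MAIN in acts and LAUNCHER in cats for acts, cats in intent_filters(comp)):
                entries.append({
                    "name": comp.get(NS + "name"),
                    "alias": tag == "activity-alias",
                    "target": comp.get(NS + "targetActivity"),
                    "label": comp.get(NS + "label"),
                    "icon": comp.get(NS + "icon"),
                    # android:enabled="false" aliases are switched on later at
                    # runtime via PackageManager.setComponentEnabledSetting().
                    "enabled": comp.get(NS + "enabled", "true") != "false",
                })
    starts_on_boot = any(BOOT in acts for r in app.iter("receiver")
                         for acts, _ in intent_filters(r))
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}

    findings = []
    if not entries:
        findings.append("no launcher entry: app is invisible in the app drawer")
    for e in entries:
        blank_label = e["label"] == ""
        odd_icon = e["icon"] is not None and e["icon"] != app_icon
        if e["alias"] and (blank_label or odd_icon):
            findings.append("launcher alias %s with blank label/icon (enabled=%s) targets %s"
                            % (e["name"], e["enabled"], e["target"]))
    if starts_on_boot:
        findings.append("starts on BOOT_COMPLETED")
    if OVERLAY in perms:
        findings.append("can draw over other apps (SYSTEM_ALERT_WINDOW)")
    return {"launcher_entries": [e["name"] for e in entries], "findings": findings}

# Constructed manifests for the example (not from the analyzed samples).
ADWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:icon="@mipmap/ic_launcher" android:label="Phone Cleaner">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".HiddenAlias" android:targetActivity=".MainActivity"
                    android:icon="@drawable/blank" android:label="" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""

LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.followers">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:icon="@mipmap/ic_launcher" android:label="Free Followers">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".LockService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("adware", ADWARE_MANIFEST), ("locker", LOCKER_MANIFEST)):
        print(name, launcher_report(xml))
```

Legitimate apps also use activity aliases (for seasonal icons, for example), so the alias finding is a lead rather than a verdict; the combination in the locker manifest, no launcher entry plus a boot receiver plus the overlay permission, is much harder to explain benignly.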

 

Figure 5: Ransom note

 

On further investigation of the malicious code, each sample has a different ransom note and a different unlock key, which is present in the code itself under a "password" field. No files on the device are actually encrypted; the app only locks the screen.

 

Figure 6: Password and Ransom note present in code

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

11a11a11a266f9d3858d1b52aca73b701406cbc587bf52a5256c20452d574d0a

193c8bc1f44cf310e670c0a4a9e19f9ad35afaac63eb549f9cc8dafa240555af

2cd6920661eec231b66ac3601ca380ba846490c8f535b903d3844326084ac490

2da6a8f85888d39c3a45b6d6367492e67243e985ef8bc4dc441fd66ffcbe3d9c

ac70993fb26bd4590d3656a4b6ba1e0787a9c524ed5ed5592663a6d8c05c32a1

ec38798940dbab431f3dacab74267b143e206ed8e3fc406be90125825198576a


Info stealers leverage the betting app ban on the Google Play store

SonicWall Capture Labs Threat Research team regularly shares information about malware threats targeting Android devices. Recently we observed fake fantasy league betting applications in the wild.

The Google Play store banned all gambling and sports betting applications; since March 2021 a policy update has lifted the ban in 19 countries, while in all other countries such apps are distributed through third-party platforms.

In India, more than 25 fantasy apps are available, the most popular being "Dream11", whose download count has reached more than 130 million according to its official website.

Because these apps are not present in the Google Play store, malware authors leverage that fact to host fake malicious apps that look like the genuine ones.

Infection cycle:

Once installed on the device, the fake Dream11 application uses the following icons:

 

Fig 1: Malicious App icon

 

Fig 2: Showing the correct match schedule

Once executed, it displays a page showing the match schedule, as in Figure 2 above; however, the app does not respond after this page. During our static analysis, we observed that it performs several malicious activities:

  • Receives commands via SMS
  • Reads and sends SMS
  • Reads and deletes contacts
  • Accesses call log (incoming, outgoing & missed calls)
  • Tracks location
  • Records audio
  • Logs keystrokes
  • Camera Access

 

Fig 3: Reads SMS and Executes command accordingly

Fig 4: Commands Received

Fig 5: Sent SMS

Fig 6: Call log Access

 

Fig 7: Deletes contact details

 

Fig 8: Audio record

Fig 9: Access device Location

Fig 10: Config file

Fig 11: Sending user info using socket connection

We urge our users to always be vigilant and cautious when installing software, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Fakeapp.FL 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Indicators of Compromise (IOC):

2ecd9211817021f8a3f3e1f4ad0bf1b7a98b0d82

0a55255e35390f3fed3cd333e0873f0054ff7827

 

 

 


A Github repository exists for the AndroSpy spyware for Android

SonicWall Threats Research team identified a version of AndroSpy in the wild. Interestingly, a Github repository exists for this version of the malware. The repository was created a few months ago and appears to be fairly active.

Sample specifics

  • MD5: 1749d7830b1593fbe9eec1946002dee7
  • Application Name: Critical Device Settings
  • Package Name: com.kernel32.criticalprocess

 

This app requests a number of dangerous permissions; a few of them are listed below:

  • WRITE_EXTERNAL_STORAGE
  • READ_EXTERNAL_STORAGE
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • CAMERA
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • RECORD_AUDIO
  • READ_CONTACTS
  • WRITE_CONTACTS
  • SEND_SMS
  • BIND_DEVICE_ADMIN
  • RECEIVE_SMS
  • WRITE_SMS
  • PROCESS_OUTGOING_CALLS
  • DELETE_PACKAGES
  • SYSTEM_ALERT_WINDOW
  • ACCESSIBILITYSERVICE

 

This version of AndroSpy boasts a number of functionalities, some of which are listed below:

  • Access camera
  • Access files
  • Live microphone
  • Keylogger
  • SMS manager
  • Shell terminal
  • Access contacts
  • Call Logs
  • Check installed apps
  • Live screen
  • Disable Google Play Protect

 

Similar threats

Searching for this app on VirusTotal showed a number of related apps, some with different names and icons:

 

This indicates that the threat is being used and propagated with malicious intent. The attacker's server and other configuration values can be viewed under resources>res>values>strings.

Additional observation

The github repository shows a BTC wallet address for donations towards this project:

 

Overall, this is spyware that is available on Github as a framework, and in some cases it is being passed off as a legitimate application.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androspy.GT

 

Indicators of Compromise:

  • 1749d7830b1593fbe9eec1946002dee7
  • 603b7c441289ff7a15d3a458add66f2d
  • 0e9d6812f7ed7f912fab2f74e143ea76
  • 4f48d7d1258d52db555e0aae4b5136d6
  • 93c0c8c706a219d4194110035898f36d

McAfee themed Android malware spotted

SonicWall Threats Research team received yet another report about an Android malware hosted on Discord. The URL associated with this threat is:

  • https[:]//cdn.discordapp.com/attachments/900818589068689461/948690034867986462/McAfee9412.apk

 

Application specifics

 

The application requests a number of suspicious permissions, some of which are:

  • READ_PHONE_NUMBERS
  • CAMERA
  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION
  • RECEIVE_SMS
  • READ_CONTACTS
  • WRITE_SMS
  • READ_SMS
  • SEND_SMS
  • GET_ACCOUNTS
  • RECORD_AUDIO
  • READ_CALL_LOG
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • RECEIVE_BOOT_COMPLETED
  • CALL_PHONE
  • DISABLE_KEYGUARD

 

Infection cycle

The malware instance we analyzed masquerades as a legitimate McAfee application. Upon installation, the application is visible as below:

 

Once the app is executed, it requests the Accessibility service. If this is granted, the malware does a number of things in the background, as visible in the GIF below:

 

Device information is sent to the attacker and acts as an identifier for the infected device; the name of the PHP page it is sent to (register.php, with a botid parameter) further confirms this:

 

The malware accepts a number of commands from the attacker, some of which are listed below:

  • Push CC Injection
  • Take Photo
  • Send SMS
  • Send SMS to All Contacts
  • Inject a web page
  • Download File
  • Kill Bot
  • Push Bank Injection with Time
  • Push Bank Injection
  • Uninstall an app
  • Record Audio
  • Get Google Authenticator Codes
  • Call a number/Run USSD code
  • Start VNC
  • VNCClick
  • VNCHold
  • VNCDrag
  • SWIPE UP
  • SWIPE DOWN
  • RECENTS
  • HOME
  • BACK
  • SCROLL UP
  • SCROLL DOWN
  • NOTIFICATIONS
  • SCREEN OFF
  • SCREEN ON

 

Additional Observations

  • There are a number of hardcoded .php pages whose names indicate their purpose. Some of them are listed below:
    • /project/apiMethods/register.php?botid=
    • /project/apiMethods/updateLoc.php?botid=
    • /project/apiMethods/updateStat.php?botid=
    • /project/apiMethods/uploadCall.php?botid=
    • /project/apiMethods/uploadFilesList.php?botid=
    • /project/apiMethods/uploadInbox.php?botid=
    • /project/apiMethods/uploadKeylogs.php?botid=
    • /project/apiMethods/uploadLog.php?log=
    • /project/apiMethods/uploadVNC.php?botid=
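The botid-tagged PHP endpoints above are a natural detection hook: the host may change between builds, but the directory layout and the parameter name survive. The added example below is not code from the post or from the sample; it runs that logic over a few constructed proxy log lines in a simple "timestamp client method url status" format, matching both the exact paths above and any /apiMethods/*.php path, and groups the hits per client so that each infected device produces one alert carrying its bot id and the C2 hosts it talked to. The log lines, client addresses and the 203.0.113.5 host are constructed; melanieparker.42web.io is the hardcoded host mentioned in this post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint paths observed in the sample (host-independent).
C2_PATHS = {
    "/project/apiMethods/register.php",
    "/project/apiMethods/updateLoc.php",
    "/project/apiMethods/updateStat.php",
    "/project/apiMethods/uploadCall.php",
    "/project/apiMethods/uploadFilesList.php",
    "/project/apiMethods/uploadInbox.php",
    "/project/apiMethods/uploadKeylogs.php",
    "/project/apiMethods/uploadLog.php",
    "/project/apiMethods/uploadVNC.php",
}
# Looser fallback: the same directory layout under a different prefix.
C2_PATH_SHAPE = re.compile(r"/apiMethods/[A-Za-z]+\.php$")

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed proxy log excerpt for the example (not real traffic).
SAMPLE_LOG = """\
1700000000.101 10.0.0.12 GET http://melanieparker.42web.io/project/apiMethods/register.php?botid=a1b2c3 200
1700000001.202 10.0.0.12 POST http://melanieparker.42web.io/project/apiMethods/uploadKeylogs.php?botid=a1b2c3 200
1700000002.303 10.0.0.17 GET http://example.org/project/index.php 200
1700000003.404 10.0.0.12 GET http://203.0.113.5/project/apiMethods/uploadVNC.php?botid=a1b2c3 200
1700000004.505 10.0.0.20 GET http://example.com/apiMethods/register.php?botid=zzz 200
"""

def match_c2(line):
    """(src, host, path, botid) if the line hits a C2 endpoint, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if url.path not in C2_PATHS and not C2_PATH_SHAPE.search(url.path):
        return None
    botid = parse_qs(url.query).get("botid", [None])[0]
    return m.group("src"), url.hostname, url.path, botid

def scan(log_text):
    """Group C2 hits by client so the SOC gets one alert per infected device."""
    by_src = {}
    for line in log_text.splitlines():
        hit = match_c2(line)
        if hit is None:
            continue
        src, host, path, botid = hit
        rec = by_src.setdefault(src, {"hosts": set(), "paths": set(), "botids": set()})
        rec["hosts"].add(host)
        rec["paths"].add(path)
        if botid:
            rec["botids"].add(botid)
    return by_src

if __name__ == "__main__":
    for src, rec in scan(SAMPLE_LOG).items():
        print(src, sorted(rec["botids"]), sorted(rec["hosts"]), len(rec["paths"]), "endpoints")
```

The looser path-shape match is what catches the second host: a device that registers with one C2 and later uploads VNC frames to another is still reported as a single infection. If the shape rule proves too noisy in a given environment, require the botid parameter as well before raising the alert.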

 

  • The malware contains a large number of classes and strings with random names, which are there to make analysis harder for researchers:

 

  • There is an HTML file in the assets folder titled startaccessibility.html, but it contains only HTML tags with no real content. Another file, welcome.html, contains the content shown when the Accessibility Service request is made. This suggests that the malware is still under construction or that this is a test version:

 

  • There is a hardcoded URL within the code - http[:]//melanieparker.42web.io - which has now been taken down

 

Overall, this malware can do a great many things once it infects a device. The power of Accessibility Services is on display: once the user grants that one permission, the malware grants itself a number of further permissions and performs a multitude of actions.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Spy.ES

 

Indicators of Compromise:

 


Traces of an Android malware yet again lead to a Github repository

SonicWall Threats Research team identified yet another Github repository that may have been used to create and release an Android malware in the wild; this time it is AndroRAT.

Specifics for the sample that was identified in the wild:

  • MD5: f1d83d43b21478c349f2ee515aef4271
  • Application Name: Google Service Framework
  • Package Name: com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI

 

Using this repository, a malicious app can be configured with the following options:

 

We created a test app using this repository and compared its code with that of the sample. The code looks identical:

The sample was created with the following options, as can be seen from its config class:

 

The application requests a number of permissions, some of which give access to sensitive user information:

  • RECEIVE_BOOT_COMPLETED
  • WAKE_LOCK
  • CAMERA
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • READ_CALL_LOG
  • RECORD_AUDIO
  • SYSTEM_ALERT_WINDOW

 

The application contains a multitude of malicious functions and accepts commands from the attacker, some of which are listed below:

  • exit
  • camList
  • takepic
  • shell
  • getClipData
  • deviceInfo
  • help
  • clear
  • getSimDetails
  • getIP
  • vibrate
  • getSMS
  • getLocation
  • startAudio
  • stopAudio
  • startVideo
  • stopVideo
  • getCallLogs
  • getMACAddress

Commands are visible in the code as shown:

 

We configured a test AndroRAT sample to understand further how this malware works. Configuring it and listening for incoming connections quickly gave us a shell once the malware was executed on the infected device:

 

Commands can now be executed on the infected device; for instance, running 'deviceInfo' gave us details of the infected device:

 

Overall, this threat is a potent spyware and Remote Access Tool (RAT). Though its features are limited, considerable personally identifiable information (PII) can be extracted from an infected device, and the fact that this RAT is freely available on Github is a cause for concern.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androrat.PN

 

Indicators of Compromise:

  • f1d83d43b21478c349f2ee515aef4271

 

 


Github hosted Android ransomware being misused in the wild

Github is a platform commonly used to host open-source projects, many of which are security focused. SonicWall Threats Research team recently identified an Android ransomware that is hosted on Github as an educational project.

 

Initial Discovery

We identified an Android apk (MD5: 6dc068db642247295e96437d8aca60a0) as malicious and, upon inspecting its code, found some interesting breadcrumbs that led us to the Github repository from which this threat originates. A simple search for the threat's package name, com.termuxhackers.id, led us to the following Github repository:

 

One of the repositories hosted here is SARA - Simple Android Ransomware Attack:

 

We identified a number of malicious apps on several platforms that were spawned from this codebase. Many of them masquerade as popular legitimate applications; a few are listed below:

In total we identified more than 200 apps that have been created using this codebase.

 

Creating the ransomware

While building the apk, the kit asks the user to enter an unlock code:

 

Once executed, a screen with the user-entered text is overlaid on the display and the victim cannot use the phone. Strings from strings.xml in the app's resource folder are used on the ransom screen.

 

 

The unlock key is hardcoded in plaintext within the apk; it is the key entered by the user during app creation:
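Because the unlock key and the ransom text live in plaintext resources, an analyst can recover them for a victim without any dynamic analysis. The same holds for the locker described earlier on this page, whose key sits in the code under a "password" field. The added example below is not code from either post: it walks a decoded res/values/strings.xml, picks out string resources whose names suggest a key or password and whose values look like a short code, and separately collects strings that read like a ransom note. The strings.xml it parses is constructed for this example, and the wallet address in it is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Resource names that tend to hold the unlock secret in these kits.
KEY_NAME = re.compile(r"(pass|pwd|key|code|unlock|pin)", re.I)
# A short code: digits, letters and a few symbols, 4 to 32 characters.
KEY_VALUE = re.compile(r"^[A-Za-z0-9@#$_-]{4,32}$")
# Vocabulary that shows up in lock-screen ransom text.
RANSOM_WORDS = re.compile(r"(bitcoin|btc|wallet|ransom|locked|unlock|pay|telegram|instagram|whatsapp)", re.I)

# Constructed res/values/strings.xml for the example (not from the analyzed samples).
SAMPLE_STRINGS_XML = """<resources>
  <string name="app_name">Free Followers</string>
  <string name="password">1234</string>
  <string name="ransom_title">Your phone is locked</string>
  <string name="ransom_body">Send 50 BTC to wallet 1ExampleWalletAddressNotReal and message us on Instagram to unlock</string>
  <string name="ok">OK</string>
  <string name="server_key">k3y-2023</string>
</resources>
"""

def scan_strings(xml_text):
    """Return candidate unlock keys and ransom-note strings from a strings.xml."""
    root = ET.fromstring(xml_text)
    keys, notes = [], []
    for s in root.iter("string"):
        name, value = s.get("name", ""), (s.text or "").strip()
        if KEY_NAME.search(name) and KEY_VALUE.match(value):
            keys.append((name, value))
        elif RANSOM_WORDS.search(value) and len(value) >= 15:
            notes.append((name, value))
    return {"candidate_keys": keys, "ransom_text": notes}

if __name__ == "__main__":
    report = scan_strings(SAMPLE_STRINGS_XML)
    for name, value in report["candidate_keys"]:
        print("key?  %-12s %s" % (name, value))
    for name, value in report["ransom_text"]:
        print("note  %-12s %s" % (name, value))
```

A kit that puts the key in a Java constant rather than a resource, as the locker earlier on this page does, will not show up in strings.xml; run the same name and value heuristics over the decompiled class constants in that case. Any key recovered this way should be tried on the lock screen before the device is wiped, since these lockers do not encrypt user data.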

 

We analyzed a number of malicious apks; one instance in particular stood out, demanding a ransom of 50 BTC:

 

Overall, this repository was created and distributed on Github for what appears to be educational purposes. However, we identified a high number of apps created from it that carry legitimate app icons and application names. Whether these were created as a prank, with malicious intent, or to legitimately learn how ransomware works is yet to be determined.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Termux.RSM

 

Indicators of Compromise:

  • 00dc92f14326c7b0e87e877bfd12a7df
  • 6b9157e059da44f13843e682ac3bcba7
  • 6dc068db642247295e96437d8aca60a0