Android Malware impersonates Google Update Application with old traits
SonicWall Capture Labs Threats Research team has been regularly sharing information about malware, including spyware, targeting Android devices. SonicWall has tracked down a large number of fake applications disguised as legitimate Google update applications.
Fig 1: Fake Google Update applications
A new version of this spyware has recently been submitted to malware-sharing platforms such as VirusTotal.
Fig 2: VirusTotal submission history
Most of the fake malicious Google updater apps share common spyware behaviour, and a few of them also work as banking trojans.
After installation, the apps ask for Accessibility permission and then hide from the app drawer.
Fig 3: App Installation & Accessibility permission
It collects the following data from the device and saves the tracked information in a corresponding .json file. It then establishes a socket connection with the C&C server “help.domainoutlet.site” and sends the device information as a JSON file.
- Call logs
- Call Recording
- Device Info
- Device Contact
Fig 4: Storing contact details in JSON file
In some cases, alongside the spyware activities it also acts as a banking trojan, for example the sample with SHA-256 fb3837dc602c3f51939891b75a34d706bbefa73f822cffffeb1b863a6526bf95.
A Dex file containing the malicious banking trojan code is loaded dynamically at runtime.
Fig 5: Load Dex file
It enumerates the installed applications and compares them against a list of specific package names, mainly banking and cryptocurrency apps (350+ apps). Once it determines that one of these apps is in use, it can carry out an overlay attack: it places a fake page that mimics the legitimate app's screen on top of the real app in order to steal the credentials the victim enters.
Fig 6: Checking installed apps
Fig 7: Load WebView for overlay attack
Fig 8: List of targeted apps
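As an added example (not SonicWall's code and not extracted from the sample), the following Python script performs a static triage of a decoded AndroidManifest.xml and flags the traits described above: Google-branded label under a non-Google package, an accessibility service, the permissions behind call-log, call-recording and contact collection, and the overlay plus installed-app-enumeration capability used by the banking module. The manifest, package name and service name below are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest imitating the traits of the fake updater family (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.update.service">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Google Update">
    <service android:name=".Acc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Permissions that map onto the data this spyware is reported to collect.
SPYWARE_PERMS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "call recording",
    "android.permission.READ_CONTACTS": "device contacts",
}

def triage_manifest(xml_text):
    """Return a list of human-readable findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    # Trait 1: Google branding while not shipped under a Google package name.
    if "google" in label.lower() and not pkg.startswith("com.google."):
        findings.append(f"label '{label}' impersonates Google but package is {pkg}")
    # Trait 2: an accessibility service, which this family asks to enable right after install.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("declares an accessibility service")
    # Trait 3: permissions matching the collected call logs, recordings and contacts.
    for perm, what in SPYWARE_PERMS.items():
        if perm in perms:
            findings.append(f"requests {perm} ({what})")
    # Trait 4: overlay drawing plus installed-app enumeration, as used by the banking module.
    if {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.QUERY_ALL_PACKAGES"} <= perms:
        findings.append("can draw overlays and enumerate installed apps (overlay attack capability)")
    return findings
```

Run it over the manifest produced by an APK decoder such as apktool; each finding alone is not proof of malice, but the combination matches the behaviour described in this write-up.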
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):