
Android malware steals your Google Authenticator codes
SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card details and Google Authenticator codes from Android devices. The malware impersonates well-known Android apps by reusing their icons, tricking victims into installing the malicious app on their device. The malicious apps have been seen using the following icons:
Fig 1: Malware using famous app icons
We also noticed that most of these malicious apps are fairly new and were only recently submitted to malware-sharing platforms such as VirusTotal.
Fig 2: Latest sample found on VT
Infection cycle
The high-risk permissions requested by these apps are listed below:
- READ_SMS
- READ_CALL_LOG
- READ_CONTACTS
- READ_EXTERNAL_STORAGE
- WRITE_EXTERNAL_STORAGE
- CAMERA
- RECORD_AUDIO
- ACCESS_FINE_LOCATION
- REQUEST_INSTALL_PACKAGES
- CALL_PHONE
After installation, the app asks the victim to enable its accessibility service. An accessibility service can read the content of other apps' screens and perform actions on the user's behalf, so once this option is enabled the malware can interfere with attempts to remove it, and it becomes difficult to uninstall the application from the device.
Fig 3: Installed malicious app
Fig 4: Accessibility permission
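The permission set above and the declared accessibility service are both visible in the APK's manifest before the app is ever run, so they make a cheap static triage signal. The following Python block is an added example, not code from the original report or from SonicWall; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the package name, service name and sample manifests are constructed for the illustration. It counts how many of the report's high-risk permissions an app requests and checks whether any service is protected by BIND_ACCESSIBILITY_SERVICE, which is how an accessibility service is declared.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# High-risk permissions called out in the report. No single one is proof of
# malice; the combination, together with an accessibility service, is the signal.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.CALL_PHONE",
}

# A service that the system binds as an accessibility service must declare this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str, threshold: int = 5) -> dict:
    """Return the risky permissions, accessibility services and a verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(A + "name") for el in root.iter("uses-permission") if el.get(A + "name")
    }
    risky = sorted(requested & HIGH_RISK_PERMISSIONS)
    accessibility_services = [
        svc.get(A + "name")
        for svc in root.iter("service")
        if svc.get(A + "permission") == ACCESSIBILITY_BIND
    ]
    # Verdict: many sensitive permissions AND an accessibility service, as in this campaign.
    suspicious = len(risky) >= threshold and bool(accessibility_services)
    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "accessibility_services": accessibility_services,
        "suspicious": suspicious,
    }


# Constructed sample manifests (hypothetical package and service names, not from the real samples).
SAMPLE_MALICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Fake App">
    <service android:name="com.example.fakeapp.SpyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("malicious", SAMPLE_MALICIOUS_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

The threshold is a tuning knob, not a rule: legitimate messaging or backup apps also request several of these permissions, so the accessibility-service condition is what keeps the false-positive rate tolerable.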
The malicious application connects to its Command-and-Control (C&C) server, receives commands and executes the corresponding operations, as shown in the image below:
In its web data store, the malware creates a database in which it keeps the victim's personal information and card details.
Fig 6: Database created for storing information
Google Authenticator generates the one-time codes used for two-factor authentication (2FA), which strengthens account security by requiring a second verification step when a user signs in. This malware defeats that extra layer by abusing the accessibility service, which lets it read the codes that Google Authenticator displays on screen.
Fig 7: Stealing Google authenticator code
This malware also sends the victim's current location to its remote C&C server.
The malware is also capable of taking screenshots of the victim's device and sending them to the C&C server.
Fig 9: Malware capture screenshots
It stores the C&C server's details, such as the host address (192.168.110.93) and port number (33660), in base64-encoded form. Note that 192.168.110.93 is a private (RFC 1918) address, which suggests the analysed sample was built to talk to a server on a local test network rather than to an Internet-reachable C&C.
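Because the host and port are only base64-encoded rather than encrypted, they can be recovered from a strings dump of the APK without running it. The Python block below is an added example, not the report's or SonicWall's own tooling; the strings dump it scans is constructed to resemble what `strings` would print over a classes.dex (the encoded host and port are the values from the report, the surrounding tokens are made up). It decodes every base64-looking token, keeps only those that decode to printable ASCII, and picks out the ones that look like an IPv4 address or a port, then flags private addresses so the analyst knows the sample may be pointing at a lab server.

```python
import base64
import binascii
import ipaddress
import re

# Runs of base64 alphabet characters with optional padding; plain identifiers also match
# here, which is why the length and decode checks below are needed.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
PORT = re.compile(r"^\d{1,5}$")


def decode_candidates(blob: bytes) -> list:
    """Return (token, decoded_text) pairs for every token that decodes to printable ASCII."""
    out = []
    for m in B64_TOKEN.finditer(blob):
        tok = m.group(0)
        if len(tok) % 4:
            continue  # valid base64 is always padded to a multiple of 4
        try:
            dec = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            txt = dec.decode("ascii")
        except UnicodeDecodeError:
            continue  # identifiers that happen to be base64-shaped decode to binary junk
        if txt and txt.isprintable():
            out.append((tok.decode("ascii"), txt))
    return out


def find_c2(blob: bytes) -> tuple:
    """Split decoded strings into candidate IPv4 hosts and candidate TCP ports."""
    hosts, ports = [], []
    for _tok, txt in decode_candidates(blob):
        if IPV4.match(txt):
            hosts.append(txt)
        elif PORT.match(txt) and 0 < int(txt) <= 65535:
            ports.append(int(txt))
    return hosts, ports


def is_private_ipv4(ip: str) -> bool:
    """True for RFC 1918 and other non-routable addresses, i.e. a lab rather than a live C&C."""
    return ipaddress.ip_address(ip).is_private


# Constructed strings dump: the two encoded values are the report's host and port, the rest is filler.
SAMPLE_STRINGS = b"""
Ljava/lang/String;
getDeviceId
MTkyLjE2OC4xMTAuOTM=
MzM2NjA=
Y29ubmVjdA==
onAccessibilityEvent
"""

if __name__ == "__main__":
    hosts, ports = find_c2(SAMPLE_STRINGS)
    for h in hosts:
        print(h, "private" if is_private_ipv4(h) else "routable")
    print("ports:", ports)
```

The heuristics are deliberately loose: any short decimal string will be reported as a port candidate, so the output is a lead for the analyst to confirm against the code that opens the socket, not a verdict.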
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):
0ef96f5ce66266f55d4e17f9985c4c929633a972e587ced8b000b3910ffb3303
115ee615a45d4645e805da20ba3ccb26c7383cc52f3df16506b522ca3a009235
46a3badfa5682d2d862618933155fa04cc64690d5588ea06089670e222ba36b4
72db4117f73c566a8a98fe27d00dc645e319a98217fa7fc5992138e70af8574a
7e5d28e9663fc6d2c5badc7a660058e2bf69b410791f01709177590c65944db1
ca310362727d0416ce6ec24a90409ad2c8d9cdaf95f6236a759ac31eb2a8cb0f
cea371b7bdd44271b20194248431c45f03bd66c4b7f7abad8404ca611a27565c
f815b1c1b51810bd331eb75d30fabbbad2237011c8cd242c5655bfca304c978a