Android malware steals your Google Authenticator codes

March 8, 2023

SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card information, and google authenticator code on Android devices. This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their device. This malicious app may use the following icons:

Fig 1: Malware using famous app icons

 

We also noticed that most of these malicious apps are fairly new and have recently been submitted over malware sharing platforms like Virus Total.

Fig 2: Latest sample found on VT

 

Infection cycle

The critical permissions used in these apps are mentioned below:

  • READ_SMS
  • READ_CALL_LOG
  • READ_CONTACTS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • CAMERA
  • RECORD_AUDIO
  • ACCESS_FINE_LOCATION
  • REQUEST_INSTALL_PACKAGES
  • CALL_PHONE

After installation, it asks the victim to enable the accessibility service. Once this option is enabled it becomes difficult to uninstall the application from the device.

Fig 3: Installed malicious app

 

Fig 4: Accessibility permission

 

The malicious application connects to the Command-and-Control server and receives commands to execute operations accordingly, as shown in the image below:

Fig 5: C&C server

 

In web data, it creates a database where it stores the victim’s personal information and card details.

Fig 6: Database created for storing information

 

Google Authenticator generates two-factor authentication (2FA), which provides stronger security for Accounts & requires a second step of verification when a user signs in. This malware manages to evade additional layers of security by getting 2FA codes with the help of Accessibility services.

Fig 7: Stealing Google authenticator code

 

This malware also sends details of current location of the victim to its remote C&C server.

Fig 8: Latest location info

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.


Fig 9: Malware capture screenshots

 

It stores C&C server’s details like Host address (192.168.110.93) and port number (33660) in base64 encoded form.

Fig 10: Network connection

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOC):

0ef96f5ce66266f55d4e17f9985c4c929633a972e587ced8b000b3910ffb3303

115ee615a45d4645e805da20ba3ccb26c7383cc52f3df16506b522ca3a009235

46a3badfa5682d2d862618933155fa04cc64690d5588ea06089670e222ba36b4

72db4117f73c566a8a98fe27d00dc645e319a98217fa7fc5992138e70af8574a

7e5d28e9663fc6d2c5badc7a660058e2bf69b410791f01709177590c65944db1

ca310362727d0416ce6ec24a90409ad2c8d9cdaf95f6236a759ac31eb2a8cb0f

cea371b7bdd44271b20194248431c45f03bd66c4b7f7abad8404ca611a27565c

f815b1c1b51810bd331eb75d30fabbbad2237011c8cd242c5655bfca304c978a

46a3badfa5682d2d862618933155fa04cc64690d5588ea06089670e222ba36b4