Christmas themed Android malware/adware for 2019

December 23, 2019

The Christmas season brings new targets and themes for malware writers, they use these themes to lure and infect new victims. SonicWall Capture Labs Threats Research team searched for Christmas themed Android samples with malicious intentions.

We scanned popular threat portals for Android samples with keywords like ‘Christmas’, ‘Santa Claus’, ‘Holidays’, etc.  We observed the following trends among Android samples with detection. The number of Christmas themed samples increases as we near the month of December:

 

 

  • MD5: dec0a7b5e450139ae1bfcf7e80e9fc8e
  • Package Name: com.amphibius.santa_vs_zombies1

After installation and execution the app displays the menu screen, in the background it communicates with the domain apir.direct-tap.com:

VirusTotal relations show a number of apps with malicious rating communicate with the domain apir.direct-tap.com:

Once we exit from the app, we observed a shortcuts created on the homescreen:

We observed this app was present in the assets folder and are locally stored at /storage/emulated/0/temp1/:

Once the app shortcut is clicked, a Google Play Protect prompt that requests the user to grant permission to allow the installation of this app from a custom source:

This is dangerous as it is a security risk to install apps from sources other than the Play store.

 

  • MD5: 26fbbe52012d9ba69215892fa32d9fee
  • Package Name:com.infovine.yo.app

After installation and execution this app displays a screen with very few options to click:

In the background the app sends sensitive information about the device to the domain gamedroid.pm. This domain has been observed to communicate with malicious Android apps:

On clicking the ‘proceed’ button a GET request goes out to despfans.com/minionrushcheats.apk. This domain is currently down so the apk was not downloaded:

Like the previous app that was analyzed, this app shows a shortcut on the screen as well. Upon clicking this shortcut an attempt is made to download an apk from the domain antivirus-pro.us. Since this domain is currently unregistered the app is not downloaded:

This domain was scanned in the past to host malicious apps:

 

 

  • MD5: 63b99543b9f87e7718fe5804868fa8c5
  • Package Name: com.gogyimogyi.livewallpaper.goldchristmas3d 

We encountered a number of samples with high number of detection ratio on VirusTotal as AirPush adware. These samples contain the AirPush advertisement library which likely triggered detections for these samples.

VirusTotal graph below for the domain api.airpush.com shows a large number of samples with high detection ratio communicating with this domain:

Malware writers hide malicious applications under the guise of what is popular currently. With Christmas almost upon us, we are seeing increasing number of malicious Christmas themed Android apps.

SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.InstallApk.GM
  • AndroidOS.Downloader.DN
  • AndroidOS.Airpush.AD_2