Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully-supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin, from the hottest startups to Fortune 500 companies. (Twitter, Uber, Pinterest)

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

Subsequently, after launching Swift Cleaner, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to the particular number that is given by the C&C server. The app initiates this to check for a SIM card presence and if mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a way of mobile billing where user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play store. By using a quality mobile anti-malware scanner as second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.

Go to Source
Author: Gleb Malygin

Drive-by cryptomining campaign targets millions of Android users

Malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples—are increasingly plaguing Android users. In many cases, this is made worse by the fact that people often don’t use web filtering or security applications on their mobile devices.

A particular group is seizing this opportunity to deliver one of the most lucrative payloads at the moment: drive-by cryptomining for the Monero (XMR) currency. In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser cryptomining.

In our previous research on drive-by mining, we defined this technique as automated, without user consent, and mostly silent (apart from the noise coming out of the victim’s computer fan when their CPU is clocked at 100 percent). Here, however, visitors are presented with a CAPTCHA to solve in order to prove that they aren’t bots, but rather real humans.

“Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha.”

Until the code (w3FaSO5R) is entered and you press the Continue button, your phone or tablet will be mining Monero at full speed, maxing out the device’s processor.

Redirection mechanism

The discovery came while we were investigating a separate malware campaign dubbed EITest in late January. We were testing various malvertising chains that often lead to tech support scams with an Internet Explorer or Chrome user-agent on Windows. However, when we switched to an Android, we were redirected via a series of hops to that cryptomining page.

It seems odd that a static code (which is also hardcoded in the page’s source) would efficiently validate traffic between human and bot. Similarly, upon clicking the Continue button, users are redirected to the Google home page, another odd choice for having proved you were not a robot.

While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.

It’s possible that this particular campaign is going after low quality traffic—but not necessarily bots —and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

We identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site keys (see our indicators of compromise for the full details). The first one was registered in late November 2017, and new domains have been created since then, always with the same template.

Domain name, registration date

Traffic stats

We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope behind this campaign. We shared two of the most active sites with ad fraud researcher Dr. Augustine Fou, who ran some stats via the SimilarWeb web analytics service. This confirmed our suspicions that the majority of traffic came via mobile and spiked in January.

We estimate that the traffic combined from the five domains we identified so far equals to about 800,000 visits per day, with an average time of four minutes spent on the mining page. To find out the number of hashes that would be produced, we could take a conservative hash rate of 10 h/s based on a benchmark of ARM processors.

It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over.

Conclusion

The threat landscape has changed dramatically over the past few months, with many actors jumping on the cryptocurrency bandwagon. Malware-based miners, as well as their web-based counterparts, are booming and offering online criminals new revenue sources.

Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, but also via redirects and pop-unders. We strongly advise users to run the same security tools they have on their PC on their mobile devices, because unwanted cryptomining is not only a nuisance but can also cause permanent damage.

Malwarebytes mobile users are protected against this threat.

Indicators of compromise

Domains:

rcyclmnr[].com
rcylpd[.]com
recycloped[.]com
rcyclmnrhgntry[.]com
rcyclmnrepv[.]com

Referring websites (please note that they should not be necessarily considered malicious):

panelsave[.]com
offerreality[.]com
thewise[.]com
go.bestmobiworld[.]com
questionfly[.]com
goldoffer[.]online
exdynsrv[.]com
thewhizmarketing[.]com
laserveradedomaina[.]com
thewhizproducts[.]com
smartoffer[.]site
formulawire[.]com
machieved[.]com
wtm.monitoringservice[.]co
traffic.tc-clicks[.]com
stonecalcom[.]com
nametraff[.]com
becanium[.]com
afflow.18-plus[.]net
serie-vostfr[.]com
pertholin[.]com
yrdrtzmsmt[.]com
yrdrtzmsmt.com
traffic.tc-clicks[.]com

Conhive site keys:

gufKH0i0u47VVmUMCga8oNnjRKi1EbxL
P3IN11cxuF4kf2kviM1a7MntCPu00WTG
zEqkQef50Irljpr1X3BqbHdGjMWnNyCd
rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq

The post Drive-by cryptomining campaign targets millions of Android users appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Skygofree: New Government Malware for Android

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.

We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.

Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.

We named the malware Skygofree, because we found the word in one of the domains*.

Malware Features

Android

According to the observed samples and their signatures, early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since.

Signature of one of the earliest versions

The code and functionality have changed numerous times; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device. We have examined all the detected versions, including the latest one that is signed by a certificate valid from September 14, 2017.

The implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.

After manual launch, it shows a fake welcome notification to the user:

Dear Customer, we’re updating your configuration and it will be ready as soon as possible.

At the same time, it hides an icon and starts background services to hide further actions from the user.

Service Name Purpose
AndroidAlarmManager Uploading last recorded .amr audio
AndroidSystemService Audio recording
AndroidSystemQueues Location tracking with movement detection
ClearSystems GSM tracking (CID, LAC, PSC)
ClipService Clipboard stealing
AndroidFileManager Uploading all exfiltrated data
AndroidPush XMPP С&C protocol (url.plus:5223)
RegistrationService Registration on C&C via HTTP (url.plus/app/pro/)

Interestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it:

Cybercriminals have the ability to control the implant via HTTP, XMPP, binary SMS and FirebaseCloudMessaging (or GoogleCloudMessaging in older versions) protocols. Such a diversity of protocols gives the attackers more flexible control. In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. Here are some of the most notable:

  • ‘geofence’ – this command adds a specified location to the implant’s internal database and when it matches a device’s current location the malware triggers and begins to record surrounding audio.
  • ”social” – this command that starts the ‘AndroidMDMSupport’ service – this allows the files of any other installed application to be grabbed. The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools. The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading.

    Several hardcoded applications targeted by the MDM-grabbing command

  • ‘wifi’ – this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled. So, when a device connects to the established network, this process will be in silent and automatic mode. This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle (MitM) attacks.

    addWifiConfig method code fragments

  • ‘camera’ – this command records a video/capture a photo using the front-facing camera when someone next unlocks the device.

Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices. There is a ‘protected apps’ list in this brand’s smartphones, related to a battery-saving concept. Apps not selected as protected apps stop working once the screen is off and await re-activation, so the implant is able to determine that it is running on a Huawei device and add itself to this list. Due to this feature, it is clear that the developers paid special attention to the work of the implant on Huawei devices.

Also, we found a debug version of the implant (70a937b2504b3ad6c623581424c7e53d) that contains interesting constants, including the version of the spyware.

Debug BuildConfig with the version

After a deep analysis of all discovered versions of Skygofree, we made an approximate timeline of the implant’s evolution.

Mobile implant evolution timeline

However, some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection. Below is a list of the payloads used by the Skygofree implant in the second and third stages.

Reverse shell payload

The reverse shell module is an external ELF file compiled by the attackers to run on Android. The choice of a particular payload is determined by the implant’s version, and it can be downloaded from the command and control (C&C) server soon after the implant starts, or after a specific command. In the most recent case, the choice of the payload zip file depends on the device process architecture. For now, we observe only one payload version for following the ARM CPUs: arm64-v8a, armeabi, armeabi-v7a.

Note that in almost all cases, this payload file, contained in zip archives, is named ‘setting’ or ‘setting.o’.

The main purpose of this module is providing reverse shell features on the device by connecting with the C&C server’s socket.

Reverse shell payload

The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘54.67.109.199’ and ‘30010’ in some versions:

Alternatively, they could be hardcoded directly into the payload code:

We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path.

Equipped reverse shell payload with specific string

After an in-depth look, we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on Github.

Reverse shell payload from update_dev.zip

Exploit payload

At the same time, we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges. According to several timestamps, this payload is used by implant versions created since 2016. It can also be downloaded by a specific command. The exploit payload contains following file components:

Component name Description
run_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF
db Sqlite3 tool ELF
device.db Sqlite3 database with supported devices and their constants needed for privilege escalation

‘device.db’ is a database used by the exploit. It contains two tables – ‘supported_devices’ and ‘device_address’. The first table contains 205 devices with some Linux properties; the second contains the specific memory addresses associated with them that are needed for successful exploitation. You can find a full list of targeted models in the Appendix.

Fragment of the database with targeted devices and specific memory addresses

If the infected device is not listed in this database, the exploit tries to discover these addresses programmatically.

After downloading and unpacking, the main module executes the exploit binary file. Once executed, the module attempts to get root privileges on the device by exploiting the following vulnerabilities:

CVE-2013-2094
CVE-2013-2595
CVE-2013-6282
CVE-2014-3153 (futex aka TowelRoot)
CVE-2015-3636

Exploitation process

After an in-depth look, we found that the exploit payload code shares several similarities with the public project android-rooting-tools.

Decompiled exploit function code fragment

run_with_mmap function from the android-rooting-tools project

As can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code.

Busybox payload

Busybox is public software that provides several Linux tools in a single ELF file. In earlier versions, it operated with shell commands like this:

Stealing WhatsApp encryption key with Busybox

Social payload

Actually, this is not a standalone payload file – in all the observed versions its code was compiled with exploit payload in one file (‘poc_perm’, ‘arrs_put_user’, ‘arrs_put_user.o’). This is due to the fact that the implant needs to escalate privileges before performing social payload actions. This payload is also used by the earlier versions of the implant. It has similar functionality to the ‘AndroidMDMSupport’ command from the current versions – stealing data belonging to other installed applications. The payload will execute shell code to steal data from various applications. The example below steals Facebook data:

All the other hardcoded applications targeted by the payload:

Package name Name
jp.naver.line.android LINE: Free Calls & Messages
com.facebook.orca Facebook messenger
com.facebook.katana Facebook
com.whatsapp WhatsApp
com.viber.voip Viber

Parser payload

Upon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications. The case where we observed this involved WhatsApp.

In the examined version, it was downloaded from:

hxxp://url[.]plus/Updates/tt/parser.apk

The payload can be a .dex or .apk file which is a Java-compiled Android executable. After downloading, it will be loaded by the main module via DexClassLoader api:

As mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages:

Note that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a request with a phishing text displayed to the user to obtain such permission.

Windows

We have found multiple components that form an entire spyware system for the Windows platform.

Name MD5 Purpose
msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module, reverse shell
network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data
system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic
update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging
wow.exe 16311b16fd48c1c87c6476a455093e7a Screenshot capturing
skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3

All modules, except skype_sync2.exe, are written in Python and packed to binary files via the Py2exe tool. This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries.

msconf.exe is the main module that provides control of the implant and reverse shell feature. It opens a socket on the victim’s machine and connects with a server-side component of the implant located at 54.67.109.199:6500. Before connecting with the socket, it creates a malware environment in ‘APPDATA/myupd’ and creates a sqlite3 database there – ‘myupd_tmp\\mng.db’:

CREATE TABLE MANAGE(ID INT PRIMARY KEY NOT NULL,Send INT NOT NULL, Keylogg INT NOT NULL,Screenshot INT NOT NULL,Audio INT NOT NULL);
INSERT INTO MANAGE (ID,Send,Keylogg,Screenshot,Audio) VALUES (1, 1, 1, 1, 0 )

Finally, the malware modifies the ‘Software\Microsoft\Windows\CurrentVersion\Run’ registry key to enable autostart of the main module.

The code contains multiple comments in Italian, here is the most noteworthy example:

“Receive commands from the remote server, here you can set the key commands to command the virus”

Here are the available commands:

Name Description
cd Change current directory to specified
quit Close the socket
nggexe Execute received command via Python’s subprocess.Popen() without outputs
ngguploads Upload specified file to the specified URL
nggdownloads Download content from the specified URLs and save to specified file
nggfilesystem Dump file structure of the C: path, save it to the file in json format and zip it
nggstart_screen
nggstop_screen
Enable/disable screenshot module. When enabled, it makes a screenshot every 25 seconds
nggstart_key
nggstop_key
Enable/disable keylogging module
nggstart_rec
nggstop_rec
Enable/disable surrounding sounds recording module
ngg_status Send components status to the C&C socket
*any other* Execute received command via Python’s subprocess.Popen(), output result will be sent to the C&C socket.

All modules set hidden attributes to their files:

Module Paths Exfiltrated data format
msconf.exe %APPDATA%/myupd/gen/ %Y%m%d-%H%M%S_filesystem.zip (file structure dump)
system.exe %APPDATA%/myupd/aud/ %d%m%Y%H%M%S.wav (surrounding sounds)
update.exe %APPDATA%/myupd_tmp/txt/
%APPDATA%/myupd/txt/
%Y%m%d-%H%M%S.txt (keylogging)
wow.exe %APPDATA%/myupd/scr/ %Y%m%d-%H%M%S.jpg (screenshots)
skype_sync2.exe %APPDATA%/myupd_tmp/skype/
%APPDATA%/myupd/skype/
yyyyMMddHHmmss_in.mp3
yyyyMMddHHmmss_out.mp3
(skype calls records)

Moreover, we found one module written in .Net – skype_sync2.exe. The main purpose of this module is to exfiltrate Skype call recordings. Just like the previous modules, it contains multiple strings in Italian.

After launch, it downloads a codec for MP3 encoding directly from the C&C server:

http://54.67.109.199/skype_resource/libmp3lame.dll

The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string:

\\vmware-host\Shared
Folders\dati\Backup\Projects\REcodin_2\REcodin_2\obj\x86\Release\REcodin_2.pdb

network.exe is a module for submitting all exfiltrated data to the server. In the observed version of the implant it doesn’t have an interface to work with the skype_sync2.exe module.

network.exe submitting to the server code snippet

Code similarities

We found some code similarities between the implant for Windows and other public accessible projects.

  • https://github.com/El3ct71k/Keylogger/

It appears the developers have copied the functional part of the keylogger module from this project.

update.exe module and Keylogger by ‘El3ct71k’ code comparison

update.exe module and Xenotix Python Keylogger code comparison

‘addStartup’ method from msconf.exe module

‘addStartup’ method from Xenotix Python Keylogger

Distribution

We found several landing pages that spread the Android implants.

Malicious URL Referrer Dates
http://217.194.13.133/tre/internet/Configuratore_3.apk http://217.194.13.133/tre/internet/ 2015-02-04 to
present time
http://217.194.13.133/appPro_AC.apk 2015-07-01
http://217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html 2015-01-20 to
present time
http://217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone%20Configuratore.apk http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active
http://vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http://vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04
http://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk http://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14
http://windupdate.serveftp.com/wind/LTE/WIND%20Configuratore%20v5_4_2.apk http://windupdate.serveftp.com/wind/LTE/ 2015-03-31
http://119.network/lte/Internet-TIM-4G-LTE.apk http://119.network/lte/download.html 2015-02-04
2015-07-20
http://119.network/lte/Configuratore_TIM.apk 2015-07-08

Many of these domains are outdated, but almost all (except one – appPro_AC.apk) samples located on the 217.194.13.133 server are still accessible. All the observed landing pages mimic the mobile operators’ web pages through their domain name and web page content as well.

Landing web pages that mimic the Vodafone and Three mobile operator sites

NETWORK CONFIGURATION
** AGG. 2.3.2015 ***
Dear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration. Download the update now and keep on navigating at maximum speed!
DOWNLOAD NOW
Do you doubt how to configure your smartphone?
Follow the simple steps below and enter the Vodafone Fast Network.
Installation Guide
Download
Click on the DOWNLOAD button you will find on this page and download the application on your smartphone.
Set your Smartphone
Go to Settings-> Security for your device and put a check mark on Unknown Sources (some models are called Sources Unknown).
Install
Go to notifications on your device (or directly in the Downloads folder) and click Vodafone Configuration Update to install.
Try high speed
Restart your device and wait for confirmation sms. Your smartphone is now configured.

Further research of the attacker’s infrastructure revealed more related mimicking domains.

Unfortunately, for now we can’t say in what environment these landing pages were used in the wild, but according to all the information at our dsiposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks. For example, this could be when the victim’s device connects to a Wi-Fi access point that is infected or controlled by the attackers.

Artifacts

During the research, we found plenty of traces of the developers and those doing the maintaining.

  • As already stated in the ‘malware features’ part, there are multiple giveaways in the code. Here are just some of them:
ngglobal – FirebaseCloudMessaging topic name
Issuer: CN = negg – from several certificates
negg.ddns[.]net, negg1.ddns[.]net, negg2.ddns[.]net – C&C servers
NG SuperShell – string from the reverse shell payload
ngg – prefix in commands names of the implant for Windows

Signature with specific issuer

    • Whois records and IP relationships provide many interesting insights as well. There are a lot of other ‘Negg’ mentions in Whois records and references to it. For example:

Conclusions

The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform. As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.

Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam.

Notes

*Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky, and does not affect the Sky Go service or app.

 Skygofree Appendix — Indicators of Compromise (PDF)

Go to Source

The Service You Can’t Refuse: A Secluded HijackRAT

In Android world, sometimes you can’t stop malware from “serving”
you, especially when the “service” is actually a malicious Android
class running in the background and controlled by a remote access tool
(RAT). Recently, FireEye mobile security researchers have discovered
such a malware that pretends to be a “Google Service Framework” and
kills an anti-virus application as well as takes other malicious actions.

In the past, we’ve seen Android malware that execute privacy leakage,
banking credential theft, or remote access separately, but this sample
takes Android malware to a new level by combining all of those
activities into one app. In addition, we found the hacker has designed
a framework to conduct bank hijacking and is actively developing
towards this goal. We suspect in the near future there will be a batch
of bank hijacking malware once the framework is completed. Right now,
eight Korean banks are recognized by the attacker, yet the hacker can
quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the
attacker is, as the computer of the IP might be a victim as well, we
have found from the UI that both the malware developer and the victims
are Korean speakers.

Fig. 1. The structure of the HijackRAT malware.
Fig. 1. The structure of the HijackRAT malware.

The package name of this new RAT malware is “com.ll” and appears as
“Google Service Framework” with the default Android icon. Android
users can’t remove the app unless they deactivate its administrative
privileges in “Settings.” So far, the Virus Total score of the sample
is only five positive detections out of 54 AV vendors [1]. Such new
malware is published quickly partly because the CNC server, which the
hacker uses, changes so rapidly.

Fig. 2. The Virus Total detection of the malware
sample. [1]
Fig. 3. The fake “Google Service Framework” icon
in home screen.

A few seconds after the malicious app is installed, the “Google
Services” icon appears on the home screen. When the icon is clicked,
the app asks for administrative privilege. Once activated, the
uninstallation option is disabled and a new service named “GS” is
started as shown below. The icon will show “App isn’t
installed.” when the user tries to click it again and removes
itself from the home screen.

Fig. 4. The background service of the malware.
Fig. 4. The background service of the malware.

The malware has plenty of malicious actions, which the RAT can
command, as shown below.

8commands

Within a few minutes, the app connects with the CNC server and begins
to receive a task list from it:

get

The content is encoded by Base64 RFC 2045. It is a JSONObject with
content: {“task”: {“0”: 0}}, when decoded. The
server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if
it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL
is named after the device ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:

code-get

– “UPLOAD PRIVACY DETAILS”

The task list shown above will trigger the first malicious action of
“Upload Phone Detail.” When executed, the user’s private information
will be uploaded to the server using HTTP POST request. The
information contains phone number, device ID, and contact lists as
shown below in the network packet of the request:

post

When decoded, the content in the red and blue part of the PCap are
shown below respectively:

1. The red part:

post-pcap-decrypt1

2. The blue part:

post-pcap-decrypt2

The contact list shown above is already highly sensitive, yet,
if the user has installed some banking applications, the malware
will scan for them too.

In a testing device, we installed the eight Korean bank apps as
shown below:

Fig. 5. The eight banking apps.
Fig. 5. The eight banking apps.

When this was done,  we found the value of
“banklist” in the PCap is no longer listed as N/A anymore:

8banks-pcap

The “banklist” entry in the PCap is filled with the short names
of the banks that we installed. There is a map of the short names
and package names of the eight banking apps installed on the phone:

table

The map of the banks is stored in a database and used in another
malicious action controlled by the CNC server too.

– “POP WINDOW”

In this malicious action, the CNC server sends a command to
replace the existing bank apps. The eight banking apps require the
installation of “com.ahnlab.v3mobileplus,” which is a popular
anti-virus application available on Google Play. In order evade any
detections, the malware kills the anti-virus application before
manipulating the bank apps. In the code as shown below, Conf.LV is
the “com.ahnlab.v3mobileplus” being killed.

killav

Then, the malware app parses the banking apps that the user has
installed on the Android device and stores them in the database
under /data/data/com.ll/database/simple_pref. The red block below
shows the bank list stored in the database:

db8banks

Once the corresponding command is sent from the RAT, the
resolvePopWindow() method will be called and the device will pop a
Window with the message: “The new version has been released. Please
use after reinstallation.”

code-popwindow

The malware will then try to download an app, named after
“update” and the bank’s short name from the CNC server,
simultaneously uninstalling the real, original bank app.

code-install

In the code shown above, “mpath” contains the CNC server IP
(103.228.65.101) and path (determined by the RAT); “mbkname” is the
bank name retrieved from the SQL lite database. The fake APK (e.g.
“updateBH.apk”) is downloaded from the CNC server, however
we don’t know what the fake apps look like because during the research
the command for this malicious action was not executed from the RAT.
Yet the source of the “update*.apk” is definitely not certified by the
banks and might be harmful to the Android user.

– “UPDATE”

When the command to “update” is sent from the RAT, a similar app –
“update.apk” is downloaded from the CNC server and installed in the
Android phone:

code-update

– “UPLOAD SMS”

When the command to upload SMS is received from the RAT, the SMS of
the Android phone will be uploaded to the CNC server. The SMS has been
stored in the database once received:

code-uploadsms

code-savesms

Then the SMS is read from the database and uploaded to the CNC server
once the command is received:

code-uploadsmscnc

– “SEND SMS”

Similarly, when the sending SMS command is received, the contact list
is sent through SMS.

code-sendsms

– “BANK HIJACK”

Interesting enough, we found a partially finished method called “Bank
Hijack.” The code below partially shows how the BankHijack method
works. The malware reads the short bank name, e.g. “NH”, and then
keeps installing the updateNH.apk from the CNC server until it’s of
the newest version.

code-hijack

So far the part after the installation of the fake app is not
finished yet. We believe the hacker is having some problems finishing
the function temporarily.

code-hijack-half

As shown above, the hacker has designed and prepared for the
framework of a more malicious command from the CNC server once the
hijack methods are finished. Given the unique nature of how this app
works, including its ability to pull down multiple levels of personal
information and impersonate banking apps, a more robust mobile banking
threat could be on the horizon.

REFERENCE

__________________________________________________

[1] https://www.virustotal.com/intelligence

Go to Source
Author: Jinjian Zhai

Skygofree — a Hollywood-style mobile spy

Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.

We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.

Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.

However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also to intercept calls, SMS messages, calendar entries, and other user data.

The promise of fast Internet

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.

Forewarned is forearmed

To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributers can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:

  1. Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.
  2. If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.
  3. Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version scans must be run manually; the paid version scans automatically.

  1. We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.

Go to Source
Author: Anna Markovskaya

Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser

same-origin-policy-bypass

A critical vulnerability has been discovered in the browser app comes pre-installed on hundreds of millions of Samsung Android devices that could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site.

Identified as CVE-2017-17692, the vulnerability is Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version 5.4.02.3 and earlier.

The Same Origin Policy or SOP is a security feature applied in modern browsers that is designed to make it possible for web pages from the same website to interact while preventing unrelated sites from interfering with each other.

In other words, the SOP makes sure that the JavaScript code from one origin should not be able to access the properties of a website on another origin.

The SOP bypass vulnerability in the Samsung Internet Browser, discovered by Dhiraj Mishra, could allow a malicious website to steal data, such as passwords or cookies, from the sites opened by the victim in different tabs.

“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants,” researchers from security firm Rapid7 explained.

“This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first.”

Attackers can even snag a copy of your session cookie or hijack your session and read and write webmail on your behalf.

Mishra reported the vulnerability to Samsung, and the company replied that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.

Meanwhile, Mishra, with the help of Tod Beardsley and Jeffrey Martin from Rapid7 team, also released an exploit for Metasploit Framework.

Rapid7 researchers have also published a video demonstrating the attack.

Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, anyone with less technical knowledge can use and exploit the flaw on a large number of Samsung devices, most of which are still using the old Android Stock browser.

Go to Source

Mobile Menace Monday: upping the ante on Adups

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went about on our collective our ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which (unfortunately), FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices. Thus, by default it has system level privileges. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these systems apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.

Click to view slideshow.

Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution—it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

The post Mobile Menace Monday: upping the ante on Adups appeared first on Malwarebytes Labs.

Go to Source
Author: Nathan Collier

Loapi — this Trojan is hot!

Virus writers are creating all sorts of unpleasantness for Android device owners. We all know about the theft of personal data that later turns up on the black market. And about money leaking out of credit cards. But what about a Trojan that can make your device literally go up in smoke? Well, it’s here.

How does jack-of-all-trades Loapi operate

Users pick up the Loapi Trojan by clicking on an ad banner and downloading a fake AV or adult-content app (the most likely vehicles for this Trojan). After installation, Loapi demands administrator rights — and it doesn’t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK.

If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. And if the user tries to download apps that genuinely protect the device (for example, a real AV, not a fake one), Loapi declares them to be malware and demands their removal. Another notification to that effect pops up endlessly, until the user throws in the towel.

Icons of fake apps in which Loapi conceals itself

Because of Loapi’s modular structure, it can switch functions on the fly at a remote server’s command, downloading and installing the necessary add-ons all by itself. Let’s take a look at some consequences of an encounter with the new Trojan.

1. Unwanted ads

Loapi relentlessly plagues the owner of the infected smartphone with banner and video ads. This module of the Trojan can also download and install other apps, visit links, and open pages in Facebook, Instagram, and VKontakte — apparently to drive up various ratings.

2. Paid subscriptions

Another module of the Trojan can sign up users to paid services. Such subscriptions usually need to be confirmed by SMS — but that doesn’t stop Loapi either. It has yet another special module that sends a text message to the required number, and does so secretly. What’s more, all messages (both outgoing and incoming) are immediately deleted.

3. DDoS attacks

The Trojan can turn your phone into a zombie and hijack it to use in DDoS attacks against Web resources. To do so, it uses a built-in proxy server and sends HTTP requests from the infected device.

4. Cryptomining

Loapi also uses smartphones to mine Monero tokens. It is this activity that can overheat your device as a result of the prolonged operation of the processor at maximum load. During our research, the battery of the test smartphone overcooked 48 hours after the device was infected.

5. Downloading new modules

Now for the most interesting bit. At the command of a remote center, the malware can download new modules — that is, adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan. In the code of the current version, our experts discovered functions that have yet to be deployed and are clearly intended for use further down the line.

How to protect yourself from the Loapi Trojan

As is often the case, prevention is better than cure. To avoid swallowing the malware bait, observe some simple rules.

  • Install apps only from official stores. Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.
  • Disable the installation of apps from unknown sources for added security. To do so, in Settings go to Security and ensure that the Unknown sources check box is not selected.

  • Don’t install what you don’t really need. As a general rule, the fewer applications you install, the more secure your device is.
  • Get a reliable and proven AV for Android and regularly scan your device with it. Even free applications, such as the basic version of Kaspersky Internet Security for Android, offer good protection.

Go to Source
Author: Anna Markovskaya

Password Stealing Apps With Over A Million Downloads Found On Google Play Store

Even after so many efforts by Google like launching bug bounty program and preventing apps from using Android accessibility services, malicious applications somehow manage to get into Play Store and infect people with malicious software.

The same happened once again when security researchers discovered at least 85 applications in Google Play Store that were designed to steal credentials from users of Russian-based social network VK.com and were successfully downloaded millions of times.

The most popular of all masqueraded as a gaming app with more than a million downloads. When this app was initially submitted in March 2017, it was just a gaming app without any malicious code, according to a blog post published Tuesday by Kaspersky Lab.

However, after waiting for more than seven months, the malicious actors behind the app updated it with information-stealing capabilities in October 2017.

Besides this gaming app, the Kaspersky researchers found 84 such apps on Google Play Store—most of them were uploaded to the Play Store in October 2017 and stealing credentials for VK.com users.

Other popular apps that were highly popular among users include seven apps with between 10,000 and 100,000 installations, nine with between 1,000 and 10,000 installations, and rest of all had fewer than 1,000 installations.

Here’s How Cyber Criminals Steal Your Account Credentials:

The apps used an official SDK for VK.com but slightly modified it with malicious JavaScript code in an effort to steal users’ credentials from the standard login page of VK and pass them back to the apps.

Since these apps looked like they came from VK.com – for listening to music or for monitoring user page visits, requiring a user to login into his/her account through a standard login page did not look suspicious at all.

The stolen credentials were then encrypted and uploaded to a remote server controlled by the attackers.

“The interesting thing is that although most of these malicious apps had a described functionality, a few of them were slightly different—they also used malicious JS code from the OnPageFinished method, but not only for extracting credentials but for uploading them too,” Kaspersky said.

Researchers believe that the cybercriminals use stolen credentials mostly for promoting groups in VK.com, by silently adding users to promote various groups and increase their popularity by doing so, since they received complaints from some infected users that their accounts had been silently added to unknown groups.

The cybercriminals behind these apps had been publishing their malicious apps on the Play Store for more than two years, so all they had to do is modify their apps to evade detection.

Since VK.com is popular mostly among users in CIS countries, the malicious apps were targeting Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Romanian, Belarusian, Kyrgyz, Tajik, and Uzbek users.

The apps did so by first checking the device language and asked for login credentials from users with one of the above-mentioned languages.

In addition, researchers also noted that they found several other apps on Google Play Store that were submitted by the same cyber criminals and published as unofficial clients for the popular messaging app Telegram.

“These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app,” the researchers said, adding that these apps also add infected users to promoted groups/chats based on a list received from their server.

How to Protect Your Device From Such Malicious Apps

All the apps, including the credential-stealing apps (detected as Trojan-PSW.AndroidOS.MyVk.o) and malicious Telegram clients (detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a), have since been removed by Google from the Play Store.

However, those who have already installed one of the above apps on their mobile devices should make sure their devices have Google Play Protect enabled.

Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.

Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps from Google’s official Play Store, and always verify app permissions and reviews before you download one.

Moreover, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block such malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Go to Source

Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures

Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures

Millions of Android devices are at serious risk of a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with their malicious versions.

Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without affecting their signature verification certificates, eventually allowing them to distribute malicious update for the legitimate apps, which looks and works same as the original apps.

The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen vulnerabilities, as part of its December Android Security Bulletin.

However, the worrisome part is that majority of Android users would not receive these patches for next few month, until their device manufacturers (OEMs) release custom updates for them, apparently leaving a large number of smartphone users vulnerable to hackers.

The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).

Explained: How Android Janus Vulnerability Works?

android-malware-hacking

The vulnerability resides in the way Android handles APK installation for some apps, leaving a possibility to add extra bytes of code to an APK file without affecting the application’s signature.

Before proceeding further, you need to know some basics about an APK file.

A valid APK file is a type of archive file, just like Zip, which includes application code, resources, assets, signatures, certificates, and manifest file.

Earlier versions of Android operating system 5.0 (Lollipop) and 6.0 (Marshmallow) also support a process virtual machine that helps to execute APK archives containing a compiled version of application code and files, compressed with DEX (Dalvik EXecutable) file format.

While installing an Android app or its update, your device checks APK header information to determine if the archive contains code in the compressed DEX files.

If header says APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.

It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.

Researchers find that this ability to add extra bytes of code due to lack of file integrity checking could allow attackers to prepend malicious code compiled in DEX format into an APK archive containing legitimate code with valid signatures, eventually tricking app installation process to execute both code on the targeted device without being detected.

In other words, the hack doesn’t require attackers to modify the code of legitimate applications (that makes signatures invalid)—instead, the vulnerability allows malware authors to merely add some extra malicious lines of code to the original app.

Attack Scenarios

After creating malicious but valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.

According to the researchers, it may be “relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature.”

I find man-in-the-middle attack more interesting, as it could allow hackers to push malicious installation for the apps designed to receive its updates over an unencrypted HTTP connection.

“When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update,” GuardSquare explains.

“The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get an unverified code with powerful permissions installed on the devices of unsuspecting users.”

“For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates,” the security firm added.

Since this vulnerability does not affect Android 7 (Nougat) and latest, which supports APK signature scheme version 2, users running older Android versions are highly recommended to upgrade their device OS (if available).

It’s unfortunate, but if your device manufacturer neither offers security patches nor the latest Android version, then you should not install apps and updates from outside of Google Play Store to minimise the risk of being hacked.

Researchers also advised Android developers always to apply signature scheme v2 in order to ensure their apps cannot be tampered with.

Go to Source