This time cybercriminals used Google’s play store as a playground to carry out the attacks on millions of Android users. Researchers uncovered nine fake apps on the play store which can hijack SMS notifications to carry out billing fraud. Let’s see more details about the apps and the malware used to carry out the billing fraud.
Table of Contents
- Who Can Be The Victim Of The Fake Apps On The Play Store?
- List of 9 fake apps on the play store which are reported malicious:
- How Did Cybercriminals Manage To Publish These Fake Apps On The Play Store To Carry Out These Attacks?
- How Does This Malware Work?
- Identified Indicator Of Compromise (IoC) During Malware Analysis Process:
Who Can Be The Victim Of The Fake Apps On The Play Store?
As per the research from Trend Micro and McAfee, Android users from Southwest Asia and the Arabian Peninsula have become victims of these malicious apps. It has been reported that more than 750,000 users have downloaded these fake apps from Google’s play store.
List of 9 fake apps on the play store which are reported malicious:
Here are the nine apps McAfee researchers found malicious on the Play store. Please check your phone for these apps. If you spot any of them, remove them immediately and check your bank account, credit card and debit card statements for any unauthorized transactions.
- Keyboard Wallpaper
- PIP Photo Maker
- 2021 Wallpaper and Keyboard
- Barber Prank Hair Dryer, Clipper, and Scissors
- Picture Editor
- PIP Camera
- Keyboard Wallpaper
- Pop Ringtones for Android
- Cool Girl Wallpaper/SubscribeSDK
How Did Cybercriminals Manage To Publish These Fake Apps On The Play Store To Carry Out These Attacks?
- Android Joker Malware: Cybercriminals fooled Google with a malware strain called ‘Joker’, which has successfully bypassed Google’s security several times over four years.
- Versioning: Cybercriminals used a technique called versioning. In this technique, malware authors first upload clean apps to the Play store to build trust among users. At a later stage, they deliver the malicious code to users’ installed apps in the form of app updates.
- Dynamic Encrypted payloads: A dynamic code update function with encrypted payloads helps the malware hide itself from Google’s defence system.
- Most downloaded app categories: These fake apps on the play store pose as legitimate photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, which were found to be the most downloaded app categories among users.
How Does This Malware Work?
- At first, app servers send the malicious code to the Android device in the form of updates. These files are stored inside the ‘assets’ folder under names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files.
- The malicious code opens the ‘1.png’ file saved inside the ‘assets’ folder and decrypts it using the RC4 cipher with the package name as the key. It stores the decrypted file under the name ‘loader.dex’.
- The loader.dex file makes an HTTP request to the C2 server, requesting AES keys to decrypt the second payload ‘2.png’.
- The C2 server sends the keys to decrypt the second payload for execution.
- As noted in the previous section, this malware is built with a dynamic code loading function. The malicious code either executes ‘2.png’ or, whenever the C2 server returns a URL instead, downloads new content from that URL and executes it. Note: the server does not respond to every request with the key.
- The payload hijacks the Notification Listener Service to read SMS messages, as Android Joker malware does. The malware then processes the SMS data in the final stage and sends it to the C2 server.
- Upon further analysis, it was found that the malware can send this information, including the carrier, phone number, SMS messages, IP address, country and network status, along with auto-renewing subscription information.
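The disguise described in the first two steps above (a stage-one payload stored under ‘assets’ as a loader-named file or as a fake ‘.png’, RC4-encrypted with the package name as the key) can be checked for during APK triage. The following Python is an added example written for this article, not code from the article, Trend Micro or McAfee; it assumes the analyst supplies the package name (the binary manifest is not parsed), includes a textbook RC4 routine, and builds a constructed sample APK rather than using a real one.

```python
import hashlib
import io
import zipfile

SUSPECT_NAMES = {"cache.bin", "settings.bin", "data.droid"}  # loader file names from the article
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DEX_MAGIC = b"dex\n"

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; used only to test whether a fake .png decrypts to a DEX header."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def scan_apk_assets(apk_bytes: bytes, package_name: str) -> list:
    """One finding (entry, sha256, reasons) per suspicious file under assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/"):
                continue
            data, base, reasons = apk.read(name), name.rsplit("/", 1)[-1], []
            if base in SUSPECT_NAMES:
                reasons.append("known loader file name")
            if base.lower().endswith(".png") and not data.startswith(PNG_MAGIC):
                reasons.append("png extension without PNG header")
                # RC4 is a stream cipher, so decrypting only the first bytes is enough to test
                if rc4(package_name.encode(), data[:8]).startswith(DEX_MAGIC):
                    reasons.append("RC4 with package name as key yields a DEX header")
            if reasons:
                findings.append({"entry": name, "sha256": hashlib.sha256(data).hexdigest(), "reasons": reasons})
    return findings

def build_sample_apk() -> bytes:
    """Constructed test APK, not a real sample: one disguised payload, one real PNG, one loader-named file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/1.png", rc4(b"com.example.fakeapp", DEX_MAGIC + b"035\x00" + b"\x00" * 32))
        z.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 16)
        z.writestr("assets/cache.bin", b"\x01\x02")
    return buf.getvalue()
```

Run `scan_apk_assets(open("app.apk", "rb").read(), "<package name>")` against a real APK to list flagged assets with their SHA-256 for comparison against published hashes.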
Identified Indicator Of Compromise (IoC) During Malware Analysis Process:
IoCs are nothing but indicators of compromise. If you find any files with these hashes, or notice that your Android phone has communicated with these URLs at any point in time, it is clear that your phone is compromised. The verification process needs some technical knowledge to check file fingerprints and communication with the URLs. You can skip this section if you are not from a technical background. We feel it is our responsibility to give as much detail as we can.
Please share this article with others and make them aware of these new fake apps on the play store. If you find this article interesting, read more such articles here: