This time, cybercriminals used Google's Play Store as a playground to attack millions of Android users. Researchers uncovered nine fake apps on the Play Store that hijack SMS notifications to carry out billing fraud. Let's look at the apps and the malware used to commit the fraud.
According to research from Trend Micro and McAfee, Android users in Southwest Asia and the Arabian Peninsula have fallen victim to these malicious apps. More than 750,000 users are reported to have downloaded the fake apps from Google's Play Store.
Here are the nine apps McAfee researchers found to be malicious on the Play Store. Check your phone for them. If you spot any of these apps, remove them immediately and check your bank account, credit card, and debit card statements for unauthorized transactions.
Keyboard Wallpaper
PIP Photo Maker
2021 Wallpaper and Keyboard
Barber Prank Hair Dryer, Clipper, and Scissors
Picture Editor
PIP Camera
Keyboard Wallpaper
Pop Ringtones for Android
Cool Girl Wallpaper/SubscribeSDK
Android Joker Malware: Cybercriminals fooled Google with a malware strain called 'Joker', which has successfully bypassed Google's security several times over four years.
Versioning: Another defense-evasion technique the cybercriminals use is versioning. Malware authors first upload clean apps to the Play Store to build trust among users, then deliver the malicious code to the installed app later in the form of app updates.
Dynamic Encrypted Payloads: The dynamic code update function with encrypted payloads helps the malware hide from Google's defense system.
Most Downloaded App Categories: These fake apps pose as legitimate photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, which are among the most downloaded app categories.
At first, the app's servers send malicious code to the Android device in the form of updates. These files are stored inside the 'assets' folder under names such as "cache.bin", "settings.bin", "data.droid", or seemingly innocuous ".png" files.
The malicious code opens the '1.png' file saved inside the 'assets' folder and decrypts it with the RC4 cipher, using the package name as the key. It stores the decrypted file under the name 'loader.dex'.
The loader.dex file makes an HTTP request to the C2 server asking for the AES keys needed to decrypt the second payload, '2.png'.
The C2 server sends the keys to decrypt the second payload for execution.
As mentioned in the previous section, this malware uses a dynamic code-loading function. The malicious code either executes '2.png' or, whenever it receives a URL from the C2 server, downloads new content from that URL and executes it. Note: the server does not answer every request, and only some requests receive the key.
The payload tries to hijack the notification listener service to read SMS messages, as the Android Joker malware does. The malware then passes the SMS data to the final stage and sends it to the C2 server.
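As an added triage example (not code from the article or from the researchers' reports), the following Python checks an APK for assets that decrypt to a DEX file under RC4 keyed with the package name, which is the first stage of the chain described above. It assumes the RC4 key is the raw package-name string and uses a constructed fixture in place of any real sample; the package name and file names in the fixture are made up.

```python
import io
import zipfile

# Asset names the article reports the dropper using for its encrypted stages.
SUSPICIOUS_SUFFIXES = ("cache.bin", "settings.bin", "data.droid", ".png")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def looks_like_dex(blob: bytes) -> bool:
    """True when the bytes carry a DEX header (magic "dex", newline, 3-digit version, NUL)."""
    return len(blob) >= 8 and blob[:4] == b"dex\n" and blob[7] == 0

def scan_apk_assets(apk_bytes: bytes, package_name: str) -> list:
    """Return asset paths that decrypt to a DEX file under RC4 keyed with the package name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(SUSPICIOUS_SUFFIXES)):
                continue
            data = apk.read(name)
            if data.startswith(b"\x89PNG"):  # genuine PNG; an RC4-wrapped DEX never starts this way
                continue
            if looks_like_dex(rc4(package_name.encode(), data)):
                hits.append(name)
    return hits

def build_sample_apk(package_name: str) -> bytes:
    """Constructed fixture: a minimal zip whose assets/1.png is an RC4-wrapped DEX header, not real malware."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 24  # constructed header only, not a real classes.dex
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("assets/1.png", rc4(package_name.encode(), fake_dex))
        z.writestr("assets/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()
```

A hit means an asset that should be an image is really an encrypted DEX, which is worth escalating even before the second, AES-protected stage is recovered.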
Upon further analysis, it was found that the malware can send this information, including carrier, phone number, SMS message, IP address, country, and network status, along with auto-renewing subscription information.
IoCs are indicators of compromise. If you find files with these hashes on your device, or notice that your Android phone has communicated with these URLs at any point in time, your phone is compromised. Verifying this requires some technical knowledge to check file fingerprints and network communication with the URLs, so you can skip this section if you are not from a technical background. We feel it is our responsibility to give as much detail as we can.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.