RiskIQ research continues to affirm that Trojans are dominating the malicious app market as they find enduring success with evolving tactics that make them harder to detect. In Q2, RiskIQ discovered 10,934 Trojans in the wild, many of which target financial and banking institutions.
Now, RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps, first blogged about by SyfLabs, targeting financial institutions and media organizations. Serving malicious Adobe Flash Android apps to unsuspecting users, research shows the campaign leveraging this infrastructure began in July and is still active as of publishing.
Querying for malware hashes associated with Red Alert and looking for more information on this attack campaign, analysts found the following data connection on this URL query:
Update Flash Player
Package name: com.aox.exsoft
Querying for the host in RiskIQ’s PassiveTotal platform shows that the domain was registered in late July and resolves to a single IP address, 18.104.22.168—the same IP address seen in the above URL query scan:
Conducting a pivot off of the email address, firstname.lastname@example.org, used to register the above domain, reveals an additional eight domains of interest:
When downloaded the malicious apps above can:
As seen in the screenshots above, both mobile apps were identified via RiskIQ’s crawler on domains registered using the same email address used to register our initial starting point. Exploring both of these domains in RiskIQ’s PassiveTotal platform highlights connections to a larger actor-owned infrastructure.
Both entities, which now appear on the RiskIQ Blacklist, started resolving around the beginning of June 2017. A quick pivot around RiskIQ’s data shows that the entities overlap via passive DNS on the IP address, 22.214.171.124, the same IP we observed from our first query.
Continued monitoring of this infrastructure shows that the attack campaign is still active, and in recent days, additional Adobe Flash typosquatting domains have been registered by this actor group. Querying our crawler for this new infrastructure reveals that these domains are also observed downloading APK files:
While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious:
Signing up for RiskIQ Community Edition gives you access to the RiskIQ PassiveTotal public project, which provides you with full visibility into the list of infrastructure associated with this fake mobile Adobe update campaign.