RiskIQ Connects Infrastructure Serving Fake Adobe Flash Mobile Apps

RiskIQ Research Connects Large Infrastructure Serving Fake Adobe Flash Mobile Apps

October 12, 2017, Steve Ginty

mm

RiskIQ research continues to affirm that Trojans are dominating the malicious app market as they find enduring success with evolving tactics that make them harder to detect. In Q2, RiskIQ discovered 10,934 Trojans in the wild, many of which target financial and banking institutions.

Now, RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps, first blogged about by SyfLabs, targeting financial institutions and media organizations. Serving malicious Adobe Flash Android apps to unsuspecting users, research shows the campaign leveraging this infrastructure began in July and is still active as of publishing.

Querying for malware hashes associated with Red Alert and looking for more information on this attack campaign, analysts found the following data connection on this URL query:

Update Flash Player
Package name: com.aox.exsoft
SHA-256: a5db9e4deadb2f7e075ba8a3beb6d927502b76237afaf0e2c28d00bb01570fae

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-1 Data connected to Red Alert 2

Querying for the host in RiskIQ’s PassiveTotal platform shows that the domain was registered in late July and resolves to a single IP address, 185.48.56.83—the same IP address seen in the above URL query scan:

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-2 Passive DNS data for the domain returned in the URL query

Conducting a pivot off of the email address, loadingexe@yandex.ru, used to register the above domain, reveals an additional eight domains of interest:

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-3 Other domains registered with loadingexe@yandex.ru

Additionally, querying RiskIQ’s rogue mobile database reveals two malicious apps purporting to be Adobe Flash Player updates being hosted by g-shoock[.]xyz and g-shoock[.]ru:

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-4 A malicious app purporting to be Adobe Flash Player update

 

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-5 A malicious app purporting to be Adobe Flash Player update

When downloaded the malicious apps above can:

  • ACCESS_NETWORK_STATE
  • GET_TASKS
  • INTERNET
  • READ_PHONE_STATE
  • READ_SMS
  • RECEIVE_BOOT_COMPLETED
  • RECEIVE_SMS
  • SEND_SMS
  • SYSTEM_ALERT_WINDOW
  • WAKE_LOCK
  • WRITE_SMS

As seen in the screenshots above, both mobile apps were identified via RiskIQ’s crawler on domains registered using the same email address used to register our initial starting point. Exploring both of these domains in RiskIQ’s PassiveTotal platform highlights connections to a larger actor-owned infrastructure.

Both entities, which now appear on the RiskIQ Blacklist, started resolving around the beginning of June 2017. A quick pivot around RiskIQ’s data shows that the entities overlap via passive DNS on the IP address, 185.48.56.83, the same IP we observed from our first query.

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-6 Passive DNS data shows both malicious apps began resolving around the same time

Continued monitoring of this infrastructure shows that the attack campaign is still active, and in recent days, additional Adobe Flash typosquatting domains have been registered by this actor group. Querying our crawler for this new infrastructure reveals that these domains are also observed downloading APK files:

While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious:

RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps serving fake Adobe Flash mobile apps.

Fig-7 The APK file in VirusTotal

Signing up for RiskIQ Community Edition gives you access to the RiskIQ PassiveTotal public project, which provides you with full visibility into the list of infrastructure associated with this fake mobile Adobe update campaign.

Share This