This year we have seen many different malware campaigns trying to infect users with malicious apps found in the Google Play store. Even though these apps are often removed within days after being reported to Google, they still manage to infect thousands of users. Google scans all apps that are submitted to the Play Store to try and block malicious applications, but the latest campaigns we have seen use techniques such as legitimate applications containing malicious behaviour on a long timer (in this case 2 hours), to circumvent automated detection solutions.
Because our friends Nikolaos Chrysaidos (Avast) and Lukas Stefanko (Eset) also ran into these
droppers, we decided to share our knowledge and make this writeup together. You can find
their blogs here
In October and November we ran into two new campaigns using droppers in the Play Store through our own detection solution CSD and the Avast mobile detection solution. The first campaign seems to drop the BankBot banking malware. The second campaign drops different kinds of malware, such as the same BankBot banker as the first campaign, but also Mazar and Red Alert. This second campaign has recently been described by Lukas and we will therefore not go into it here, except for adding some additional IOC's we found related to this campaign at the end of this blog.
BankBot dropper on Google Play (com.andrtorn.app)
BankBot dropper detected by Client Side Detection
The droppers in the BankBot campaign have a slightly different MO compared to the ones we found in August. The previous droppers were far more sophisticated using techniques such as performing clicks in the background through use of an Accessibility Service to enable the installation from unknown sources. This new dropper does not have such trickery and relies on the user having unknown sources already enabled. If this is not the case, the dropper will fail to install the BankBot malware resulting in no threat to the user. If unknown sources is enabled however, the user will be prompted to install the BankBot malware. This malware seems to be pretty much the same as the kind Trend Micro blogged about in September.
Interestingly enough, even though the Tornado FlashLight dropper (com.andrtorn.app) has been removed from Google Play, it is not detected by Play Protect. The same goes for the malware that is dropped by the dropper (com.vdn.market.plugin.upd).
Installed apps list
No detections by Play Protect
When the dropper is first started, it will check the installed applications against a hardcoded list of 160 apps. We’ve only been able to identify 140 of them, since the package names are hashed. The list of targeted packages has remained the same since the campaign described by Trend Micro. If one or more of the targeted apps are installed when the dropper app is closed, it will start the service with dropper functionality.
Code sample: only start dropper functionality when target is available
The dropper will run the same check on device boot and if it succeeds will also start the service. The service will first request the user for device administrator permissions and after obtaining those will continue to the download routine. The BankBot APK, which is the same for all dropper samples, is downloaded from hxxp://220.127.116.11/kjsdf.tmp. The download is only triggered two hours after device admin has been granted to the dropper.
Code sample: get device admin and download malware after 2 hours
Once the download is completed the dropper will try to install the APK using the standard Android mechanism to install applications from outside the Google Play store. Besides requiring unknown sources to be already enabled, this install method requires the user to press a button to continue the installation.
Code sample: malware installation routine
Unknown sources disabled: install is blocked
Unknown sources enabled: user has to acknowledge the install
After installation, the dropped malware will be started by the dropper. This malware targets the listed banking apps with overlays trying to steal user credentials to perform fraud. Further details on the dropped malware can be found in the Trend Micro blog.
How to prevent infection?
As a user it can be difficult to figure out whether an app is malicious. First off it is always good to only install applications from the Google Play Store, since most malware is still spread through alternative stores. Second, unless you know exactly what you are doing, do not enable 'unknown sources'. If you are asked to do this by an app or some party you do not know personally, it is most likely malware related. But what if you want to install an app from the Play Store? For the average user it could be a good idea to use an antivirus app to catch the already known malware that has not yet been blocked by Google. It seems the antivirus vendors are usually faster in detecting malware than Google is.
Besides installing an AV app you can check some things yourself to decrease your infection chances: First make sure the app has many users and good reviews. Most malware will not have been in the store for a very long time (years) and will not have millions of users. Then, after you install the app, take note of several things: Most malware will ask to become device administrator to prevent being removed at a later time or possibly lock or wipe your device. Do not give this permission! Some other malware will ask for accessibility service permission, which enables it to simulate user interaction with the device, basically taking over the whole thing. A third indicator is the app icon disappearing from your app drawer after the first time you start the app. The malware does this to hide itself. If this happens to you, it's probably best to backup your data and do a factory reset to make sure the malware is gone.
Package name: com.andrtorn.app
Package name: com.sysdriver.andr
Package name: com.sysmonitor.service
Lamp For DarkNess
Package name: com.wifimodule.sys
Package name: com.seafl.andr
Package name: com.sarniaps.deew
Package name: com.vdn.market.plugin.upd
All apps communicate with 18.104.22.168.
IOC (campaign #2)
Package name: com.sdssssd.rambooster
Package name: com.jkclassic.solitaire12334
Package name: com.urbanodevelop.solitaire
Package name: com.jduvendc.solitaire
Package name: com.vdn.market.plugin.upd
Package name: com.hqzel.zgnlpufg
All droppers communicate with 22.214.171.124. The different vhosts used are:
The two malware samples communicate with 126.96.36.199 and 188.8.131.52.