
Fake Android Apps Ran Adware Campaign For Months

 



Researchers caught a sneaky adware campaign that targeted Android users for months. The campaign used several fake Android apps mimicking different utilities, such as PDF readers, weather apps, VPNs, game cracks, and streaming services like Netflix and YouTube.

Fake Android Apps Deployed Adware

According to a recent report from Bitdefender, the company detected 60,000 fake Android apps stealthily running an adware campaign since (at least) October 2022.

The researchers caught the malware after alerts from the anomaly detection technology in Bitdefender Mobile Security.

Briefly, unlike most adware campaigns exhibiting intrusive behavior, this campaign spread organically. The malicious apps would appear to a target user upon searching for certain apps, such as mod games, free VPNs, etc. Then, owing to their apparent legitimacy, the app ads would lure users into downloading the malicious app.

After reaching the device, the malware relies on the default strategy for Android app installation, requiring user input. Then, once the user taps the “Open” button to launch the newly installed app, the malware executes in the background.

On screen, however, an error message appears to trick the user into believing that the app failed to install. In addition, the lack of an app icon makes it difficult for the victim to uninstall it.

Upon gaining persistence on the device, the malware remains dormant for some time. Then, after receiving the relevant commands from its servers, the malware starts displaying ads on the device when the user unlocks the phone.

Bitdefender caught this campaign because the malware used the device’s browser to show the malicious ad, which their Mobile Security tool efficiently detected. The malware also displays full-screen web views of ads.

The researchers have shared the following demonstration of the malware in action.

As always, to repel such threats, users must avoid interacting with apps or links from unknown sources. Likewise, equipping their devices with robust antimalware solutions is the key to preventing most malware attacks.


CuckooDroid - Automated Android Malware Analysis Tool

CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.



CuckooDroid is an extension of Cuckoo Sandbox, the open source software for automating analysis of suspicious files. CuckooDroid brings to Cuckoo the capability to execute and analyze Android applications.

CuckooDroid features VM-detection techniques, encryption key extraction, SSL inspection, API call tracing and basic behavioural signatures. It also provides both static and dynamic APK inspection.

Installation - Easy integration script:

git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2
cd cuckoo
git remote add droid https://github.com/idanr1986/cuckoo-droid
git pull --no-edit -s recursive -X theirs droid master 
cat conf-extra/processing.conf >> conf/processing.conf
cat conf-extra/reporting.conf >> conf/reporting.conf
rm -r conf-extra
echo "protobuf" >> requirements.txt


A Simple Static Malware Analyzer SSMA Tool Written in Python 3


SSMA is a simple malware analyzer written in Python 3. 


Features: 


  1. Analyze PE file’s header and sections (number of sections, entropy of sections/PE file, suspicious section names, suspicious flags in the characteristics of the PE file, etc.) 
  2. Searches for possible domains, e-mail addresses, IP addresses in the strings of the file. 
  3. Checks if domain is blacklisted based on abuse.ch’s Ransomware Domain Blocklist and malwaredomains.com’s blocklist. 
  4. Looks for Windows functions commonly used by malware. 
  5. Get results from VirusTotal and/or upload files. 
  6. Malware detection based on Yara-rules 
  7. Detect well-known software packers. 
  8. Detect the existence of cryptographic algorithms. 
  9. Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis. 
  10. Find if documents have been crafted to leverage malicious code. 
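Features 1 and 2 above (section entropy and string-based indicator search) can be sketched as follows. This is an added example, not SSMA's own code; the 7.0 entropy threshold, the file-suffix filter and all sample bytes are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs, like strings(1)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# File names look like domains to a regex; drop these suffixes (assumed, not exhaustive).
FILE_SUFFIXES = {"dll", "exe", "sys", "php", "dat", "tmp"}
PACKED_ENTROPY = 7.0  # assumed threshold; packed or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def high_entropy_sections(sections: dict) -> list:
    """Names of sections whose entropy meets the packed-data threshold."""
    return sorted(name for name, body in sections.items()
                  if shannon_entropy(body) >= PACKED_ENTROPY)


def extract_indicators(blob: bytes) -> dict:
    """Collect IPv4 addresses, e-mail addresses and domains from printable strings."""
    found = {"ips": set(), "emails": set(), "domains": set()}
    for raw in STRINGS_RE.findall(blob):
        text = raw.decode("ascii")
        found["ips"].update(IPV4_RE.findall(text))
        found["emails"].update(EMAIL_RE.findall(text))
        for name in DOMAIN_RE.findall(text):
            if name.rsplit(".", 1)[1].lower() not in FILE_SUFFIXES:
                found["domains"].add(name.lower())
    return found


# Constructed sample data, not taken from any real binary.
SECTIONS = {".text": b"\x55\x8b\xec\x83\xec\x10" * 100, ".data": b"\x00" * 512,
            ".xyz": bytes(range(256)) * 4}
BLOB = (b"\x00\x01MZ\x90\x00" b"http://update.example.net/gate.php\x00"
        b"contact: admin@example.org\x00" b"connect 192.0.2.10:443\x00"
        b"LoadLibraryA kernel32.dll\x00")

if __name__ == "__main__":
    print(high_entropy_sections(SECTIONS))
    print(extract_indicators(BLOB))
```

The suffix filter matters in practice: without it, import names such as kernel32.dll are reported as domains and swamp the real indicators.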

Usage: 

git clone https://github.com/secrary/SSMA
cd SSMA
sudo pip3 install -r requirements.txt
python3 ssma.py -h
python3 ssma.py -k api-key file.exe

You can just statically scan the file or upload it to VirusTotal using your API-KEY.

python3 ssma.py file.exe
python3 ssma.py -k api-key file.exe



MalTrail: Malicious Traffic Detection System Tool



Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.[com] for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.[exe] for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool).

Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).


Features


  • Uses multiple public blacklists (alienvault, autoshun, badips, sblam etc.)
  • Has extensive static trails for identification (domain names, URLs, IP addresses or User-Agent values)
  • Optional heuristic mechanisms for detection of unknown threats
  • Based on Traffic -> Sensor <-> Server <-> Client Architecture
  • Web reporting interface.


Architecture


Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs).

In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e. LOG_DIR described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. LOG_SERVER described in the Configuration section).

Server's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the "Fat client" architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the Client, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.

Note: The Server component can be skipped altogether, using just the standalone Sensor. In that case, all events are stored in the local logging directory, and the log entries can be examined either manually or with a CSV reading application.
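The Sensor's job of checking passing traffic against trails (domain names, URLs, IPs and User-Agent values) can be illustrated with the sketch below. It is an added example, not Maltrail's code: the record fields, the parent-domain lookup and the scheme-less URL form are assumptions, and every trail and traffic record is constructed.

```python
from urllib.parse import urlsplit

# Constructed trails (trail -> info); addresses come from documentation ranges.
TRAILS = {
    "bad-domain.example": "malware domain",
    "198.51.100.23": "known attacker",
    "203.0.113.5/payload.bin": "malicious executable",
}
UA_TRAILS = {"sqlmap": "SQL injection tool"}  # matched as a User-Agent substring


def domain_candidates(name: str):
    """Yield the queried name and each parent domain, skipping the bare TLD."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_event(event: dict) -> list:
    """Return (trail_type, trail, info) tuples for one observed traffic record."""
    hits = []
    for key in ("src_ip", "dst_ip"):
        ip = event.get(key)
        if ip in TRAILS:
            hits.append(("IP", ip, TRAILS[ip]))
    for cand in domain_candidates(event.get("dns_query") or ""):
        if cand in TRAILS:
            hits.append(("DNS", cand, TRAILS[cand]))
            break  # report the most specific matching name once
    if event.get("url"):
        parts = urlsplit(event["url"])
        trail = (parts.hostname or "") + parts.path  # scheme-less form (assumed)
        if trail in TRAILS:
            hits.append(("URL", trail, TRAILS[trail]))
    ua = (event.get("user_agent") or "").lower()
    hits += [("UA", t, info) for t, info in UA_TRAILS.items() if t in ua]
    return hits


# Constructed traffic records, one per trail type plus a clean one.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "dns_query": "cdn.bad-domain.example."},
    {"src_ip": "198.51.100.23", "dst_ip": "10.0.0.5", "user_agent": "sqlmap/1.0"},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.5", "url": "http://203.0.113.5/payload.bin"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "dns_query": "example.org"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(match_event(ev))
```

Note that the third record hits only on the URL trail: the bare address 203.0.113.5 is not itself listed, so an IP-only view of that connection would miss it.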

Quick start


The following set of commands should get your Maltrail Sensor up and running (out of the box with default settings and monitoring interface "any"):

sudo apt-get install git python-pcapy
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py


To start the (optional) Server on same machine, open a new terminal and execute the following:

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py




To test that everything is up and running execute the following:

ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log


To stop Sensor and Server instances (if running in background) execute the following:

sudo pkill -f sensor.py
pkill -f server.py


Requirements

To properly run the Maltrail, Python 2.6.x or 2.7.x is required, together with pcapy (e.g. sudo apt-get install python-pcapy). There are no other requirements, other than to run the Sensor component with the administrative/root privileges.
