Security Analysts Identify a Trojan that Quietly Purchase Apps, a Rootkit that takes over your Device, and Ransomware that Locks your Device
For the average user on our forums, you are probably safe from most malicious threats to your device. After all, you are more likely to be running on the latest Android version with the latest security patches thanks to the effort of developers on our forums. Furthermore, you are likely more conscious of what permissions each application requests and actively avoid applications where the permissions don’t match its functionality.
But for every member here who stays on top of their own cyber security, we have friends and family who don’t. You might know a few people who are still rocking those Android Jellybean or KitKat phones, or perhaps they do use the latest flagship devices but they don’t really care about what applications they install so long as it works for them. For the average Android user out there with nary a care in the world as to what software they are running, they are far more likely to be susceptible to security threats. And so, malicious actors take advantage of that fact, and develop software to steal information or force unwanted purchases on an end user’s device.
Fortunately, we have various security companies out there whose job it is to identify, inform, and protect users from these threats. Two such firms, Doctor Web and Check Point, have identified several threats this week that we at XDA would like to share so you can ensure your friends and family don’t fall for these tricks.
While we are providing the summary of the security findings outlined by these two companies, we implore you to follow the links within to see the full list of affected applications so you can see what you will need to avoid.
This software, identified by Doctor Web earlier this week, acts as a Trojan on your device. Masquerading as a seemingly legitimate application, this Trojan can inject additional code into the Play Store’s running process in order to steal your information and subsequently make covert installations and purchases behind your back. The module can simulate many functions of a regular Play Store query, including searching, purchasing, and rating, in order to artificially inflate any Play Store app listing.
The trojan is typically found within packages from third-party (non-Google) sources on the web, such as cracked game APKs. Once installed, the Android.Skyfin.1.origin implements an additional Trojan module called Android.Skyfin.2.origin into the Play Store process so it can collect the necessary information it needs to authenticate to the Play Store on your behalf. The malicious software also sends back uniquely identifying information about your device, such as the IMEI, device model, geolocation, and system language, so it will be notified that your device has been successfully compromised.
The criminals can then direct your device to download any application of their choosing on the Play Store. The downloaded app is not actually installed, but rather stored on the external storage directory so as to avoid detection. As the malware installs itself in the system directory (using a rootkit which should be noted does not affect Android devices running Marshmallow or later), it cannot be removed without root access.
The Return of HummingBad
A malware discovered last year named HummingBad is making a return, according to Check Point. This new variant which they are naming HummingWhale seems to be much more potent than its predecessor. HummingWhale, unlike HummingBad, has found a way to hide its malicious package and has accordingly sneaked its way into the Google Play Store. Check Point identified over 20 applications that were infected by this malware, with the infected apps attaining several million installations prior to Google removing them after being notified by Check Point.
To recap, HummingBad was a malware which employed a chain-attack tactic (successively installing additional malicious packages) and a rootkit to gain elevated privileges on a user’s device. The malware had widespread penetration – over 10 million victims – until third-party application stores began to catch on. But now, its successor HummingWhale has been identified in several malicious applications that were uploaded under fake Chinese pseudonyms. Check Point identified a suspiciously large asset in the APK files of these malicious apps – a 1.3MB encrypted file which is actually an APK file itself that contains the main payload of the malware.
This payload acts as a dropper which downloads additional malicious packages, but also employed something new called DroidPlugin to upload apps on a virtual machine. The malicious actor’s server would feed the user fake ads and apps. When the user tries to close the advertisement, the app which was already installed quietly is uploaded to the virtual machine and run as if it was running on the actual device. This generates a false referrer ID for the ad, which generates ad revenue for the malicious actor.
The developers behind HummingWhale also went further in their malicious endeavors. The malware would hide the original app downloaded from the Play Store after it was installed, and the team would use fraudulent ratings to boost the reputation of the malicious applications. In the end, it’s simply not enough to rely on Play Store reviews to vouch for the authenticity of an application.
The last malware that we will discuss, and which was also disclosed by Check Point, is the Charger malware. This malware was found embedded within a Play Store application called EnergyRescue. Once installed, the application mines your SMS messages and contact information. But what’s most concerning is what happens after it requests (and if the user grants) administrator privileges. The ransomware locks the device and demands that you send the criminals payment if you do not want them to sell your information:
You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER!TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.
The user is asked to send 0.2 BTC (bitcoins), roughly $180, to disable the ransomware. The ransomware seemingly does not target users living in Ukraine, Russia, or Belarus which are locations likely where the attackers may be located.
Given the permissions and possible information that the application can extract, it is of course far fetched that this ransomware can do any real damage to your well-being. However, the mere threat presented may scare an unwitting user into acquiescing to its demands. Fortunately, the malware was quickly identified by Check Point who states there is no evidence it has yet infected any devices. Google has already been notified and has removed the offending application from the Play Store as well as added the identifying strings to its own malware database.
We would like to state that we aren’t suggesting that Android is insecure, or that we are trying to scare you into believing that your device may be compromised. As we mentioned in the beginning, you are likely among the group of users who are less prone to falling for these tricks, but that doesn’t mean you are entirely safe. In addition, you may have friends and family who do not pay attention to what they install, so we hope that by informing you of the existence of these threats you can better identify them to keep yourself and your close ones safe from malicious attacks.