The Google Play Store is generally considered one of the safest sources for users to find and install Android apps. Nevertheless, threat actors continue to evolve their tactics and still manage to upload malware-laced apps to the Google Play Store.
Recently, the Zscaler ThreatLabz team discovered apps belonging to the Joker, Facestealer, and Coper malware families spreading in the virtual marketplace. ThreatLabz immediately notified the Google Android Security team of these newly identified threats, and Google promptly removed the malicious apps from the Google Play Store.
The following is the technical analysis of these three malware family payloads that were recently discovered in the Play Store:
Joker Malware
Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly changing its detectable traces: updates to the code, execution methods, and payload-retrieving techniques. This malware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services. Over the past two months, our ThreatLabz researchers discovered the following malicious Joker downloader apps in the Google Play Store:
ThreatLabz has discovered over 50 unique Joker downloader apps on the Play Store to date. Combined, these apps were downloaded over 300,000 times, and they typically fall into one of the following categories:
- Communication
- Health
- Personalization
- Photography
- Tools
The following is the breakdown of the number of apps per category:
Tools and Communication were the most targeted categories, covering the majority of the Joker-infected apps. ThreatLabz observed daily uploads of apps containing the Joker malware, indicating the high activity level and persistence of the adversary group. Consistent with previous findings, ThreatLabz's latest discoveries in the Joker malware campaign continue to follow similar developer naming patterns and use familiar techniques. Check out our previous blog, Joker Joking in Google Play, for a more in-depth analysis of this specific campaign.
The following is the technical analysis of the Enjoy Message Joker app:
- App Name: Enjoy Message
- Package Name: sms.ienjoy.joysms.message
The Joker malware authors develop and release a range of apps, from very complex to incredibly simple. Instead of waiting for an app to gain a specified volume of installs and reviews before swapping in a malware-laced version, the Joker developers now hide the malicious payload in a common asset file and pack the application with commercial packers. This is one of the primary reasons these malicious apps often go undetected by antivirus software and by the Play Store's review process.
Most commonly, threat actors disguise the Joker malware as messaging applications, which require users to grant elevated permissions by setting the app as the default SMS app on the phone. The malware uses these permissions to carry out its operations.
In the Enjoy Message application, the payload is hidden at a known path, but the path itself is obfuscated in the application's class.
Fig 1: Obfuscated path of the payload
Upon deobfuscation, the path resolves to the asset file "io/michaelrocks/libphonenumber/android/data/PhoneNumberAlternateFormatsProto_53", where the payload resides.
A hash derived from the application's package name serves as the AES decryption key. Decrypting the payload with this key yields a native executable (.so) file that declares the following functions.
Fig 2: Function/class names of similar known SDKs
To deter investigation, the class and method names resemble those of known SDKs.
The "onInstall" function in the hidden dropped executable is called at runtime after the executable is loaded via "System.loadLibrary".
Fig 3: Implementation of malicious code inside executable
As shown above, the executable loads the method ‘Wnjre’ from the ‘com.Brling’ class. The dropped executable hides its payload behind Base64 encoding.
Fig 4: Base64-encoded content
The second payload downloads a known weaponized Java ARchive (JAR) file as the third payload, as shown below.
Fig 5: Decrypted payload
The following are some examples of common techniques used by Joker Malware:
1. The app checks whether its package is still live on the Google Play Store.
Fig 6: Checks Google Play Store to confirm the app is still live.
2. Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and drop an ARM ABI executable to avoid detection by most sandboxes, which are based on the x86 architecture.
3. Joker malware hides its payloads with different types of encryption, including XOR, AES, DES, and ElGamal, commonly combined with fake versions of known asset files. Some of these carry extensions such as JSON, TTF, PNG, or database files. In several examples, apps encrypt and hide the malicious payload in the metadata of the app manifest file. More often than not, the decryption key is derived from the app's package name, possibly to avoid the extra effort of customizing decryption routines per app.
Fig 7: ElGamal encryption
Fig 8: DES key derivation from the package name
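An added analyst-side check, written for this post and not part of ThreatLabz's tooling, for the hiding techniques in points 2 and 3: it walks an APK's assets/ directory and flags ELF executables stored as assets, files whose content does not match their claimed JSON/TTF/PNG extension, and untyped high-entropy blobs such as an encrypted payload parked at the libphonenumber data path. The APK contents are constructed in memory; the entropy threshold and magic-byte table are assumptions.

```python
import io, math, random, zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
# Leading bytes an asset with this extension must carry (tuple = any of them).
EXPECTED_MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".ttf": (b"\x00\x01\x00\x00",),
                  ".json": (b"{", b"[")}

def shannon_entropy(data):
    """Bits per byte; about 8.0 for encrypted or well-compressed content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_asset(name, data):
    """Return a reason string when an asset looks like a disguised payload, else None."""
    base = name.rsplit("/", 1)[-1]
    ext = base[base.rfind("."):].lower() if "." in base else ""
    ent = shannon_entropy(data)
    if data.startswith(ELF_MAGIC):              # a dropped .so parked under assets/
        return "ELF executable stored as an asset"
    if ext in EXPECTED_MAGIC and not data.lstrip().startswith(EXPECTED_MAGIC[ext]):
        return f"content does not match {ext} format (entropy {ent:.2f} bits/byte)"
    if ext == "" and ent > 7.0:   # assumption: encrypted content sits near 8 bits/byte
        return f"untyped asset with encrypted-looking content (entropy {ent:.2f} bits/byte)"
    return None

def scan_apk_assets(apk_bytes):
    """An APK is a zip: check every file under assets/ and return (name, reason) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and info.filename.startswith("assets/"):
                reason = classify_asset(info.filename, zf.read(info))
                if reason:
                    hits.append((info.filename, reason))
    return hits

def build_sample_apk():
    """Constructed APK-like zip: a seeded pseudo-random blob stands in for an encrypted
    payload, at the libphonenumber path from the analysis and again behind a font name."""
    rng = random.Random(2022)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/io/michaelrocks/libphonenumber/android/data/"
                    "PhoneNumberAlternateFormatsProto_53", blob)
        zf.writestr("assets/fonts/emoji.ttf", blob)
        zf.writestr("assets/config.json", b'{"theme": "dark"}')   # genuine-looking
        zf.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    return buf.getvalue()
```

Running scan_apk_assets(build_sample_apk()) reports only the two planted entries; an encrypted payload is invisible to an ELF-magic check alone, which is why the entropy rule is there.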
IOCs:
FaceStealer Malware
Facestealer malware, known for targeting Facebook users with fake Facebook login screens, was also discovered on the Google Play Store. Once the device is infected, the user is prompted to log in to Facebook and cannot use the app without entering their credentials. Upon a successful login, the malware author steals the credentials as well as the auth tokens.
- App Name: cam.vanilla.snapp
- Downloads: 5000
- Category: Tools
Fig 9: Fake Facebook login screen
The app opens the fake page shown above in a WebView and injects JavaScript downloaded from the server.
Fig 10: URL for downloading malicious JavaScript
Once enabled, the malware app reaches out to the command and control (C2) server to download the malicious JavaScript. The URL, https://busynow[.]store/config, is still active, and in the latest update the malware authors added a character that makes automatic decoding of the Base64-encoded string fail. In the following screenshots, the added “W” character causes the automatic decode to fail; once it is accounted for, the content reverts to plaintext.
Fig 11: Base64 decoded
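An added example, not from the post, of what the inserted character does to automated decoding and how an analyst can still recover the config: a constructed JSON config (placeholder host, "c_url" key as in the analysis) is Base64-encoded and one "W" spliced in, a permissive decode is shown to fail, and a one-character-deletion search rebuilds the candidates. The insertion position is arbitrary.

```python
import base64
import json

# Constructed sample config (not the Facestealer data itself): the "c_url" key
# mirrors the exfiltration parameter named in the analysis; the host is a placeholder.
PLAINTEXT = b'{"c_url":"https://c2.example.invalid/collect","enabled":true}'
CLEAN = base64.b64encode(PLAINTEXT).decode("ascii")
# Constructed tampering: one extra alphabet character spliced into the middle,
# mirroring the added "W" described in the analysis (position is arbitrary).
TAMPERED = CLEAN[:17] + "W" + CLEAN[17:]

def strict_decode(blob):
    """Decode only canonical Base64: valid alphabet/padding plus an exact
    re-encode round trip, which exposes a spliced character even on Python
    versions whose decoder is lenient about trailing padding. None if invalid."""
    try:
        raw = base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return None
    return raw if base64.b64encode(raw).decode("ascii") == blob else None

def lenient_decode_config(blob):
    """What an automatic decoder does: permissive decode, then JSON parse. The
    extra character shifts every later sextet, so the tail is garbage and the
    parse fails; None stands for 'show the raw string instead'."""
    try:
        return json.loads(base64.b64decode(blob))
    except ValueError:
        return None

def recover_candidates(blob):
    """Assume exactly one character was inserted: delete each position in turn
    and keep deletions that decode canonically and parse as JSON. Deleting a
    neighbour of the inserted character can also give parseable JSON (one
    substituted byte), so every candidate is returned for the analyst to review."""
    found = []
    for i, ch in enumerate(blob):
        raw = strict_decode(blob[:i] + blob[i + 1:])
        if raw is None:
            continue
        try:
            found.append((i, ch, json.loads(raw)))
        except ValueError:
            pass
    return found

if __name__ == "__main__":
    print("automatic decode:", lenient_decode_config(TAMPERED))
    for pos, ch, cfg in recover_candidates(TAMPERED):
        print(f"drop {ch!r} at {pos} -> {cfg}")
```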
As shown in the screenshot below, the stolen credentials and tokens are sent to the C2 server by the JavaScript loaded with malicious code.
Fig 12: The "c_url" parameter pointing to the remote C2 server that collects the stolen Facebook credentials.
IOCs:
- busynow[.]store
- Zs8668[.]com
- kcoffni[.]xyz
Coper Malware
Coper is a well-known trojan that targets banking applications in Europe, Australia, and South America and is disguised as a legitimate app in the Google Play Store. Once downloaded, the app unleashes the Coper malware infection, which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking and unlocking the device screen, performing overlay attacks, preventing uninstalls, and generally allowing attackers to take control of and execute commands on the infected device via a remote connection to a C2 server. These activities ultimately give attackers the information and access they need to steal money from victims.
- App Name: Unicc QR Scanner
- Package name: com.qrdscannerratedx
- SHA256: 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4
Fig 13: Unicc QR Scanner app laced with Coper malware on Google Play Store
This app disguises itself as a free QR scanner. Once installed, it immediately prompts the user to update the app.
Fig 14: Screenshots show the process of enabling the malware infection by asking the user to upgrade the app, then prompting them to further grant advanced access permissions to the app in their device settings.
Next, a trojan dropper (a component designed to install malware or a backdoor on a device) uses the Google Firebase developer platform to call out and retrieve the URL that will deliver the malicious payload, as shown in the screenshot below.
Fig 15: Firebase call-out
The malware downloads a configuration that includes the URL hosting the new, malicious payload. As shown in the screenshot below, the name of the new payload is stored in an Android SharedPreferences file, and the name of the installed payload keeps changing as well.
Fig 16: Shared preferences
The newly installed file is a fake Google Play Store app with the package name “com.fromtoo2” that immediately prompts the user to grant escalated accessibility permissions, giving it full control of the user's phone.
In the background, the fake Google Play Store app loads the libWeEq.so executable and calls its predefined MvsEujZ function, as shown and described below.
Fig 17: MvsEujZ function called from executable file
The MvsEujZ function shown above decrypts a runnable file with a static key found in the executable and prompts the user to grant escalated accessibility permissions at launch. After decryption by libWeEq.so, the Coper code base becomes visible, as shown in the screenshot below.
Fig 18: Coper codebase
This final payload uses Rivest Cipher 4 (RC4) encryption to hide its malicious signatures and avoid detection. The following screenshot shows the decrypted C2 server addresses used by the Coper malware.
Fig 19: Screenshot shows the decoded contents of the payload
If the Virtual Network Computing (VNC) service for remote-control access is not available, the malware authors fall back to the Android TeamViewer app to monitor the screen of the infected device, as shown in the screenshot below.
Fig 20: Screenshot shows the code enabling attackers to use TeamViewer to monitor the screen of a device remotely
Finally, this last screenshot shows the WebView backend where malicious JavaScript is loaded, enabling the attackers to take full control through the C2 server connection and execute the actions they need to compromise and ultimately extort the victim.
Fig 21: Attackers leveraging the Android WebView component
IOCs:
What Android users can do to avoid infection by this malware:
Don't install unnecessary, untrusted, or unvetted apps on your mobile device. Stick to sources and providers you know and trust, and seek out apps that are recommended by sources you trust and that also have high install counts and positive reviews.
Don't grant notification listener or escalated accessibility permissions to apps you don't fully trust. Granting the notification listener service adds the app's package name to the enabled_notification_listeners setting, which lets the app read all notifications, including sensitive ones such as auto-generated one-time passwords/PINs (OTPs).
Avoid installing messaging apps if possible, or use extreme caution and take the time to confirm that the app is well known and well reviewed. Even when a link comes from a trusted friend asking you to download a messaging app, consider that your friend’s device may be compromised by malware: confirm with them first, then still do your own research to verify that the app has a well-established and safe reputation before installing it. Messaging apps require the READ_SMS permission for their core functionality and can easily abuse it to obtain information, including OTPs, that can be used to further compromise victims.
If you become a victim of a malicious app from the Play Store, report it to Google immediately through the support options in your Play Store app. It is important that we work together to identify, flag, and remove malicious apps from our preferred app stores as quickly as possible to limit the spread of malware and blunt the success of threat actors.
If you are responsible for protecting your corporate network, deploy Zscaler’s zero trust architecture to protect your users and prevent further compromise if a malicious app is downloaded by a user on their personal device.