Fakecalls Android Malware Abuses Respectable Signing Key

Authored by Dexter Shin 
McAfee Mobile Research Team discovered an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications be signed with a key, in other words a keystore, before they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case with this Android banking trojan, which uses a legitimate signing key to bypass signature-based detection techniques. These banking trojans have not been distributed on Google Play or official app stores so far. This threat was disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that it has replaced the signing key and that all of its legitimate apps are now signed with a new signing key.
Android malware using a legitimate signing key
While monitoring the Android banking trojan Fakecalls we found a sample using the same signing key as a well-known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app, as they use the same icon as the real banking apps.

Figure 1. Malware and legitimate app on Google Play
Distribution method and latest status
The domains verified last August, when we first discovered the samples, are now down. However, we investigated URLs related to this malware and found similar ones related to this threat. Among them, we identified a phishing site that was still alive during our research. The site is also disguised as a banking site.

Figure 2. A phishing page disguised as a Korean banking site
We also found that they updated the domain information of this web page a few days before our investigation.

So we took a deeper look into this domain and found more unusual IP addresses that led us to the Command and Control (C2) server admin pages used by the cybercriminals to control the infected devices.

Figure 3. Fakecalls Command and Control (C2) admin pages
How does it work
When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below.

Figure 4. Tencent's Legu Packer libraries
After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with an HTML extension.
Figure 5. Questionable code in the decrypted DEX file
This file is in fact another APK (Android application package) rather than a normal HTML file meant to be displayed in a web browser.
Figure 6. APK file disguised as an HTML file
When the user launches the malware, it immediately asks for permission to install another app. It then tries to install an application stored in the "assets" directory as "introduction.html". This "introduction.html" is an APK file, and the real malicious behavior happens there.
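As an added example (not McAfee's code or the malware's), here is a Python check a triage script could run over an APK to flag files under assets/ whose extension hides an embedded APK, the trick described above. The sample dropper archive is constructed inline with placeholder contents; the file names are hypothetical.

```python
import io
import zipfile

# Constructed sample imitating the layout described in the article: the file
# stored under assets/ with an .html extension is itself a ZIP that carries an
# AndroidManifest.xml and classes.dex, i.e. an APK. Placeholder data only.
def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

INNER_APK = _build_zip({
    "AndroidManifest.xml": b"\x03\x00\x08\x00placeholder-binary-xml",
    "classes.dex": b"dex\n035\x00placeholder",
})
SAMPLE_DROPPER = _build_zip({
    "AndroidManifest.xml": b"\x03\x00\x08\x00placeholder-binary-xml",
    "classes.dex": b"dex\n035\x00placeholder",
    "assets/introduction.html": INNER_APK,  # the disguised payload
    "assets/help.html": b"<html><body>help</body></html>",
    "assets/logo.png": b"\x89PNG\r\n\x1a\nplaceholder",
})

ARCHIVE_EXTENSIONS = (".apk", ".zip", ".jar")

def is_embedded_apk(data: bytes) -> bool:
    """True if data is a ZIP archive containing an AndroidManifest.xml."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        return False

def find_disguised_apks(apk_bytes: bytes) -> list:
    """Return asset paths whose non-archive extension hides an embedded APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith("assets/"):
                continue
            if name.lower().endswith(ARCHIVE_EXTENSIONS):
                continue  # openly an archive, not disguised
            if is_embedded_apk(outer.read(name)):
                hits.append(name)
    return hits
```

Running `find_disguised_apks(SAMPLE_DROPPER)` reports only `assets/introduction.html`; a real HTML asset and a PNG pass untouched.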

Figure 7. Dropper asks you to install the main payload
When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information.

Figure 8. Permissions required by the main malicious application
It also registers several services and receivers to control notifications from the system and to receive commands from a remote Command and Control server.

Figure 9. Services and receivers registered by the main payload
Besides this, the malware uses a legitimate push SDK to receive commands from a remote server. Below is the complete list of commands and their purpose.

Command name          Purpose
observe               SMS message upload
incoming_transfer     caller number upload
del_phone_record      delete call log
zhuanyi               set call forwarding with parameter
clear_note            delete SMS message
assign_zhuanyi        set call forwarding
file                  file upload
lanjie                block SMS messages from specified numbers
allfiles              find all possible files and upload them
email_send            send email
record_telephone      call recording on
inout                 re-mapping on C2 server
blacklist             register as blacklist
listener_num          no function
no_listener_num       disable monitoring of a specific number
rebuild               reset and reconnect with C2
deleteFile            delete file
num_address_list      contacts upload
addContact            add contacts
all_address_list      call record upload
deleteContact         delete contacts
note_intercept        intercept SMS messages from specified numbers
intercept_all_phone   intercept SMS messages from all numbers
clear_date            delete all files
clear_phone_contact   delete all contacts
clear_phone_record    delete all call logs
per_note              fast SMS message upload
soft_name             app name upload
Cybercriminals are constantly evolving and using new techniques to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users as a result of this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Users are also advised to download and use apps only from the official app stores.
McAfee Mobile Security detects this threat as Android/Banker regardless of whether the application is signed with the previously legitimate signing key.
Indicators of Compromise 