A wave of fraudulent apps has made its way onto the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula and accumulating more than 700,000 downloads. These malicious apps hijack SMS message notifications to commit billing fraud.

What are these fraudulent apps up to?
Posing as photo editors, wallpapers, puzzles, keyboard skins and other camera-related apps, the malware embedded in these fraudulent apps hijacks SMS message notifications and then makes unauthorized purchases. The apps were confirmed to be fraudulent after analysis.

Technical Analysis
The malware embedded in these apps takes advantage of dynamic code loading. The encrypted payloads sit in the app's assets folder under names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files, as illustrated below.


The hidden malicious code in the main .apk opens the “1.png” file in the assets folder, decrypts it to “loader.dex,” and then loads the dropped .dex. “1.png” is encrypted with RC4, using the package name as the key; because that key is a public property of the app, the payload can be decrypted statically without running the sample. The first payload sends an HTTP POST request to the C2 server. When the server response contains a “URL” value, the content fetched from that URL is used in place of “2.png.”
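As an added example (not code from the article or from the malware itself), the script below applies the two observations above to triage an APK: it flags assets that carry one of the listed dropper names or that claim a “.png” extension without a PNG signature, RC4-decrypts each flagged asset with the package name as the key, and reports whether the result starts with a dex header. The package name `com.example.sample`, the in-memory APK and the fake dex body are constructed for the demonstration so the script runs offline; on a real sample you would pass the APK bytes and the package name from its manifest.

```python
"""Triage an APK's assets for the RC4-with-package-name loader pattern.

Added example, not code from the original article. The sample APK built by
build_sample_apk() is constructed here so the script runs offline.
"""
import io
import zipfile
from typing import Dict, List

# Asset names the article lists as carriers of encrypted payloads.
SUSPICIOUS_ASSET_NAMES = {"cache.bin", "settings.bin", "data.droid"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DEX_MAGIC = b"dex\n"  # a real dex continues with a 3-digit version and NUL, e.g. "035\0"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def scan_apk(apk_bytes: bytes, package_name: str) -> List[Dict]:
    """Return one finding per asset that looks like an encrypted loader stage.

    An asset under assets/ is flagged when it carries a known dropper name or
    claims a .png extension but lacks the PNG signature. Each flagged asset is
    RC4-decrypted with the package name (the key the article reports) and the
    plaintext is checked for a dex header.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/"):
                continue
            base = name.rsplit("/", 1)[-1]
            blob = zf.read(name)
            fake_png = base.lower().endswith(".png") and not blob.startswith(PNG_MAGIC)
            if base in SUSPICIOUS_ASSET_NAMES or fake_png:
                plain = rc4(package_name.encode(), blob)
                findings.append({
                    "asset": name,
                    "fake_png": fake_png,
                    "decrypts_to_dex": plain.startswith(DEX_MAGIC),
                })
    return findings


def build_sample_apk(package_name: str) -> bytes:
    """Construct a minimal APK-like zip for the demonstration: a genuine PNG
    header in assets/icon.png and an RC4-encrypted fake dex in assets/1.png."""
    fake_dex = DEX_MAGIC + b"035\0" + b"\x00" * 64  # constructed stand-in, not a real dex
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")  # placeholder; a real APK has a binary XML manifest
        zf.writestr("assets/icon.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("assets/1.png", rc4(package_name.encode(), fake_dex))
    return buf.getvalue()


if __name__ == "__main__":
    pkg = "com.example.sample"  # hypothetical package name for the constructed sample
    for finding in scan_apk(build_sample_apk(pkg), pkg):
        print(finding)
```

The legitimate icon is left alone because it carries the PNG signature, while “1.png” is flagged as a fake PNG and decrypts to a dex header. Trying a wrong package name yields a finding with `decrypts_to_dex` false, which is the cheap way to confirm the key hypothesis on a real sample before spending time in a debugger.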
Notification workflow:
The malware abuses the Notification Listener to read incoming SMS messages, as the Android Joker malware does, without requesting the SMS read permission. Notification access is not a runtime permission: it is a service bound with BIND_NOTIFICATION_LISTENER_SERVICE that the user enables from the device's notification access settings, which is why such apps steer the victim to that screen. The malware then passes the notification object to the final stage, which sends the message out through a WebView JavaScript interface.

Technical Data and IOCs
MITRE ATT&CK Matrix

IoCs
SHA256 | Package name
08C4F705D5A7C9DC7C05EDEE3FCAD12F345A6EE6832D54B758E57394292BA651 | com.studio.keypaper2021
CC2DEFEF5A14F9B4B9F27CC9F5BBB0D2FC8A729A2F4EBA20010E81A362D5560C | com.pip.editor.camera
007587C4A84D18592BF4EF7AD828D5AAA7D50CADBBF8B0892590DB48CCA7487E | org.my.favorites.up.keypaper
08FA33BC138FE4835C15E45D1C1D5A81094E156EEF28D02EA8910D5F8E44D4B8 | com.super.color.hairdryer
9E688A36F02DD1B1A9AE4A5C94C1335B14D1B0B1C8901EC8C986B4390E95E760 | com.ce1ab3.app.photo.editor
018B705E8577F065AC6F0EDE5A8A1622820B6AEAC77D0284852CEAECF8D8460C | com.hit.camera.pip
0E2ACCFA47B782B062CC324704C1F999796F5045D9753423CF7238FE4CABBFA8 | com.daynight.keyboard.wallpaper
50D498755486D3739BE5D2292A51C7C3D0ADA6D1A37C89B669A601A324794B06 | com.super.star.ringtones
Conclusion:
Threats that abuse the Notification Listener will continue to flourish. Pay attention to apps that request SMS-related permissions or notification access. Simply put, a legitimate photo or wallpaper app has no need for either in order to run, so it should not ask for them. If a request seems suspicious, don't allow it, and review the list of apps already granted notification access in the device settings.