Recently, security researchers at Check Point detected a new strain of Android malware that is being circulated on the internet and targets users located in Southeast Asia.
The researchers named the malware WAPDropper. It is currently distributed through a malicious app hosted on third-party app stores.
Once installed, the malware downloads and executes a payload: a wireless application protocol (WAP) premium dialer that subscribes victims to premium services in Thailand and Malaysia without their knowledge or consent.
Timeline and Encounter
The malware communicates with the URL https://l[.]facebook1mob[.]com/index.php?r=api/back. The researchers reported observing a large number of connections to this URL, and a wider view of the malware infrastructure traced it back to the IP addresses 184.108.40.206 and 220.127.116.11.
These addresses resolve to the domain ip.cooktracking[.]com. Having examined the IP addresses, the researchers believe the two campaigns are related and may involve the same threat actor.
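The indicators above (the C2 URL, the two IP addresses and the cooktracking domain) are the kind of data a defender would turn into a detection. The script below is an added example, not part of the Check Point report or this article: it parses constructed outbound-proxy log lines (the log format, hostnames and client addresses are assumptions) and flags any connection that touches an indicator, tagging why. The indicator values are reproduced exactly as the article gives them.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Network indicators as published in the article (refanged for matching).
# The two IP addresses are reproduced as the page states them.
IOC_DOMAINS = {"facebook1mob.com", "cooktracking.com"}
IOC_IPS = {"184.108.40.206", "220.127.116.11"}
C2_PATH = "/index.php"
C2_QUERY = "r=api/back"

# Assumed proxy log format: "<timestamp> <src> -> <dst> <METHOD> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'l[.]facebook1mob[.]com' to plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_line(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record for one log line, or None if it is clean/unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons: List[str] = []
    if m["dst"] in IOC_IPS:
        reasons.append("ioc-ip")
    parsed = urlparse(refang(m["url"]))
    if host_matches_ioc(parsed.hostname or ""):
        reasons.append("ioc-domain")
    # The C2 endpoint path/query is matched independently of the host, so a
    # move to a new domain that keeps the same backend route is still caught.
    if parsed.path == C2_PATH and parsed.query == C2_QUERY:
        reasons.append("c2-uri")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return every hit in input order."""
    return [hit for hit in map(match_line, lines) if hit is not None]


# Constructed sample log; client and non-IOC server addresses are documentation ranges.
SAMPLE_LOG = [
    "2020-11-20T08:12:01Z 10.0.0.21 -> 184.108.40.206 POST https://l.facebook1mob.com/index.php?r=api/back",
    "2020-11-20T08:12:05Z 10.0.0.21 -> 192.0.2.10 GET https://updates.example/check",
    "2020-11-20T08:13:40Z 10.0.0.22 -> 198.51.100.7 GET http://ip.cooktracking.com/",
    "2020-11-20T08:14:02Z 10.0.0.23 -> 220.127.116.11 GET http://203.0.113.9/index.php?r=api/back",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}: {', '.join(hit['reasons'])}")
```

Matching the parent domains rather than the exact hostnames means any subdomain of facebook1mob[.]com or cooktracking[.]com is flagged, and matching the `index.php?r=api/back` route separately gives a lead even when the operator rotates hosts.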
According to the report, the malware consists of two modules. The first is a dropper module that downloads additional malware modules, which gives the operators room to extend it and launch different kinds of attacks.
The second module is a premium dialer whose sole purpose is to subscribe victims to premium services without their knowledge or consent. Here the threat actors use the technique known as "WAP fraud."
This technique was widespread in the late 2000s and early 2010s but faded with the rise of smartphones. It made a comeback in the late 2010s as malware authors realized that many modern phones and telcos still support the older WAP standard.
Data Collected by WAPDropper
The data collected by WAPDropper is listed below:
- Device ID
- MAC address
- Subscriber ID
- Device model
- List of all installed apps
- List of running services
- Topmost activity package name
- Is the screen turned on
- Are notifications enabled for this app
- Can this app draw overlays
- Amount of available free storage space
- The total amount of RAM and available RAM
- List of non-system applications
Payloads that the Dropper Module Downloads
For each payload that the dropper module downloads, the following parameters are specified:
- The payload download URL
- MD5 verification of the downloaded file
- The Class Name and Method Name for the reflection call
- Execution frequency
- Maximum number of executions
Capabilities of the Remote Website
- Obtain the victim's phone number.
- Get the victim's phone information.
- Get an SMS list.
- Send an SMS to a specified number.
- Transmit POST requests to a specified URL.
The malware also tries to evade detection by hiding its icon, so that users do not notice it on their device and uninstall it. The researchers concluded the report by noting that WAPDropper is distributed through unofficial Android stores, and that avoiding these marketplaces generally reduces the risk of compromise.