Authored by Dexter Shin
McAfee Mobile Research Team discovered an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. This is the case for this Android banking trojan, which uses a legitimate signing key to bypass signature-based detection techniques. Until now, these banking trojans have not been distributed on Google Play or official app stores. This threat was disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that it has replaced the signing key and currently all of its legitimate apps are signed with a new signing key.
Android malware using a legitimate signing key
While monitoring the Android banking trojan Fakecalls we found a sample using the same signing key as a well-known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app, as they use the same icon as the real banking apps.

Figure 1. Malware and legitimate app on Google Play
Distribution method and latest status
Domains verified last August, when we first discovered the samples, are now down. However, we investigated URLs related to this malware and found similar ones related to this threat. Among them, we identified a phishing site that was still alive during our research. The site is also disguised as a banking site.

Figure 2. A phishing page disguised as a Korean banking site
We also found that they updated the domain information of this web page a few days before our investigation.

So we took a deeper look into this domain and found additional unusual IP addresses that led us to the Command and Control (C2) server admin pages used by the cybercriminals to control the infected devices.


Figure 3. Fakecalls Command and Control (C2) admin web pages
How does it work
When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below.

Figure 4. Tencent's Legu Packer libraries
After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with an HTML extension.
Figure 5. Questionable code in the decrypted DEX file
This file is in fact another APK (Android application) rather than a normal HTML file designed to be displayed in a web browser.
Figure 6. APK file disguised as an HTML file
When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the "assets" directory as "introduction.html". The "introduction.html" is an APK file and the real malicious behavior happens there.
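As an added triage check (this is not code from the McAfee post), the following Python script scans an APK's assets directory for entries whose extension claims HTML but whose content is a ZIP carrying the entries every APK has, which is exactly the "introduction.html" trick described above. The dropper it inspects is constructed in memory for the demonstration and holds placeholder bytes, not real code.

```python
import io
import zipfile

# Entries that every installable APK carries; a ZIP holding both is treated as an APK.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty ZIP/APK


def _build_inner_apk() -> bytes:
    """Constructed stand-in for the dropped payload: a ZIP with APK-typical entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        z.writestr("classes.dex", b"dex\n035\x00")          # placeholder content
    return buf.getvalue()


def build_sample_dropper() -> bytes:
    """Constructed stand-in for the dropper APK (a ZIP), with one disguised payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/introduction.html", _build_inner_apk())      # APK as .html
        z.writestr("assets/help.html", b"<html><body>help</body></html>")  # real HTML
    return buf.getvalue()


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP whose entry list contains the APK marker files."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return APK_MARKERS.issubset(set(z.namelist()))
    except zipfile.BadZipFile:
        return False


def find_disguised_apks(apk_bytes: bytes) -> list[str]:
    """Return asset entries that are not named .apk but whose content is an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("assets/") and not name.lower().endswith(".apk"):
                if looks_like_apk(z.read(name)):
                    hits.append(name)
    return hits


if __name__ == "__main__":
    print(find_disguised_apks(build_sample_dropper()))  # ['assets/introduction.html']
```

On a real sample, pass the bytes of the unpacked dropper to find_disguised_apks; any hit is worth a second look even when the outer APK carries a trusted signature.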

Figure 7. Dropper asks you to install the main payload
When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information.

Figure 8. Permissions required by the main malicious application
It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server.

Figure 9. Services and receivers registered by the main payload
By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here is the full list of commands and their purpose.
| Command name | Purpose |
|---|---|
| note | sms message upload |
| incoming_transfer | caller number upload |
| del_phone_record | delete call log |
| zhuanyi | set call forwarding with parameter |
| clear_note | delete sms message |
| assign_zhuanyi | set call forwarding |
| file | file upload |
| lanjie | block sms message from specified numbers |
| allfiles | find all possible files and upload them |
| email_send | send e-mail |
| record_telephone | call recording on |
| inout | re-mapping on C2 server |
| blacklist | register as blacklist |
| listener_num | no function |
| no_listener_num | disable monitoring a specific number |
| rebuild | reset and reconnect with C2 |
| deleteFile | delete file |
| num_address_list | contacts upload |
| addContact | add contacts |
| all_address_list | call record upload |
| deleteContact | delete contacts |
| note_intercept | intercept sms message from specified numbers |
| intercept_all_phone | intercept sms message from all |
| clear_date | delete all records |
| clear_phone_contact | delete all contacts |
| clear_phone_record | delete all call log |
| per_note | quick sms message upload |
| soft_name | app name upload |
Cybercriminals are constantly evolving and using new techniques to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users as a result of this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are advised to download and use apps only from the official app stores.
McAfee Mobile Security detects this threat as Android/Banker regardless of whether the application is signed with the previously legitimate signing key.
Indicators of Compromise
Domains:
- http[://]o20-app.dark-app.net
- http[://]o20.orange-app.today
- http[://]orange20.orange-app.today
