Android malware spreads through compromised legitimate Web sites

by

Share this news now.

Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.

More details:

Sample screenshot of the executed Android malware:

Android_Malware_Fake_Adobe_Flash_Player_Fake_Android_Browser_Fake_Google_Play_Applications

The first variation of the campaign attempts to trick Russian-speaking users into installing a fake version of Adobe’s Flash Player, followed by a second campaign using a fake Android browser as a social engineering theme, and a third campaign which is attempting to trick mobile users into thinking that it’s a new version of Google Play.

Sample malicious URLs displayed to Android users:
hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxp://browsernew-update.ru/?a=RANDOM_CHARACTERS – 93.170.107.184

Responding to the same IP (93.170.107.184) are also the following domains part of the campaign’s infrastructure:
flashupdate.org
mobiserver-russia.com
flash-news-systems1.net
bruser-2012.net
erovideo2.net
file-send09.net
tankonoid.net
oneiclick.net
free3porn.net
nashe9porevo.net
filemoozo.net
flashupdates.net
yandexfilyes.net
erovidoos.net
yandexfiloys.net
anindord-market.net
api-md-new.net
girlsexx.net
1jan-unilo55.ru
officemb56.ru
brwsrupdate.ru
android-mk.ru
android-gt.ru

Detection rate for the malicious .apk files:
flash_player_installer.apkMD5: 29e8db2c055574e26fd0b47859e78c0e – detected by 5 out of 46 antivirus scanners as Android.SmsSend.212.origin.
Android_installer-1.apkMD5: e6be5815a05c309a81236d82fec631c8 – detected by 5 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Opfake.bo.

Required permissions for flash_player_installer.apk:
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM
android.permission.SYSTEM_ALERT_WINDOW
android.permission.WRITE_SETTINGS
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_WIFI_STATE
android.permission.UPDATE_DEVICE_STATS
android.permission.CHANGE_WIFI_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS
android.permission.DELETE_PACKAGES
android.permission.GET_PACKAGE_SIZE
android.permission.INSTALL_PACKAGES
android.permission.MANAGE_APP_TOKENS
android.permission.PERSISTENT_ACTIVITY
android.permission.GET_ACCOUNTS
android.permission.WAKE_LOCK
android.permission.WAKE_LOCK

Used the following features once executed:
android.hardware.wifi
android.hardware.telephony
android.hardware.touchscreen
android.hardware.screen.portrait

Upon execution, the Android sample phones back to gaga01.net/rq.php – 93.170.107.57 – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED

Required permissions for Android_installer-1.apk:
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM
android.permission.SYSTEM_ALERT_WINDOW

Used the following features once executed:
android.hardware.wifi
android.hardware.telephony
android.hardware.touchscreen
android.hardware.screen.portrait

It also connects back to gaga01.net/rq.php – 93.170.107.57 – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED

Android users of Webroot’s mobile products are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.
Android malware spreads through compromised legitimate Web sites by
0 comments

Trackbacks

  1. [...] More information and a technical data of these campaigns might be found here: blog.webroot.com. [...]

  2. [...] You can see the laundry list of other domains responding to that same IP address (93.170.107.184) along with the rest of the WebRoot write-up. [...]

  3. [...] ασφαλείας από το  Webroot έχουν βρεί ότι οι εγκληματίες του κυβερνοχώρου [...]

  4. [...] Las otras campañas incluyen falso navegador de Android como tema la ingeniería social y falso Google Play. Cuando la aplicación malicioso es ejecutado, el malware contiene información tal como IMEI, marca, operador, IMSI y lo envía de vuelta al servidor remoto. E hacking Noticias [NHE] – The Best IT Security News | Hacker News [...]

  5. […] tools — and instead of monetizing the traffic by serving client-side exploits, they can filter and redirect all the mobile device traffic to a fraudulent/malicious Android application. We’ve already seen and profiled a similar situation, that was affecting a popular Bulgarian […]

  6. […] Dorks tools — and instead of monetizing the traffic by serving client-side exploits, they can filter and redirect all the mobile device traffic to a fraudulent/malicious Android application. We’ve already seen and profiled a similar situation, that was affecting a popular Bulgarian Web […]