Category Archives: Android

Cyber News Rundown: WHO Under Cyberattack

Reading Time: ~ 2 min.

World Health Organization Sees Rise in Cyberattacks

Officials for the World Health Organization (WHO) have announced that many of their sites and servers have been under attack by hackers, so far unsuccessfully, trying to capitalize on the latest health scare. The attack stemmed from the use of several malicious domains that attempted to gain sensitive information and credentials from WHO employees. Thousands of other malicious domains have been created over the last few weeks to exploit uninformed victims of the Coronavirus outbreak.

TrickBot Sidesteps 2FA on Mobile Banking Apps

The creators of TrickBot have developed a new mobile app called TrickMo that can silently circumvent the two-factor authentication used by various mobile banking apps. Once installed on the victim’s device, the malicious app is used mainly to intercept authentication tokens. Currently, the TrickMo app is targeting German individuals and using the name “Security Control” to disguise its ulterior motives; it even sets itself as the default SMS app in order to steal additional information.

Google Play Finds 56 New Malicious Apps

Over 56 new malicious apps have been spotted on the Google Play store, with a combined 1.7 million installations on devices across the globe. To make matters worse, a large portion of the apps were targeted specifically at children and used native Android functionality to imitate typical user actions to boost ad revenue. Many of the apps took extreme measures to avoid being uninstalled by the users, though Google itself has since removed all of the related apps from the Play Store.

Fake Coronavirus Vaccine Sites Shutdown

A website offering fake Coronavirus vaccine kits that were claimed to be approved by the WHO has been shut down following a ruling by a federal court. The operator of the site has been accused of committing fraud, and the hosting service has received a restraining order to stop public access to the site. The site in question, “coronavirusmedicalkit.com”, offered the fake kits with users paying only for shipping, but had them enter their payment card data to do so.

Tupperware Website Breached

The main website for Tupperware was recently hacked and used to host Magecart code to steal payment card information. The malicious code was first discovered at the end of last week, but was still active nearly a week later, even after multiple attempts to contact the company. Magecart has been a widespread issue for online retailers over the last couple of years, and still maintains a large presence due to its ease of use and continuing success.

The post Cyber News Rundown: WHO Under Cyberattack appeared first on Webroot Blog.

Huawei P40 Pro+ features 10x periscope camera and stunning quad-curved display

Huawei today held the global launch event for its P40 series smartphones, releasing the devices for European, Chinese, and Canadian markets.

Colour options for the P40 Pro and P40 Pro+

| Name | Huawei P40 | Huawei P40 Pro | Huawei P40 Pro+ |
|---|---|---|---|
| Display | 6.1-inch OLED 2,340 x 1,080p quad-curve overflow display | 6.58-inch OLED 2,640 x 1,200p 90Hz DCI-P3 HDR quad-curve overflow display | 6.7-inch OLED 2,640 x 1,200p 90Hz DCI-P3 HDR quad-curve overflow display |
| Rear camera | Main camera: 50MP RYYB Ultra Vision, f/1.9; Ultra-wide: 16MP f/2.2; Telephoto: 8MP f/2.4 OIS, 3x optical zoom | Main camera: 50MP RYYB Ultra Vision, f/1.9; Ultra-wide: 40MP f/1.8; Telephoto: 12MP periscope RYYB f/3.4 OIS, 5x optical zoom; ToF sensor | Main camera: 50MP RYYB Ultra Vision, f/1.9; Ultra-wide: 40MP f/1.8; Telephoto: 8MP f/2.4, 3x optical zoom; SuperZoom: 8MP f/4.4 periscope dual-axis OIS 240mm, 10x optical zoom; ToF sensor |
| Front camera | 32MP selfie camera | 32MP selfie camera and ToF sensor | 32MP selfie camera and ToF sensor |
| Processor | Huawei Kirin 990 5G | Huawei Kirin 990 5G | Huawei Kirin 990 5G |
| RAM | 6GB/8GB | 8GB | 12GB |
| Storage | 128GB/256GB | 256GB/512GB | 256GB/512GB |
| Durability | IP53 | IP68 | IP68 |
| Battery | 3,800 mAh, 22.5W charging | 4,200 mAh, 40W wired charging, 27W wireless charging | 4,200 mAh, 40W wired and wireless charging |
| OS | EMUI 10.1 based on Android 10 | EMUI 10.1 based on Android 10 | EMUI 10.1 based on Android 10 |
| Colours | Ice White, Deep Sea Blue, Silver Frost, Blush Gold, Black | Ice White, Deep Sea Blue, Silver Frost, Blush Gold, Black | Ice White, Deep Sea Blue, Silver Frost, Blush Gold, Black, Ceramic White and Ceramic Black |
| Price | €799 | €999 | €1,399 |
| Availability | Apr 7, 2020 | Apr 7, 2020 | June 2020 |

The curve is in. Huawei’s new P40 series features a quad-curve display, meaning that the glass is curved on all four edges. Huawei says that the added curvature provides a better swiping experience from the edge.

With photography as its guiding focus, this year’s P40 Pro once again sees major upgrades to its camera. The main sensor has been updated on all three models to the new 50MP RYYB sensor. In addition to the resolution increase over last year, the sensor size has been increased to allow for larger pixels and better low-light capture. Huawei has also enabled four-to-one pixel binning for low-light conditions, combining the image data from four pixels to enhance detail at the cost of a lower resolution. When shooting video, the binning count can be increased to 16-to-1.

Whereas the lowest-end P40 has a 3x telephoto camera, both the P40 Pro and the P40 Pro+ include Huawei’s periscope cameras. The P40 Pro’s periscope camera has a 5x optical zoom range, while the highest-end P40 Pro+ extends that to 10x optical zoom. Their sensors have been upgraded to RYYB sensors for better low-light capabilities. The image sensors also now feature a new OCTA phase-detection autofocus for faster focusing in low light.

Specifications for the P40 Pro+’s periscope camera.

The P40 Pro and P40 Pro+ have a depth sensor on the front as well as the rear. This enables gesture controls and facial recognition. The P40 only comes with the image sensor.

Moreover, Huawei has added a new image algorithm library called the XD Fusion image engine. This chip enables the image processor to perform advanced image stacking to improve image detail.


Other camera enhancements include Golden Snap, a camera feature that selects the best shot from a sequence of rapidly taken photos. Huawei claims that it analyzes more than 90 facial features and 30 poses. Another feature is the ability to remove imperfections such as reflections directly on the device.

Huawei’s pixel size comparison against other flagship phones.

All three models use Huawei’s Kirin 990 SoC with an integrated 5G modem. The P40 comes with 6GB or 8GB of RAM, while the P40 Pro and the P40 Pro+ come with 8GB and 12GB of RAM respectively.

Although it doesn’t have Google Play Services, the P40 series will ship with EMUI 10.1 OS based on Android 10. It also now has Huawei’s Celia voice assistant that can place calls, schedule meetings, and translate speech. Huawei’s AppGallery will take the place of the Google Play Store.

In addition to 40W wired charging, the P40 Pro+ now supports 40W wireless charging. The charger will likely be a separate purchase from Huawei.

The P40 Series will begin arriving in Canada in early June. Prices and availability will be announced in the coming weeks.

Watch Out: Android Apps in Google Play Store Capitalizing on Coronavirus Outbreak

Preying on public fears, the ongoing coronavirus outbreak is proving to be a goldmine of opportunity for attackers to stage a variety of malware attacks, phishing campaigns, and create scam sites and malicious tracker apps. Now in a fresh twist, third-party Android app developers too have begun to take advantage of the situation to use coronavirus-related keywords in their app names,

TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services

The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users

Dozens of Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme

More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users. Dubbed "Tekya," the malware in the apps imitated users' actions to click ads from advertising networks such as Google's AdMob, AppLovin',

Hacking Voice Assistants with Ultrasonic Waves

I previously wrote about hacking voice assistants with lasers. Turns out you can do much the same thing with ultrasonic waves:

Voice assistants -- the demo targeted Siri, Google Assistant, and Bixby -- are designed to respond when they detect the owner's voice after noticing a trigger phrase such as 'Ok, Google'.

Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves which humans can't hear, providing an attacker has a line of sight on the device and the distance is short.

What SurfingAttack adds to this is the ability to send the ultrasonic commands through a solid glass or wood table on which the smartphone was sitting using a circular piezoelectric disc connected to its underside.

Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.

Research paper. Demonstration video.

Fake Coronavirus tracking app exploiting our fear and vulnerable social situation

As the Coronavirus spreads across countries, creating fear across the globe, everybody wants to stay on top of any information related to it, wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously, there were many applications on the Google Play Store which claimed that they could provide Coronavirus tracking information. But Google has set up some rules for these types of applications and considers them to fall under the ‘Sensitive events’ category. Under this policy, Google proactively removed many applications from the Play Store to stop malware authors from taking advantage of this situation. But malware authors have used another way to enter the user’s phone….

Google Advanced Protection users get new protections against Android malware

Google has announced the rollout of two new non-negotiable security features for Android users who have also enrolled in the company’s Advanced Protection Program (APP). What is the Advanced Protection Program? In late 2017, Google decided to provide additional security for those who are at an elevated risk of targeted attacks – e.g., journalists, human rights and civil society activists, campaign staffers, people in abusive relationships, etc. – and are willing to trade off a … More

The post Google Advanced Protection users get new protections against Android malware appeared first on Help Net Security.

Smashing Security #170: PornHub, Coronavirus apps, and remote working

It’s a self-isolated Coronavirus special as we discuss with our quarantined special guest how COVID-19 is making itself felt in the world of cybersecurity, and we offer tips on how to better protect yourself if you’re unexpectedly working from home.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with Graham Cluley and Carole Theriault, joined this week by Malicious Life’s Ran Levi from his attic.

MonitorMinor, the outstanding stalkerware can track Gmail, WhatsApp, Instagram, and Facebook

Security experts spotted a new stalkerware, dubbed MonitorMinor, that can track Gmail, WhatsApp, Instagram, and Facebook user activity.

Security experts from Kaspersky Lab spotted a new stalkerware, dubbed MonitorMinor (Monitor.AndroidOS.MonitorMinor.c), that can track Gmail, WhatsApp, Instagram, and Facebook user activity.

Stalkerware is commercial monitoring software or spyware that is used for stalking; it is usually installed to secretly spy on family members or colleagues.

According to the experts, MonitorMinor is more powerful than all existing software of its family.

Stalkerware is typically able to gather the victim’s current geolocation, intercept SMS and call data, and sometimes implements geofencing features.

MonitorMinor stands out because it also allows spying on other communication channels, such as instant messaging applications.

The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of stalkerware that can do this.

Experts discovered that the author of the stalkerware leverages the presence of a SuperUser-type app (SU utility), which grants root access to the system.

“In a “clean” Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control).” reads the report published by Kaspersky.

“The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system.” “It is the presence of this utility that the creators of MonitorMinor are counting on.”

Once it has escalated privileges by running the SU utility, the malware gains full access to data in the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Hangouts
  • Viber
  • Hike News & Content
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM

MonitorMinor is also able to extract the file /data/system/gesture.key from the device, which contains the hash of the screen unlock pattern or password. The MonitorMinor operator could use it to unlock the device; this is the first stalkerware that implements such a function.

The persistence mechanism implemented by the malware is very efficient and leverages the root access. The stalkerware remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode.

Victims will not be able to remove the spying software using regular OS tools.

MonitorMinor leverages the Accessibility Services API to intercept events in the controlled apps; even without root access it is able to operate effectively on all devices with this API.

The malware also implements a keylogger through this API, and it allows operators to monitor the clipboard and forwards its contents.
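The two capabilities just described, the read/write remount of the system partition and the abuse of Accessibility Services, both leave traces an examiner can check without any vendor tooling. The script below is an added example, not Kaspersky’s code or anything taken from a MonitorMinor sample: it parses three constructed inputs standing in for the output of `adb shell cat /proc/mounts`, `adb shell settings get secure enabled_accessibility_services` and `adb shell ls` over the usual su binary locations, and reports a system image mounted rw, an Accessibility service outside an allowlist, and a present su binary. The package name com.sys.update in the sample is a placeholder, not a real indicator.

```python
"""Offline triage of three indicators described above: a system partition
remounted read/write, an unknown Accessibility service, and a su binary.
Added example, not Kaspersky's code or any MonitorMinor sample. The inputs are
CONSTRUCTED strings standing in for `adb shell cat /proc/mounts`,
`adb shell settings get secure enabled_accessibility_services` and
`adb shell ls /system/bin/su /system/xbin/su /sbin/su /su/bin/su`.
The package com.sys.update is a placeholder, not a real indicator."""

# Constructed /proc/mounts excerpt: "/" is read-only as shipped, but /system
# has been remounted rw, the state MonitorMinor needs to copy itself there.
SAMPLE_MOUNTS = """\
/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/by-name/system /system ext4 rw,seclabel,relatime 0 0
/dev/block/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

# Constructed setting value: TalkBack is legitimate, the second entry is not.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.sys.update/.MonitorService"
)

# Constructed `ls` output: toybox echoes existing paths and reports the rest.
SAMPLE_SU_LS = """\
ls: /system/bin/su: No such file or directory
/system/xbin/su
ls: /sbin/su: No such file or directory
ls: /su/bin/su: No such file or directory
"""

# Mount points that belong to the read-only system image on stock builds.
SYSTEM_MOUNTPOINTS = {"/", "/system", "/system_ext", "/vendor", "/product"}

# Packages whose Accessibility services are expected; extend per fleet.
ACCESSIBILITY_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}


def find_writable_system(mounts_text):
    """Return system-image mount points whose options include rw.
    /proc/mounts fields: device mountpoint fstype options dump pass."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        if mountpoint in SYSTEM_MOUNTPOINTS and "rw" in options:
            hits.append(mountpoint)
    return hits


def unknown_accessibility_services(setting_value, allowlist=ACCESSIBILITY_ALLOWLIST):
    """Return enabled Accessibility components whose package is not allowlisted.
    The setting is colon-separated; `settings get` prints null when unset."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    unknown = []
    for component in value.split(":"):
        package = component.split("/", 1)[0]
        if package not in allowlist:
            unknown.append(component)
    return unknown


def present_su_binaries(ls_output):
    """Return paths that ls printed as existing, skipping its error lines."""
    return [line.strip() for line in ls_output.splitlines()
            if line.strip() and not line.startswith("ls:")]


def triage(mounts_text, accessibility_value, su_ls_output):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for mountpoint in find_writable_system(mounts_text):
        findings.append(f"system image mounted read/write at {mountpoint}")
    for component in unknown_accessibility_services(accessibility_value):
        findings.append(f"unexpected Accessibility service enabled: {component}")
    for path in present_su_binaries(su_ls_output):
        findings.append(f"su binary present: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MOUNTS, SAMPLE_ACCESSIBILITY, SAMPLE_SU_LS):
        print("[!]", finding)
```

On a real device, feed the script the live output of the three adb commands instead of the constructed strings. A writable system image is only meaningful while the remount is in place, so the mount check should be paired with a comparison of /system contents against a known-good build; the Accessibility allowlist is the check that still works when the operator never had root.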

The stalkerware also allows its owner to:

  • Control the device using SMS commands
  • View real-time video from the device’s cameras
  • Record sound from the device’s microphone
  • View browsing history in Chrome
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage
  • View the contacts list
  • View the system log

According to Kaspersky, most of the installs of this stalkerware are in India (14.71%), followed by Mexico (11.76%), Germany, Saudi Arabia, and the UK (5.88%). Experts also noticed the presence of a Gmail account with an Indian name in the body of MonitorMinor, a circumstance that suggests it was developed by an Indian developer.

“MonitorMinor is superior to other stalkerware in many aspects. It implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device,” concludes Kaspersky. “If the device has root access, its operator has even more options available.”

Pierluigi Paganini

(SecurityAffairs – MonitorMinor, malware)

The post MonitorMinor, the outstanding stalkerware can track Gmail, WhatsApp, Instagram, and Facebook appeared first on Security Affairs.

Fake Covid-19 tracker app delivers ransomware, disinformation abounds

As Covid-19 spreads across the globe and countries do their best to slow down the infection rate, cybercriminals’ onslaught against worried users is getting more intense by the day. The latest scheme includes a malicious Android tracker app that supposedly allows users to keep an eye on the spread of the virus, but locks victims’ phone and demands money to unlock it. Also, as many have already discovered, the spread of potentially very dangerous disinformation … More

The post Fake Covid-19 tracker app delivers ransomware, disinformation abounds appeared first on Help Net Security.

How Google Play Protect kept users safe in 2019


Through 2019, Google Play Protect continued to improve the security for 2.5 billion Android devices. Built into Android, Play Protect scans over 100 billion apps every day for malware and other harmful apps. This past year, Play Protect prevented over 1.9 billion malware installs from unknown sources. Throughout 2019 there were many improvements made to Play Protect to bring the best of Google to Android devices to keep users safe. Some of the new features launched in 2019 include:
Advanced similarity detection
Play Protect now warns you about variations of known malware right on the device. On-device protections warn users about Potentially Harmful Apps (PHAs) at install time for a faster response. Since October 2019, Play Protect issued 380,000 warnings for install attempts using this system.
Warnings for apps targeting lower Android versions
Malware developers intentionally target devices running long outdated versions of Android to abuse exploits that have recently been patched. In 2018, Google Play started requiring new apps and app updates be built for new versions of the Android OS. This strategy ensures that users downloading apps from Google Play receive apps that take advantage of the latest privacy and security improvements in the OS.
In 2019, we improved on this strategy with warnings to the user. Play Protect now notifies users when they install an app that is designed for outdated versions. The user can then make an informed decision to proceed with the installation or stop the app from being installed so they can look for an alternative that targets the most current version of Android.
Uploading rare apps for scanning
The Android app ecosystem is growing at an exponential rate. Millions of new app versions are created and shared outside of Google Play daily posing a unique scaling challenge. Knowledge of new and rare apps is essential to provide the best protection possible.
We added a new feature that lets users help the fight against malware by sending apps Play Protect hasn't seen before for scanning during installation. The upload to Google’s scanning services preserves the privacy of the user and enables Play Protect to improve the protection for all users.
Integration with Google’s Files app
Google’s Files app is used by hundreds of millions of people every month to manage the storage on their device, share files safely, and clean up clutter and duplicate files. This year, we integrated Google Play Protect notifications within the app so that users are prompted to scan and remove any harmful applications that may be installed.
Play Protect visual updates
The Google Play Store has over 2 billion monthly active users coming to safely find the right app, game, and other digital content. This year the team was excited to roll out a complete visual redesign. With this change, Play Protect made several user-facing updates to deliver a cleaner, more prominent experience including a reminder to enable app-scanning in My apps & games to improve security.
The mobile threat landscape is always changing and so Google Play Protect must keep adapting and improving to protect our users. Visit developers.google.com/android/play-protect to stay informed on all the new exciting features and improvements being added to Google Play Protect.
Acknowledgements: Aaron Josephs, Ben Gruver, James Kelly, Rodrigo Farell, Wei Jin and William Luh

Over one billion Android devices at risk as they no longer receive security updates

More than one billion Android devices are at risk of being hacked or infected by malware, because they are no longer supported by security updates and built-in protection.

That’s the conclusion of an investigation which found that at-risk smartphones are still being sold, despite the range of malware and other threats to which they are vulnerable.

Read more in my article on the Hot for Security blog.

You Can Now Run Android on an iPhone With ‘Project Sandcastle’

Not happy with your expensive iPhone and wondered if it's possible to run any other operating system on your iPhone, maybe, how to install Android on an iPhone or Linux for iPhones? Android phones can be rooted, and iPhones can be jailbroken to unlock new features, but so far, it's been close to impossible to get Android running on iPhones, given the mobile device hardware constraints and

Stalkerware Installations Up 60% in 2019

The number of stalkerware apps detected on smartphones increased in 2019, a full 60% over the previous year according to a new report released by Kaspersky Labs. 

The anti-virus company’s annual mobile malware report said stalkerware reports increased from 40,286 in 2019 to 67,500 in 2019, figures derived from data gleaned from Kaspersky product users that consented to provide statistical data for research purposes.

Stalkerware apps (also called spouseware) are designed to track and stream personal information on a target user’s phone, including photos, videos, email, phone calls placed, SMS communications, and location data. While not specifically illegal, the apps are banned from both Google Play and the Apple App Store because of ethical and privacy considerations. 

The Federal Trade Commission launched investigations into the developers of three different “stalkerware” apps in late 2019, for being “uniquely suited to illegal and dangerous uses.”

What You Need to Know

Stalkerware apps are installed by someone with physical access to a device (potentially by a spouse or parent) or via phishing exploits where the sender lures their target into clicking a link or downloading something that appears to be legitimate. This is thought to be the way Amazon founder and CEO Jeff Bezos was hacked in 2019.

While stalkerware is designed to operate undetected, there are warning signs that a smartphone may be compromised:

  • Insecure Device Settings: Many Android devices provide a setting that allows the remote installation of Apps. It can be found under Settings > Security > Allow unknown sources, or Apps > Menu > Special Access > Install unknown apps. This setting could indicate the presence of stalkerware on a device.

  • Unexpected Battery Drain: Intercepting and transmitting data and other activity from a smartphone can be energy intensive. A battery that is quickly depleted may indicate the presence of a hidden application using system resources.

While many commercial malware and security apps can potentially identify or prevent the installation of stalkerware apps, if you are concerned about its presence on your device, take a moment to enable security settings including PIN codes and two-factor authentication. Alternatively, a factory reset can be effective, removing most (nothing is failsafe in things cyber) if not all malicious apps.

The post Stalkerware Installations Up 60% in 2019 appeared first on Adam Levin.

PHA Family Highlights: Bread (and Friends)





“So..good..”
“very beautiful”
Later, 1 star reviews from real users start appearing with comments like:
“Deception”
“The app is not honest …”

SUMMARY

Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed. Sample 1 may use AES-encrypted strings with reflection, while Sample 2 (submitted on the same day) will use the same code but with plaintext strings.
At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day. At other times, Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant. This family showcases the amount of resources that malware authors now have to expend. Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device.

SELECTED SAMPLES

| Package Name | SHA-256 Digest |
|---|---|
| com.rabbit.artcamera | 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f |
| org.horoscope.astrology.predict | 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 |
| com.theforest.rotatemarswallpaper | 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 |
| com.jspany.temp | 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 |
| com.hua.ru.quan | 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 |
| com.rongnea.udonood | 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 |
| com.mbv.a.wp | 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 |
| com.pho.nec.sg | b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b |

A Growing Number of Android Malware Families Believed to Have a Common Origin: A Study Based on Binary Code

Introduction

On Feb. 19, IBM XForce researchers released an intelligence report [1] stating that the source code for GM Bot was leaked to a crimeware forum in December 2015. GM Bot is a sophisticated Android malware family that emerged in the Russian-speaking cybercrime underground in late 2014. IBM also claimed that several Android malware families recently described in the security community were actually variants of GM Bot, including Bankosy[2], MazarBot[3], and the SlemBunk malware recently described by FireEye[4, 5].

Security vendors may differ in their definition of a malware “variant.” The term may refer to anything from almost identical code with slight modifications, to code that has superficial similarities (such as similar network traffic) yet is otherwise very different.

Using IBM’s reporting, we compared their GM Bot samples to SlemBunk. Based on the disassembled code of these two families, we agree that there are enough code similarities to indicate that GM Bot shares a common origin with SlemBunk. Interestingly, our research led us to identify an earlier malware family named SimpleLocker – the first known file-encryption ransomware on Android [6] – that also shares a common origin with these banking trojan families.

GM Bot and SlemBunk

Our analysis showed that the four GM Bot samples referenced by IBM researchers all share the same major components as SlemBunk. Figure 1 of our earlier report [4] is reproduced here, which shows the major components of SlemBunk and its corresponding class names:

  • ServiceStarter: An Android receiver that will be invoked once an app is launched or the device boots up. Its functionality is to start the monitoring service, MainService, in the background.
  • MainService: An Android service that runs in the background and monitors all running processes on the device. It prompts the user with an overlay view that resembles the legitimate app when that app is launched. This monitoring service also communicates with a remote host by sending the initial device data and notifying of device status and app preferences.
  • MessageReceiver: An Android receiver that handles incoming text messages. In addition to the functionality of intercepting the authentication code from the bank, this component also acts as the bot client for remote command and control (C2).
  • MyDeviceAdminReceiver: A receiver that requests administrator access to the Android device the first time the app is launched. This makes the app more difficult to remove.
  • Customized UI views: Activity classes that present fake login pages that mimic those of the real banking apps or social apps to phish for banking or social account credentials.

Figure 1. Major components of SlemBunk malware family

The first three GM Bot samples have the same package name as our SlemBunk sample. In addition, the GM Bot samples have five of the same major components, including the same component names, as the SlemBunk sample in Figure 1.

The fourth GM Bot sample has a different initial package name, but unpacks the real payload at runtime. The unpacked payload has the same major components as the SlemBunk sample, with a few minor changes on the class names: MessageReceiver replaced with buziabuzia, and MyDeviceAdminReceiver replaced with MDRA.

Figure 2. Code Structure Comparison between GM Bot and SlemBunk

Figure 2 shows the code structure similarity between one GM Bot sample and one SlemBunk sample (SHA256 9425fca578661392f3b12e1f1d83b8307bfb94340ae797c2f121d365852a775e and SHA256 e072a7a8d8e5a562342121408493937ecdedf6f357b1687e6da257f40d0c6b27 for GM Bot and SlemBunk, respectively). From this figure, we can see that the five major components we discussed in our previous post [4] are also present in GM Bot sample. Other common classes include:

  • Main, the launching activity of both samples.
  • MyApplication, the application class that starts before any other activities of both samples.
  • SDCardServiceStarter, another receiver that monitors the status of MainService and restarts it when it dies.

Among all the above components and classes, MainService is the most critical one. It is started by class Main at the launching time, keeps working in the background to monitor the top running process, and overlays a phishing view when a victim app (e.g., some mobile banking app) is recognized. To keep MainService running continuously, malware authors added two receivers – ServiceStarter and SDCardServiceStarter – to check its status when particular system events are received. Both GM Bot and SlemBunk samples share the same architecture. Figure 3 shows the major code of class SDCardServiceStarter to demonstrate how GM Bot and SlemBunk use the same mechanism to keep MainService running.

Figure 3. Method onReceive of SDCardServiceStarter for GM Bot and SlemBunk

From this figure, we can see that GM Bot and SlemBunk use almost identical code to keep MainService running. Note that both samples check the country in the system locale and avoid starting MainService when they find the country is Russia. The only difference is that GM Bot applies renaming obfuscation to some classes, methods and fields. For example, static variable “MainService;->a” in GM Bot has the same role as static variable “MainService;->isRunning” in SlemBunk. Malware authors commonly use this trick to make their code harder to understand. However, this won’t change the fact that the underlying code shares the same origin.

Figure 4 shows the core code of class MainService to demonstrate that GM Bot and SlemBunk actually have the same logic for the main service. In Android, when a service is started its onCreate method will be called. In method onCreate of both samples, a static variable is first set to true. In GM Bot, this variable is named “a”, while in SlemBunk it is named “isRunning”. Then both will move forward to read an app-specific preference. Note that the preferences in both samples have the same name: “AppPrefs”. The last tasks of these two main services are also the same. Specifically, in order to check whether any victim apps are running, a runnable thread is scheduled. If a victim app is running, a phishing view is overlaid on top of that of the victim app. The only difference here is also in the naming of the runnable thread. Class “d” in GM Bot and class “MainService$2” in SlemBunk are employed respectively to conduct the same credential phishing task.

Figure 4. Class MainService for GM Bot and SlemBunk

In summary, our investigation into the binary code similarities supports IBM’s assertion that GM Bot and SlemBunk share the same origin.

SimpleLocker and SlemBunk

IBM noted that GM Bot emerged in late 2014 in the Russian-speaking cybercrime underground. In our research, we noticed that an earlier piece of Android malware named SimpleLocker also has a code structure similar to SlemBunk and GM Bot. However, SimpleLocker has a different financial incentive: to demand a ransom from the victim. After landing on an Android device, SimpleLocker scans the device for certain file types, encrypts them, and then demands a ransom from the user in order to decrypt the files. Before SimpleLocker’s emergence, there were other types of Android ransomware that would lock the screen; however, SimpleLocker is believed to be the first file-encryption ransomware on Android.

The earliest report on SimpleLocker we identified was published by ESET in June 2014 [6]. However, we found an earlier sample in our malware database from May 2014 (SHA256 edff7bb1d351eafbe2b4af1242d11faf7262b87dfc619e977d2af482453b16cb). The compile date of this app was May 20, 2014. We compared this SimpleLocker sample to one of our SlemBunk samples (SHA256 f3341fc8d7248b3d4e58a3ee87e4e675b5f6fc37f28644a2c6ca9c4d11c92b96) using the same methods used to compare GM Bot and SlemBunk.

Figure 5 shows the code structure comparison between these two samples. Note that this SimpleLocker variant also has the major components ServiceStarter and MainService, both used by SlemBunk. However, the purpose of the main service here is not to monitor running apps and provide phishing UIs to steal banking credentials. Instead, SimpleLocker’s main service component scans the device for victim files and calls the file encryption class to encrypt files and demand a ransom. The major differences in the SimpleLocker code are shown in the red boxes: AesCrypt and FileEncryptor. Other common classes include:

  • Main, the launching activity of both samples.
  • SDCardServiceStarter, another receiver that monitors the status of MainService and restarts it when it dies.
  • Tor and OnionKit, third-party libraries for private communication.
  • TorSender, HttpSender and Utils, supporting classes to provide code for CnC communication and for collecting device information.

Figure 5. Code structure comparison between SimpleLocker and SlemBunk samples

Finally, we located another SimpleLocker sample (SHA256 304efc1f0b5b8c6c711c03a13d5d8b90755cec00cac1218a7a4a22b091ffb30b) from July 2014, about two months after the first SimpleLocker sample. This new sample did not use Tor for private communications, but shared four of the five major components with the SlemBunk sample (SHA256 f3341fc8d7248b3d4e58a3ee87e4e675b5f6fc37f28644a2c6ca9c4d11c92b96). Figure 6 shows the code structure comparison between these two samples.

Figure 6. Code structure comparison between SimpleLocker and SlemBunk variants

As we can see in Figure 6, the new SimpleLocker sample used a packaging mechanism similar to SlemBunk, putting HttpSender and Utils into a sub-package named “utils”. It also added two other major components that were originally only seen in SlemBunk: MessageReceiver and MyDeviceAdminReceiver. In total, this SimpleLocker variant shares four out of five major components with SlemBunk.
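The component-level comparison used above for GM Bot versus SlemBunk (Figures 3 and 4) and again for the two SimpleLocker variants versus SlemBunk (Figures 5 and 6) can be automated once the class inventories have been pulled out of each APK. The Python script below is an added example and is not FireEye's tooling. Its inventories are constructed from the class names given in this post (which GM Bot classes are renamed, the string constants attached to each class, and the component kinds are assumptions), and it shows why a plain class-name comparison underestimates similarity once an obfuscator has renamed classes, while matching an obfuscated class by its component kind plus the string literals it references recovers the pairing.

```python
"""Component-inventory comparison for related Android samples.

Added example, not FireEye's analysis tooling. Each inventory is a
constructed, illustrative listing in the shape you would extract from an
APK's manifest plus a dex/smali dump: class name -> (component kind,
notable string constants). Class names are the ones named in the text;
which GM Bot classes are obfuscated, and the string constants, are assumed.
"""
import re

# Renaming obfuscators typically reduce class names to one or two letters.
OBFUSCATED = re.compile(r"^[a-z]{1,2}$")


def comp(kind, *strings):
    return (kind, frozenset(strings))


SLEMBUNK = {
    "Main": comp("activity"),
    "MainService": comp("service", "AppPrefs"),
    "MainService$2": comp("runnable", "AppPrefs"),    # phishing-overlay thread
    "ServiceStarter": comp("receiver", "RU"),          # locale check (literal assumed)
    "SDCardServiceStarter": comp("receiver", "RU"),
    "MessageReceiver": comp("receiver", "AppPrefs", "CHECKING_NUMBER_DONE"),
    "MyDeviceAdminReceiver": comp("receiver"),
    "SmsProcessor": comp("util", "#", "intercept_sms_start", "intercept_sms_stop",
                         "control_number", "send_sms"),
    "HttpSender": comp("util"),
    "Utils": comp("util", "android_id"),               # device-info collector (assumed)
}

# GM Bot: same layout, but some classes renamed by the obfuscator (assumed which).
GM_BOT = dict(SLEMBUNK)
GM_BOT["d"] = GM_BOT.pop("MainService$2")
GM_BOT["b"] = GM_BOT.pop("Utils")

SIMPLELOCKER_MAY = {
    "Main": comp("activity"),
    "MainService": comp("service"),
    "ServiceStarter": comp("receiver"),
    "SDCardServiceStarter": comp("receiver"),
    "Tor": comp("library"), "OnionKit": comp("library"),
    "TorSender": comp("util"), "HttpSender": comp("util"),
    "Utils": comp("util", "android_id"),
    "AesCrypt": comp("crypto"), "FileEncryptor": comp("crypto"),
}

SIMPLELOCKER_JULY = {
    "Main": comp("activity"),
    "MainService": comp("service"),
    "ServiceStarter": comp("receiver"),
    "SDCardServiceStarter": comp("receiver"),
    "MessageReceiver": comp("receiver", "AppPrefs", "CHECKING_NUMBER_DONE"),
    "MyDeviceAdminReceiver": comp("receiver"),
    "SmsProcessor": comp("util", "#", "intercept_sms_start", "intercept_sms_stop",
                         "control_number", "send_sms"),
    "utils.HttpSender": comp("util"),                  # moved into a "utils" sub-package
    "utils.Utils": comp("util", "android_id"),
    "AesCrypt": comp("crypto"), "FileEncryptor": comp("crypto"),
}


def simple_names(inv):
    """Strip package prefixes so "utils.Utils" and "Utils" compare equal."""
    return {name.rsplit(".", 1)[-1]: v for name, v in inv.items()}


def match_classes(a, b):
    """Pair classes of a with classes of b.

    A non-obfuscated name matches the same name; an obfuscated name matches a
    not-yet-paired class of the same kind with identical string constants
    (renaming does not change the literals a class references)."""
    a, b = simple_names(a), simple_names(b)
    pairs, taken = [], set()
    for name in a:
        if name in b and not OBFUSCATED.match(name):
            pairs.append((name, name))
            taken.add(name)
    for name, (kind, strs) in a.items():
        if any(p[0] == name for p in pairs):
            continue
        for other, (okind, ostrs) in b.items():
            if (other not in taken and kind == okind and strs == ostrs
                    and (OBFUSCATED.match(name) or OBFUSCATED.match(other))):
                pairs.append((name, other))
                taken.add(other)
                break
    return pairs


def name_similarity(a, b):
    """Naive Jaccard over class names: fooled by renaming obfuscation."""
    x, y = set(simple_names(a)), set(simple_names(b))
    return len(x & y) / len(x | y)


def structural_similarity(a, b):
    """Jaccard over matched classes: tolerant of renaming."""
    m = len(match_classes(a, b))
    return m / (len(a) + len(b) - m)


def shared_components(a, b):
    """Manifest-level components (activity/service/receiver) present in both."""
    kinds = {"activity", "service", "receiver"}
    names = simple_names(a)
    return sorted(n for n, _ in match_classes(a, b) if names[n][0] in kinds)


if __name__ == "__main__":
    for label, sample in [("GM Bot", GM_BOT), ("SimpleLocker May", SIMPLELOCKER_MAY),
                          ("SimpleLocker July", SIMPLELOCKER_JULY)]:
        print(f"{label:18s} names={name_similarity(sample, SLEMBUNK):.2f} "
              f"structure={structural_similarity(sample, SLEMBUNK):.2f} "
              f"shared={shared_components(sample, SLEMBUNK)}")
```

On the constructed data, GM Bot scores only 0.67 against SlemBunk by class name but 1.0 once the renamed classes are matched by kind and literals, while the July SimpleLocker variant scores 0.75 against the May variant's 0.4, reflecting the added MessageReceiver and MyDeviceAdminReceiver components. On real samples the inventories would come from the manifest and a smali dump, and the literal-matching heuristic should be treated as a hint to confirm by reading the paired classes, since two unrelated utility classes can share a small constant set.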

Figure 7 shows the major code of MessageReceiver in the samples just discussed to demonstrate that SimpleLocker and SlemBunk use basically the same process and logic to communicate with the CnC server. First, class MessageReceiver registers itself to handle incoming short messages, whose arrival triggers its method onReceive. As seen from the figure, the main logic here is basically the same for SimpleLocker and SlemBunk. They first read the value of a particular key from app preferences. Note that the names of the key and of the shared preference are the same for these two different malware families: the key is named “CHECKING_NUMBER_DONE” and the preference “AppPrefs”. The next steps call method retrieveMessage to retrieve the short messages, and then forward the control flow to class SmsProcessor. The only difference here is that SimpleLocker adds one extra method named processControlCommand to forward control flow.

Class SmsProcessor defines the CnC commands supported by the malware families. Looking into class SmsProcessor, we identified more evidence that SimpleLocker and SlemBunk are of the same origin. First, the CnC commands supported by SimpleLocker are actually a subset of those supported by SlemBunk. In SimpleLocker, the CnC commands include "intercept_sms_start", "intercept_sms_stop", "control_number" and "send_sms", all of which are also present in the SlemBunk sample. Moreover, in both SimpleLocker and SlemBunk there is a common prefix “#” before the actual CnC command. This kind of peculiarity is a good indicator that SimpleLocker and SlemBunk share a common origin.

Figure 7. Class MessageReceiver for SimpleLocker and SlemBunk variants
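The MessageReceiver and SmsProcessor comparison above rests on three observable artifacts: the string literals each class references (the “AppPrefs” / “CHECKING_NUMBER_DONE” pair and the “#”-prefixed command names), the set of CnC commands, and the method list (SimpleLocker's extra processControlCommand). The Python script below is an added example, not part of the original analysis or of FireEye's tools; it pulls those artifacts out of a smali dump and reports the command-set relation between two samples. The two dumps are constructed to mirror what the text reports, the package name com.constructed is invented, and SlemBunk's additional commands are placeholders because the post does not name them.

```python
"""Extract CnC command sets and receiver markers from smali dumps.

Added example, not FireEye's tooling. The dumps are constructed to reflect
the text: the com.constructed package is invented and the extra SlemBunk
commands are placeholders (the post does not name them).
"""
import re
from collections import defaultdict

CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*L([\w/$]+);")
METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*(\w+)\(")
STRING_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')

# Constructed dump: SimpleLocker-style MessageReceiver and SmsProcessor.
SIMPLELOCKER_SMALI = """\
.class public Lcom/constructed/MessageReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v0, "AppPrefs"
    const-string v1, "CHECKING_NUMBER_DONE"
    invoke-direct {p0, p2}, Lcom/constructed/MessageReceiver;->retrieveMessage(Landroid/content/Intent;)Ljava/lang/String;
.end method
.method private retrieveMessage(Landroid/content/Intent;)Ljava/lang/String;
.end method
.method private processControlCommand(Ljava/lang/String;)V
.end method
.class public Lcom/constructed/SmsProcessor;
.method public static process(Ljava/lang/String;)V
    const-string v0, "#"
    const-string v1, "intercept_sms_start"
    const-string v2, "intercept_sms_stop"
    const-string v3, "control_number"
    const-string v4, "send_sms"
.end method
"""

# Constructed dump: SlemBunk-style classes; extra commands are placeholders.
SLEMBUNK_SMALI = """\
.class public Lcom/constructed/MessageReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v0, "AppPrefs"
    const-string v1, "CHECKING_NUMBER_DONE"
.end method
.method private retrieveMessage(Landroid/content/Intent;)Ljava/lang/String;
.end method
.class public Lcom/constructed/SmsProcessor;
.method public static process(Ljava/lang/String;)V
    const-string v0, "#"
    const-string v1, "intercept_sms_start"
    const-string v2, "intercept_sms_stop"
    const-string v3, "control_number"
    const-string v4, "send_sms"
    const-string v5, "placeholder_cmd_a"
    const-string v6, "placeholder_cmd_b"
.end method
"""


def parse_smali(dump):
    """Map each class's simple name to its method names and string literals."""
    classes = defaultdict(lambda: {"methods": [], "strings": []})
    current = None
    for line in dump.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1).rsplit("/", 1)[-1]
        elif current and (m := METHOD_RE.match(line)):
            classes[current]["methods"].append(m.group(1))
        elif current and (m := STRING_RE.match(line)):
            classes[current]["strings"].append(m.group(1))
    return dict(classes)


def _strings(parsed, cls):
    return parsed.get(cls, {}).get("strings", [])


def cnc_commands(parsed):
    """Command names referenced by SmsProcessor, excluding the "#" prefix marker."""
    return {s for s in _strings(parsed, "SmsProcessor") if s != "#"}


def uses_hash_prefix(parsed):
    return "#" in _strings(parsed, "SmsProcessor")


def command_relation(a, b):
    """How a's command set relates to b's: equal / subset / superset / overlap / disjoint."""
    ca, cb = cnc_commands(a), cnc_commands(b)
    if ca == cb:
        return "equal"
    if ca < cb:
        return "subset"
    if ca > cb:
        return "superset"
    return "overlap" if ca & cb else "disjoint"


def method_diff(a, b, cls="MessageReceiver"):
    """Methods that cls declares in a but not in b."""
    return set(a.get(cls, {}).get("methods", [])) - set(b.get(cls, {}).get("methods", []))


def compare_samples(dump_a, dump_b):
    a, b = parse_smali(dump_a), parse_smali(dump_b)
    return {
        "relation": command_relation(a, b),
        "hash_prefix_both": uses_hash_prefix(a) and uses_hash_prefix(b),
        "shared_receiver_strings": set(_strings(a, "MessageReceiver")) & set(_strings(b, "MessageReceiver")),
        "extra_receiver_methods": method_diff(a, b),
    }


if __name__ == "__main__":
    print(compare_samples(SIMPLELOCKER_SMALI, SLEMBUNK_SMALI))
```

Run against real dumps produced by a smali disassembler, the same three checks give a quick triage signal for whether a new sample belongs to this code base; the command-set relation in particular generalizes beyond the two families here to any SMS-driven Android family whose command vocabulary is stored as plain string literals.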

The task of class MyDeviceAdminReceiver is to request device administrator privilege, which makes these malware families harder to remove. SimpleLocker and SlemBunk are also highly similar in this respect, supporting the same set of device-admin-related functionality.

At this point, we can see that these variants of SimpleLocker and SlemBunk share four out of five major components and the same supporting utilities. The only difference is in the final payload, with SlemBunk phishing for banking credentials while SimpleLocker encrypts certain files and demands a ransom. This leads us to believe that SimpleLocker came from the same original code base as SlemBunk.

Conclusion

Our analysis confirms that several Android malware families share a common origin, and that the first known file-encrypting ransomware for Android – SimpleLocker – is based on the same code as several banking trojans. Additional research may identify other related malware families.

Individual developers in the cybercrime underground have been proficient in writing and customizing malware. As we have shown, malware with specific and varied purposes can be built on a large base of shared code used for common functions such as gaining administrative privileges, starting and restarting services, and CnC communications. This is apparent simply from looking at known samples related to GM Bot – from SimpleLocker that is used for encryption and ransomware, to SlemBunk that is used as a banking Trojan and for credential theft, to the full-featured MazarBot backdoor.

With the leak of the GM Bot source code, the number of customized Android malware families based on this code will certainly increase. Binary code-based study, one of FireEye Labs’ major research tools, can help us better characterize and track malware families and their relationships, even without direct access to the source code. Fortunately, the similarities across these malware families make them easier to identify, ensuring that FireEye customers are well protected.

References:

[1] Android Malware About to Get Worse: GM Bot Source Code Leaked
[2] Android.Bankosy: All Ears on Voice Call-Based 2FA
[3] MazarBOT: Top Class Android Datastealer
[4] SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps
[5] SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign
[6] ESET Analyzes Simplocker – First Android File-Encrypting, TOR-Enabled Ransomware