McAfee’s Cell Analysis crew not too long ago analyzed new malware focusing on NTT DOCOMO customers in Japan. The malware which was distributed on the Google Play retailer pretends to be a reputable cellular safety app, however it’s actually a cost fraud malware stealing passwords and abusing reverse proxy focusing on NTT DOCOMO cellular cost service customers. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Safety’, package deal identify ‘com.z.cloud.px.app’ and ‘com.z.px.appx’. The functions are not accessible on Google Play. Google Play Shield has additionally taken steps to guard customers by disabling the apps and offering a warning. McAfee Cell Safety merchandise detect this risk as Android/ProxySpy and shield you from malware. For extra info, to get totally protected, go to McAfee Cell Safety.
How Do victims set up this malware?
The malware actor continues to publish malicious apps on the Google Play Retailer with numerous developer accounts. In accordance with the data posted on Twitter by Yusuke Osumi, Safety Researcher at Yahoo! Japan, the attacker sends SMS messages from abroad with a Google Play hyperlink to lure customers to put in the malware. To draw extra customers, the message entices customers to replace safety software program.
The Cell Analysis crew additionally discovered that the malware actor makes use of Google Drive to distribute the malware. In distinction to putting in an software after downloading an APK file, Google Drive permits customers to put in APK recordsdata with out leaving any footprint and makes the set up course of less complicated. As soon as the consumer clicks the hyperlink, there are only some extra touches required to run the appliance. Solely three clicks are sufficient if customers have beforehand allowed the set up of unknown apps on Google Drive.
Following notification from McAfee researchers, Google has eliminated recognized Google Drive recordsdata related to the malware hashes listed on this weblog put up.
What does this malware appear like?
When an NTT DOCOMO community consumer installs and launches this malware, it asks for the Community password. Cleverly, the malware exhibits incorrect password messages to gather extra exact passwords. After all, it doesn’t matter whether or not the password is appropriate or not. It’s a manner of getting the Community password.
The Community password is used for the NTT DOCOMO cost service which gives simple on-line funds. NTT DOCOMO cellular community customers can begin this cost service by simply setting 4-digits password known as a Community password. The cost will likely be paid together with the cell phone invoice. When you might want to pay on-line, you’ll be able to merely do the cost course of by getting into the 4-digits password.
After the password exercise, the malware exhibits a faux cellular safety display screen. Curiously, the structure of the exercise is much like our previous McAfee Cell Safety. All buttons look real, however these are all faux.
How does this malware work?
There’s a native library named ‘libmyapp.so’ loaded through the app execution written in Golang. The library, when loaded, tries to hook up with the C2 server utilizing a Net Socket. Net Software Messaging Protocol (WAMP) is used to speak and course of Distant Process Calls (RPC). When the connection is made, the malware sends out community info together with the cellphone quantity. Then, it registers the consumer’s process instructions described within the desk beneath. The net socket connection is stored alive and takes the corresponding motion when the command is obtained from the server like an Agent. And the socket is used to ship the Community password out to the attacker when the consumer enters the Community password on the exercise.
| RPC Operate identify | Description |
| connect_to | Create reverse proxy and hook up with distant server |
| disconnect | Disconnect the reverse proxy |
| get_status | Ship the reverse proxy standing |
| get_info | Ship line quantity, connection sort, operator, and so forth |
| toggle_wifi | Set the Wi-Fi ON/OFF |
| show_battery_opt | Present dialog to exclude battery optimization for background work |
Registered RPC features description
To make a fraudulent buy through the use of leaked info, the attacker wants to make use of the sufferer’s cellular community. The RPC command ‘toggle_wifi’ can swap the Wi-Fi connection standing of the sufferer, and ‘connect_to’ will present a reverse proxy to the attacker. A reverse proxy can enable connecting the host behind a NAT (Community Deal with Translation) or a firewall. Through the proxy, the attacker can ship buy requests by way of the sufferer’s cellular community.
Conclusion
It’s attention-grabbing that the malware makes use of a reverse proxy to steal the consumer’s community and implement an Agent service with WAMP. McAfee Cell Analysis Group will proceed to search out this type of risk and shield our clients from cellular threats. It is strongly recommended to be extra cautious when getting into a password or confidential info into untrusted functions.
IoCs (Indicators of Compromise)
193[.]239[.]154[.]23
91[.]204[.]227[.]132
ruboq[.]com
| SHA256 | Package deal Title | Distribution |
| 5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd | com.z.cloud.px.app | Google Play |
| e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0 | com.z.cloud.px.app | Different |
| e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02 | com.z.px.appx | Google Play |
| 3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad | com.z.cloud.px.app2 | Different |
| 2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4 | com.jg.rc.papp | Google Drive |
| af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956 | com.de.rc.seee | Google Drive |
