
Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics

by Kevin Sun

We recently found two malicious apps on Google Play that drop wide-reaching banking malware. The two apps were disguised as useful tools, simply named Currency Converter and BatterySaverMobi. Google has confirmed that both these apps are no longer on the Play Store.

The battery app logged more than 5,000 downloads before it was taken down, and boasted a score of 4.5 stars from 73 reviewers. However, a close look at the posted reviews shows signs that they may not have been genuine: some usernames were anonymous, and a few review statements are illogical and lack detail.

We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. We also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well.

Besides aserogeege.space, 18 other malicious domains map to the IP address 47.254.26.2 and we confirmed that Anubis uses the subpath of these domains. These domains change IP addresses quite frequently and may have switched six times since October 2018, showing just how active this particular campaign is.

Figure 1. Images of the malicious apps on Google Play

Table 1. Victim distribution for all BatterySaveMobi samples

How the apps evade detection

These apps don’t just use traditional evasion techniques; they also try to use the user and device’s motions to hide their activities.

As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.

The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.
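Because the evasion check described above keys on the absence of motion-sensor data, an analysis sandbox built on the Android emulator can be hardened by feeding it a plausible accelerometer signal while the sample runs. The following is an added example (not code from the original post): it generates a walking-like accelerometer waveform and streams it to a running emulator; the `adb emu` path and the console syntax `sensor set acceleration x:y:z` are assumptions about the emulator console, and the sampling rate and amplitudes are made-up values.

```python
import math
import shutil
import subprocess
import time

GRAVITY = 9.81  # m/s^2 reported on the "up" axis of an idle device


def walking_samples(n, hz=20.0, step_hz=2.0, amp=2.5):
    """Return n (x, y, z) accelerometer readings that mimic a walking gait.

    The z axis oscillates around gravity at about two steps per second, with
    smaller sway on x and y, so step-detection logic sees movement instead of
    the flat readings an emulator reports by default.
    """
    samples = []
    for i in range(n):
        t = i / hz
        z = GRAVITY + amp * math.sin(2 * math.pi * step_hz * t)
        x = 0.4 * amp * math.sin(math.pi * step_hz * t)
        y = 0.2 * amp * math.cos(2 * math.pi * step_hz * t)
        samples.append((round(x, 3), round(y, 3), round(z, 3)))
    return samples


def console_command(sample):
    """Emulator console syntax (assumed): sensor set acceleration x:y:z"""
    x, y, z = sample
    return f"sensor set acceleration {x}:{y}:{z}"


def has_motion(samples, threshold=1.0):
    """True when the z readings vary enough (peak-to-peak) to count as movement."""
    zs = [s[2] for s in samples]
    return (max(zs) - min(zs)) >= threshold


def inject(samples, serial=None, hz=20.0):
    """Stream the readings to a running emulator via 'adb emu'; returns count sent, 0 if adb is missing."""
    if shutil.which("adb") is None:
        return 0
    base = ["adb"] + (["-s", serial] if serial else []) + ["emu"]
    for s in samples:
        subprocess.run(base + console_command(s).split(), check=False)
        time.sleep(1.0 / hz)
    return len(samples)


if __name__ == "__main__":
    # Thirty seconds of simulated walking at 20 Hz while the sample is detonated.
    print("sent", inject(walking_samples(600)), "readings")
```

Run it in parallel with the sample under analysis; `has_motion` is the same peak-to-peak check an analyst can apply to recorded sensor data to confirm the sandbox no longer looks idle.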

Figure 2. The malware tracks the user’s movement; the malicious code will run if it senses motion

Command     Action
“::apk::”   Download APK and trick the user into installing it
“kill”      Stop running malicious code

Table 2. C&C server commands

If the malicious code runs, then the app will try to trick the users into downloading and installing its payload APK with a fake system update.

Figure 3. Fake system update

One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter webpage requests. Once the dropper trusts the running device, it requests a Telegram or Twitter page and, by parsing the response’s HTML content, obtains the C&C server (aserogeege.space). It then registers with the C&C server and checks for commands with an HTTP POST request. If the server responds with an APK command and attaches the download URL, the Anubis payload is dropped in the background, and the app tries to trick the user into installing it with the fake system update seen in Figure 3.
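The rendezvous-then-register sequence above (a fetch of a Telegram or Twitter page followed shortly by a POST to a host the app has never used) is something a network log can be checked for. The following detection heuristic is an added example, not code from the original post; the log format, the package names, the hosts other than aserogeege.space and the 60-second window are all constructed assumptions.

```python
import re
from collections import defaultdict

# Public pages the dropper uses as a dead drop for the C&C address.
RENDEZVOUS_HOSTS = {"t.me", "telegram.me", "twitter.com", "mobile.twitter.com"}
WINDOW_SECONDS = 60
# Assumed log line shape: "<epoch> <package> <GET|POST> <host>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")

# Constructed per-device network log; only the first app shows the pattern.
SAMPLE_LOG = """\
1547000000 com.example.batterysaver GET t.me
1547000003 com.example.batterysaver POST aserogeege.space
1547000100 com.example.weather GET api.weather.example
1547000105 com.example.weather POST api.weather.example
1547000200 com.example.chat GET twitter.com
1547000400 com.example.chat POST cdn.chat.example
"""


def parse(log_text):
    """Return (timestamp, package, method, host) tuples, oldest first; skips bad lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pkg, method, host = m.groups()
            events.append((int(ts), pkg, method, host))
    return sorted(events)


def find_rendezvous_registration(log_text, window=WINDOW_SECONDS):
    """Return (package, rendezvous_host, new_host) for each app that fetches a
    rendezvous page and then POSTs to a previously unseen host within `window` seconds."""
    findings = []
    last_rendezvous = {}            # package -> (timestamp, host)
    seen_hosts = defaultdict(set)   # package -> hosts contacted so far
    for ts, pkg, method, host in parse(log_text):
        if method == "GET" and host in RENDEZVOUS_HOSTS:
            last_rendezvous[pkg] = (ts, host)
        elif method == "POST" and host not in seen_hosts[pkg]:
            rv = last_rendezvous.get(pkg)
            if rv and ts - rv[0] <= window:
                findings.append((pkg, rv[1], host))
        seen_hosts[pkg].add(host)
    return findings
```

Legitimate apps that embed Twitter content and then talk to their own backend will trip this on first sight, so in practice the window is kept short and known backend hosts are allowlisted before alerting.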

Figure 4. The encoded server URL, showing the text results in the URL of the C&C server

The Anubis payload

The Anubis malware masquerades as a benign app, prompts the user to grant it accessibility rights, and also tries to steal account information. Banking trojans usually launch a fake overlay screen when the user accesses a target app and steal the information the user enters into the overlay. However, Anubis’ process is a little different. It has a built-in keylogger that can steal a user’s account credentials simply by logging keystrokes. The malware can also take a screenshot of the infected user’s screen, which is another way to get the victim’s credentials.

Our data shows that the latest version of Anubis has been distributed to 93 different countries and targets the users of 377 variations of financial apps to farm account details. We can also see that, if Anubis successfully runs, an attacker would gain access to contact lists as well as location. It would also have the ability to record audio, send SMS messages, make calls, and alter external storage. Anubis can use these permissions to send spam messages to contacts, call numbers from the device, and perform other malicious activities. Previous research from security company Quick Heal Technologies shows that versions of Anubis even function as ransomware.

Figure 5. Some of the financial apps Anubis targets

Gaps in mobile security can lead to severe consequences for many users because devices are used to hold so much information and connect to many different accounts. Users should be wary of any app that asks for banking credentials in particular and be sure that they are legitimately linked to their bank.

Trend Micro Solutions

Trend Micro™ Mobile Security for Android™
Trend Micro™ Mobile Security for Enterprise
Trend Micro’s Mobile App Reputation Service

Indicators of Compromise



This post appeared first on Trend Micro Blog
Author: Trend Micro


Where Can IT Get Expert Guidance for Managing Android in the Enterprise?

Over the past decade, Android has taken the enterprise by storm. In each new operating system (OS) version update, its capabilities continue to become more business-friendly as the strength and depth of its mobile security functionality improves. With these changes considered, it’s clear Google is committed to delivering an OS that transcends the consumer world into the enterprise. For this reason, it’s no surprise that one of the world’s most popular platforms appears on IT’s shortlist for new device investments and bring-your-own-device (BYOD) programs.

Despite its extensive improvements over time, one of the biggest questions that remains for IT decision-makers is, “How can I be certain I am managing and securing Android with the best tools and technical resources available to me?”


The Android Enterprise Recommended Program

With its introduction of the Android Enterprise Recommended program earlier this year, Google has improved this decision-making process for IT leaders, making it possible to zero in on the vendors that meet specifications across a broad range of stringent criteria. The limited number of vendors that achieve this validation have not only taken appropriate steps to support the full gamut of Android’s specifications — they have also gone the extra mile to partake in Google-led trainings that enable them to deliver an exceptional experience for partners and customers.

Up until this point, the Android Enterprise Recommended program has been available to help IT teams select smartphones, tablets and ruggedized devices that are well-suited for the enterprise setting. However, customers and partners have had to conduct independent research and assessments to determine which enterprise mobility management (EMM) solutions should be used to manage Android devices in the enterprise.

These evaluations cannot be taken lightly; enterprise use cases for Android have grown in number, and organizations need to ensure that their EMM of choice can support them. Furthermore, security threats have evolved and become more complex, and endpoints and their users remain the biggest targets. The less careful organizations are about whom they partner with to support their environment, the more severe the consequences become.

With these reasons considered, EMMs should at a minimum be able to prove their ongoing commitment to delivering same-day support for the latest OS updates. As Android continues to roll out new enterprise functionality — most recently zero-touch enrollment, managed Google Play, Verify Apps and SafetyNet APIs — the onus is also on EMMs to keep up.

A Program Expansion for Enterprise Mobility Management Vendors

To stay ahead of the evolving threat landscape and more effectively manage Android devices, IT decision-makers need to fast-track the EMM selection process. That’s why Google expanded its Android Recommended Program to help security leaders gain confidence in their EMM selection, streamline deployment and deliver up-to-date support for the latest updates.

IBM MaaS360 with Watson is a validated solution in the Android Enterprise Recommended program for EMMs, placing it among the select few EMMs that meet these new comprehensive program requirements.

Recognizing the value of the overall Android Enterprise Recommended program, MaaS360 delivers support for all Android Enterprise Recommended OEM devices, including both categories of knowledge worker and rugged use cases.

Join the Jan. 31 webinar to learn more

Google and Android are trademarks of Google LLC.


This post appeared first on Security Intelligence
Author: John Harrington Jr.


First Windows 10 Build for Microsoft’s Foldable Devices Appears Online

BuildFeed, a site that keeps track of the latest Windows 10 and Windows Insider builds, has found a new build that may indicate that Microsoft is internally testing builds for foldable Windows 10 devices. This new build has version 18313.1004 on Microsoft’s servers and comes from the Windows 10 19H1 development branch. […]

This post appeared first on Bleeping Computer
Author: Mayank Parmar


Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

By Ecular Xu

Adware is bothersome and disruptive; it has been around for a long time, and it is still around. In fact, we recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen-unlocking functionality, and running in the mobile device’s background. The 85 fake apps have been downloaded a total of 9 million times around the world. After verifying our report, Google swiftly suspended the fake apps from the Play store.

Figure 1. A screen capture of some of the adware-laden fake apps on Google Play

The “Easy Universal TV Remote,” which claims to allow users to use their smartphones to control their TV, is the most downloaded among the 85 adware-loaded apps.

Figure 2. A screen capture of the Easy Universal TV Remote app and its information

The fake app, which has already been downloaded more than 5 million times, has received multiple complaints in its comment section about its behavior.

Figure 3. A screen capture of some of the negative reviews left by Easy Universal TV Remote users complaining about the app disappearing, not functioning as advertised, and ad pop-ups

Behavior Analysis

We tested each of the fake apps related to the adware family and discovered that though they come from different makers and have different APK cert public keys, they exhibit similar behaviors and share the same code.

After the adware is downloaded and launched on a mobile device, a full-screen ad initially pops up.

Figure 4. Screenshots of the full-screen ads that pop up on an adware-infected mobile device

Upon closing the first ad, call-to-action buttons such as “start,” “open app,” or “next,” as well as a banner ad, appear on the mobile device’s screen. Tapping a call-to-action button brings up another full-screen ad.

Figure 5. Screenshots of the call-to-action buttons appearing on the device’s screen

Figure 6. A screen capture of a full-screen ad that pops up after clicking the call-to-action button on one of the fake apps

After the user exits the full-screen ad, more buttons that provide app-related options for users appear on the screen. It also prompts the user to give the app a five-star rating on Google Play. If the user clicks on any of the buttons, a full-screen ad will pop up again.

Figure 7. Screenshots of app-related options a user can click on; all of them bring up more pop-up ads

Afterwards, the app informs the user that it is loading or buffering. However, after a few seconds, the app disappears from the user’s screen and hides its icon on the device. The fake app still runs in a device’s background after hiding itself. Though hidden, the adware is configured to show a full-screen ad every 15 or 30 minutes on the user’s device.

Figure 8. A screen capture of the fake app taken before it disappears from the device’s screen

Figure 9. A screen capture of a code snippet that enables the app to hide itself on a user’s device

Some of the fake apps exhibit another type of ad-showing behavior: they monitor the user’s screen-unlock action and show an ad each time the user unlocks the mobile device’s screen. A receiver is registered in AndroidManifest.xml so that each unlock triggers a full-screen ad pop-up.
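The two manifest-visible traits described in this section, a receiver that wakes on screen unlock and a launcher entry whose icon the app later hides, can be checked for in a decoded AndroidManifest.xml during static triage. The script below is an added example, not code from the original post: the manifest it parses is constructed, the component and package names are made up, and which broadcast action the adware actually subscribes to is an assumption (the post does not name it), so both standard unlock-related actions are checked.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Standard Android broadcast actions; which one the adware listens for is an
# assumption, since the post only says the receiver fires on screen unlock.
UNLOCK_ACTIONS = {"android.intent.action.USER_PRESENT", "android.intent.action.SCREEN_ON"}

# Constructed manifest in the shape of the one in Figure 11 (all names made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tvremote">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UnlockReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _name(el):
    return el.get(f"{{{ANDROID_NS}}}name")


def _filter_names(component, tag):
    """All <action> or <category> names declared in a component's intent filters."""
    return {_name(x) for f in component.findall("intent-filter") for x in f.findall(tag)}


def triage_manifest(xml_text):
    """Report receivers that wake on unlock and the launcher components whose
    icon the app could hide by disabling them."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    unlock_receivers = [_name(r) for r in app.findall("receiver")
                        if _filter_names(r, "action") & UNLOCK_ACTIONS]
    launchers = [_name(a) for a in app.findall("activity") + app.findall("activity-alias")
                 if "android.intent.category.LAUNCHER" in _filter_names(a, "category")]
    return {
        "package": root.get("package"),
        "unlock_receivers": unlock_receivers,
        "launcher_components": launchers,
        "suspicious": bool(unlock_receivers),
    }
```

An unlock receiver alone is not proof of adware (lock-screen widgets use the same broadcasts), so the finding is a triage flag that points the analyst at the receiver's code.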

Figure 10. A screen capture of an adware-infected device with a fake app that has already hidden itself but is still running in the device’s background

Figure 11. A screen capture of a registered receiver in AndroidManifest.xml

Figure 12. Screen capture of a code snippet that enables the adware to display full-screen ads when a user unlocks the screen of an infected device

Figure 13. A screen capture of a full-screen ad displayed after unlocking an infected device’s screen

Trend Micro Solutions

While the fake apps can be removed manually via the phone’s app uninstall feature, it can be difficult to get there when full-screen ads show up every 15 or 30 minutes or each time a user unlocks the device’s screen.

As more and more people become dependent on mobile devices, the need to keep mobile devices safe from a growing number of mobile threats — such as fake apps laced with adware — is all the more pertinent.

Trend Micro customers are protected with multilayered mobile security solutions via Trend Micro™ Mobile Security for Android™ (available on Google Play). Trend Micro™ Mobile Security for Enterprise solutions provide device, compliance, and application management, data protection, and configuration provisioning, as well as protect devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps and detecting and blocking malware and fraudulent websites. Trend Micro™ Mobile App Reputation Service (MARS) covers threats to Android and iOS devices using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

A comprehensive list of the indicators of compromise can be found here.


This post appeared first on Trend Micro Blog
Author: Trend Micro