Fake Android Update Delivers SMS, Click Fraud in Europe

McAfee Mobile Research has been monitoring a mobile malware campaign targeting users in Germany, France, and Russia since the beginning of the year. Several users have complained in forums and social networks about a suspicious file with the name Android_Update_6.apk being automatically downloaded when a website is loaded.
Recently a user tweeted that one of the advertisers in a widely read German-language news website “pushed” this file when the user navigated the website:

Dmisk_Germany_Twitter

User reporting the download of the file Android_Update_6.apk.
Source: https://twitter.com/arminhausf/status/719894019422162944

A month ago, another user reported the same behavior but on a French daily newspaper website and the filename in French:

Dmisk_France_Twitter
User reporting the download of the file mise_à_jour_Android_6.apk on a French newspaper’s website.
Source: https://twitter.com/Baptouuuu/status/708391947937914880

On January 29, another user reported the same incident but this time the report went to what appears to be the source of the download:

Dmisk_Slashdot_Twitter
User reporting the download of the file Android_Update_6.apk.
Source: https://twitter.com/Baptouuuu/status/708391947937914880

Finally, in one of the earliest reports of this campaign, on January 7 another user reported on the website AndroidPolice the download of the suspicious file when visiting the mobile version from Russia:

Dmisk_AndroidPolice
User reporting the download of the file Android_Update_6.apk on the website AndroidPolice.
Source: https://github.com/archon810/androidpolice/issues/69

According to that report, the malicious ad loaded a URL pointing to an APK like the following, triggering the automatic download of the file by the default web browser:

Dmisk_APK_April20Android_Update_6.apk available on a remote server since April 20.

The question that most users asked in forums when they received this suspicious file was: Is this APK file a legitimate Android update? The answer is absolutely not. Each manufacturer and carrier has its own method of delivering and installing Android updates but, so far, none of them has as a distribution method of an automatic download of an APK file when the user visits a random website. This behavior is most likely related to a malicious application, so we took a deeper look at the app to find out its purpose and understand its impact.

Once the app is installed, the following icon appears in the home screen:

Dmisk_Icon
The malware’s icon.

However, as soon as the user executes the app, the icon disappears, tricking the user into believing that the app is no longer on the system. Meanwhile, in the background, the malware sends encrypted data to a remote server in Estonia:

Encrypted traffic sent to a remote server in Estonia.

Some variants of the malware were packed and, even after we unpacked of the payload, the code was very obfuscated. After some static and dynamic analysis we were able to learn that all the communication between the infected device and the control server is encrypted using an RSA asymmetric encryption algorithm:

Dmisk_RSA_PrivateKeyMalware generating a private key using an RSA specification.

Here is the device information that was constantly sent by the malware to the remote control server:

  • Device information: Android version, model, manufacturer, browser user-agent, device identifiers (IMEI, IMSI, android_id), locale (language/country configuration), screen specifications, mobile network operator.
  • Device status: Wi-Fi connectivity, root status, battery status.
  • Malware settings: Version, apiKey, appId (package name), forGooglePlay.

The most recent variant, from April 20, omits sending root status and instead comes with the setting “advertId,” suggesting that in future versions malware authors will include the advertisement identifier that distributed the specific variant to the infected device:

Dmisk_advertId
The “advertId” in the malware’s settings.

In addition to that device information leak, which is normally used by malware authors to register infected devices, the malicious app silently intercepts all incoming SMS messages and forwards them encrypted to the same remote server in the following format:

  • “type”: receive.sms
  • “WiFi”: true/false
  • “text”: body of the message
  • “phone”: origin of the message

The amount of stolen SMS messages could generate a lot of noise in the backend, so the malware can also filter the intercepted messages using regular expressions obtained from the control server. Here’s an extract of the regular expressions filtering the origin of the intercepted SMS:

Dmisk_Regex_Sms_Filter
A list of intercepted SMS filters.

Most of the names in the list belong to mobile phone companies in Russia, Germany, and France. Malware authors are interested in these messages because they are very useful for performing SMS fraud by intercepting confirmation codes received by victims when cybercriminals subscribe users to premium services using SMS spoofing (by sending an SMS while pretending to be the victim). The filtered intercepted incoming SMS messages are sent back to the remote server using the following format:

  • “type”: sms.filter
  • “phone”: origin of the message
  •  “text”: body of the message
  • “phoneExp”: regular expression that matches the origin (for example, “*Orange.*”)
  • “phonetext”: regular expression that matches the content (for example, “.*”)

The malware is also able to report to the control server when the screen is on or off or if the user is present using the following types in the response:

  • screen.on
  • scree.off
  • user.present

If the cybercriminal knows that the user is not present (for example, screen off), the remote server can send the command “webClick”:

Dmisk_webClickThe webClick command.

Judging by the name of the command, it is very likely this function is performing click fraud when the victim is absent. There is another command to execute JavaScript code:

Dmisk_JavascriptA command executing arbitrary JavaScript code.

One of the interesting flags sent to the remote server is “forGooglePlay,” which led us to investigate additional campaigns conducted in the past. We found that at the end of October 2015 malware authors were able to publish an early version of this malware using the developer “Smart Development LLC,” but apparently these apps were quickly removed. Currently they are available only in third-party markets such as apkpure:

Dmisk_GooglePlay
Trojanized apps published on Google Play on October 2015.
Source: https://apkpure.com/developer/Smart%20Development%20LLC

The first versions of this malware implemented only heavy obfuscation and encryption of the source code, but recent ones are packed to make static analysis difficult, encrypting the main payload to decrypt it and dynamically load it in runtime when the app is executed by the user. These efforts show that the malware is still in development. We have seen recent detections from users in France and Germany confirming that this malware campaign is currently active. McAfee has notified the host of the control server and the Estonia CERT; we hope the control server will be taken down soon.

To protect yourselves from this threat, employ security software on your mobile, and remember that Android updates are not delivered via APK files automatically downloaded when you visit a website. Further, users should not trust applications downloaded from unknown sources.

McAfee Mobile Security detects this Android threat as Android/Dmisk and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

SHA-256 hashes of the analyzed samples:

  • c60916b79e51182837f4833ae650b2abe2f7fce6eeb2f41f4ff248c6e1ec43a2
  • 40c30ab35455b8920d08989d2695f04178c8145e9929ed7dbcd95acc2507faa7
  • 5bfc6a02d594a8cc22bc4ed7b64e9986105a2a4992bd44cee18738182bafed60
  • e9dfb3a432d9e54d344515ff000d94be48322f2d2c4f102a6a319768b7248c0b
  • 9c177189b981752c9cf89d5435c9d37c3b6441c02efb7d012426885747b7ac99
  • 705aeb71b7134d747853a3e65f0bf492d0af0dc2aab73f1a7ccc66e2a773fa84
  • b44f7ae39cc6320a804174a5825d0f8fd74a6e519985f83397fe25bb12af99b1
  • 0d4ea10179d293666b637bbda385b7d9dd248dc998e5875ed2dddd0280fdff55
  • 95a3db31fc19a90f76a4a27ae87321b4d6b9b0122509258b5b87c1c5ee6f0e09
  • d0f5ab874383a24fac7fcabb9fba2ffcbbafffb7dfe6dbb7b5224ecf7d443aa3
  • 3c9d303e375ee3125593035d4e861ee94b2340b9778c10a9b33871aaa4d727e5
  • 69d93b6e50d7d684af932691c65ab396f8ae6da4a4081a171eb233e3d8dabffd
  • 2a5fba694f60a249bf78d88c73223c60b6528c231b7579f59b8d57c67605cc8f
  • 1593900445f84ffc225fc1399a563644a31e0963aa70bd1317195970706a7942
  • ab8abfe7420777eeb02b8d40c2f012dcea36737ffd616deb20d926cff727fdc0
  • 2b32a6c4aa09209ebe203cc305ca3c6970bd6025d4604a1b7458b1a0bc7f9bf7
  • 1980d5b3d8f1e30fdf0831fa2db059f1f1dd2dc749541ba3792e7093541e7958
  • 771946d95b38b8204562befd427fa45fd29fdfccb987bc0b33e796f4a1cbb5b0
  • f2f2ebe7a709f0456a40dfba8eaf66af09fb2a9ed50845e1a5c24e8b78ddbb0c
  • a9aef90cac11bc1f1635abde02be018a76ef4a876369d46349c5301c742597b3
  • c0a6ec3f8850676c875eb9a151f33c319950f6a8260c469874e5a30fea0b6643
  • d19ff00c8933e8fd23cfa1fb62615d18330fe43bc369492034f5755c69bf4f1c
  • 4ece7dc532ad074837d141c245177ad4ba38215a9dee8093970cd671f998d130
  • 29582ec3eb0fd77ed5a88d4dee68d5ad06299b014fa9d9f5acb35dd2282ae21e

URLs distributing malware APKs:

  • slidetracking[.]ru
  • postway12[.]ru
  • traffic2015[.]ru
  • francia-apk[.]ru
  • traff16[.]ru
  • update-free-andr-6[.]ru
  • 6-androdid[.]ru
  • freeupgrade6[.]ru

Control servers:

  • innotion[.]pw
  • bugtracking[.]biz
  • bugstracking[.]xyz
  • alfabrong[.]eu

Leave a Comment

five × three =