Fake Google Play App Steals Private Information

Status
Not open for further replies.

Littlebits

Retired Staff
Thread author
May 3, 2011
- Fake app launches five services
A new threat for Android devices emerges, as researchers have found a Google Play clone that can send text messages, signature certificates, and bank passwords to Gmail accounts.

FireEye researchers Jinjian Zhai and Jimmy Su analyzed the behavior of the app and determined that the attacker uses a dynamic DNS server with the Gmail SSL protocol in order to exfiltrate the collected data.

Once started, the fake app, called “googl app stoy,” requests administrator privileges and, instead of an interface, launches error messages and informs the user that it has been deleted and that “googl app stoy” activity has stopped.

Upon closer inspection, only its icon is removed, as the app is still active in the background and launches a set of five services. It is present in the list of apps currently running on the device and it cannot be removed or uninstalled.

This is of particular importance because users have to launch it only once for it to become active and traces of suspicious activity can remain undetected, since the legitimate Google Play icon is still in place.

It appears that the targeted victims are Korean, as the error message presented in the infected device is in Korean.

The malicious program appears to hide the malware component through compression and encryption. FireEye researchers managed to decrypt it and reached the conclusion that the details targeted by the cybercriminals are short text messages, signature certificates, and bank account passwords.

By capturing the network traffic generated by the threat, the two researchers could ascertain that signature certificates and keys were sent to the domain “dhfjhewjhsldie.xicp.net.”

They also found evidence of SMS transmission by replacing a cached file on the phone containing the destination Gmail address with one in their control.

“Because the destination, including the email address and the password is stored in a cached file on the phone, we have replaced it with a testing email account and redirected a testing SMS to the newly created email address to simulate the scenario of receiving SMS in the MTP platform,” the FireEye post reads.

The researchers say that, as a result of finding evidence of victims’ bank accounts and passwords being leaked to the cybercriminals, they reached out to the Gmail team in order to take down the hacker’s email accounts.

Significant in the research is the fact that only three scan engines on VirusTotal detect the sample as being malicious. The reason for this is “the unique nature of how the malware is packaged,” since “most vendors only use signature-based algorithms to detect malware, they fail to detect the malicious content concealed within apps that appear to be basic or run-of-the-mill.”

Source
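The only network indicator the article gives is the exfiltration domain “dhfjhewjhsldie.xicp.net,” which is also the one piece of this report a defender can act on directly. The script below is an added example, not code from the article or from FireEye: it runs a simple indicator match over DNS resolver log lines, flagging queries for that domain or any of its subdomains and listing the client addresses that made them. The log format (timestamp, client IP, “query”, name, type) and all log lines are constructed for the example; the matching generalizes to any set of indicator domains you supply.

```python
import re
from typing import Dict, Iterable, List, Optional

# Exfiltration domain named in the article (FireEye analysis of the fake
# Google Play app). Extend this set with further indicators as needed.
KNOWN_EXFIL_DOMAINS = {"dhfjhewjhsldie.xicp.net"}

# Constructed sample resolver log, hypothetical format:
# "<timestamp> <client-ip> query <qname> <qtype>". Not real telemetry.
SAMPLE_DNS_LOG = """\
2014-02-10T09:12:01Z 10.0.0.21 query www.google.com A
2014-02-10T09:12:04Z 10.0.0.37 query DHFJHEWJHSLDIE.xicp.net. A
2014-02-10T09:12:05Z 10.0.0.37 query imap.gmail.com A
2014-02-10T09:13:11Z 10.0.0.42 query mail.dhfjhewjhsldie.xicp.net A
2014-02-10T09:13:12Z 10.0.0.42 query notdhfjhewjhsldie.xicp.net A
malformed line without the expected fields
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Lower-case and drop a trailing dot so comparisons ignore case and FQDN form."""
    return qname.strip().lower().rstrip(".")


def matches_indicator(qname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The label boundary check ("." + indicator) prevents a look-alike such as
    notdhfjhewjhsldie.xicp.net from matching the real indicator.
    """
    q = normalize_qname(qname)
    for ind in indicators:
        ind_n = normalize_qname(ind)
        if q == ind_n or q.endswith("." + ind_n):
            return ind_n
    return None


def find_exfil_queries(log_text: str,
                       indicators: Iterable[str] = KNOWN_EXFIL_DOMAINS) -> List[Dict[str, str]]:
    """Scan resolver log lines and return one record per query that hits an indicator."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the scan
        ind = matches_indicator(m["qname"], indicators)
        if ind:
            hits.append({
                "timestamp": m["ts"],
                "client": m["client"],
                "qname": normalize_qname(m["qname"]),
                "indicator": ind,
            })
    return hits


def clients_to_investigate(log_text: str,
                           indicators: Iterable[str] = KNOWN_EXFIL_DOMAINS) -> List[str]:
    """Distinct client addresses that resolved an indicator; these devices need a closer look."""
    return sorted({h["client"] for h in find_exfil_queries(log_text, indicators)})


if __name__ == "__main__":
    for hit in find_exfil_queries(SAMPLE_DNS_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['qname']} (indicator: {hit['indicator']})")
    print("clients to investigate:", clients_to_investigate(SAMPLE_DNS_LOG))
```

Because the article notes that the app hides its icon and survives in the background, a device that resolves the indicator is worth treating as infected even if nothing looks wrong on the handset itself; DNS logs from the network edge catch this where on-device inspection would not.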