Friday, February 26, 2016

Did you slip past the Bouncer?

Have you ever gone to a club and the Bouncer didn't let you through? Bummer, right? You and your pals just wanted to have fun and hang out. Well, I know a certain malware (or two) that slipped through Google Play's Bouncer.


You're probably asking, "What?! Google Play has a Bouncer?" Yes, that's right. Google Play has a Bouncer. It is responsible for thoroughly scanning new apps as they come in, as well as re-checking apps that are already available in Google Play. It also checks whether the apps' developers are truly legit or not. So basically, it's kind of like Google Play's own security service or antivirus.


What is this malware and how did it sneak inside Google Play?
Let's first talk about Android/TrojanDropper.Mapin. It disguises itself as a legitimate game app and has a certain special app bundled within it. This special app may come as 'systemdata' or 'resourcea'. Systemdata is a system application, and a game app is NOT a system app.


How does Android/TrojanDropper.Mapin work?
Once Android/TrojanDropper.Mapin has been installed, the app drops a trojan onto the device, either right at installation or within its first 24 hours. Whenever the network connection changes, it prompts the user to install the 'system application', which poses as either a Google Play Update or a Manage Settings app.


(Image: sample install requests by the trojan)

If the user cancels the installation, the trojan prompts the user again on every connection change, which eventually wears the user down into installing the app. Once that app, which is actually Android/Mapin, is installed, the Trojan starts a service with its own registered broadcast receiver and waits for another change in the infected device's connection.


When a connection comes up, the Trojan attempts to register itself with the Google Cloud Messaging servers so that the malware can receive messages. Once registered, the malware registers the infected device on its own server, sending the user's username, Google account, IMEI and registration ID together with its own package name.

The malware protects itself from being uninstalled by making the user activate 'device administrator' rights for it.


(Image: the malware attempts to get the user to activate device administrator)

The Trojan notifies the remote server whether the device administrator activation succeeded or not. The malware then displays full-screen ads (abusing the legitimate AdMob SDK) each time the infected device's connectivity changes.


(Image: sample ad displayed)

The Trojan communicates with the server using Google Cloud Messaging, which lets the backdoor trojan respond to commands received from the server.
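The Mapin behaviours above (a game that waits on connectivity changes, asks for device administrator, registers with GCM, reads the IMEI and carries a bundled 'systemdata'/'resourcea' payload) are all visible statically. As an added example, not code from the article or from ESET, here is a small manifest triage that flags that combination; the manifest and asset list are constructed for the demo, and the indicator names are my own.

```python
"""Static triage of an AndroidManifest.xml for the Mapin-style indicators
described above. Added example; the sample manifest and assets are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CONNECTIVITY_CHANGE = "android.net.conn.CONNECTIVITY_CHANGE"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
GCM_RECEIVE = "com.google.android.c2dm.permission.RECEIVE"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"
DROPPED_NAMES = {"systemdata", "resourcea"}  # bundled payload names from the article


def triage(manifest_xml, asset_paths):
    """Return the set of indicator names present. No single one is malicious on
    its own; a 'game' that shows all of them matches the dropper described above."""
    root = ET.fromstring(manifest_xml)
    found = set()
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if GCM_RECEIVE in perms:
        found.add("gcm_receive")          # can take commands over GCM
    if READ_PHONE_STATE in perms:
        found.add("imei_readable")        # needed to report the IMEI
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if CONNECTIVITY_CHANGE in actions:
            found.add("connectivity_trigger")   # acts on every connection change
        if DEVICE_ADMIN_ENABLED in actions or rcv.get(ANDROID_NS + "permission") == BIND_DEVICE_ADMIN:
            found.add("device_admin")           # resists uninstallation
    # Bundled payload: the dropped app ships as a plain asset file.
    if DROPPED_NAMES & {p.rsplit("/", 1)[-1] for p in asset_paths}:
        found.add("bundled_payload")
    return found


# Constructed sample: what a Mapin-like 'game' manifest would contain.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".NetReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_ASSETS = ["assets/systemdata", "assets/level1.png"]

if __name__ == "__main__":
    print(sorted(triage(SAMPLE_MANIFEST, SAMPLE_ASSETS)))
```

On a real APK you would feed it the decoded manifest (e.g. from apktool) and the asset file list from the zip.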




What is the other malware that slipped past Google Play's Bouncer?
The second malware we're going to talk about is Android/AdDisplay.Cheastom. This malware requests device administrator rights so that the user cannot easily uninstall it.

How did this malware get past Bouncer?
When activated, the malware attempts to detect whether it is being executed within an emulator or on Google's servers (Bouncer). It does this by obtaining the device's IP address and checking that IP's WHOIS record. If the result contains the string 'Google', the malware assumes it is running in Bouncer. If the malicious app detects that it is running in an emulator or in the Bouncer environment, the actual payload (ad display) is not initiated; instead, the app runs as a 'normal' app.



(Image: Cheastom's 'normal' display and function)

However, if the app detects that it is not running in a virtual environment, the malware sets a scheduled task that displays full-screen ads at either 30- or 40-minute intervals. Nevertheless, once the device is rebooted the ad-display cycle starts regardless of whether the app was launched in an emulated environment. After the infected device's reboot, full-screen ads are displayed every 45 minutes.



(Image: sample full-screen ads of the app)

The malware checks whether the infected device is connected to the internet. If it is, it asks the remote server whether it should display an ad.






Article Ref: http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/ (for Android/TrojanDropper.Mapin and Android/Mapin) and http://www.welivesecurity.com/2015/10/08/android-addisplay-using-anti-bouncer-technique/ (for Android/AdDisplay.Cheastom)
