If an app is super hot right now, expect malware devs to jump on the bandwagon of fans as well. Not because they're fans too, of course (or maybe they are), but because they can smell from a mile away that a lot of vulnerable users and potential victims will be downloading those hot apps right away. Their method? Imitate that app, of course!
Malware devs have been known for copying legitimate apps and turning them into, well, malware.
If you've been living under a rock, or are just not "in the know" about what's hot and popular in apps, here is an example.
Dubsmash. Dubsmash is a very popular app commonly used by young people in their teens and even celebrities, and it has also captured malware devs' hearts, I mean, interest.
In a recent Google Play Store inspection, an app named 'Dubsmash 2' was discovered. This app has already been downloaded around 100,000 - 500,000 times.
Image Ref from: https://blog.avast.com/2015/04/24/porn-clicker-app-slipped-into-google-play-imitating-popular-dubsmash-app/
Let's get technical!
The malware author of Dubsmash 2 made it as a 'porn clicker' with the package name "com.table.hockes". If a user downloads and installs it, they won't see a Dubsmash 2 app icon. Why? Because the malware instead creates an app under the name 'Setting IS'.
This malware's actions can be triggered either by running the 'Settings IS' app or, if the user has not noticed the 'Settings IS' app yet, via the BroadcastReceiver component. This component observes device connectivity. If it notices that the user's device is connected to the Internet, the malware's actions are triggered.
If the 'Settings IS' app is opened by the user, it opens the Google Play Store and displays the actual 'Dubsmash' app download page. Once activated, the malicious app sends an HTTP GET request to an encrypted URL. If the request returns a string containing a '1' character, two services, MyService and Streaming, may start, which gives the malware author the ability to remotely turn off the start of the services.
MyService deletes the 'Settings IS' app icon from the device's main menu and schedules a background task that runs every 60 seconds. The task downloads a list of links to various porn sites, along with the JavaScript execution code, from an encrypted URL stored within the app. One of the porn site links from the list is launched via the device's browser, and the JavaScript code, which clicks further links within the porn site, is executed 10 seconds after.
Streaming, on the other hand, behaves similarly to MyService, but not identically. Streaming also schedules a task to run every 60 seconds; however, this task will be noticed by the user and will not run in the background. The task checks for changes in the user's IP address or date. If the IP address or date has changed, a video is launched via the YouTube app.
This porn clicker malware generates financial gain through clicks on multiple ads within the porn sites. The malware author probably receives his earnings through pay-per-click advertisements from advertisers who probably thought that the author was displaying their ads on websites for other people to see and click.
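The static traits described above (a launcher label that differs from the store name, a receiver woken by connectivity changes, and the MyService and Streaming services) can be checked against a decoded AndroidManifest.xml. The following is an added example, not code from the original analysis: the manifest is constructed, and the `android.net.conn.CONNECTIVITY_CHANGE` action and the `.MainActivity` and `.NetReceiver` class names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: the receiver listens for the standard connectivity broadcast.
CONNECTIVITY = "android.net.conn.CONNECTIVITY_CHANGE"

# Constructed manifest modelled on the article's description; class names
# other than MyService and Streaming are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.table.hockes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Setting IS">
    <activity android:name=".MainActivity" android:label="Setting IS">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <receiver android:name=".NetReceiver"><intent-filter>
      <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
    <service android:name=".MyService"/><service android:name=".Streaming"/>
  </application>
</manifest>"""


def triage(manifest_xml, store_title):
    """Return a list of findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    # 1. Launcher label that does not match the store listing title.
    for act in root.iter("activity"):
        cats = {c.get(ANDROID + "name") for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            label = act.get(ANDROID + "label") or ""
            if store_title.lower() not in label.lower():
                findings.append(f"launcher label {label!r} != store title {store_title!r}")
    # 2. Receiver that wakes the app whenever connectivity changes.
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if CONNECTIVITY in actions:
            findings.append(f"receiver {rcv.get(ANDROID + 'name')} triggers on connectivity")
    # 3. Services declared by an app that can reach the Internet.
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    services = [s.get(ANDROID + "name") for s in root.iter("service")]
    if "android.permission.INTERNET" in perms and services:
        findings.append("INTERNET permission with services: " + ", ".join(services))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, "Dubsmash 2"):
        print("[!]", finding)
```

Each finding on its own is common in legitimate apps; it is the combination, especially the label mismatch, that makes a sample worth a closer look.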