CYBER & INFOSEC

"blogger, InfoSec specialist, super hero ... and all round good guy" 

DISCUSSIONS, CONCEPTS & TECHNOLOGIES FOR THE WORLD OF

JOIN THE DISCUSSION

COVID Malware: Android is the next target

Over the past several weeks we have seen numerous email phishing scams related to the COVID-19 pandemic. There have been outbursts of emails promoting product scams that include convincing people to buy items such as disinfectants, masks, and hand sanitizers, then sending the victims anything but what was ordered (if anything at all). More sophisticated criminal activities include selling drugs and medicine with promises that they will help fight the virus, but which, of course, do nothing of the sort.

A larger proportion of these phishing emails and SPAM sends have had embedded viruses, ransomware, and other types of malware. Infected users are unwittingly installing backdoors or remote access Trojans that open their systems to ransomware, becoming part of a botnet, or any number of other computer woes.

The attacks appear to have shifted in focus and are heavily targeting mobile applications. In recent days I have seen more and more malware solely aimed at mobile devices. For instance, I analyzed some Android downloads that appear to advertise themselves as COVID-19 informational applications. I am finding many that simply trick users into entering personal information, steal content from their mobile devices, and in some cases directly attack the user and mobile device with malware.

The Kinda Terrible




One example is the covidMapv8.1.7.apk application. It has an unusual number of permissions it requests from the mobile Android device that includes:

CALL_PHONE

INTERNET

READ_CONTACTS

READ_PHONE_STATE

READ_SMS

RECEIVE_BOOT_COMPLETED

RECEIVE_SMS

REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

SEND_RESPOND_VIA_MESSAGE

SEND_SMS


The app is able to read your contacts, and can also send/receive SMS messages. SMS fraud is something mobile phone users have been dealing with for some time – this is nothing very new. Many of us have seen SMS shortcode sends (those 5-6 number messages), and in some cases sending SMS messages to a specific phone number can result in additional charges that relate to fraud (see the explanation below).

However, I believe this particular application may be using SMS messages to send victims a ransomware link. Upon analysis, I found several strings within the application that tries to unlock and open access to the mobile device.




Not too bad, though. Right?

I was thinking the application, in and of itself, was not horribly malicious. But then things changed. I observed it reaching out to an IP address (108.177.15.188). I ran it through some sites and it did not show up as a malicious one. Maybe a dead link? I’m not sure.

But then it also reached out to two URLs, one of which (hxxp://lanadelrey.top) was detected as malicious. So it connects out to at least one known malicious site, through which control of your device becomes a certainty.




The Really Terrible

The second application is a file named CoronaVirus-apps.apk, and it appears to be much more malicious in nature. During my analysis:

· The application collected all contact and address book information.

· Location tracking and audio capture permissions were also requested from the application.

Like most other mobile malware samples, it tried to commit SMS premium toll fraud. Basically, let’s say you want to purchase a ringtone or wallpaper for your device. You can do this by texting to a short code, get the content, and be billed for it on the next payment cycle. Cybercriminals can make a lot of money by getting your system to ‘purchase’ premium items without you knowing it. Your phone bill might look a little off if they want to do lots of small collections spread out among a large group of victims, which is typical.

There was also evidence the application may be participating in click fraud to generate revenue for the cybercriminal. This is a type of fraud that occurs within the pay-per-click model many Internet sites use. Advertisers pay the host according to clicks to the site, because their ads are being viewed. Cybercriminals get your device to imitate a legitimate user of a web browser that clicks to their fraudulent site that is set to receive payment for those clicks.

The application also connected out to a known malicious URL: hxxp//botduke1.ug

Here are the permissions this malware requested within the victim’s Android device – quite a few more than the malware example above:

ACCESS_LOCATION_EXTRA_COMMANDS

ACCESS_NETWORK_STATE

BIND_ACCESSIBILITY_SERVICE

BIND_JOB_SERVICE

BIND_NOTIFICATION_LISTENER_SERVICE

BROADCAST_STICKY

CALL_PHONE

FOREGROUND_SERVICE

GET_ACCOUNTS

INTERNET

MODIFY_AUDIO_SETTINGS

PROCESS_OUTGOING_CALLS

READ_CONTACTS

READ_EXTERNAL_STORAGE

READ_PHONE_STATE

READ_SMS

RECEIVE_BOOT_COMPLETED

RECEIVE_SMS

RECORD_AUDIO

REORDER_TASKS

REQUEST_COMPANION_RUN_IN_BACKGROUND

REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

SEND_RESPOND_VIA_MESSAGE

SEND_SMS

USE_FULL_SCREEN_INTENT

WAKE_LOCK

WRITE_EXTERNAL_STORAGE

This particular piece of malware seemed to be much more invasive and capable of controlling the device.

I had some fun digging through these samples, but apart from analyzing them, I feel bad for the good people that get tricked into opening these up in their systems.

Please be careful of what you download and enable on your devices – particularly in any time of crisis. Cybercriminals truly reap higher rewards in time of confusion – the general state of alertness is weakened when we deal with a large-scale disaster, such as a pandemic event.

If you were hit by one or the other, my sympathies. If not, I thought it might be useful to provide the SHA256 hashes for these two examples.

a754c35dd09677b0b96d8a0dad5c9c5fdd28abd8cf2d8d38a9bd945ca8362e02 CoronaVirus-apps.apk

2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823 covidMapv8.1.7.apk

Until next time – be safe, stay healthy, and remain alert in fighting cybercrime!

SOCIALS 

SUBSCRIBE 

 Keeping you informed | Latest News 

© 2018 Dr. Chaos 

doctorchaos.com and drchaos.com is a blog dedicated to Cyber Counter Intelligence and Cybersecurity technologies. The posts will be a discussion of concepts and technologies that make up emerging threats and techniques related to Cyber Defense. Sometimes we get a little off-topic. Articles are gathered or written by cyber security professionals, leading OEMs, and enthusiasts from all over the world to bring an in-depth, real-world, look at Cyber Security. About this blog doctorchaos.com and drchaos.com and any affiliate website does not represent or endorse the accuracy or reliability of any information’s, content or advertisements contained on, distributed through, or linked, downloaded or accessed from any of the services contained on this website, nor the quality of any products, information’s or any other material displayed, purchased, or obtained by you as a result of an advertisement or any other information’s or offer in or in connection with the services herein. Everything on this blog is based on personal opinion and should be interoperated as such. Contact Info If you would like to contact this blog, you may do so by emailing ALAKHANI(AT)YMAIL(DOT)COM