Yukihiro Okutomi – McAfee Blogs (https://www.mcafee.com/blogs)

MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/
Wed, 07 Aug 2019 16:10:58 +0000


The McAfee mobile research team has found a new type of Android malware belonging to the MoqHao phishing campaign (a.k.a. XLoader and Roaming Mantis) that targets Korean and Japanese users. A series of attack campaigns is still active, mainly targeting Japanese users. The new spyware carries very different payloads from the existing MoqHao samples. However, we found evidence of a connection between the distribution method used in the existing campaign and this new spyware. All of the spyware samples we found this time pose as security applications aimed at users in Japan and Korea. We discovered a phishing page, related to a DNS hijacking attack, designed to trick the user into installing the new spyware, which was distributed on the Google Play store.

Fake Japanese Security Apps Distributed on Google Play

We found two fake Japanese security applications. The package names are com.jshop.test and com.jptest.tools2019. These packages were distributed on the Google Play store, and the number of downloads was very low. Fortunately, the spyware apps were removed from the Google Play store immediately; we obtained the malicious samples thanks to the Google Android Security team.

Figure 1. Fake security applications distributed on Google Play

This Japanese spyware has four command-and-control functions. Below is the list of server commands used with this spyware. The spyware attempts to collect device information such as the IMEI and phone number, and to steal SMS/MMS messages stored on the device. These malicious commands are delivered through the Tencent Push Notification Service.

Figure 2. Command registration into mCommandReceiver

Table 1. The command lists

*1 Not implemented correctly: the behavior differs from the functionality suggested by the command name

We believe that the cybercriminal included minimal spyware features to bypass Google’s security checks to distribute the spyware on the Google Play store, perhaps with the intention of adding additional functionality in future updates, once approved.

Fake Korean Police Apps

Following further investigation, we found other very similar samples to the above fake Japanese security applications, this time targeting Korean users. A fake Korean police application disguised itself as an anti-spyware application. It was distributed with a filename of cyber.apk on a host server in Taiwan (that host has previously been associated with malicious phishing domains impersonating famous Japanese companies). It used the official icon of the Korean police application and a package name containing ‘kpo’, along with references to com.kpo.scan and com.kpo.help, all of which relate to the Korean police.

Figure 3. This Korean police application icon was misappropriated

The Trojanized package was obfuscated with the Tencent packer to hide its malicious spyware payload. Unlike the existing samples used in the MoqHao campaign, which hide the control server address and retrieve it via Twitter accounts, this sample simply embeds the C&C server address in the spyware application.

The malware has spyware functionality very similar to the fake Japanese security application. However, this one implements many additional commands compared to the Japanese one. Interestingly, the Tencent Push Service is again used to issue commands to the infected device.

Figure 4. Tencent Push Service

The code and table below show characteristics of the server command and content list.

Figure 5. Command registration into mCommandReceiver

Table 2. The command lists

*1 Seems to be under construction: the behavior differs from the functionality suggested by the command name

There are several interesting functions implemented in this spyware. To place phone calls automatically through the default dialer application, the KAutoService class inspects the content of the active window and automatically clicks the start-call button.

Figure 6. KAutoService class clicks the start button automatically in the active calling application

Another interesting function attempts to disable anti-spam call applications (e.g. whowho – Caller ID & Block), which warn users when an incoming call from an unknown number looks suspicious. By disabling these call-security applications, the spyware lets the criminals place calls without arousing suspicion, since the anti-spam call apps issue no alert, which increases the success rate of their social engineering.

Figure 7. Disable anti-spam-call applications

Figure 8. Disable anti-spam-call applications

Table 3. List of disabled anti-spam call applications

Connection with Active MoqHao Campaigns

The malware characteristics and structures are very different from the existing MoqHao samples. We give special thanks to @ZeroCERT and @ninoseki, without whom we could not have identified the connection to the active MoqHao attack and DNS hijacking campaigns. The server script on the phishing website hosting the fake Chrome application redirects victims to a fake Japanese security application on the Google Play store (https://play.google.com/store/apps/details?id=com.jptest.tools2019) under specific browser conditions.

Figure 9. The server script redirects users to a fake security application on Google Play (Source: @ninoseki)

The fake Japanese and Korean applications we found this time are strongly correlated: they share common spy commands and the same crash-report key on a cloud service. We therefore concluded that both pieces of spyware are connected to the ongoing MoqHao campaigns.

Conclusion

We believe that the spyware aims to masquerade as a security application and perform spy activities, such as tracking device location and eavesdropping on call conversations. It is distributed via an official application store that many users trust. The attack campaign is still ongoing, and it now features a new Android spyware that has been created by the cybercriminals. McAfee is working with Japanese law enforcement agencies to help with the takedown of the attack campaign. To protect your privacy and keep your data from cyber-attacks, please do not install apps from outside of official application stores. Keep firmware up to date on your device and make sure to protect it from malicious apps by installing security software on it.

McAfee Mobile Security detects this threat as Android/SpyAgent and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com

Appendix – IOCs

Table 4. Fake Japanese security application IOCs

Table 5. Fake Korean police application IOCs

Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/pirated-android-apps-abuse-virtualization-to-pose-as-legitimate/
Wed, 01 Nov 2017 13:00:59 +0000

The McAfee Mobile Research team recently found pirated versions of popular apps distributed on the Google Play store. A pirated app is usually distributed outside the official store as a free version of a legitimate app, and paid legitimate applications are the leading targets. In this case, however, we found pirated copies being distributed on the official market.

The four pirated apps we found are developed by AE-funStudios, which offers versions of the common tool and games Flashlight, Race Car, Gun Shoot, and Chess. The download counts of these apps are between 10,000 and 100,000. We contacted Google about these pirated apps, and they were promptly removed from the Google Play store.

How do we know these apps are pirated versions? Let’s look at their structure. The following screenshot shows the pirated version of Chess, com.chess.chessfree.chessboard.chessgame.free.

In this app, we find the file ttttt in the assets folder. The file has no extension, but the format is APK, and in this case is the legitimate app Chess Free from a different developer. The bogus filename is already suspicious.

The pirated app creates a virtual space using the class VirtualCore, installs the legitimate app into that virtual space, and runs it when the pirated app is launched.

The component com.lody.virtual is a piece of virtualization technology. The virtualization component, VirtualApp, is published on GitHub as open source, so the component itself is not malicious. It is similar to Instant Apps, introduced in Android 8.0 Oreo, which provide a framework for running an application in a virtual space without installation. The component creates a virtual memory space in a local process, then loads and executes an APK file in that memory space.

The pirated app uses the virtualization component to make the legitimate app in the assets folder behave like part of the application, without installing the legitimate app on the device. Using this framework, the malware author can generate a new Trojan without repackaging (disassembling an app, inserting malware code, and rebuilding it as a new package).
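The two structural traits described above (an APK hidden under assets/ with a bogus name, and a dex that references the com.lody.virtual component) can be checked without running the app. The following is an added example written for this post, not McAfee's tooling; it uses only the Python standard library, flags the pattern by string matching on classes.dex (a heuristic, not dex parsing), and scans a constructed stand-in APK rather than the real com.chess.chessfree.chessboard.chessgame.free package.

```python
import io
import zipfile

# Class-name prefix of the open-source VirtualApp component (com.lody.virtual)
# and the entry class the post names; both appear as strings in classes.dex.
VIRTUALIZATION_MARKERS = (b"Lcom/lody/virtual/", b"VirtualCore")
ZIP_MAGIC = b"PK\x03\x04"


def is_embedded_apk(data: bytes) -> bool:
    """True if `data` is itself an APK: a ZIP carrying a manifest and a dex."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def scan_apk(apk_bytes: bytes) -> dict:
    """Flag the app-in-app pattern: an APK hidden under assets/ (whatever its
    extension) plus a dex that references the virtualization component."""
    findings = {"embedded_apks": [], "virtualization_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if name.startswith("assets/") and is_embedded_apk(outer.read(name)):
                findings["embedded_apks"].append(name)
            elif name.endswith(".dex"):
                dex = outer.read(name)
                findings["virtualization_markers"] += [
                    m.decode() for m in VIRTUALIZATION_MARKERS if m in dex
                ]
    # Either signal alone is weak (games ship packed assets, and VirtualApp is
    # legitimate open source); the combination is what the post describes.
    findings["suspicious"] = bool(findings["embedded_apks"]) and bool(
        findings["virtualization_markers"]
    )
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for the pirated Chess package: a legitimate-looking
    APK stored as assets/ttttt, and a dex that loads it through VirtualCore.
    The dex content is a placeholder string, not real bytecode."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='legit.chess'/>")
        z.writestr("classes.dex", b"dex\n035\x00 placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='pirate.chess'/>")
        z.writestr(
            "classes.dex",
            b"dex\n035\x00 Lcom/lody/virtual/client/core/VirtualCore; placeholder",
        )
        z.writestr("assets/ttttt", inner.getvalue())  # nested APK, no extension
        z.writestr("assets/board.png", b"\x89PNG\r\n\x1a\n")  # ordinary asset
    return outer.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

Run it against a real APK by passing the file's bytes to scan_apk; a hit on both signals is a reason to inspect the nested package, not a verdict on its own.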

However, the virtualization technique is not the perfect framework for all Android apps. Those with diversion protection and complex structures will not run in a virtual space. By applying app protection technology against repackaging, for example, we believe that the risk of a legitimate application being abused will become very low.

Let’s consider the intent of the pirated app’s author. In the following screenshot, it appears the author intends to earn income from mobile app advertisements. From our investigation, however, the current versions of these pirated apps have no mechanisms to display advertisements or to intercept the communications of the related legitimate apps to gain the revenue. Perhaps this feature is under development for future updates.

Another scenario is that the developer of the pirated apps plans to sell the developer account to a criminal organization: as one website points out, popular accounts such as those on Facebook and Instagram are traded at high prices on the black market, just like banking accounts and personal identity information. The developer account could also be used for malware and spyware distribution. Each application imitated by these four pirated apps is very popular, with between 1 million and 50 million users. The pirated versions offer the same functionality as the legitimate apps to attract and retain users looking for the original applications.

McAfee Mobile Security detects these pirated apps as Android/PUP.Pirates.C and protects user devices as well as the legitimate developers’ rights. To further protect yourself against pirated apps, download only recommended and popular apps on official app stores, and pay attention to suspicious traits such as odd app titles, user-unfriendly descriptions, low-quality screenshots, and poor user reviews. Also, verify that an app’s request for permissions is related to its functionality.

Turkish Instagram Password Stealers Found on Google Play
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/turkish-instagram-password-stealers-found-google-play/
Thu, 12 Jan 2017 22:48:55 +0000

McAfee’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) This malware is distributed as utilities for analyzing account access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users.

The malware leads victims to a phishing website that steals Instagram account passwords using the WebView component. As the following screenshots show, the login page design is very simple, so it is difficult for users to tell the difference between the legitimate and the fake page.


The victim’s credentials are sent to the malware author in plain text. If the network connection is monitored (as is possible on a free Wi-Fi network), the account name and password are exposed to anyone observing the traffic.


Victims’ personal information may leak if they use the same passwords on other websites and social network services. Malware authors will attempt to log into other web services using the stolen accounts and passwords.

Instagram’s popularity makes it a target for attackers. McAfee recommends you install mobile security and password-management software, and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/InstaZuna and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

Android Spyware Targets Security Job Seekers in Saudi Arabia
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-spyware-targets-security-job-seekers-in-saudi-arabia/
Tue, 31 May 2016 16:08:21 +0000

The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence gathering campaigns. During the past few years, McAfee Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware for not only disruption and hacktivism but also for intelligence gathering. Today we shed light on a new campaign targeting Saudi Arabia.

We have identified a campaign that works in tandem with a job site offering work for security personnel in government or military positions.

The spyware, Android/ChatSpy, was distributed as a private chat application. It steals user contacts, SMS messages, and voice calls from infected devices and forwards them to the attacker’s server, which is in the same location as the job site.


The motives behind the spyware author are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat. We have reported this spyware campaign to the Computer Emergency Response Team in Saudi Arabia for additional investigation.

Let’s take a look at the spyware’s behavior. After it runs, the spyware shows only a screen with the network carrier and the user’s phone number, nothing more.

At the same time, the spyware runs in the background, gathers device information, contacts, browser history, SMS messages, and call logs from the infected device, and posts them to the attacker’s server. Then the spyware sends the message “New victim arrived” to notify the attacker of the infection and hides its application icon from the menu to prevent uninstallation and keep its spying activities secret.

The spyware keeps monitoring incoming SMS messages and takes screenshots, and records incoming/outgoing voice calls in the background. This user-sensitive information is also posted to the attacker’s server. The server runs a MySQL database and collects the data from infected devices. How is the information used? Most likely in a subsequent targeted attack.


Although the spyware works cleanly and quietly, the application code is of poor quality. The spyware has “spy” in the package name, and the hardcoded SMS message to the attacker has “victim” in plain text. The spyware uses an open-source “call-recorder-for-android,” found on GitHub, to implement the voice-call recording function. With such sloppy coding, the spyware must have been developed in a rush job by a “script kiddie.”

McAfee recommends you install mobile security software, and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/ChatSpy and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

SHA-256 hash of analyzed sample(s):

  • 7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb
  • 4aef8d9a3c4cc1e66a6f2c6355ecc38d87d9c81bb2368f4ca07b2a02d2e4923b

Control server:

  • hxxp://ksa-sef[dot]com/Hack%20Mobaile/

Amazon Gift Card Malware Spreading via SMS
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/amazon-gift-card-malware-spreading-via-sms/
Tue, 03 Mar 2015 15:50:32 +0000

McAfee Labs recently published its Hacking the Human OS report, which details a number of ways in which cybercriminals rely on victims’ trust in a particular brand or public authority to hand over information or allow their systems to become infected with malicious code. This week, the McAfee Labs team uncovered a new scam leveraging user trust in the Amazon brand.

Amazon is one of the biggest online shopping markets. Recently, the McAfee Labs team found new Android malware spreading via SMS (short message service) and masquerading as an Amazon Rewards application. The SMS appears to come from trusted contacts such as family or friends whose devices are already infected. Have you received an SMS like the one below offering an Amazon Gift Card from your family or friends?

The SMS uses a shortened URL and leads users to a malicious website to download malware with the filename AmazonRewards.apk. Then the website attempts to make users rush to download the application by reducing the remaining number of Free Gift Cards—a sneaky tactic!


After installation, “Amazon Rewards” is registered on the Menu.


The malware shows a survey website after it runs. A user might assume they can get an Amazon Gift Card by answering the survey, but that is not the case. The survey and the application offered by the malware are a legitimate advertisement and legitimate applications from the Google Play store; the malware author collects “reward” money when you answer the survey or install the application.

In addition, the malware sends SMS messages like the one above to all listed contacts, including your family and friends. As a result, the malware can spread widely and rapidly, and the malware author will get more money with each infection.

This SMS spreading method via contacts on infected devices will make this threat widespread in the mobile world, as we have already seen in China. So please do not install applications from untrusted sources, especially if they arrive in the form of an unexpected SMS message. Think before you click: If it’s too good to be true, it usually is! Your awareness will help slow the spread of such malware.

McAfee Mobile Security detects this Android threat as Android/Gazon and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.
