{"id":181893,"date":"2024-02-07T23:29:53","date_gmt":"2024-02-08T07:29:53","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=181893"},"modified":"2024-02-26T23:06:24","modified_gmt":"2024-02-27T07:06:24","slug":"moqhao-evolution-new-variants-start-automatically-right-after-installation","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/moqhao-evolution-new-variants-start-automatically-right-after-installation\/","title":{"rendered":"MoqHao evolution: New variants start automatically right after installation"},"content":{"rendered":"

Authored by Dexter Shin<\/span>\u00a0<\/span><\/p>\n

MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first discovered in 2015. McAfee Mobile Research Team has also posted <\/span>several articles<\/span><\/a> related to this malware family that traditionally targets Asian countries such as Korea and Japan.<\/span>\u00a0<\/span><\/p>\n

\u00a0<\/span>Recently McAfee Mobile Research Team found that MoqHao began distributing variants using very dangerous technique. Basically, the distribution method is the same. They send a link to download the malicious app via the SMS message. Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution. While the app is installed, their malicious activity starts automatically. This technique was introduced in a <\/span>previous post<\/span><\/a> but the difference is that this dangerous technique is now being abused by other well-known active malware campaigns like MoqHao. We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version. Android users are currently protected by <\/span>Google Play Protect<\/span><\/a>, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. McAfee Mobile Security detects this threat as Android\/MoqHao.<\/span>\u00a0<\/span><\/p>\n

How <\/span>it is<\/span> distribute<\/span>d<\/span><\/span>\u00a0<\/span><\/h2>\n

MoqHao is distributed via phishing SMS messages (also known as Smishing). When a user receives an SMS message containing a malicious link and clicks it, the device downloads the malicious application. Phishing messages are almost the same as in previous campaigns:<\/span>\u00a0<\/span><\/p>\n

\"\"
\n<\/span><\/p>\n

Figure <\/span><\/span>1<\/span><\/span><\/span>. <\/span><\/span><\/strong>Smishing message impersonating a notification from a <\/span><\/span>courier <\/span>service.<\/span><\/span>\u00a0<\/span><\/p>\n

One noticeable change is that they now use URL shortener services. If the malware authors use their own domain, it can be quickly blocked but if they use legitimate URL shortener services, it is difficult to block the short domain because it could affect all the URLs used by that service. When a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service.<\/span>\u00a0<\/span><\/p>\n

What is new in this variant<\/span><\/b>\u00a0<\/span><\/h2>\n

As mentioned at the beginning, this variant behaves differently from previous ones. Typical MoqHao must be launched manually by the user after it is installed but this variant launches automatically after installation without user interaction:<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span><\/b>2<\/span><\/b>. <\/span><\/b>Differences between typical MoqHao and Modern MoqHao<\/p>\n

We<\/span> explained<\/span> this <\/span>auto-execution <\/span>technique<\/span> in detail in <\/span><\/span>a<\/span> previous post<\/span><\/span><\/a> but <\/span>to <\/span>briefly <\/span>summarize<\/span> it here, Android is designed so when an app is installed and a specific value used by the app is set to be unique, the code runs to check whether the value is unique upon installation. <\/span>T<\/span>his<\/span> feature <\/span>is<\/span> the one that is<\/span> being <\/span>abused <\/span>by <\/span>the highly active Trojan family <\/span>MoqHao<\/span> to auto-execute itself without user interaction.<\/span> The <\/span>distribution, <\/span>installation,<\/span> and auto-execution<\/span> of this <\/span>recent <\/span>MoqHao<\/span> variant<\/span> can be seen in the following video:<\/span><\/span>\u00a0<\/span><\/span><\/p>\n