{"id":94034,"date":"2019-02-04T10:00:12","date_gmt":"2019-02-04T18:00:12","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=94034"},"modified":"2024-02-18T20:20:31","modified_gmt":"2024-02-19T04:20:31","slug":"malbus-popular-south-korean-bus-app-series-in-google-play-found-dropping-malware-after-5-years-of-development","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-popular-south-korean-bus-app-series-in-google-play-found-dropping-malware-after-5-years-of-development\/","title":{"rendered":"MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware"},"content":{"rendered":"

McAfee\u2019s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total of four apps in the series, with three of them available from Google Play since 2013 and the other from around 2017. Currently, all four apps have been removed from Google Play while the fake plugin itself was never uploaded to the store. While analyzing the fake plugin, we were looking for initial downloaders and additional payloads – we discovered one specific version of each app in the series (uploaded at the same date) which was dropping malware onto the devices on which they were installed, explaining their removal from Google Play after 5 years of development.<\/p>\n

\"\"<\/p>\n

Figure 1. Cached Google Play page of Daegu Bus application, one of the apps in series<\/em><\/p>\n

When the malicious transportation app is installed, it downloads an additional payload from hacked web servers which includes the fake plugin we originally acquired. After the fake plugin is downloaded and installed, it does something completely different – it acts as a plugin of the transportation application and installs a trojan on the device, trying to phish users to input their Google account password and completely take control of the device. What is interesting is that the malware uses the native library to take over the device and also deletes the library to hide from detection. It uses names of popular South Korean services like Naver, KakaoTalk, Daum and SKT. According to our telemetry data, the number of infected devices was quite low, suggesting that the final payload was installed to only a small group of targets.<\/p>\n

The Campaign<\/h2>\n

The following diagram explains the overall flow from malware distribution to device infection.
\n\"\"<\/p>\n

Figure 2. Device infection process<\/em><\/p>\n

When the malicious version of the transportation app is installed, it checks whether the fake plugin is already installed and, if not, downloads from the server and installs it. After that, it downloads and executes an additional native trojan binary which is similar to the trojan which is dropped by the fake plugin. After everything is done, it connects with the C2 servers and handles received commands.<\/p>\n

Initial Downloader<\/h2>\n

The following table shows information about the malicious version of each transportation app in the series. As the Google Play number of install stats shows, these apps have been downloaded on many devices.<\/p>\n

\"\"<\/p>\n

Unlike the clean version of the app, the malicious version contains a native library named \u201clibAudio3.0.so\u201d.<\/p>\n

\"\"<\/p>\n

Figure 3. Transportation app version with malicious native library embedded<\/em><\/p>\n

In the BaseMainActivity class of the app, it loads the malicious library and calls startUpdate() and updateApplication().<\/p>\n

\"\"<\/p>\n

Figure 4. Malicious library being loaded and executed in the app<\/em><\/p>\n

startUpdate() checks whether the app is correctly installed by checking for the existence of a specific flag file named \u201cbackground.png\u201d and whether the fake plugin is installed already. If the device is not already infected, the fake plugin is downloaded from a hacked web server and installed after displaying a toast message to the victim. updateApplication() downloads a native binary from the same hacked server and dynamically loads it. The downloaded file (saved as libSound1.1.so) is then deleted after being loaded into memory and, finally, it executes an exported function which acts as a trojan. As previously explained, this file is similar to the file dropped by the fake plugin which is discussed later in this post.<\/p>\n

\"\"<\/p>\n

Figure 5 Additional payload download servers<\/em><\/p>\n

Fake Plugin<\/h2>\n

The fake plugin is downloaded from a hacked web server with file extension \u201c.mov\u201d to look like a media file. When it is installed and executed, it displays a toast message saying the plugin was successfully installed (in Korean) and calls a native function named playMovie(). The icon for the fake plugin soon disappears from the screen. The native function implemented in LibMovie.so, which is stored inside the asset folder, drops a malicious trojan to the current running app\u2019s directory masquerading as libpng.2.1.so file. The dropped trojan is originally embedded in the LibMovie.so xor’ed, which is decoded at runtime. After giving permissions, the address of the exported function \u201cLibfunc\u201d in the dropped trojan is dynamically retrieved using dlsym(). The dropped binary in the filesystem is deleted to avoid detection and finally Libfunc is executed.<\/p>\n

\"\"<\/p>\n

Figure 6 Toast message when malware is installed<\/em><\/p>\n

In the other forked process, it tries to access the \u201cnaver.property\u201d file on an installed SD Card, if there is one, and if it succeeds, it tries starting \u201c.KaKaoTalk\u201d activity which displays a Google phishing page (more on that in the next section) . The overall flow of the dropper is explained in the following diagram:<\/p>\n

\"\"<\/p>\n

Figure 7. Execution flow of the dropper<\/em><\/p>\n

Following is a snippet of a manifest file showing that \u201c.KaKaoTalk\u201d activity is exported.<\/p>\n

\"\"<\/p>\n

Figure 8. Android Manifest defining \u201c.KaKaoTalk\u201d activity as exported<\/em><\/p>\n

Phishing in JavaScript<\/h2>\n

KakaoTalk class opens a local HTML file, javapage.html, with the user\u2019s email address registered on the infected device automatically set to log into their account.<\/p>\n

\"\"<\/p>\n

Figure 9. KakaoTalk class loads malicious local html file<\/em><\/p>\n

The victim\u2019s email address is set to the local page through a JavaScript function setEmailAddress after the page is finished loading. A fake Korean Google login website is displayed:<\/p>\n

\"\"<\/p>\n

Figure 10. The malicious JavaScript shows crafted Google login page with user account<\/em><\/p>\n

We found the following attempts of exploitation of Google legitimate services by the malware author:<\/p>\n