{"id":99618,"date":"2020-04-09T10:38:53","date_gmt":"2020-04-09T17:38:53","guid":{"rendered":"\/blogs\/?p=99618"},"modified":"2024-07-08T01:48:46","modified_gmt":"2024-07-08T08:48:46","slug":"malbus-actor-changed-market-from-google-play-to-one-store","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/","title":{"rendered":"MalBus Actor Changed Market from Google Play to ONE Store"},"content":{"rendered":"<p>Authored by: Sang Ryol Ryu and Chanung Pak<\/p>\n<p>McAfee Mobile Research team has found another variant of <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-popular-south-korean-bus-app-series-in-google-play-found-dropping-malware-after-5-years-of-development\/\" target=\"_blank\" rel=\"noopener noreferrer\">MalBus<\/a> on an education application, developed by a South Korean developer. In the previous Malbus case, the author distributed the malware through Google Play, but new variants are distributed via the <a href=\"https:\/\/www.onestorecorp.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">ONE Store<\/a> in much the same way. ONE Store is a joint venture by the country\u2019s three major telecom companies and is a preinstalled app on most Android phones selling in South Korea. It has 35 million users (close to 70% of South Korea\u2019s population) and has already surpassed Apple\u2019s app store sales from the end of 2018.<\/p>\n<p>The application in question is distributed via Google Play and the ONE Store at the same time. The malicious application downloads and runs an encrypted payload with malicious functions.<\/p>\n<p><a href=\"https:\/\/www.mcafeemobilesecurity.com\" target=\"_blank\" rel=\"noopener noreferrer\">McAfee Mobile Security<\/a> detects this threat as Android\/Malbus and alerts mobile users if it is present, while protecting them from any data loss.<\/p>\n<h2>The Campaign<\/h2>\n<p>We found malicious code injected by an attacker, via the developer\u2019s account, into versions 27 and 28 of the application distributed through the ONE Store. The App Signature Certificate for versions 26 through 29 distributed from the One Store are the same. No other application developed by the same author was found on the ONE Store. The ONE Store is now servicing version 29 which does not contain malicious code. Google Play still offers version 26, though this is also clear of infection.<\/p>\n<p>The overall flow of this application, focusing on the malicious function, is explained below:<\/p>\n<p>After the malware is installed, the malicious code has a latent period of 10 hours to avoid being discovered by dynamic analysis.<\/p>\n<p style=\"text-align: center;\">\n<p>After the latent period, it starts two threads. The first one loads native library \u201clibmovie.so\u201d and calls one of its exported functions, \u201cplayMovie\u201d, with a phone number as an argument while the second one creates a Java server socket for communication with another native library.<\/p>\n<p style=\"text-align: center;\">\n<p>The first loaded library, libmovie.so, contains a curl binary and URLs for secondary payloads in XOR encoded data which are decoded at runtime. The XOR value is 0x8E and it is globally used in this library. All decoded URLs appear to have been hacked and the decoded URLs drop RC4 encrypted ELF files.<\/p>\n<p style=\"text-align: center;\">\n<p>Simply put, libmovie.so is a downloader and executer. It downloads the next payload from a hacked web server by using a dropped curl binary, decrypts it and loads the library. Once the library is loaded, the downloaded file is deleted to avoid detection. Lastly, the downloaded code starts from exported function name \u201cLibfunc\u201d.<\/p>\n<p>As for the RC4 cryptographic library, encryption is the most common way to hide or protect important things. Accordingly, it is assumed that there is some important in this file.<\/p>\n<p>The file sizes and data for szServer_XX_1 and szServer_XX_2 are the same as shown in Table 2. But szServer_XX_3 has several functions that are added, removed or modified a little bit. However, it does not affect the overall process.<\/p>\n<p>\u201cdoMainProc\u201d is the core function called by \u201cLibfunc\u201d. The first job of the \u201cdoMainProc\u201d is selecting the C2 server randomly.<\/p>\n<p>After selecting the C2 server, a randomly created TUID is sent to the server. Guessing from its usage, the TUID might be a target device ID to manage contaminated targets. Now the application is working as a spy agent, waiting for actions from the selected server and ready to execute commands. We discovered the following available commands:<\/p>\n<p style=\"text-align: center;\">\n<p>Among the malicious commands, an eye-catching feature is SMS and MMS capturing. SMS and MMS are saved in the \u201c\/data\/data\/&lt;package name&gt;\/files\/\u201d directory as file name \u201csms.txt\u201d and \u201cmms.txt\u201d respectively.<\/p>\n<p>This feature can be activated by registering the Android receiver.<\/p>\n<p>This malicious app opens TCP port 1111 locally to communicate with the loaded native library. Below is manually interpreted Java code:<\/p>\n<p>public void run()<\/p>\n<p>{<\/p>\n<p>CommunicationThread commThread;<\/p>\n<p>Socket socket = null;<\/p>\n<p>serverSocket = new ServerSocket(sock_port); \/\/ sock_port = 1111<\/p>\n<p>if (serverSocket) {<\/p>\n<p>while ((!Thread.currentThread().isInterrupted())) {<\/p>\n<p>commThread = new CommunicationThread(this, serverSocket.accept());<\/p>\n<p>new Thread(commThread).start();<\/p>\n<p>}<\/p>\n<p>}<\/p>\n<p>}<\/p>\n<p style=\"text-align: center;\">\n<p>The SMS\/MMS capture feature is enabled when receiving a &#8220;SET&#8221; string on local TCP 1111 port and disabled by receiving &#8220;FREE&#8221;.<\/p>\n<p>The loaded native library connects when the \u201cSD_SetSMSCapture\u201d command receives and sends \u201cSET\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>Below is interpreted as C language.<\/p>\n<p><em>client = socket(AF_INET, SOCK_STREAM, 0);<\/em><\/p>\n<p><em>addr.sin_family = AF_INET;<\/em><\/p>\n<p><em>addr.sin_port = htons(1111);<\/em><\/p>\n<p><em>addr.sin_addr.s_addr= inet_addr(&#8220;127.0.0.1&#8221;);<\/em><\/p>\n<p>One other function we have not seen before is \u201cSD_LoadSoFile\u201d. This loads a new native library and executes a specific function in it. This function seems to change the running native library to a newer one when the current binary has a problem, or to add new features.<\/p>\n<h3>Compared to Malbus<\/h3>\n<p>This newly discovered malicious code has many similarities compared to Malbus, such as using the same malicious function name starting with \u201cSD_\u201d, file name, XOR\u2019ed strings to hide original strings, embedded files in libraries, command ids, the same version of compiler and so on. It also has the differences mentioned above: downloading a malicious library directly instead of installing a plugin APK and no sensitive keyword list such as \u2018North Korea\u2019, \u2018National Defense\u2019 and so on.<\/p>\n<h2>Conclusion<\/h2>\n<p>Malware can be distributed through all manner of third-party app stores, not only official ones such as Google Play. This malware is carefully prepared &#8211; the final payload of the malware is the file that was hacked and uploaded to the vulnerable server before malware distribution. We believe the authors of this malware will continue to buy or hack trusted developer accounts to update malicious functionality, infiltrate and distribute through official app stores. As with previous cases, users should verify the applications they install, even if they download them from official stores. McAfee is working with Korean law enforcement agencies to help with the takedown of the attack campaign.<\/p>\n<p>&nbsp;<\/p>\n<h3>Hashes (SHA-256)<\/h3>\n<p><strong>Initial Downloader (APKs)<\/strong><\/p>\n<ul>\n<li>5e57bc8d83a372bf4d046c272cd43db9000036c9b32d8eecead1af75f4958c57<\/li>\n<li>1613b35c73c6497730490d7712ac015c2b42931446aed149e1292e2ba77d0ff4<\/li>\n<\/ul>\n<p><strong>Encrypted Trojan (additional payload)<\/strong><\/p>\n<ul>\n<li>d328373cd67c467485b9c96349a0ee08fc3b58fe2c11fb19f4dcb9ea6c7a0dae<\/li>\n<li>c5bff68022ead6302f710f1ce1c3d5682a8cd3610b1f8ed2563098d7ac4e1909<\/li>\n<li>c410cacbb0be8f649f082148c91f4cef27f101b8db3ce64a02882506c9b51a63<\/li>\n<li>178dddf38ec232d540bd88320521d8134644da1e7af19e7ae295b2d614e3ab56<\/li>\n<\/ul>\n<p><strong>Decrypted Trojan (additional payload)<\/strong><\/p>\n<ul>\n<li>9fc914545fbb99b7e0d4a5207f5a2b32a8a127a36caa9159d4feeac445c509f7<\/li>\n<li>df651ac1bfd60cd29cea85cc410002b933552260c2439fe86a4f32486abd0828<\/li>\n<li>63d10c9cd105c7b17effef18d31d571fe4c9c999966cc09bdb40df07c1b6baa8<\/li>\n<li>f99212b70729942923fe26b996791cdd8eb561f8ae017e1d71202fbb97f7d245<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an&#8230;<\/p>\n","protected":false},"author":695,"featured_media":96044,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-99618","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MalBus Actor Changed Market from Google Play to ONE Store | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MalBus Actor Changed Market from Google Play to ONE Store | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-04-09T17:38:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-08T08:48:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1152\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"MalBus Actor Changed Market from Google Play to ONE Store\",\"datePublished\":\"2020-04-09T17:38:53+00:00\",\"dateModified\":\"2024-07-08T08:48:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/\"},\"wordCount\":1153,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/\",\"name\":\"MalBus Actor Changed Market from Google Play to ONE Store | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg\",\"datePublished\":\"2020-04-09T17:38:53+00:00\",\"dateModified\":\"2024-07-08T08:48:46+00:00\",\"description\":\"Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg\",\"width\":2048,\"height\":1152},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"MalBus Actor Changed Market from Google Play to ONE Store\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MalBus Actor Changed Market from Google Play to ONE Store | McAfee Blog","description":"Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"MalBus Actor Changed Market from Google Play to ONE Store | McAfee Blog","og_description":"Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2020-04-09T17:38:53+00:00","article_modified_time":"2024-07-08T08:48:46+00:00","og_image":[{"width":2048,"height":1152,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"MalBus Actor Changed Market from Google Play to ONE Store","datePublished":"2020-04-09T17:38:53+00:00","dateModified":"2024-07-08T08:48:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/"},"wordCount":1153,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/","name":"MalBus Actor Changed Market from Google Play to ONE Store | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg","datePublished":"2020-04-09T17:38:53+00:00","dateModified":"2024-07-08T08:48:46+00:00","description":"Authored by: Sang Ryol Ryu and Chanung Pak McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/07\/Dark-network-with-glowing-red-node-targeting-a-bug-information-security-3D-illustration.jpg","width":2048,"height":1152},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malbus-actor-changed-market-from-google-play-to-one-store\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"MalBus Actor Changed Market from Google Play to ONE Store"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/99618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=99618"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/99618\/revisions"}],"predecessor-version":[{"id":196179,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/99618\/revisions\/196179"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/96044"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=99618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=99618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=99618"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=99618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}