
Fake Voice Apps on Google Play, Botnet Likely in Development


  • 27 Nov 2018
4 min read
By Echo Duan

We noticed several apps uploaded to Google Play posing as legitimate voice messenger platforms, with suspicious automated functions such as automatic pop-ups of fake surveys and fraudulent ad clicks. Variants of these malicious apps and their malware have been deployed one by one since October; their evolution includes evasive techniques, and their infection behavior is divided into several stages. The modular capabilities of the analyzed samples are tagged as version 1.0, and the cybercriminals may be in the process of adding more features and updates for future malicious activities such as botnet attacks. Infection numbers are not yet critical, but the increase in uploads and user downloads for the remaining live apps calls for continued observation, given the rapid development and distribution in the mobile ecosystem.

While the majority of the fake apps have been taken down, we took one of the apps as an example to show their common behaviors. All the analyzed samples from the seven identified app IDs have similar coding and behavior, which makes us suspect that the cybercriminals are working on additional modules and will deploy more malicious apps.

Figure 1. One of the apps posing as a legitimate voice messenger uploaded on Google Play

Figure 2. Malicious voice messenger app with thousands of installs recorded

Behavior

Uploaded on Google Play, the app (detected by Trend Micro as AndroidOS_FraudBot.OPS) tries to stay subtle by using lightweight modular downloaders to compromise unknowing users’ devices. While the publishers of these apps differ, we suspect that the apps came from the same authors since the code is similar across them. Once downloaded, the first component connects with the C&C server, then decrypts and executes the payload.

Figure 3. Order of payload execution

The payload executes as follows:

The module named “Icon” hides the app’s icon to prevent the user from uninstalling it.

Figure 4. Hiding the icon

Module “Wpp” can open the browser to access arbitrary URLs.

Figure 5. The module collects specific URLs found in the browser

While analyzing the sample, we saw the app display fake survey forms that collect users’ personally identifiable information (PII) such as names, phone numbers, and home addresses in exchange for gift cards. The fake survey form loads in the device’s default browser. If the default browser cannot be identified, the survey is loaded in any of the following browsers, which we have observed based on the C&C response: Boat Browser, Brave, Chrome, Cheetah, Dolphin, DU, Firefox, Jiubang Digital Portal, Link Bubble, Opera, Opera Mini, Puffin and UC.

Figure 6. Fake app for users’ information collection

Wpp also generates fraudulent ad clicks via random app touch events.

Figure 7. Random app touch events for fraudulent ad clicks

The module named “Socks” functions as a dynamic library that integrates with C-Ares (the C library for asynchronous DNS requests) and performs name resolution. Though we have not observed communication with the server,
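The three behaviors described above (icon hiding, synthesized touch events for ad clicks, and a bundled C-Ares resolver) each leave recognizable API and symbol references in a decompiled APK. The following is an added example of an analyst triage script, not code from the original post or from Trend Micro: it runs a small set of string heuristics over a dump of method references and native symbols (the kind of output a `strings` pass over decoded dex and .so files produces) and reports which behaviors co-occur. The rule patterns reference real Android APIs (`PackageManager.setComponentEnabledSetting`, `MotionEvent.obtain`, `View.dispatchTouchEvent`) and real c-ares symbols (`ares_init`, `ares_gethostbyname`); the sample string dumps and the verdict thresholds are constructed for illustration.

```python
import re

# Each rule lists the patterns that must ALL appear somewhere in the
# string dump before the rule fires. Requiring co-occurrence keeps a
# single, legitimately used API reference from flagging an app.
# Patterns are Android method references / native symbol names; the
# grouping of them into "behaviors" is this script's own heuristic.
RULES = {
    # Disabling the launcher activity is how an app removes its own icon.
    "hides_launcher_icon": [
        r"Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
        r"android\.intent\.category\.LAUNCHER",
    ],
    # Building MotionEvents and dispatching them = programmatic "touches".
    "synthesizes_touch_events": [
        r"Landroid/view/MotionEvent;->obtain",
        r"dispatchTouchEvent",
    ],
    # c-ares entry points in a native library indicate a bundled resolver.
    "bundles_c_ares_resolver": [
        r"\bares_init\b",
        r"\bares_gethostbyname\b",
    ],
}


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Return {rule_name: [matching strings]} for every rule whose patterns all matched."""
    hits: dict[str, list[str]] = {}
    for name, patterns in RULES.items():
        matched: list[str] = []
        for pat in patterns:
            found = [s for s in strings if re.search(pat, s)]
            if not found:
                break  # one pattern missing -> rule does not fire
            matched.extend(found)
        else:
            hits[name] = matched
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """Map the number of fired rules to a review priority (constructed thresholds)."""
    if len(hits) >= 2:
        return "suspicious: manual review"
    if len(hits) == 1:
        return "low: single indicator"
    return "clean by these heuristics"


# Constructed string dump resembling a sample with all three behaviors.
SUSPECT_STRINGS = [
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V",
    "android.intent.category.LAUNCHER",
    "Landroid/view/MotionEvent;->obtain(JJIFFI)Landroid/view/MotionEvent;",
    "Landroid/view/View;->dispatchTouchEvent(Landroid/view/MotionEvent;)Z",
    "ares_init",
    "ares_gethostbyname",
]

# Constructed string dump for an ordinary app: it has a launcher entry and
# handles touches like any View, but never disables components, never
# fabricates MotionEvents, and resolves names through the platform.
BENIGN_STRINGS = [
    "android.intent.category.LAUNCHER",
    "Landroid/view/View;->dispatchTouchEvent(Landroid/view/MotionEvent;)Z",
    "getaddrinfo",
]

if __name__ == "__main__":
    for label, dump in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        hits = triage(dump)
        print(f"{label}: {verdict(hits)}")
        for rule, evidence in hits.items():
            print(f"  {rule}: {len(evidence)} matching strings")
```

The point of requiring every pattern in a rule is precision: a browser legitimately declares a LAUNCHER activity and every View dispatches touch events, so neither string alone says anything. Only the combination (component disabling next to the launcher category, or event construction next to event dispatch) is worth an analyst's time, and even then the output is a review queue, not a conviction.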
Source: TrendLabs Security Intelligence Blog. Published on 2018-11-27.