{"id":10488,"date":"2017-11-14T17:10:04","date_gmt":"2017-11-15T01:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/14\/news-4260\/"},"modified":"2017-11-14T17:10:04","modified_gmt":"2017-11-15T01:10:04","slug":"news-4260","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/14\/news-4260\/","title":{"rendered":"New Android Trojan malware discovered in Google Play"},"content":{"rendered":"<p><strong>Credit to Author: Nathan Collier | Date: Wed, 15 Nov 2017 00:07:53 +0000<\/strong><\/p>\n<p>A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017. These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1).<\/p>\n<p>We named this new malware variant Android\/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs.<\/p>\n<p>For the sake of discussion as we analyze this malware, let\u2019s concentrate on just one of its associated apps, since they all share the same behavior. We will focus on a malicious QR scanner app named <em>Qr code generator \u2013 Qr scanner<\/em>.<\/p>\n<h3>Surface analysis of Trojan AsiaHitGroup<\/h3>\n<p>AsiaHitGroup has several layers of maliciousness. It starts innocently enough with an icon created on the mobile device after install. 
Click on the icon, and it opens a functioning QR scanner, as promised.<\/p>\n<p>However, this QR scanner is short-lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it. If you are looking under the Q\u2019s for <em>Qr code generator<\/em> or <em>Qr scanner<\/em>, it&#8217;s not there. It\u2019s not even under the icon\u2019s name, <em>Barcode reader<\/em>, which is shown briefly before vanishing. Instead, this deceiving app is called <em>Download Manager<\/em> in the app list. Unless you know all the apps on your mobile device exceptionally well, it\u2019s nearly impossible to discover this app name.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-20533 size-medium\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/11\/AsiaHitGroup_3-169x300.jpg\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/11\/AsiaHitGroup_3-169x300.jpg 169w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/11\/AsiaHitGroup_3-338x600.jpg 338w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/11\/AsiaHitGroup_3.jpg 720w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/p>\n<h3>Diving deeper into Trojan AsiaHitGroup<\/h3>\n<p>If the behaviors listed above weren\u2019t enough to conclude this QR app is malicious, it gets worse. The first step performed by the malicious app in the background is checking the location of the mobile device. This is done by using the website <em>ip-api.com<\/em>, which provides IP-based geolocation. 
If the location is in an area that satisfies rules within the code, then it proceeds to the next step. This next step is to download an APK by visiting a website that contains download instructions.<\/p>\n<h4>Code from <em>http:\/\/[hidden_domain]\/api\/custom\/dynamic-fragment<\/em> with instructions to download an APK<\/h4>\n<p><code>{\"id\": \"duy.van.dao.dynamicduy.20171005.16\", \"files\": [{\"id\": \"duy.van.dao.dynamicduy.20171005.16\", \"md5\": \"4662e8537751c49beb06309a989796fc\", \"url\": \"https:\/\/[hidden_domain]\/hoanghai27\/dynamic-fragment\/raw\/master\/dynamic-plugin-v22.apk\"}], \"version\": \"20171005.16\", \"fragments\": [{\"code\": \"duy.van.dao.dynamicduy.20171005.16\", \"name\": \"duy.van.dao.dynamicduy.MainFragment\", \"host\": \"dynamicfragment\"}]}<\/code><\/p>\n<p>Unfortunately, during testing, the APK could not be downloaded via the malicious QR app\u2014most likely due to my location. However, I was able to manually download the APK using the URL provided within the download instructions. The behavior of this downloaded APK was that of a Trojan SMS (which is why I subsequently named it Android\/Trojan.SMS.AsiaHitGroup). Based on all the references to Asia within the code, my assumption is <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/11\/emerging-apac-markets-prime-targets-malware-future\/\" target=\"_blank\" rel=\"noopener\">you must be in Asia<\/a> for this malware to fully function.<\/p>\n<h3>Add some adware into the mix<\/h3>\n<p>Even if the malicious Trojan SMS fails to download, there is yet another layer to the malevolence. Hidden within the malicious QR app is another APK waiting to do its bidding. 
However, this hidden APK is a less threatening, adware-pushing app.<\/p>\n<p>The hidden adware app comes with an unusual service name: <em>vn.solarjsc.fakeads.ShowAdsService<\/em>. Within this service, there is a reference to the same domain that was used to fetch the download instructions for the Trojan SMS. Although I was unable to verify, this domain may also contain the \u201cfakeads\u201d referenced in the service name. Regardless, rest assured we are detecting this hidden adware app as well, as Android\/Adware.AsiaHitGroup.<\/p>\n<h3>Google Play: not quite flawless<\/h3>\n<p>Even with the introduction of <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/mobile-menace-monday-implications-google-play-protect\/\" target=\"_blank\" rel=\"noopener\">Google Play Protect<\/a>, there appears to be no foolproof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails. We (obviously) recommend <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=org.malwarebytes.antimalware\" target=\"_blank\" rel=\"noopener\">Malwarebytes for Android<\/a>. 
Stay safe out there!<\/p>\n<h3>Malicious APK samples: use at own risk<\/h3>\n<h4>Android\/Trojan.AsiaHitGroup<\/h4>\n<p>MD5: 178E6737A779A845B8F2BAF143FDEA15, Package Name: duy.van.dao.qrcode<br \/> MD5: 7EEC1C26E60FEDE7644187B0082B6AC4, Package Name: com.varvet.barcodereader<br \/> MD5: 7CEDA121F9D452E9A32B8088F50012B8, Package Name: com.maziao.alarm<br \/> MD5: B481CE9D0B7295CDA33B15F9C7809B95, Package Name: com.magiaomatday.editimage<br \/> MD5: 60A71632004EE431ABB28BF91C3A4982, Package Name: com.maziao.speedtest<br \/> MD5: N\/A, Package Name: com.ruzian.explorer<\/p>\n<h4>Android\/Trojan.SMS.AsiaHitGroup<\/h4>\n<p>MD5: 3CC02E4FECEB488B084665E763968108, Package Name: duy.van.dao.dynamicduy<\/p>\n<h4>Android\/Adware.AsiaHitGroup<\/h4>\n<p>MD5: 995D5DC873104B5E42B3C0AF805359DB, Package Name: com.offer.flashcall<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/11\/new-trojan-malware-discovered-google-play\/\">New Android Trojan malware discovered in Google Play<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/11\/new-trojan-malware-discovered-google-play\/' title='New Android Trojan malware discovered in Google Play'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/11\/Featured_Image_AsiaHitGroup-640x640.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>New Android Trojan malware has been found in Google Play masquerading as multiple 
apps. We call this malware Android\/Trojan.AsiaHitGroup.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/mobile\/\" rel=\"category tag\">Mobile<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/android\/\" rel=\"tag\">Android<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/asiahitgroup\/\" rel=\"tag\">AsiaHitGroup<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/google-play\/\" rel=\"tag\">Google Play<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile\/\" rel=\"tag\">Mobile<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/11\/new-trojan-malware-discovered-google-play\/' title='New Android Trojan malware discovered in Google Play'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n
","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10462,16645,4503,11268,10554],"class_list":["post-10488","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-android","tag-asiahitgroup","tag-cybercrime","tag-google-play","tag-mobile"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10488"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10488\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10488"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}