{"id":17604,"date":"2020-01-31T09:40:03","date_gmt":"2020-01-31T17:40:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/31\/news-11339\/"},"modified":"2020-01-31T09:40:03","modified_gmt":"2020-01-31T17:40:03","slug":"news-11339","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/31\/news-11339\/","title":{"rendered":"Android Malware Targets Diabetic Patients"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Affected platforms: Android<br \/> Impacted parties: Android mobile users, patients, healthcare institutions<br \/> Impact: Malware, premium-rate SMS<\/p>\n<p>I recently ran across an Android app named \u201cTreatment for Diabetes.\u201d With such a title, many would intuitively think this Android application is safe. However, at the recent Virus Bulletin 2019 conference I <a href=\"https:\/\/fortiguard.com\/events\/3166\/virus-vulletin-2019-medical-iot-for-diabetes-and-cybercrime,\">showed<\/a> that malware can be hidden in any application \u2013 medical applications included \u2013 to enable criminals to generate revenue through aggressive advertisements. 
While this compromised app does not generate false advertisements, the issue is the same: almost any application can be infected with malware.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image_884119419.img.png\/1580339565562\/malware-diabetes-one.png\" alt=\"Malicious Android app disguised as a diabetes resource\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Malicious Android app disguised as a diabetes resource<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As the saying goes, \u201cthe habit does not make the monk\u201d: this particular sample \u201cTreatment for Diabetes\u201d is malicious.<\/p>\n<p>The application was automatically detected on our servers in September 2019, and fortunately, customers were already protected by one of our generic signatures. 
However, nobody had noticed its particular relevance to the medical sector until now.<\/p>\n<p>This particular sample is named &quot;Treatment for Diabetes.&quot; It provides documentation on the different forms of diabetes and its diagnosis, facts and myths, the symptoms of diabetes, information about treatment and insulin, etc.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image_2026350784.img.png\/1580340500815\/malware-diabetes-two.png\" alt=\"Diabetes resources in the \u201cTreatment for Diabetes\u201d app\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Diabetes resources in the \u201cTreatment for Diabetes\u201d app<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>However, in between providing medical information about this condition, it also sends an SMS message to the phone number 5554&#8230;<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Experienced malware analysts will note that this malware reuses a technique from the past: trojan dialers were once popular, but they aren\u2019t any longer. This reminds us of the old days&#8230;<\/p>\n<p>The malicious application actually requests permission to send this SMS message in the manifest. 
Of course, for a diabetes resource application, this is immediately suspicious.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image_1267511951.img.png\/1580349412482\/malware-diabetes-three.png\" alt=\"Request for SMS permission in the manifest\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Request for SMS permission in the manifest<\/span>         <\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 14pt 0in 14pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;\"><code style=\"font-family: 'Courier New';\"><span style=\"font-size: 10.0pt;\">&lt;manifest  android:compileSdkVersion=\"23\"  android:compileSdkVersionCodename=\"6.0-2438415\"  android:versionCode=\"17\" android:versionName=\"1.02\" package=\"com.DEVproAPP.diabetesblood\"  platformBuildVersionCode=\"26\"  platformBuildVersionName=\"8.0.0\"  xmlns:android=\"http:\/\/schemas.android.com\/apk\/res\/android\"&gt; <\/span><\/code><\/p>\n<p style=\"margin: 14pt 0in 14pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;\"><code style=\"font-family: 'Courier New';\"><span style=\"font-size: 10.0pt;\">... 
<\/span><\/code><\/p>\n<p style=\"margin: 14pt 0in 14pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;\"><code style=\"font-family: 'Courier New';\"><span style=\"font-size: 10.0pt;\">&lt;uses-permission  android:name=\"android.permission.SEND_SMS\" \/&gt; <\/span><\/code><\/p>\n<p style=\"margin: 14pt 0in 14pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;\"><code style=\"font-family: 'Courier New';\"><span style=\"font-size: 10.0pt;\">&lt;\/manifest&gt;<\/span><\/code><\/p>\n<p style=\"text-align: center; margin: 14pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\" align=\"center\"><code style=\"font-family: 'Courier New';\"><strong><em><span style=\"font-size: 10.0pt;\">Manifest code<\/span><\/em><\/strong><\/code><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>On Android 6.0 and later, where SEND_SMS is a dangerous permission that must be granted at runtime rather than at install time, the app checks whether the permission has already been granted and, if not, requests it.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image.img.png\/1580349513316\/malware-diabetes-four.png\" alt=\"Code for managing SMS permission request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Code for managing SMS permission request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This code also uses basic method-name obfuscation. 
However, de-obfuscating it is quite trivial.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image_329874312.img.png\/1580350454673\/malware-diabetes-five.png\" alt=\"Obfuscated code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Obfuscated code<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image_2090943367.img.png\/1580349542753\/malware-diabetes-six.png\" alt=\"Unobfuscated code used to send SMS messages\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Unobfuscated code used to send SMS messages<\/span>         <\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 14pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Sending an SMS only occurs once. 
Once the routine has run, the code inserts the value <code style=\"font-family: 'Courier New', serif;\"><span style=\"font-size: 10.0pt;\">was<\/span><\/code> into the field <code style=\"font-family: 'Courier New', serif;\"><span style=\"font-size: 10.0pt;\">was<\/span><\/code> of <code style=\"font-family: 'Courier New', serif;\"><span style=\"font-size: 10.0pt;\">table1<\/span><\/code> in <code style=\"font-family: 'Courier New', serif;\"><span style=\"font-size: 10.0pt;\">movieplayer.db<\/span><\/code>.<\/p>\n<\/div><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre style=\"margin: 0in 0in 0.0001pt 0.5in; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">this.insertStmt = DataHelper.FOVaZCLuBrXhSEH(this.db, \"insert into table1(was) values ('was')\");<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 0.5in; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">...<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 0.5in; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\"> public void was() {<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 0.5in; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DataHelper.executeInsert(this.insertStmt);<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 0.5in; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">&nbsp;&nbsp;&nbsp; 
}<\/code><\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>\u201cwas\u201d inserted into table 1 of movieplayer.db<\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>My emulator tried to send the SMS and marked it (of course, it failed to send the SMS as my emulator has no SIM card!):<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre style=\"margin: 0in 0in 0.0001pt 45.8pt; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">$ sqlite3 movieplayer.db <\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 45.8pt; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">SQLite version 3.22.0 2018-12-19 01:30:22<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 45.8pt; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">Enter \".help\" for usage hints.<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 45.8pt; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">sqlite&gt; select * from table1;<\/code><\/pre>\n<pre style=\"margin: 0in 0in 0.0001pt 45.8pt; font-size: 10pt; font-family: 'Courier New'; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><code style=\"font-family: 'Courier New';\">was<\/code><\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Emulator marked SMS message as sent<\/i><\/p>\n<p>Who is behind the phone number 5554 receiving the SMS 
message? It looks like a premium-rate SMS, typically used by malicious Trojan dialers to steal money from a victim, but we do not know the country, its cost, or even if it is still active.<\/p>\n<p>Regardless of who is behind this, the point is made. Healthcare institutions and patients: <b>do not assume medical applications, such as this diabetes app, are immune to malware,<\/b> and have them checked before installing them.<\/p>\n<h2>Solutions<\/h2>\n<p>FortiGate AV and FortiClient detect the sample as <b><i>Android\/FakePlayer.X!tr<\/i><\/b> with SIGID: 708812<\/p>\n<h2>IOCs<\/h2>\n<p><b><i>sha256:<\/i><\/b> cf661506978f088f276a5a5bc4f0ea71101f99941840dd0864b2068ee2eb2271<\/p>\n<p><i>Learn how <a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a> provides unmatched security and intelligence services using integrated AI systems.<\/i><\/p>\n<p><i>Find out about the FortiGuard Security Services <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a> and <a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">sign up<\/a> for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Discover how the FortiGuard <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a> provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn 
aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/Xmw8XGNbHzI\/android-malware-targets-diabetic-patients.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/android-malware-targets-diabetic-patients\/_jcr_content\/root\/responsivegrid\/image_884119419.img.png\/1580339565562\/malware-diabetes-one.png\"\/><br \/>Read FortiGuard Labs&#8217; analysis of a recent Android malware targeting diabetic patients.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17604","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17604"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17604\/revisions"}]
,"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17604"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}