{"id":11465,"date":"2018-02-13T09:10:23","date_gmt":"2018-02-13T17:10:23","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/13\/news-5236\/"},"modified":"2018-02-13T09:10:23","modified_gmt":"2018-02-13T17:10:23","slug":"news-5236","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/02\/13\/news-5236\/","title":{"rendered":"Kotlin-based malicious apps penetrate Google market"},"content":{"rendered":"

Credit to Author: Gleb Malygin| Date: Tue, 13 Feb 2018 16:00:00 +0000<\/strong><\/p>\n

An open-source programming language, Kotlin<\/a> is a fully-supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin,\u00a0from the hottest startups to Fortune 500 companies. (Twitter, Uber, Pinterest)<\/p>\n

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app\u2014which makes it much safer.\u00a0However, as revealed by Trend Micro researchers, the first samples of Android malware\u00a0created using Kotlin<\/a>\u00a0were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.<\/p>\n

\"\"<\/p>\n

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud<\/a>, and sign users up to premium SMS subscription services without their permission. So much for safe.<\/p>\n

Analyze this<\/h3>\n

Subsequently, after launching Swift Cleaner, the first thing the malware does is call\u00a0PspManager.initSDK, <\/em>check the phone number, and send an SMS message to the particular number that is given by the C&C server. The app initiates this to check for a SIM card presence and if mobile carrier services are available.<\/p>\n

\"\"<\/p>\n

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities.\u00a0Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.<\/p>\n

\"\"<\/p>\n

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.<\/p>\n

\"\"<\/p>\n

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP).\u00a0WAP is a technical standard for accessing information over a mobile wireless network.<\/p>\n

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA<\/a> bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the\u00a0neural network.<\/a>\u00a0Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.<\/p>\n

\"\"<\/h3>\n

Premium SMS service<\/h3>\n

The Swift Cleaner malware also uploads information about the user\u2019s service provider\u00a0along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.<\/p>\n

\"\"<\/p>\n

Premium rate SMS is a way of mobile billing where user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:<\/p>\n

    \n
  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)<\/li>\n
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)<\/li>\n<\/ol>\n

    Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.<\/p>\n

    \"\"<\/p>\n

    Neverending story<\/h3>\n

    As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play store. By using a quality mobile anti-malware scanner as second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android<\/a>. Stay safe out there!<\/p>\n

    The post Kotlin-based malicious apps penetrate Google market<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

    https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    Credit to Author: Gleb Malygin| Date: Tue, 13 Feb 2018 16:00:00 +0000<\/strong><\/p>\n\n\n\n
    <\/a><\/td>\n<\/tr>\n
    New malicious apps appear in Google Play abusing Kotlin, the “safest” official programming language for the Android.<\/p>\n

    Categories: <\/p>\n