{"id":8511,"date":"2017-07-31T07:10:01","date_gmt":"2017-07-31T15:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/31\/news-2285\/"},"modified":"2017-07-31T07:10:01","modified_gmt":"2017-07-31T15:10:01","slug":"news-2285","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/31\/news-2285\/","title":{"rendered":"Mobile Menace Monday: Malicious clicker with extra maliciousness included"},"content":{"rendered":"<p><strong>Credit to Author: Nathan Collier| Date: Mon, 31 Jul 2017 14:00:42 +0000<\/strong><\/p>\n<p>A new malicious clicker has emerged onto third-party app stores. Chinese in origin, the malicious app uses heavy obfuscation and poses as a battery optimizer app. We classify it as <em>Android\/Trojan.Clicker.hyj<\/em>.<\/p>\n<h3>Hide what\u2019s inside<\/h3>\n<p>To obfuscate its code, Clicker.hyj uses an APK inside another APK that hooks into the malicious code \u2014 allow me to explain. Let\u2019s call the original APK that gets installed from a third-party app store onto the Android device the shell APK. After installation, the shell APK hooks into another APK, which is held in the shell APK\u2019s data folder \u2014 let\u2019s call this the executing APK. The executing APK holds all the malicious code, while the shell APK contains only simple code that runs some libraries that do the hooking of the executing APK. Looking at the shell APK code, there isn\u2019t much to it. Because of its simplicity, it could easily be overlooked by malware researchers and\/or scanners.<\/p>\n<p>It\u2019s important to note that the executing APK cannot be installed on an Android device alone \u2014 it must be run via the shell APK.<\/p>\n<h3>The meaty badness<\/h3>\n<p>The executing APK holds all the meaty badness. 
Within the executing APK\u2019s <em>assets <\/em>folder are several JavaScript files. These JavaScript files are base64 encoded (encoding, not encryption) and layered with further obfuscation on top of that. The JavaScript files are used to perform various actions when URLs are piped to them via code within the executing APK.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19014\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/pipe_url.jpg\" alt=\"\" width=\"572\" height=\"134\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/pipe_url.jpg 572w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/pipe_url-300x70.jpg 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/p>\n<p>Although the code within the JavaScript files uses obfuscation, the file names are pretty telling of their actions:<\/p>\n<ul>\n<li><em>findbutton20161226.js <\/em>\u2013 Find button on webpage<\/li>\n<li><em>getcaptcha4numberl.js <\/em>\u2013 Get Captcha on webpage<\/li>\n<li><em>processurl.js <\/em>\u2013 Process URL<\/li>\n<li><em>setcaptcha4numberl.js <\/em>\u2013 Set Captcha on webpage<\/li>\n<li><em>simulationClickYes.js <\/em>\u2013 Click \u201cYes\u201d on button in webpage<\/li>\n<\/ul>\n<p>Each URL \u201cclicked\u201d earns the malware authors a small payment. 
Therefore, running the actions from the JavaScript files over and over again on a small list of URLs can accumulate revenue quickly.<\/p>\n<h3>Shortcut to maliciousness<\/h3>\n<p>Another trait of Clicker.hyj is creating a shortcut that opens up the default Web browser to a URL that is no longer active \u2014 who knows what malicious content it once contained!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-19015 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/Shortcut-338x600.png\" alt=\"\" width=\"338\" height=\"600\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/Shortcut-338x600.png 338w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/Shortcut-169x300.png 169w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/Shortcut.png 720w\" sizes=\"auto, (max-width: 338px) 100vw, 338px\" \/><\/p>\n<h3>Even more money scams<\/h3>\n<p>To gain even more revenue, Clicker.hyj sends SMS messages to everyone in the affected device\u2019s contact list. These SMS messages attempt to trick each recipient into subscribing to a pay-for-service via SMS:<\/p>\n<pre><em>This application has Asia's largest video library, <\/em>  <em>is now to super preferential price of the massive broadcasting,<\/em>  <em>constantly surprises.<\/em>  <em>Just sms registration can receive various hot video.<\/em>  <em>You want to hear our act in pettish,<\/em>  <em>you want to take a look at the beauty of the hot body,<\/em>  <em>Only INR30.00. immediately at the click of a button,<\/em>  <em>fast join us! Wonderful content is absolutely not to be missed!  
<\/em><\/pre>\n<p>Anyone who subscribes to the &#8220;service&#8221; sees an extra charge appear on their phone bill each month.<\/p>\n<h3>All about the $$$<\/h3>\n<p>Crooks know there is real money in mobile malware \u2014 consequently, we will continue to see the rise of malware like Clicker.hyj.<\/p>\n<p>In conclusion, be wary of installing third-party apps from untrusted app stores. It is also a good idea to always have a scanner installed on your phone like <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=org.malwarebytes.antimalware&amp;hl=en\" target=\"_blank\" rel=\"noopener\">Malwarebytes anti-malware mobile<\/a> \u2014 which, for the record, is FREE.<\/p>\n<p>Stay safe out there!<\/p>\n<p><em>Nathan Collier<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/mobile-menace-monday-malicious-clicker-with-extra-maliciousness-included\/\">Mobile Menace Monday: Malicious clicker with extra maliciousness included<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Nathan Collier| Date: Mon, 31 Jul 2017 14:00:42 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/mobile-menace-monday-malicious-clicker-with-extra-maliciousness-included\/' title='Mobile Menace Monday: Malicious clicker with extra maliciousness included'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/photodune-10296879-surprised-man-reading-bad-news-on-smartphone-s-899x506.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>A 
new malicious clicker has emerged onto third-party app stores.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/mobile\/\" rel=\"category tag\">Mobile<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/android\/\" rel=\"tag\">Android<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/clicker\/\" rel=\"tag\">clicker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/clicker-hyj\/\" rel=\"tag\">Clicker.hyj<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sms-scam\/\" rel=\"tag\">sms scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/triple-m\/\" rel=\"tag\">triple m<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/mobile-menace-monday-malicious-clicker-with-extra-maliciousness-included\/' title='Mobile Menace Monday: Malicious clicker with extra maliciousness included'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/mobile-menace-monday-malicious-clicker-with-extra-maliciousness-included\/\">Mobile Menace Monday: Malicious clicker with extra maliciousness included<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10462,13227,13228,4503,3764,10554,13229,10556],"class_list":["post-8511","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-android","tag-clicker","tag-clicker-hyj","tag-cybercrime","tag-malware","tag-mobile","tag-sms-scam","tag-triple-m"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8511"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8511\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
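The post describes two traits worth checking for statically: a shell APK that carries a second "executing" APK and loads it at runtime, and JavaScript under assets/ that is mostly base64 blobs. The script below is an added example, not code from the post or from Malwarebytes, and it does not contain any signature for Clicker.hyj. It assumes the carried payload can be found inside the shell APK's own assets/ directory (the post says it is held in the app's data folder on the device, so a real triage would also pull that directory from the device). The DEX string list, the 0.5 base64-density threshold and the sample APKs are all constructed for the example.

```python
"""Static triage for a 'shell APK' that carries a second APK and loads it at runtime.

Added example (not from the Malwarebytes post). Both sample APKs are built in memory
so the script runs offline; they only mimic the layout the post describes.
"""
import base64
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
# DEX string constants worth flagging. This list is an assumption for the example,
# not a signature published with the post.
SUSPECT_DEX_STRINGS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/PathClassLoader",
    b"android/telephony/SmsManager",
    b"sendTextMessage",
    b"com.android.launcher.action.INSTALL_SHORTCUT",
)
DEX_SLOT = re.compile(r"classes\d*\.dex")          # the legitimate code slots of an APK
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs


def base64_density(data: bytes) -> float:
    """Fraction of a file covered by long base64-looking runs (0.0 for empty input)."""
    if not data:
        return 0.0
    covered = sum(len(m.group(0)) for m in B64_RUN.finditer(data))
    return covered / len(data)


def triage_apk(apk_bytes: bytes, prefix: str = "") -> dict:
    """Walk an APK (a ZIP) and collect the traits described in the post.

    A ZIP under assets/ is treated as a carried payload and recursed into, so an
    obfuscated JS file inside the executing APK is reported as '<outer>!<inner>'.
    """
    findings = {"embedded_payloads": [], "obfuscated_js": [], "dex_strings": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(name)
            full = prefix + name
            if data.startswith(DEX_MAGIC):
                # A DEX outside the classesN.dex slots is code the app did not ship openly.
                if not DEX_SLOT.fullmatch(name):
                    findings["embedded_payloads"].append(full)
                for s in SUSPECT_DEX_STRINGS:
                    if s in data:
                        findings["dex_strings"].append(f"{full}:{s.decode()}")
            elif data.startswith(ZIP_MAGIC) and name.startswith("assets/"):
                findings["embedded_payloads"].append(full)
                try:
                    inner = triage_apk(data, full + "!")
                except zipfile.BadZipFile:
                    continue
                for key in findings:
                    findings[key].extend(inner[key])
            elif name.startswith("assets/") and name.endswith(".js") and base64_density(data) > 0.5:
                findings["obfuscated_js"].append(full)
    return findings


def verdict(findings: dict) -> str:
    """Coarse label: a loader both carries a payload and can load classes at runtime."""
    loads_code = any(s.endswith(("DexClassLoader", "PathClassLoader")) for s in findings["dex_strings"])
    if findings["embedded_payloads"] and loads_code:
        return "shell-apk loader"
    if findings["embedded_payloads"] or findings["obfuscated_js"]:
        return "suspicious"
    return "clean"


def _fake_dex(*strings: bytes) -> bytes:
    """Constructed stand-in for a DEX file: correct magic, then the given string constants."""
    return DEX_MAGIC + b"035\x00" + b"\x00" * 64 + b"\x00".join(strings) + b"\x00"


def build_sample_shell_apk() -> bytes:
    """Constructed sample: a thin shell APK carrying an 'executing' APK under assets/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", _fake_dex(b"android/telephony/SmsManager", b"sendTextMessage"))
        blob = base64.b64encode(b"document.querySelector('button').click();" * 3)
        z.writestr("assets/findbutton20161226.js", b"eval(atob('" + blob + b"'));")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 32)
        z.writestr("classes.dex", _fake_dex(b"dalvik/system/DexClassLoader", b"loadClass"))
        z.writestr("assets/data/payload.bin", inner.getvalue())
        z.writestr("assets/help.js", b"function help() { return 'battery saver'; }\n")
    return outer.getvalue()


def build_benign_apk() -> bytes:
    """Constructed sample with no carried payload and plain JS."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 32)
        z.writestr("classes.dex", _fake_dex(b"android/app/Activity"))
        z.writestr("assets/help.js", b"function help() { return 'battery saver'; }\n")
    return out.getvalue()


if __name__ == "__main__":
    f = triage_apk(build_sample_shell_apk())
    print(verdict(f), f)
```

The scan stays shallow on purpose: magic bytes and string constants are cheap to check and hard to hide without also breaking the loader, which is exactly why a shell APK with a near-empty classes.dex plus a DexClassLoader reference deserves a second look even when nothing in it is itself malicious.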