Multi-stage malware sneaks into Google Play


Another set of malicious apps has made it into the official Android app store. Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these apps form a new family of multi-stage Android malware, legitimate-looking and with delayed onset of malicious activity.

We have discovered eight apps of this malware family on Google Play and notified Google’s security team about the issue. Google has removed all eight apps from its store; users with Google Play Protect enabled are protected via this mechanism.

Figure 1 – Six of the multi-stage downloaders discovered on Google Play

None of the apps in question had reached more than a few thousand installs according to Google Play's own counters (see the IoC table below). Regardless, their advanced anti-detection features make this malware family interesting.

Anti-detection features

These malware samples all employ a multi-stage architecture and encryption to stay under the radar.

After being downloaded and installed, these apps do not request any suspicious permissions and even mimic the activity the user expects them to exhibit.

Alongside this expected behaviour, the app decrypts and executes the first-stage payload. That payload in turn decrypts and executes the second-stage payload, which is stored, encrypted, in the assets of the app downloaded from Google Play. Neither step is visible to the user; splitting the logic into encrypted stages exists purely to frustrate static analysis and store-side scanning.

Figure 2 – Execution model of Android/TrojanDropper.Agent.BKY

The second-stage payload contains a hardcoded URL, from which it downloads another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user is prompted to install the downloaded app.

The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions.

Figure 3 – Installation request for the third-stage payload

Once installed and granted the permissions it requested, the third-stage app decrypts and executes the fourth, and final, payload.

In all the cases we investigated, the final payload was a mobile banking trojan. Once installed, it behaves like a typical malicious app of this kind: it may present the user with fake login forms to steal credentials or credit card details.
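The staging described above leaves two things an analyst can check statically without running the sample: the SHA-1 of a suspect APK against the hashes in the IoC table further down, and assets entries whose byte distribution looks encrypted rather than like text, images or other ordinary resources. The following script is an added example, not ESET's tooling or the malware's own code; the entropy threshold of 7.5 bits per byte and the minimum size are an analyst's heuristic assumed here, and the APK it analyses is a constructed stand-in built in memory, not a real sample.

```python
import hashlib
import io
import math
import random
import zipfile
from collections import Counter

# SHA-1 hashes from the IoC table of this article (lower-cased for comparison)
IOC_SHA1 = {
    "9ab5a05bc3c8f1931a3a49278e18d2116f529704",
    "2e47c816a517548a0fbf809324d63868708d00d0",
    "de64139e6e91ac0dde755d2ef49d60251984652f",
    "6ab844c8fd654aaec29dac095214f4430012ee0e",
    "c8dd6815f30367695938a7613c11e029055279a2",
    "47442bfdfbc0fb350b8b30271c310fe44ffb119a",
    "604e6dcdf1fa1f7b5a85892ac3761bed81405bf6",
    "532079b31e3acef2d71c75b31d77480304b2f7b9",
}

# Assumed analyst heuristics (not from the article): encrypted or compressed
# blobs approach 8 bits/byte; plain resources sit well below that.
ENTROPY_THRESHOLD = 7.5
MIN_ASSET_SIZE = 1024


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage: IoC hash match plus assets that look like an encrypted stage."""
    result = {"sha1": sha1_of(apk_bytes), "known_ioc": False, "suspicious_assets": []}
    result["known_ioc"] = result["sha1"] in IOC_SHA1
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            ent = shannon_entropy(data)
            if len(data) >= MIN_ASSET_SIZE and ent >= ENTROPY_THRESHOLD:
                result["suspicious_assets"].append((info.filename, round(ent, 2)))
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (an APK is a zip): one plain asset, one that
    looks encrypted. Deterministic pseudo-random bytes stand in for the ciphertext."""
    rng = random.Random(20171114)
    blob = bytes(rng.getrandbits(8) for _ in range(8192))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("assets/strings.txt", b"Clean your phone now!\n" * 50)
        zf.writestr("assets/data.bin", blob)  # where the real family hides its encrypted second stage
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A hit on the hash set is conclusive for the eight listed droppers; the entropy check is only a lead, since legitimate apps also ship compressed or encrypted assets, so it should send a sample to a sandbox rather than decide anything on its own.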

One of the malicious apps downloads its final payload using the bit.ly URL shortener. Thanks to this, we were able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times with the vast majority of hits coming from the Netherlands.

Figure 4 – Download stats for the final payload of one of the malicious apps, as of November 14, 2017

Two of the most recent samples of Android/TrojanDropper.Agent.BKY were caught downloading either MazarBot, a notorious banking trojan, or spyware.

Given its nature, this downloader can deliver any payload of the criminals' choice, as long as that payload is not flagged by Google Play Protect.

How to get rid of it

If you've downloaded any of these apps, you need to (i) deactivate admin rights for the installed payload, (ii) uninstall the surreptitiously-installed payload and (iii) uninstall the app downloaded from the Play Store. The order matters: Android will not let you uninstall an app while it is still an active device administrator.

  • To deactivate admin rights for the installed payload, go to Settings > (General) > Security > Device administrators and search for Adobe Flash Player, Adobe Update or Android Update.
  • To uninstall the installed payload, go to Settings > (General) > Application manager/Apps and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.
  • To uninstall the malicious app downloaded from the Play store, go to Settings > (General) > Application manager/Apps and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн or Слоты Онлайн Клуб Игровые Автоматы.

Note that the settings structure may vary slightly depending on Android version.
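For anyone cleaning more than one handset, the same three steps can be driven over adb. The script below is an added example, not part of the article: it matches the output of `adb shell pm list packages` against the eight dropper package names from the IoC table, lists active device administrators from `adb shell dumpsys device_policy` so the payload (which the article identifies only by its display label, not its package name) can be reviewed and revoked first, and emits the uninstall commands for the droppers. The dumpsys line layout it parses and the sample device output it runs on are constructed for the example; the package `com.android.update.flash` is fictional.

```python
import re
from typing import Dict, List

# Dropper package names from the IoC table of this article
IOC_PACKAGES = {
    "com.fleeeishei.erabladmounsem",
    "com.softmuiiurket.cleanerforandroid",
    "com.expjhvjhertsoft.bestrambooster",
    "gotov.games.toppro",
    "slots.forgame.vul",
    "com.bucholregaum.hampelpa",
    "com.peridesuramant.worldnews",
    "com.peridesurrramant.worldnews",
}

# Display labels the third-stage payload uses, per the article (labels, not package names)
PAYLOAD_LABELS = ("Adobe Flash Player", "Adobe Update", "Android Update")

# Assumed layout of "dumpsys device_policy": admin components appear as
# "    pkg/.Receiver:" lines under "Enabled Device Admins".
ADMIN_RE = re.compile(r"^\s*([a-z][\w.]*)/(\.?[\w.]+):\s*$")


def installed_iocs(pm_output: str) -> List[str]:
    """Packages from 'pm list packages' output that are known droppers."""
    found = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[len("package:"):] in IOC_PACKAGES:
            found.append(line[len("package:"):])
    return sorted(found)


def active_admins(dumpsys_output: str) -> List[str]:
    """Device-administrator components (pkg/receiver) found in dumpsys output."""
    return [f"{m.group(1)}/{m.group(2)}"
            for m in (ADMIN_RE.match(l) for l in dumpsys_output.splitlines()) if m]


def remediation_plan(pm_output: str, dumpsys_output: str) -> Dict[str, List[str]]:
    """Steps in the order the article gives: revoke admin, remove payload, remove dropper."""
    droppers = installed_iocs(pm_output)
    admins = active_admins(dumpsys_output)
    steps = []
    for comp in admins:
        pkg = comp.split("/")[0]
        steps.append(f"# review admin {comp}: if its label is one of {PAYLOAD_LABELS}, "
                     f"revoke it in Settings > Security > Device administrators, then: "
                     f"adb shell pm uninstall --user 0 {pkg}")
    for pkg in droppers:
        steps.append(f"adb shell pm uninstall --user 0 {pkg}")
    return {"droppers": droppers, "admins": admins, "steps": steps}


# Constructed sample device output (not captured from a real infection)
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.peridesuramant.worldnews
package:com.android.update.flash
"""
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.update.flash/.AdminReceiver:
      uid=10234
      policies:
        force-lock
"""

if __name__ == "__main__":
    for step in remediation_plan(SAMPLE_PM_LIST, SAMPLE_DUMPSYS)["steps"]:
        print(step)
```

On a live device, feed it the real output of `adb shell pm list packages` and `adb shell dumpsys device_policy`; admin revocation is deliberately left to a human, since the payload's package name is not published and a device admin that happens to be a legitimate MDM client must not be removed blindly.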

How to stay protected

Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.

IoCs

Package name | Available since | Installs | SHA-1
com.fleeeishei.erabladmounsem | October 16, 2017 | 1,000 – 5,000 | 9AB5A05BC3C8F1931A3A49278E18D2116F529704
com.softmuiiurket.cleanerforandroid | October 3, 2017 | 50 – 100 | 2E47C816A517548A0FBF809324D63868708D00D0
com.expjhvjhertsoft.bestrambooster | September 29, 2017 | 500 – 1,000 | DE64139E6E91AC0DDE755D2EF49D60251984652F
gotov.games.toppro | October 7, 2017 | 1,000 – 5,000 | 6AB844C8FD654AAEC29DAC095214F4430012EE0E
slots.forgame.vul | October 6, 2017 | 10 – 50 | C8DD6815F30367695938A7613C11E029055279A2
com.bucholregaum.hampelpa | October 9, 2017 | 100 – 500 | 47442BFDFBC0FB350B8B30271C310FE44FFB119A
com.peridesuramant.worldnews | October 19, 2017 | 100 – 500 | 604E6DCDF1FA1F7B5A85892AC3761BED81405BF6
com.peridesurrramant.worldnews | October 20, 2017 | 100 – 500 | 532079B31E3ACEF2D71C75B31D77480304B2F7B9

Hardcoded domains hosting links to the third-stage payloads

loaderclientarea24.ru
loaderclientarea22.ru
loaderclientarea20.ru
loaderclientarea15.ru
loaderclientarea13.ru

Written by Lukas Stefanko, ESET WeLiveSecurity

