Authored by Dexter Shin
McAfee Cell Analysis Staff discovered an Android banking trojan signed with a key utilized by reliable apps in South Korea final yr. By design, Android requires that each one purposes should be signed with a key, in different phrases a keystore, to allow them to be put in or replaced. As a result of this key can solely be utilized by the developer who created it, an software signed with the identical key is assumed to belong to the identical developer. That’s the case of this Android banking trojan that makes use of this reliable signing key to bypass signature-based detection strategies. And these banking trojans weren’t distributed on Google Play or official app shops till now. This menace had been disclosed to the firm that owns the reliable key final yr and the firm has taken precautions. The firm has confirmed that they’ve changed the signing key and at present, all of their reliable apps are signed with a brand new signing key.
Android malware utilizing a reliable signing key
Whereas monitoring the Android banking trojan Fakecalls we discovered a pattern utilizing the identical signing key as a effectively–identified app in Korea. This app is developed by a respected IT companies firm with in depth enterprisees throughout varied sectors, together with however not restricted to IT, gaming, fee, and advertising. We confirmed that a lot of the malicious samples utilizing this key faux to be a financial institutioning app as they use the similar icon as the actual banking apps.
Determine 1. Malware and reliable app on Google Play
Distribution methodology and newest status
Domains verified final August after we first found the samples are actually down. Nonetheless, we investigated URLs associated to this malware and we discovered related ones associated to this menace. Amongst them, we recognized a phishing web site that is nonetheless alive throughout our analysis. The location can also be disguised as a banking web site.
Determine 2. A phishing web page disguised as a Korean banking web site
We additionally discovered that they up to date the area data of this internet web page a couple of days earlier than our investigation.
So we took a deeper look into this area and we discovered extra uncommon IP addresses that led us to the Command and control(C2) server admin pages utilized by the cybercriminals to manage the contaminated gadgets.
Determine 3. Fakecalls Command and management(C2) admin web pages
How does it work
When we verify the APK file construction, we will see that this malware makes use of a packer to keep away from evaluation and detection. The malicious code is encrypted in one of many recordsdata beneath.
Determine 4. Tencent’s Legu Packer libraries
After decrypting the DEX file, we discovered some uncommon performance. The code beneath will get the Android bundle data from a file with a HTML extension.
Determine 5. Questionable code within the decrypted DEX file
This file is in truth one other APK (Android Software) moderately than a conventional HTML file designed to be displayed in an online browser.
Determine 6. APK file disguised as an HTML file
When the consumer launches the malware, it instantly asks for permission to put in one other app. Then it tries to put in an software saved in the “belongings” listing as “introduction.html”. The “introduction.html” is an APK file and actual malicious conduct occurs right here.
Determine 7. Dropper asks you to put in the primary payload
When the dropped payload is about to be put in, it asks for a number of permissions to entry delicate private data.
Determine 8. Permissions required by the primary malicious software
It additionally registers a number of companies and receivers to manage notifications from the machine and to obtain instructions from a distant Command and Management server.
Determine 9. Companies and receivers registered by the primary payload
Against this, the malware makes use of a reliable push SDK to obtain commands from a distant server. Listed below are the full listing of instructions and their function.
| Command title | Objective |
| be aware | sms message add |
| incoming_transfer | caller quantity add |
| del_phone_record | delete name log |
| zhuanyi | set name forwarding with parameter |
| clear_note | delete sms message |
| assign_zhuanyi | set name forwarding |
| file | file add |
| lanjie | block sms message from specified numbers |
| allfiles | discover all doable recordsdata and add them |
| email_send | ship e-mail |
| record_telephone | name recording on |
| inout | re-mapping on C2 server |
| blacklist | register as blacklist |
| listener_num | no perform |
| no_listener_num | disable monitoring a selected quantity |
| rebuild | reset and reconnect with C2 |
| deleteFile | delete file |
| num_address_list | contacts add |
| addContact | add contacts |
| all_address_list | name file add |
| deleteContact | delete contacts |
| note_intercept | intercept sms message from specified numbers |
| intercept_all_phone | intercept sms message from all |
| clear_date | delete all file |
| clear_phone_contact | delete all contacts |
| clear_phone_record | delete all name log |
| per_note | fast sms message add |
| soft_name | app title add |
Cybercriminals are continuously evolving and utilizing new methods to bypass safety checks, corresponding to abusing reliable signing keys. Happily, there was no injury to customers resulting from this signing key leak. Nonetheless, we advocate that customers set up safety software program on their gadgets to answer these threats. Additionally, customers are beneficial to obtain and use apps from the official app shops.
McAfee Cell Safety detects this menace as Android/Banker whatever the software, is signed with the beforehand reliable signing key.
Indicators of Compromise
| SHA256 | Title | Kind |
| 7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8 | 신한신청서 | Dropper |
| 9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda | 신한신청서 | Dropper |
| 21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc | 신한신청서 | Dropper |
| 9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579 | 신한신청서 | Dropper |
| 60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2 | 보안인증서 | Banker |
| 756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6 | 보안인증서 | Banker |
| 6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6 | 보안인증서 | Banker |
| 52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b | 보안인증서 | Banker |
| 125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12 | 보안인증서 | Banker |
| a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3 | 보안인증서 | Banker |
| c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f | 보안인증서 | Banker |
| dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92 | 보안인증서 | Banker |
| e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24 | 보안인증서 | Banker |
Domains:
- http[://]o20-app.dark-app.web
- http[://]o20.orange-app.right now
- http[://]orange20.orange-app.right now
