Introduction

Since the beginning of 2018, researchers in Zimperium’s zLabs have been tracking a rise in the frequency and sophistication of applications that have been loaded outside of the official Google Play Store. Many of these have leveraged social engineering techniques such as duplicate Play Stores.

At the start of August, zLabs decided to take a look at some previously unknown malware samples that Zimperium’s z9 machine learning-based engine detected in the first half of the year. z9 for Mobile Malware is the only machine learning-based engine capable of detecting previously unknown malware on-device in real-time. One of these apps, “Play Market”, seems to be part of a campaign targeted at monetization through the abuse of advertisements and subscriptions. To help illustrate the threat of apps loaded outside of the Play Store, our analysis of Play Market follows.

Behavior

Play Market shows a collection of interesting behaviors that are clearly designed for persistence and to trick users into starting the execution the first time, namely:

• It mimics the Google Play Store application using the same logo and application icon and has “Play Market” as its label; this is clearly a common trick to deceive the user into opening the malware at least once as show here:
  
• Once the application has been opened, the MainActivity sets two properties called DONT_KILL_APP and COMPONENT_ENABLED_STATE_DISABLED which hide the application’s icon from the drawer (and forced our analyst to re-enable the component via adb to re-launch it);
• The AndroidManifest.xml exports a Broadcast Receiver with the intent-filter android.provider.Telephony.SMS_RECEIVED; the only action of the onReceive method is to abort the further broadcasting of the SMS_RECEIVED message;

• One of the classes exports some interesting utility methods: a method to disable the WiFi connection, one to enable the mobile data connection (via reflection) and one to set the ringer mode to RINGER_MODE_SILENT (avoiding vibration and sound notifications);

• The MainActivity also takes care of inviting the user to enable access to the DevicePolicyManager (the included configuration is the default one). The malware author crafted two messages to trick the user into enabling the access and possibly not revoking it. In fact, while the Device Admin is active, the application cannot be uninstalled:
  • “Для продолжения установки требуется доступ к памяти устройства, подтвердите доступ” which translates to “To continue the installation, you need to access the device’s memory, confirm access”;
  • “Отключение данной функции может навредить вашему телефону или планшету, вы согласны ?” which translates to “Disabling this feature can damage your phone or tablet, do you agree?”

The aforementioned list of interesting techniques is actively combined with the main chain of events executed by the application:

• • The application declares two methods to fetch the content from an URL and to load web pages into a WebView with JavaScript enabled. The main URL embedded in the application is http://cpw.00xff.net/p.php and it’s loaded with the device information (v is the device API version, im is the device IMEI, sv is the device Android version) and the parameter act with the following values:
    • gettype: in our tests it always returned the string “full”; the “full” response instruct the application to disable the WiFi and forcibly enable the mobile data, then to execute the requests with actions “getcont” and “getrul”;
    • getcont: returns the russian string “подп|стоимость” which translated to “sub|cost of”;
    • land or adv: fetches an URL that redirects to advertisement or subscription websites;
    • getrul: downloads a sequence of JavaScript codes that are split, loaded in the WebView and clearly used to automate the clicking of Ads and subscription buttons.

• After the first execution, the application also sets up timers to execute the advertisement and subscription fetching to every 24 hours or 1 hour. The AndroidManifest.xml also exports Broadcast Receiver to start the execution after a reboot.
• Every time the auto-click functionality kicks in, the user is completely unaware of it because the whole execution takes place in a hidden WebView.

Downloaded JavaScript code

The following is an example of downloaded JavaScript code. After splitting on the ||| separator (which is used as lines separator) and the || separator (which is used as elements separator), we obtain the following:

As can be seen, it contains ad-hoc written javascript calls to fill forms and click buttons. This kind of code is traditionally used by clickers. Also, it contains several URLs proving that the author is trying to trigger particular events in carefully selected sites.

Additional information

Although completely unrelated to the main execution chain, the application includes a file named htrerfgh (md5 e80e8801bebf93fd26c37cca85f32cb6) in the Assets folder. It turned out to be an MP4 video with a few seconds of the “Never Gonna Give You Up” song by Rick Astley, and after some seconds, the face of Rick Astley is changed to the face of Rick Harrison.

IOCs

During dynamic analysis, some domains have been contacted by the malware, either during the configuration phase or during the execution of the advertisement and subscription auto-click tasks, and they change based on the localization of the request.

The configuration domain embedded in the APK is cpw.00xff.net, while some of the domains contacted for advertising and subscription are:

• di6sartote.ru
• blw4-1.com
• marcaapuestas.es
• mpsnare.iesnare.com
• r.remarketingpixel.com
• tracking.perfecttoolmedia.com
• stats.g.doubleclick.net
• 7xc4n.com

The hashes of the sample are:

• MD5: 4aa837d0fc1bf57b1e5df3884b6cfc71
• SHA1: 8df961d3722fcd02a5e14e51c2cf14821d40f9bb
• SHA256: 38dead873bc40db7c6ecfc57c24b33758c4443a62cb179378401f1796cf3c11c

App Metadata

Application Name: Play Market

Package Name: com.tosveokrtbv.xjortnrkl
SHA256:  38dead873bc40db7c6ecfc57c24b33758c4443a62cb179378401f1796cf3c11c

Availability: The sample wasn’t available on the Play Store and is not available on VirusTotal

Initial z9 Detection: Detected by z9 for Malware on January 1st, 2018

Conclusion

Like it has for numerous other samples this year, Zimperium’s z9 machine learning-based engine detected these samples while other vendors did not… both at initial sample time and even currently.