Google Play apps steal texts and pepper you with unauthorized purchases

Getty Images

Security researchers have uncovered a batch of Google Play apps that stole customers’ textual content messages and made unauthorized purchases on customers’ dime.

The malware, which was hidden in eight apps that had greater than 700,000 downloads, hijacked SMS message notifications and then made unauthorized purchases, McAfee cell researchers Sang Ryol Ryu and Chanung Pak said Monday. McAfee is looking the malware Android/Etinu.

User knowledge free for the taking

The researchers stated an investigation of the attacker-operated server that managed contaminated units confirmed it saved all types of date from customers’ telephones, together with their cell service, telephone quantity, SMS messages, IP deal with, nation, and community standing. The server additionally saved auto-renewing subscriptions, a few of which regarded like this:

No joke

The malware is reminiscent, if not an identical, to a prolific household of Android malware often known as Joker, which also steals SMS messages and indicators up customers for dear providers.

“The malware hijacks the Notification Listener to steal incoming SMS messages like Android Joker malware does, without the SMS read permission,” the researchers wrote referring to Etinu. “Like a chain system, the malware then passes the notification object to the final stage. When the notification has arisen from the default SMS package, the message is finally sent out using WebView JavaScript Interface.”

While the researchers say that Etinu is a malware household distinct from Joker, safety software program from Microsoft, Sophos, and different firms use the phrase Joker of their detection names of among the newly found malicious apps. Etinu’s decryption circulate and use of multi-stage payloads are additionally related.
buy viagra super fluox force online no prescription

The decryption flow.

The decryption circulate.


In an e-mail, McAfee’s Sang Ryol Ryu wrote: “While Etinu looks very similar to Joker, in-depth, its processes for loading payloads, encryption, targeting geographies are different from Joker.”

The Etinu payloads seem in an Android Assets folder with file names similar to “cache.bin,” “settings.bin,” “data.droid,” or “image files.”


Multi stage

As depicted within the decryption circulate diagram above, hidden malicious code in the primary set up file downloaded from Play opens an encrypted file named “1.png” and decrypts it utilizing a key that’s the identical because the bundle title. The ensuing file, “loader.dex” is then executed, leading to an HTTP POST request to the C2 server.

“Interestingly, this malware uses key management servers,” the McAfee researchers wrote. “It requests keys from the servers for the AES encrypted second payload, ‘2.png.’ And the server returns the key as the ‘s’ value of JSON. Also, this malware has self-update function. When the server responds ‘URL’ value, the content in the URL is used instead of ‘2.png’. However, servers do not always respond to the request or return the secret key.”


The apps and corresponding cryptographic hashes are:

CC2DEFEF5A14F9B4B9F27CC9F5BBB0D2FC8A729A2F4EBA20010E81A362D5560C com.pip.editor.digicam
08FA33BC138FE4835C15E45D1C1D5A81094E156EEF28D02EA8910D5F8E44D4B8 com.tremendous.coloration.hairdryer
018B705E8577F065AC6F0EDE5A8A1622820B6AEAC77D0284852CEAECF8D8460C com.hit.digicam.pip
0E2ACCFA47B782B062CC324704C1F999796F5045D9753423CF7238FE4CABBFA8 com.daynight.keyboard.wallpaper

Some of the apps seem like this:


The researchers stated they reported the apps to Google, and the corporate eliminated them.

Source link