Research Saturday 6.15.19
Ep 90 | 6.15.19

Apps on third-party Android store carry unwelcome code.


Dave Bittner: [00:00:00] Hi everybody, it's Dave here with a special request. We put together a short audience survey to help us make sure we're delivering the type of publications and programs you depend on. Please take a minute and visit and answer a handful of questions. It'll only take a few minutes and it will help us out a lot. Plus, you can enter to win some fabulous CyberWire swag, so there's that. It's Thanks.

Dave Bittner: [00:00:30] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:53] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:40] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Deepen Desai: [00:02:20] As part of our daily mobile malware tracking activity, there are several third-party app stores as well as app stores that are not known before. But we see payloads being downloaded from there.

Dave Bittner: [00:02:34] That's Deepen Desai. He's vice president of security research and operations at Zscaler. The research we're discussing today is titled, "From third-party Android store to SMS Trojan."

Deepen Desai: [00:02:44] So in this case, it was Android packages. We saw about forty-nine different android packages that were downloaded from this location, which is what got the researchers interested in digging more. And that's how we discovered this campaign and the fake malicious app store.

Dave Bittner: [00:03:01] In the research that you published here, I mean, one of the first things you have is an image of this app store, and I guess we should say that this is something that's fairly common on the Android side of things, these third-party app stores?

Deepen Desai: [00:03:13] Yeah. Third-party app stores are fairly common on Android side, for sure.

Dave Bittner: [00:03:17] Looking at the images that you posted of these, it's funny to me how the games look similar to games we know about. There's one called Crazy Birds, which of course looks like Angry Birds. There's Super Bro's Run, which I guess looks like Super Mario Brothers Run, and Bubble Candy, which I suppose is supposed to be Candy Crush, and Tetrix Blocks, which is supposed to be Tetris. So, they're all similar, but not quite the original games.

Deepen Desai: [00:03:42] Right. Yeah, that's that's a good point, and that's what we noticed as well, like, all of these are sort of a renamed version of some of the popular games. And Crazy Birds and Super Bros are the ones that we have also mentioned in the blog, screenshots, they look very, very similar. So yeah, I believe the intention over here was to attract users' attention and get that package downloaded on the user's cellphone device. The delivery mechanism goes through the web, so the user should have clicked, or it would have been a drive-by download from another website that they use and was already visiting.

Dave Bittner: [00:04:18] So, if someone is on this site that is pretending to be a third-party app store, and they click to download one of these apps, what happens next?

Deepen Desai: [00:04:27] So, once a user installs the app and tries to run the game, there is no icon present on the dashboard, right? So, because there is no game, the user will not be able to start anything after the installation is complete. But in the back end, the app is actually running, and it starts sending SMS messages. It communicates with the command-and-control server, where it reports the infected device and waits for further instructions from there.

Dave Bittner: [00:04:57] Now, it's interesting because, again, one of the screenshots that you have here, you show someone's screen on their Android device and there's just a blank space. So, where it's been installed, like you say, there's no app icon, there's no app name, but something does happen if you click in that blank space.

Deepen Desai: [00:05:13] So, when you click on that blank area, what will happen is you will get a page, and that will again point the user to one of those two fake malicious app store screens that you can see in the blog as well. One of them says "Smart World" and the other one is "Sexy World," and with it, any of them, you're going to see again the host of apps that pretends to be some of the popular apps out there - a different name.

Dave Bittner: [00:05:39] Also, when you click on one of those, it attempts to escalate your privileges?

Deepen Desai: [00:05:43] It will attempt to get the admin privileges. And we've shown the screenshot where, you know, the user will have to activate the administrator privilege for the app, and that's when the activity will start.

Dave Bittner: [00:05:55] Yeah. It's an interesting little bit of social engineering there - it says, "To view all the porn videos you need to update. Click to activate." I could imagine that could grab some people's attention.

Deepen Desai: [00:06:07] (Laughs) Yeah. That has happened in the past as well, right? Remember Porn Droid? As well as many other porn-based ransomware as well, where, you know, user falls for this, and then you will see a totally different screen - no video there.

Dave Bittner: [00:06:20] Right. And so, once you've given this app your admin rights, what happens next?

Deepen Desai: [00:06:26] So, once the app receives the admin right, it will then collect information off the infected device. It will then relay information such as what's the Android version that's running on the system, device ID, country code - all of that information is then relayed to a remote command-and-control server. In response to that, the server will then act - the information that it receives from the infected device, and it will then further instruct the device to perform malicious activity.

Dave Bittner: [00:06:56] And what malicious activity does it want to the device to do then?

Deepen Desai: [00:07:00] So, the one that we saw during the course of analysis was sending text messages to random numbers, and these numbers could not be random, but we weren't able to connect the dots. The numbers were legitimate, and the list of messages that we saw are also listed in our blog. But, again, we didn't make any sense out of this, so for now, we're calling this spam messages. But there were certain strings that were related to politics. So, one of the potential uses for the author to send politically motivated messages as well through the infected devices, and that the author doesn't have to pay the bills, it's the device owner that gets charged for that.

Dave Bittner: [00:07:42] Yeah, it's interesting. I mean, I'm looking through the list of SMS messages that were sent, and it's a wide gamut from, you know, stuff that's a little naughty, you know, porn kind of things, to political things, and some things that just sort of seem nonsensical. I wonder, are they trying to, you know, hide some sort of signal in the noise there?

Deepen Desai: [00:07:59] That could be a possibility. And the other thing was this is a fairly new campaign that we saw, so one of our researchers believed that this is a malware that is still in testing phase...

Dave Bittner: [00:08:10] Hmm.

Deepen Desai: [00:08:10] ...And it could be leveraged at an intended time later on.

Dave Bittner: [00:08:14] And do you have any sense for what the source of this, who's behind it?

Deepen Desai: [00:08:17] We do not.

Dave Bittner: [00:08:19] OK. How widespread is it? How much are you seeing of this?

Deepen Desai: [00:08:23] We saw about forty-nine different transactions. When I say transactions, these are unique payloads that were pretending to be different games. We have listed all of those file hashes in our blog as well. We saw three domains involved. These are domains where the infected devices would communicate back after the user's device has been infected. This was during a 90-day period of us tracking this activity.

Dave Bittner: [00:08:49] Is this something you've still got your eye on to see if it gets past this sort of perceived testing phase?

Deepen Desai: [00:08:55] Absolutely. So, we were tracking this a few different ways in our cloud, but this app has been fingerprinted and we are looking for any other variants brought from static point of view - that is, minor changes in the code - as well as activity point of view - that is, the behavior it exhibits at network level.

Dave Bittner: [00:09:15] When you look at what's going on here, how do you rank the sophistication of these efforts?

Deepen Desai: [00:09:20] It is not that sophisticated. I would say this is pure luring the user with something enticing and then having them click and do the standard install process. We didn't see anything sophisticated, any obfuscated code either in this package, so it's fairly basic.

Dave Bittner: [00:09:37] How much do we blame the Android ecosystem here, that these third-party app stores are so easy to spin up and and allows this to be a risk to folks?

Deepen Desai: [00:09:47] Agreed, but in the end, it's on the user, right? The device owner. They need to be prudent and only installing apps that are from official app stores. Like in this case, it's Google Play Store. Maybe, you know, downloading apps from some of the trusted, reputed third-party app store is fine, as long as the user knows what they're downloading.

Dave Bittner: [00:10:07] And what are your recommendations in terms of people best protecting themselves?

Deepen Desai: [00:10:12] Again, please be prudent on what you're downloading and installing on your devices, right? It may appear to be doing nothing when you install it, and you may forget about it, but in the back end, there is lot of activity that might be happening on your device that can lead to financial losses. So always stick to official Play Store, and be sure to know what you're downloading and installing.

Dave Bittner: [00:10:37] Now, suppose someone found themselves infected with this. What goes into remediation?

Deepen Desai: [00:10:42] Once a user discovers that he's been impacted by this payload, then the user will have to follow the standard steps of removing the app. The first step in this case would be to remove the administrator privilege of this app, and then the user will be able to uninstall the app, and the user should then reboot the device into normal mode.

Dave Bittner: [00:11:02] And as far as you can tell, that would do it. There wouldn't be anything else left behind.

Deepen Desai: [00:11:06] There wouldn't be anything left behind. We didn't see any other code associated with this package getting dropped.

Dave Bittner: [00:11:12] Yeah, I have to say, I mean, this is an interesting one as much in the sort of basic level of it. It's almost kind of clumsy in the way that it presents things and installs things, but I suppose it works.

Deepen Desai: [00:11:24] It does work. And like I said, it might be just the start of this campaign. We might seem many more payloads, or the existing payloads might get additional instructions from the C&C server, and we might be able to see additional activity out of this.

Dave Bittner: [00:11:45] Our thanks to Deepen Desai from Zscaler for joining us. The research is titled, "From third-party Android store to SMS Trojan." We'll have a link in the show notes.

Dave Bittner: [00:11:55] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:12:04] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:12:11] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical Editor, Chris Russell. Our staff writer is Tim Nodar. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.