Malicious attackers, have, managed, to, infiltrate, and populate, Google Play, with, hundreds, of rogue, applications, exposing, users, to mobile, malware, compromising, the, integrity, of, their, devices, and, exposing, them, to, misleading, advertisements. Once, a socially, engineered, user, obtains, the, application, and, execute, it, their, device, the malware, phones, back, to, a malicious URL, exposing, the, integrity, confidentiality, and, availability, of, the, device.
Malicious attackers, often, rely, on, a variety of social engineering tactics, to, obtain, access, to, a user's device, including, the use, of, compromised, publisher's accounts, obtained, through, data mining, of botnet's of infected, population. Once, access, to, a particular, publisher's account, is, obtained, the malicious attackers, would, attempt, to use, a do-it-yourself, type, of, mobile, malware, generating tool, for, the, purpose, of, modifying, a legitimate, application, for, the, purpose, of, obtaining, access, to, a user's device.
Malicious attackers, are, also, known, to rely, on secondary, marketplaces, for, the, purpose, of, attempting, to, obtain, access, to user's, device, with, the, secondary, marketplaces, populated, with, rogue, and compromised, applications.
Once, a, socially, engineered, user, obtains, an, application, their, device, automatically, becomes, part, of, a, malicious attacker's, botnet, with, the malicious, attackers, relying on, a multitude, of monetization techniques, while, earning, fraudulently, obtained, revenue, in, the, process. Malicious attackers, are, also, known, to, rely, on, rogue, and, fraudulent, affiliate networks, for, the, purpose, of, monetizing, access, to, the, obtained, hosts, through, a, variety, of, rogue, advertising, networks, largely, set, up, for, the, purpose, of, earning, fraudulent, revenue, for, the, malicious attackers.
These affiliate networks, are, known, to, provide, managed, support, including, the, systematic, rotation of the command and control, server, and, the, availability, of, various, templates, empowering, malicious attackers, with, access, to, a, variety, of, fraudulent techniques, allowing, them, to, easily, monetize, access, to, the, infected hosts.
In this post, we'll profile, profile, the, Android.Spy.277.origin, mobile, malware, found, on hundreds, of applications, at Google Play, expose, the, malicious, infrastructure, behind, it, provide, MD5s, and, discuss, in, depth, the, various tactics, techniques, and procedures, utilized, by, malicious, attackers, for, the purpose, of, spreading, mobile, malware, attempting, to, trick, users, into, executing, malicious software, on their, devices.
Sample detection rate for a sample malware:
MD5: a51d7f8413aa3857a4682fa631d39054
Once executed the sample phones back to the following C&C server:
hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113
The same malicious C&C server (startappexchange.com) is also known to have responded to the following IPs:
23.15.5.200
23.63.227.171
95.101.2.24
23.62.239.19
96.6.122.67
23.15.5.205
23.62.236.98
61.213.181.153
23.63.227.208
23.63.227.192
23.3.13.65
96.6.122.74
23.3.13.58
23.62.236.74
184.50.232.74
184.84.243.57
217.7.48.104
217.7.48.192
80.157.151.48
80.157.151.67
67.135.105.35
23.61.194.186
88.221.134.192
88.221.134.211
23.0.160.8
95.101.0.24
95.101.0.50
2.21.243.57
2.21.243.64
23.0.160.51
184.29.105.43
173.223.232.66
184.29.105.83
96.16.98.113
107.14.46.80
62.208.24.33
217.65.36.6
Related malicious MD5s known to have phoned back to the same C&C server:
MD5: 53958d60a2d52c99ad305ec105d47486
MD5: 45eaa4fc36c9a69b3ac78ddce7800daa
MD5: b355ed6fa08ef0415d4e7c6bc602f9a8
MD5: e4c7d87b7b20ae9555c6efe6466b32e6
MD5: 83a449691ff40cf9d3c8c4d7119aaea7
This post has been reproduced from Dancho Danchev's blog.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Sunday, April 24, 2016
Hundreds of Google Play Apps Compromised, Lead to Mobile Malware
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com