2014-03-06 - MALICIOUS ANDROID APP

ASSOCIATED FILES:

INTRODUCTION

Reviewing IDS alerts at work, I came across a malicious URL.  It was a simple redirect to a malicious Android app.  I wanted to share this information, so I recreated the traffic at home with an Android phone I use to check out malicious apps.

DETAILS

This Android malware appears to be the "Not Compatible" trojan.  The malware is spread through spam from compromised email accounts.  If an Android device accesses the link, the malicious APK file is sent.

Here are more recent links concerning my malware infection today:

THE INFECTION

To infect an Android phone with this app, first go into the security settings and change the permissions.

Allow the installation of apps from unknown sources, and don't verify apps.

When I accessed the URL, it asked if I wanted to save the APK file.  A notification shows the file is downloaded.  The app can be installed by double-tapping the notification.

As with any other app, you'll see what permissions the app requests when you install it.

After installation, go to settings -> apps.  Select the app from the list to see more information about it.

The app didn't do anything in the short time I had it on my test phone.  That Android phone is only running as a WiFi device without any phone service.  After nothing happened, I reset the phone to factory conditions.  Let's review the WiFi network traffic on this...

NETWORK TRAFFIC

ASSOCIATED DOMAINS

CHAIN OF EVENTS

NOTE: In the original traffic I saw 15 hours earlier at work, billions2buy.com generated a redirect to 93.190.137.149 on mobile.downloadmobilessoftware.ru (note the extra "s" in the domain name).

PRELIMINARY MALWARE ANALYSIS

MALICIOUS ANDROID APP

File name:  Security.Update.apk
File size:  63.1 KB ( 64600 bytes )
MD5 hash:  02874f8cda359307723d5c0e7f4df6c2
Detection ratio:  27 / 50
First submission:  2014-02-20 19:23:39 UTC
VirusTotal link: https://www.virustotal.com/en/file/88e772f4eb3ddd9c3010d16572b859dbbe30f01b5eec53722912073d3193b17b/analysis/

SNORT EVENTS

No Snort events seen for this traffic.

HIGHLIGHTS FROM THE TRAFFIC

Redirect link - billions2buy.com/tmwib/fox_news.php

First HTTP GET request for the malicious Android app - mobile.downloadmobilesoftware.ru/FLVupdate.php

Second HTTP GET request for the malicious Android app - mobile.downloadmobilesoftware.ru/FLVupdate2.php
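As an added example (not code from the original post, and not part of the pcap it describes), here is the redirect-to-APK chain above turned into a small log-scanning check, plus a hash comparison against the MD5 and SHA-256 listed in the preliminary analysis.  The log format and the client addresses are constructed for this example; the hostnames, IP address, URI paths and hashes are the ones given on this page.

```python
"""Added example: flag the billions2buy.com -> downloadmobilesoftware.ru
APK download chain in constructed HTTP log lines, and compare a file's
digests with the hashes listed on this page."""
import hashlib
import re
from dataclasses import dataclass

# Indicators taken from the post. The misspelled "mobilessoftware" host is
# the one seen in the original work traffic (note the extra "s").
IOC_HOSTS = {
    "billions2buy.com",
    "mobile.downloadmobilesoftware.ru",
    "mobile.downloadmobilessoftware.ru",
}
IOC_IPS = {"93.190.137.149"}
REDIRECT_PATH = "/tmwib/fox_news.php"
IOC_PATHS = {REDIRECT_PATH, "/FLVupdate.php", "/FLVupdate2.php"}
IOC_MD5 = "02874f8cda359307723d5c0e7f4df6c2"
IOC_SHA256 = "88e772f4eb3ddd9c3010d16572b859dbbe30f01b5eec53722912073d3193b17b"
APK_MIME = "application/vnd.android.package-archive"

# Constructed log lines (assumption: this proxy-style layout is invented for
# the example, it is not the page's pcap). Fields:
# timestamp client_ip server_ip host method path status content-type
SAMPLE_LOG = """\
2014-03-06T14:01:02 10.0.0.5 198.51.100.7 billions2buy.com GET /tmwib/fox_news.php 302 text/html
2014-03-06T14:01:03 10.0.0.5 93.190.137.149 mobile.downloadmobilesoftware.ru GET /FLVupdate.php 200 application/vnd.android.package-archive
2014-03-06T14:01:05 10.0.0.5 93.190.137.149 mobile.downloadmobilesoftware.ru GET /FLVupdate2.php 200 application/vnd.android.package-archive
2014-03-06T14:02:00 10.0.0.6 203.0.113.9 www.example.com GET /index.html 200 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<server>\S+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    path: str
    reasons: tuple


def check_line(line: str):
    """Return a Hit for a log line that matches any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["host"] in IOC_HOSTS:
        reasons.append("ioc-host")
    if m["server"] in IOC_IPS:
        reasons.append("ioc-ip")
    if m["path"] in IOC_PATHS:
        reasons.append("ioc-path")
    # An APK served from a .php endpoint is the pattern in this post, so it
    # is flagged on its own even if the hostname changes.
    if m["ctype"] == APK_MIME and m["path"].endswith(".php"):
        reasons.append("apk-from-php")
    if not reasons:
        return None
    return Hit(m["ts"], m["client"], m["host"], m["path"], tuple(reasons))


def scan_log(text: str):
    return [h for h in (check_line(line) for line in text.splitlines()) if h]


def clients_with_full_chain(hits):
    """Clients that hit the redirect page and then pulled an APK from a .php URI."""
    seen = {}
    for h in hits:
        stages = seen.setdefault(h.client, set())
        if h.path == REDIRECT_PATH:
            stages.add("redirect")
        if "apk-from-php" in h.reasons:
            stages.add("apk")
    return sorted(c for c, s in seen.items() if s == {"redirect", "apk"})


def matches_sample(data: bytes) -> dict:
    """Compare a file's digests with the MD5 and SHA-256 listed on the page."""
    return {
        "md5": hashlib.md5(data).hexdigest() == IOC_MD5,
        "sha256": hashlib.sha256(data).hexdigest() == IOC_SHA256,
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients with full chain:", clients_with_full_chain(found))
```

Run against the constructed log, three of the four lines are flagged and the client 10.0.0.5 is reported as having completed the whole chain; the fourth line (an unrelated site) produces nothing, which is the point of keying on the full redirect-then-APK sequence rather than on any single request.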

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
