    TrendLabs Security Intelligence Blog

    Author Archive - Veo Zhang (Mobile Threats Analyst)

    Recently, other researchers reported that a new Android malware family (detected as ANDROIDOS_KAGECOIN.HBT) had cryptocurrency mining capabilities. Based on our analysis, we have found that this malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin. This has real consequences for users: shorter battery life, increased wear and tear, all of which could lead to a shorter device lifespan.

    The researchers originally found ANDROIDOS_KAGECOIN as repacked copies of popular apps such as Football Manager Handheld and TuneIn Radio. The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; this code is based on the well-known cpuminer software.

    To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app, as seen below:

    Figure 1. The modified Google Mobile Ads code

    The miner is started as a background service once it detects that the affected device is connected to the Internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool.

    By February 17, the cybercriminal's network of mobile miners had earned him thousands of Dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file, which contains the information necessary to update the configuration of the miner. This configuration file was updated, and it now connects to the well-known WafflePool mining pool. The Bitcoins mined have been paid out (i.e., transferred to the cybercriminal’s wallet) several times.

    Figure 2. Coin pool configuration code

    The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store. These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals. We detect this new malware family as ANDROIDOS_KAGECOIN.HBTB. (As of this writing, these apps are still available.)

    Figure 3. Mining Apps in Google Play

    Figure 4. Download count of mining apps

    Analyzing the code of these apps reveals the cryptocurrency mining code inside. Unlike the other malicious apps, in these cases the mining only occurs when the device is charging, as the increased energy usage won’t be noticed as much.

    Figure 5. Cryptocurrency mining code

    The same miner configuration updating logic is also present here. Analyzing the configuration file, it seems that the cybercriminal responsible is switching to mining Litecoins.

    Figure 6. Configuration file, showing switch into LiteCoin mining

    We believe that with thousands of affected devices, the cybercriminal accumulated a great deal of Dogecoins.

    Users reading the app descriptions and the terms and conditions on the websites of these apps may not know that their devices may potentially be used as mining devices, due to the murky language and vague terminology.

    Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have sufficient performance to serve as effective miners. Users will also quickly notice the odd behavior of the miners – slow charging and excessively hot phones will all be seen, making the miner’s presence not particularly stealthy. Yes, they can gain money this way, but at a glacial pace.

    Users with phones and tablets that are suddenly charging slowly, running hot, or quickly running out of battery may want to consider whether they have been exposed to this or similar threats. Also, just because an app has been downloaded from an app store – even Google Play – does not mean it is safe.

    We have informed the Google Play security team about this issue.


    Note: We have clarified the use of the word “bricking” in this blog post, and added a solution for developers and other power users.

    We recently read about an Android system crash vulnerability affecting Google’s Bouncer™ infrastructure, one that, alarmingly, also affects mobile devices with Android OS versions 4.0 and above. We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets. An affected device becomes stuck in an endless reboot loop, or bootloop. This can render the device unusable, which some may consider “bricking” it.

    How did they do it?

    Our analysis shows that the first crash is caused by memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows.

    If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place. Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.

    An even worse case is when the malware is written to start automatically upon device startup. Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.

    Bug found to crash a series of services. 

    Further research on our part revealed that apart from the WindowManager service, PackageManager and ActivityManager are also susceptible to a similar crashing vulnerability. The critical difference here is that the user’s device will crash immediately once the malicious exploit app is installed. Note that the exploit app in this case does not need any special permission.

    In AndroidManifest.xml, apps’ label names can be set in the “android:label” attribute of the element, and it can be written with a raw string, not only with the reference of the string resource. Normally, apps with very long raw string labels declared in AndroidManifest.xml cannot be installed, due to the Android Binder’s transaction buffer size limit. But through the ADB (Android Debug Bridge) interface, which is used by many third-party market clients, such apps can be installed–which, inevitably, causes an instant PackageManager service crash.


    Figure 1. PackageManager service crash

    In a chain reaction, all other processes that depend upon PackageManager crash, leaving the Android device completely unusable. Below are notifications of some crashed services, which include Launcher and android.process.acore.


    Figure 2. Crashed services that depend on PackageManager

    The system service ActivityManager is also affected due to the continuous error in the Binder transaction. This may possibly lead to a Binder driver crash, which then results in an automatic rebooting of the device. At this point, users would have no other recourse but to do a hard factory reset on the device while running the risk of erasing all of the stored data.


    Figure 3. Binder driver crash
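As a pre-installation check for the condition described above, the following added example (not code from the original post) scans a decoded AndroidManifest.xml for raw-string android:label values that are abnormally long, and notes whether the app also requests to start at boot. It assumes the manifest has already been decoded from the APK's binary XML to text; the 1024-character threshold, the function names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LABELLED = {"application", "activity", "activity-alias", "service",
            "receiver", "provider"}  # elements that accept android:label
MAX_LABEL_CHARS = 1024  # assumed review threshold, not from the post


def is_launcher(component):
    """True if the component declares a MAIN/LAUNCHER intent filter."""
    for flt in component.findall("intent-filter"):
        names = {e.get(ANDROID + "name") for e in flt}
        if {"android.intent.action.MAIN",
                "android.intent.category.LAUNCHER"} <= names:
            return True
    return False


def audit_labels(manifest_xml, limit=MAX_LABEL_CHARS):
    """Report raw-string labels longer than `limit`, plus boot auto-start."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    for elem in root.iter():
        label = elem.get(ANDROID + "label")
        # "@string/..." is a resource reference; its text lives in
        # resources.arsc and is outside the scope of this check.
        if elem.tag not in LABELLED or label is None or label.startswith("@"):
            continue
        if len(label) > limit:
            findings.append({
                "element": elem.tag,
                "name": elem.get(ANDROID + "name", "(unnamed)"),
                "label_chars": len(label),
                "launcher_entry": is_launcher(elem),
            })
    # Auto-start at boot is what turns a single crash into a reboot loop.
    return {"oversized_labels": findings,
            "starts_at_boot":
                "android.permission.RECEIVE_BOOT_COMPLETED" in perms}


# Constructed sample manifest (not taken from any real app).
SAMPLE = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.sample"><uses-permission '
    'android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>'
    '<application android:label="@string/app_name">'
    '<activity android:name=".Main" android:label="Sample"><intent-filter>'
    '<action android:name="android.intent.action.MAIN"/>'
    '<category android:name="android.intent.category.LAUNCHER"/>'
    '</intent-filter></activity>'
    '<activity android:name=".Extra" android:label="' + "A" * 5000 + '"/>'
    '</application></manifest>')

if __name__ == "__main__":
    print(audit_labels(SAMPLE))
```

A finding with launcher_entry set to False corresponds to the hidden Activity case, and starts_at_boot marks the apps that deserve the closest review.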

    What should users do?

    As always, we advise users to never download apps from third-party app stores. It’s important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices. Google has already been notified about the vulnerabilities but users should still take the necessary precautions in order to protect their mobile devices.

    Developers familiar with the Android Debug Bridge can also use it to remove the problematic apps in question. (We would like to thank rmack for pointing out this option for developers and other power users.)

    We have informed Google’s Android security team about this issue.


    Earlier we talked about some Flappy Bird-related threats. In the course of uncovering their background, we found several third-party app stores that distributed or created similarly dangerous mobile apps.

    These third-party app stores target mobile users in Vietnam and inject advertising or even malicious code into popular apps. These apps put the user’s privacy at risk, and may even cause financial loss – the recent Trojanized Flappy Bird app used premium service abuse to profit, and also connected to a command-and-control server in order to receive commands.

    This example of a third-party app store imitates the Google Play store and contains various well-known apps that have been Trojanized. Even a fake version of the Google Play app itself is present, but it leads to their own third-party store.


    Figure 1. Example of imitated Google Play’s page

    The apps in this store contain added advertising code; the profit from these ads goes to the cybercriminals and not the app developers. Among the information sent is the user’s phone number, email address, and device information.

    Figure 2. Advertising information

    In addition, this advertising module may remotely load code to be executed on the device, effectively acting as a backdoor. This poses a great risk for users.

    Figure 3. Backdoor code

    Apps with this malicious code are detected as ANDROIDOS_FLEXLEAK.HBT.

    Another third-party store was even riskier – this single store contained more than 500 OPFAKE malware variants. One of the malicious Flappy Bird apps was downloaded from this store. Not only do they contain the potentially malicious advertising code, they also abuse premium service numbers in order to get money directly from the user.

    Adult apps are also present on this store, with the users having to pay via SMS to use these apps.

    Figure 4. Second malicious third-party store

    A third app store hosts threats similar to those in the other stores mentioned in this post. This one, however, has higher download counts (more than 70,000 downloads).

    Figure 5. Third malicious third-party store

    These incidents highlight the possible dangers of downloading apps from third-party stores. Users often visit third-party app stores to obtain apps that may be unavailable in official app stores or even pirated apps (like free versions of paid apps). Some users, meanwhile, rely on these sites because of the unavailability of official app stores in their region.

    However, visiting these sites can often be hit-or-miss. Third-party app sites may not be as strict in monitoring and removing malicious apps compared to, say, Google Play. Apps from these third-party sites should be treated as potentially malicious, as a user has no easy way to determine what malicious code was added.

    We detect all the apps listed in these stores that contain malicious content or may violate a user’s privacy.


    The interesting turn of events surrounding the game Flappy Bird has had the Internet buzzing: after becoming massively popular (downloaded more than 50 million times), the developer suddenly announced that he will take down the game from app stores, and then actually did it. The decision brought the interest around the game to an even greater scale, with similar apps seen emerging in app stores, and even auctions for devices with the app installed.

    The next development we saw, however, is a less desirable one: we found a bunch of fake Android Flappy Bird apps spreading online.

    Especially rampant in app markets in Russia and Vietnam, these fake Flappy Bird apps have exactly the same appearance as the original version:


    All of the fake versions we’ve seen so far are Premium Service Abusers — apps that send messages to premium numbers, thus causing unwanted charges to victims’ phone billing statements. As seen below, the fake Flappy Bird app asks for additional permissions to read and send text messages during installation — permissions that are not required in the original version.


    After the game is installed and launched, the app will then begin sending messages to premium numbers:


    And while the user is busy playing the game, this malware stealthily connects to a C&C server through Google Cloud Messaging to receive instructions. Our analysis of the malware revealed that through this routine, the malware sends text messages and hides the notifications of received text messages with certain content.

    Apart from premium service abuse, the app also poses a risk of information leakage for the user since it sends out the phone number, carrier, and Gmail address registered in the device.

    Other fake versions we’ve seen have a payment feature added into the originally free app. These fake versions display a pop-up asking the user to pay for the game. If the user refuses to pay, the app will close.

    These fake Flappy Bird apps are now detected as ANDROIDOS_AGENT.HBTF, ANDROIDOS_OPFAKE.HATC, and ANDROIDOS_SMSREG.HAT.
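The extra SMS permissions described above are the kind of difference a manifest comparison surfaces. The following added example (not code from the original post) diffs the decoded AndroidManifest.xml of a suspected repackaged copy against that of the known-good original and lists added permissions and components; it goes slightly beyond the post by also reporting added services and receivers. The function names, package name and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def summarize(manifest_xml):
    """Return (requested permissions, declared components) of a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    comps = {(tag, e.get(ANDROID + "name"))
             for tag in COMPONENT_TAGS for e in root.iter(tag)}
    return perms, comps


def diff_repack(original_xml, candidate_xml):
    """List what the candidate requests or declares beyond the original."""
    orig_perms, orig_comps = summarize(original_xml)
    cand_perms, cand_comps = summarize(candidate_xml)
    added = cand_perms - orig_perms
    return {
        "added_permissions": sorted(added),
        "added_sms_permissions": sorted(added & SMS_PERMISSIONS),
        "added_components": sorted(cand_comps - orig_comps),
    }


def _manifest(permissions, components):
    """Build a constructed sample manifest for the demo below."""
    perms = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>'
        for p in permissions)
    comps = "".join(f'<{t} android:name="{n}"/>' for t, n in components)
    return ('<manifest xmlns:android='
            '"http://schemas.android.com/apk/res/android" '
            f'package="com.example.game">{perms}'
            f'<application>{comps}</application></manifest>')


# Constructed samples: a hypothetical original game and a repacked copy.
ORIGINAL = _manifest(["INTERNET"], [("activity", ".Game")])
REPACKED = _manifest(
    ["INTERNET", "SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED"],
    [("activity", ".Game"), ("service", ".Worker"),
     ("receiver", ".BootReceiver")])

if __name__ == "__main__":
    for key, value in diff_repack(ORIGINAL, REPACKED).items():
        print(key, value)
```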

    We advise Android users (especially those who are keen to download the now “extinct” Flappy Bird app) to be careful when installing apps. Cybercriminals are constantly cashing in on popular games (like Candy Crush, Angry Birds Space, Temple Run 2, and Bad Piggies) to unleash mobile threats. Our past entry, Checking the Legitimacy of Android Apps, enumerates some tips on how to avoid suspicious or malicious apps. Users may also opt to install a security app (such as Trend Micro Mobile Security) to be able to check apps even before installation.


    We have been seeing apps that exploit vulnerabilities in Android, with most of them attempting to gain higher privileges on user devices. In recent days, a stronger and far more advanced Android malware named ANDROIDOS_OBAD has come into play. Seemingly a product of the same malware authors behind ANDROIDOS_JIFAKE, ANDROIDOS_OBAD is equipped with the ability to avoid being uninstalled from devices and to trigger more malicious code.

    Newer and more improved stealth routines 

    This new malware family employs stealth and anti-reversing methods aimed at both normal users and security researchers. When installed, it asks for root privileges and activates the device administrator. By gaining root privileges, the malware takes complete control of the device, which an attacker may then fully exploit.

    If the user does not activate as instructed, the malware displays frequent pop-up messages when the device restarts. Additionally, if users press the back button, the pop-ups appear once again. If the home button is pressed, the pop-ups reappear at some later time.

    Here, users will finally have the chance to uninstall it, but if device administrator is activated, the malware will instead run fully in stealth mode.

    Figure 1. Activating device administrator allows the malware to run in stealth mode

    Still, you can carefully distinguish the malicious app from the mixed Android system apps under Apps Management. However, you won’t be able to uninstall it because it’s a device admin app.

    Figure 2. Malware’s app information

    The “anti-uninstall” trick also relies on an Android vulnerability, which the malware uses to hide itself from the Device Administrator management view:

    Figure 3. The malware hides itself from the Device Administrator management view

    From a security researcher’s perspective, it seems that the malware author tested ANDROIDOS_OBAD against traditional analysis tools.

    The Android OS recognizes AndroidManifest.xml but major decoding tools fail to precisely parse it. Most sandboxes encounter problems loading this malware because ANDROIDOS_OBAD has the ability to initially detect them.

    A new obfuscation technique

    The app’s Dalvik code is obfuscated in a new way – almost every Class file has a unique, embedded obfuscated decryption routine. This means that every string and function called must be first decrypted while the app runs. Some parts of the code – like string constants – are encrypted multiple times. Current decompilers have trouble showing the execution order correctly.

    An example of unordered execution code snippet from one decrypt routine:

    Figure 4. Code sample

    The upper IF statement intersects with the WHILE loop. The IF condition cannot be true, so its consequent code is never executed by the IF itself, but the WHILE loop loops back to the middle of the IF consequent code (p6 = (p6 + 1); ). The correct order is obtained by appending the last two lines of the IF consequent code to the WHILE loop and disabling the IF statement.

    Once we were able to decrypt the code and analyze it, we found that the malware is capable of the following behavior:

    • Hide the launcher and run as a background service with the highest priority.
    • Automatically try to open Wi-Fi connections and connect to a remote server (http://www.{BLOCKED}
    • Collect the user’s contacts, call log, SMS inbox and installed apps.
    • Download, install and uninstall apps (with root privileges, this can be done silently).
    • Distribute malware to other phones via Bluetooth.


    ANDROIDOS_OBAD shares similar features with its predecessor ANDROIDOS_JIFAKE. The latter is a fake app installer that tricks users into installing and executing it, after which it silently registers as a service connecting to remote servers as it waits for commands. The remote server can then trigger the sending of premium text messages and perform the same “anti-uninstall” tricks.

    The anti-uninstall trick is exploited through Android’s Device Administration feature. If an app is installed and enabled as the device admin application, it is entrusted with more power to constrain the user’s device, including enforcing security policy and locking or wiping the device. At this level, the app cannot be easily uninstalled, which contributes much to the anti-uninstall trick.

    To uninstall the device admin app, users need to deactivate it under Settings->Security->Device Administrators. But an unpublished Android vulnerability can be exploited to hide the deactivation option. Users are then forced to enable the malware as the device admin application with no way to disable it.

    Trend Micro Mobile Security already detects this malware family upon installation.



    © Copyright 2013 Trend Micro Inc. All rights reserved.