
App Stores that Formerly Coddled ZNIU Found Distributing a New iXintpwn/YJSNPI Variant

  • Posted on:November 2, 2017 at 5:00 am
  • Posted in:Bad Sites, Malware, Mobile
  • Author:
    Mobile Threat Response Team

by Lilang Wu, Ju Zhu, and Moony Li

We covered iXintpwn/YJSNPI in a previous blog post and looked into how it renders an iOS device unresponsive by overflowing it with icons. This threat comes in the form of an unsigned profile that crashes the standard application that manages the iOS home screen when installed. The malicious profile also exploits certain features to make iXintpwn/YJSNPI more difficult to uninstall.

We recently discovered a new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile and carries out different attacks compared to its predecessor. IOS_YJSNPI.A is served from either of two app stores: hxxp://m[.]3454[.]com and hxxp://m[.]973[.]com. Based on our analysis, this new variant’s main purpose is not to damage users’ operating systems, but to lure users into downloading repackaged apps.

Figure 1. Screenshot of an unsigned profile (left) and a signed profile (right). In English translation, the right image describes 51 Apple Helper, an iOS app store that provides games, software, and wallpaper.

If users access the app stores, a signed .mobileconfig file, which is an iOS configuration profile, is downloaded to the device. An iOS configuration profile lets administrators and developers provision settings across a large number of devices, including email and Exchange accounts, network settings, and certificates. The .mobileconfig file contains four irremovable icons that appear on the home screen, which is about the only other similarity this threat has with iXintpwn/YJSNPI apart from its use of a configuration profile. The four icons are Web Clips, which look like app icons on the home screen. The difference is that instead of launching an app when tapped, a Web Clip takes the user directly to a website.

Figure 2. The four icons contained in a .mobileconfig file.

One of the Web Clips seen in the picture above redirects users to 51 Apple Helper, a third-party app store where repackaged apps can be downloaded.

A Closer Look at the App Stores

Further analysis reveals that the two app stores can also be accessed from a PC and from an Android device. When users download apps from either of the two, the response they receive differs depending on the User-Agent of the requesting device.

Figure 3. Code snippet of the signed profile being downloaded from the malicious website.

For Android users, a different third-party app store is installed on the device when they download apps from either of the two app stores. Unlike 51 Apple Helper, this app is a legitimate and popular distribution platform in China. Mac and Windows users, meanwhile, are unaffected, since the apps downloaded from the two app stores fail to install on a computer.

Interestingly, we also discovered that the two third-party app stores were distributors of the rootkit malware used by ZNIU.

Figure 4. Code snippet showing the app that Android users download from the third-party app store.

Based on the site’s JavaScript code, hxxps://ap[.]405153[.]com/w/9048409[.]apk no longer works and has been replaced by a link to a third-party app store. Nevertheless, our researchers were still able to identify it as a link that the ZNIU malware used before. We speculate that the authors revised the code when the discovery of ZNIU was made public. Upon further investigation, we found that this apk file is still being hosted by a popular cloud server, censored in the image below.

Figure 5. The response we get when requesting the apk file.

Mitigations and Solutions

Users should only install apps from official and trusted app stores. They should also be wary of the potential risks of downloading repackaged apps:

  • Users’ sensitive information may be leaked when the app updates to a later version.
  • Repackaged apps installed on the newest iOS version prevent the installation of the legitimate apps—and their official updates—on which they were based.
  • Installing repackaged apps to older iOS versions (10.1 and below) may expose devices to vulnerabilities.

Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android devices to block threats from app stores before they can be installed.

Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

In addition, enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. It provides device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Indicators of Compromise (IoCs)

iOS:

SHA256: 4a2b4f0b2c5980a2bba4213d931da5ad2768309032a7cd697000e054225f62eb

Android:

SHA256: 7c840433020c33e16e942a39d53c593ce58db680a41955a8a29139cf022be8dd
Package name: com[.]okosdfsdfhsh[.]www
App label: 触摸女神 (Touch the goddess)
