In the first quarter of 2016, Singaporeans were targeted by phone calls that pretended to be from various courier services. These automated phone calls would say that the victim had received a package, and asked them to provide sensitive personal information such as their name, address, National Registration Identity Card (NRIC) number, passport number, and bank account details.
The calls in Singapore pretended to be from DHL, a major international courier company. DHL’s Singapore subsidiary went so far as to issue a warning on its Facebook page about this scam; local authorities warned the public as well.
Attacks like these are not completely unprecedented. In 2014, a similar scam took place in China where the attackers pretended to be from SF Express, one of the largest courier companies in the country. What caught our attention this time was that in some recent versions of this scam, victims were asked to install a malicious app as part of an “investigation” into their package, which the scammers claim includes illegal merchandise (fake passports or weapons).
Remember that the scam also tried to get the user’s bank information; the app was created so that the attackers could intercept and steal any authentication codes sent via text messages, which is a common tactic used by mobile malware. The malicious code itself appears to have been repurposed from an app targeting Chinese users in 2015.
The code below is a part of the malicious app that intercepts any text messages received by the user.
Figure 1. Code for intercepting text messages
The code below sends the intercepted messages to a hardcoded command-and-control (C&C) server:
Figure 2. Code for uploading messages to C&C server
This particular domain resolves to various IP addresses under legitimate ISPs. Two of these addresses, however, also contain other malicious sites, including a fake website for the Embassy of the United States in China.
We also noted that the malicious code was highly modular and well-organized. The module names clearly show what each module does:
Figure 3. Malicious code modules (click for full list)
Traces in Other Apps
The modular approach to this malicious code made us wonder if it exists in other apps. The answer was: yes. In July 2015, we found a fake China CITIC Bank app. It contains the same malicious module that was used to phish for the victim’s name, ID number, card number, password and phone number:
Figure 4. Fake China CITIC Bank app
We also found ListenSutra, a Buddhism-related app in Google Play that contains the same malicious code. It was released around the same time as the China CITIC Bank app.
Figure 5. ListenSutra app in Google Play
Figure 6. Malicious code modules (click for full list)
Although the app also contains the same malicious module as the previous versions, these are never called by any part of the app’s code, leaving the app harmless. Based on Google Play information, it was created by an app developer in Taiwan and this particular app was the only one he ever uploaded. He also maintained a separate website, which does not appear to have been updated since 2015 either. We already notified Google about this malicious app.
Our advice for users remains the same: be careful of downloading apps from third-party sources, or from unknown developers. Users should also have secure mobile security solutions that can mitigate mobile malware. Both Trend Micro Mobile Security Personal Edition and Mobile Security Solutions can detect all threats related to this attack.
We detect this threat as ANDROIDOS_FRAUD.A, and the SHA1 hashes are:
Additional insights and analysis by Ryan Flores and Lion Gu.