• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   GhostTeam Adware can Steal Facebook Credentials

GhostTeam Adware can Steal Facebook Credentials

  • Posted on:January 18, 2018 at 12:03 am
  • Posted in:Malware, Mobile, Social
  • Author:
    Mobile Threat Response Team
0

by Kevin Sun (Mobile Threat Analyst)

We uncovered a total of 53 apps on Google Play that can steal Facebook accounts and surreptitiously push ads. Many of these apps, which were published as early as April 2017, seemed to have been put out on Google Play in a wave. Detected by Trend Micro as ANDROIDOS_GHOSTTEAM, many of the samples we analyzed are in Vietnamese, including their descriptions on Google Play.

Their command-and-control (C&C) server points to mspace[.]com[.]vn. This, along with the considerable use of Vietnamese language, may indicate that the apps were from Vietnam. For instance, GhostTeam’s configurations are in English and Vietnamese. English will be the default language if the malware detects the geolocation to be outside Vietnam.

The apps pose as utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner), and more notably, social media video downloaders. The use of video downloaders as social engineering hooks — enticing users with features that allow them to download videos for offline viewing — concurs with our detections for GhostTeam. India, Indonesia, Brazil, Vietnam, and the Philippines, reported to have the most Facebook users, are also the most affected by GhostTeam.

While we haven’t seen active cybercriminal campaigns that use the stolen Facebook credentials so far, it’s not farfetched to think they would. As other cyberattacks and threats like the Onliner spambot showed, these credentials can be repurposed to deliver far more damaging malware or to amass a zombie social media army that can proliferate fake news or a cryptocurrency-mining malware. Facebook accounts, which can contain a wealth of other financial and personally identifiable information, are also peddled in the underground.


Figure 1: Top countries most affected by GhostTeam

Another clue pointed to the apps’ developers: The string “ghostteam” appears in the early versions of the malware’s code. The ghostteam package contains code that urges users to install a payload. These are disguised as a package name spoofing a legitimate internet and technology service provider.


Figure 2: Icons of the Facebook account-stealing apps


Figure 3: Code structure containing the ghostteam package

How GhostTeam steals Facebook credentials
To ensure infection, the malware will only retrieve the payload after confirming that the device is not an emulator or a virtual environment. The payload disguises itself as “Google Play Services”, pretending to verify an app. If the unwitting user opens Google Play or Facebook, it displays an alert urging the would-be victim to install the fake Google Play Services. After installation, the payload will also prompt the user to activate/enable device administrator.

As exemplified by various Android mobile ransomware, adware such as TOASTAMIGO, and the GhostCtrl backdoor, device administrator privileges are abused as a persistence mechanism to put off users from uninstalling apps.

GhostTeam targets Facebook accounts. Once the user opens the Facebook app, a dialog will prompt him to verify his account. The verification process is a typical login procedure. Behind the scenes, however, it executes a WebView (responsible for rendering web pages in Android apps). The malicious code injected in the WebView client will steal the email and password used to log in to the Facebook app, which it sends to the C&C server.



Figure 4: Code snippet (encrypted above; decoded below) responsible for stealing Facebook credentials

Figure 5: GhostTeam sending the stolen credentials to the C&C server

GhostTeam also pushes ads
Besides stealing Facebook credentials, GhostTeam aggressively pops up ads. It keeps the device awake by showing ads in the background. It will display full-screen ads on the home screen if the user is interacting with the device.



Figure 6: GhostTeam posing as a video downloader

Best Practices
While advertisements from apps aren’t inherently bad, it becomes a perennial problem when they become intrusive, collect more information than necessary — or even become doorways for other malware. Users can significantly mitigate GhostTeam by disabling the device administrator feature, which is typically reserved for helping develop security-aware applications like homegrown enterprise, BYOD management, and antivirus apps.

Being security-aware also helps. Keep the device’s OS and apps updated and patched. Check the app’s reviews first before installing them, as they can help raise red flags if they show suspicious behavior such as requesting superfluous permissions. And more importantly, manage what you share online. Even a seemingly innocuous bit of data such as an email address can be used against you.

We disclosed our findings to Google, which promptly removed all the malicious apps in Google Play. Updates have also been made to Google Play Protect to take appropriate action on apps that have been verified to have violated Play policy. Google Play Protect has implemented expanded protections to ensure robust and scalable protections across the ecosystem. We also coordinated and shared our findings with Facebook. In an official statement, they said, “we are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials.”

A list of Indicators of Compromise (IoCs) comprising related hashes (SHA256), package names and app labels, is in this appendix.

Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Updated as of 9:30 PM PDT, January 23, 2018 to clarify the payload and update the chart showing GhostTeam detections (Figure 1).

Related posts:

  • Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users
  • Cybercriminals Use Malicious Memes that Communicate with Malware
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: adwareFacebookGhostTeam

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.