We have been detecting a new wave of network attacks since early March, which, for now, target Japan, Korea, China, Taiwan, and Hong Kong. The attacks use DNS cache poisoning/DNS spoofing, possibly gaining a foothold on routers through brute-force or dictionary attacks against their credentials, to distribute and install malicious Android apps. Trend Micro detects these as ANDROIDOS_XLOADER.HRX.
The malware poses as a legitimate Facebook or Chrome application. It is distributed from the attacker-controlled domains that the poisoned DNS records resolve to; those domains push a notification to the unwitting victim's device. The malicious apps can steal personally identifiable and financial data and install additional apps. XLoader can also hijack the infected device (for example, to send SMS messages) and has self-protection and persistence mechanisms built on device administrator privileges.
As in our earlier reports in late March, the attack chain diverts internet traffic to attacker-specified domains by compromising the router and overwriting its DNS settings. A fake alert then urges the user to visit the malicious domain and download XLoader.
XLoader first loads the encrypted payload from Assets/db, written out as test.dex, to drop the modules it needs, then requests device administrator privileges. Once granted, it hides its icon from the launcher's application list and starts a service that it keeps running in the background. The background service uses reflection (a Java feature that lets a program inspect classes and call methods by name at runtime) to invoke the method com.Loader.start in the payload.
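The loader behaviour described above (an encrypted payload under assets, a device administrator request, icon hiding, reflection into the dropped DEX), together with the dynamic receiver registration and the ws/wss C&C URLs covered later on this page, leaves string-level traces in an APK that an analyst can triage quickly. The script below is an added example written for this page, not Trend Micro's tooling or code from the sample: it scans the classes.dex entries of an APK for those strings, extracts ws:// and wss:// URLs, and flags assets whose byte entropy looks like ciphertext. The indicator weights and the build_sample_apk() input (a zip constructed inline to stand in for a real APK; c2.example.invalid is a placeholder) are assumptions.

```python
import io
import math
import re
import zipfile
from collections import Counter

# String-level indicators matching the behaviour described on this page. The weights are this
# example's own assumption: they rank leads for an analyst, they are not a verdict.
INDICATORS = [
    (b"dalvik/system/DexClassLoader", "loads a DEX payload at runtime (dropper behaviour)", 3),
    (b"BIND_DEVICE_ADMIN", "requests device administrator privileges", 3),
    (b"setComponentEnabledSetting", "can disable its own launcher activity (icon hiding)", 2),
    (b"registerReceiver", "registers broadcast receivers dynamically", 1),
    (b"java/lang/reflect/Method", "uses reflection to call into the payload", 1),
    (b"/NPKI", "references the NPKI certificate folder", 3),
]
WS_URL = re.compile(rb"wss?://[\x21-\x7e]+")  # ws:// and wss:// C&C endpoints


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted or compressed data, well below for code or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(apk_bytes):
    """Scan an APK (a zip file) for the indicators above; returns a score and the reasons."""
    findings, score = [], 0
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # Strings inside classes.dex are (M)UTF-8, so a plain substring search on the raw file works.
        code = b"".join(apk.read(n) for n in names if re.fullmatch(r"classes\d*\.dex", n))
        for needle, reason, weight in INDICATORS:
            if needle in code:
                findings.append(reason)
                score += weight
        urls = sorted({m.decode("ascii", "replace") for m in WS_URL.findall(code)})
        if urls:
            findings.append("WebSocket C&C URL strings: " + ", ".join(urls))
            score += 2
        for n in names:  # the page names the payload Assets/db; check every asset regardless of case
            if n.lower().startswith("assets/"):
                blob = apk.read(n)
                h = shannon_entropy(blob)
                if len(blob) >= 256 and h > 7.5:
                    findings.append(f"high-entropy asset {n} ({h:.2f} bits/byte): likely encrypted payload")
                    score += 3
    return {"score": score, "findings": findings}


def build_sample_apk():
    """Constructed stand-in for an XLoader-like APK (not a real sample), used to exercise triage()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join([
            b"Ldalvik/system/DexClassLoader;", b"android.permission.BIND_DEVICE_ADMIN",
            b"setComponentEnabledSetting", b"registerReceiver",
            b"Ljava/lang/reflect/Method;", b"wss://c2.example.invalid/ws", b"/NPKI/"]))
        z.writestr("assets/db", bytes(range(256)) * 4)  # uniform byte distribution: entropy 8.0, like ciphertext
        z.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    result = triage(data)
    print("score:", result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it as `python triage.py some.apk`. It is a coarse filter: legitimate plugin frameworks also use DexClassLoader, and permission declarations live in the binary AndroidManifest.xml, which this example does not decode (use apktool or androguard for that). Treat a high score as a reason to decompile and look for the Assets/db to test.dex drop and the com.Loader.start call, not as a verdict.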
Monitoring Broadcast Events
XLoader dynamically registers many broadcast receivers in the payload so it can monitor broadcast events sent between the system and applications; these events are what trigger its malicious routines. The broadcast actions it registers are:
Creating a Web Server to Phish
XLoader creates a provisional web server that is driven by the broadcast events it receives. It can also run a simple HTTP server on the infected device to deceive victims: whenever the affected device receives a broadcast event (for example, when a new package is installed or the screen turns on), it shows a web phishing page to steal personal data, such as credentials keyed into banking apps. The phishing page is provided in Korean, Japanese, Chinese, and English, all hardcoded in the payload, and is shown in whichever language the device is set to.
XLoader as Spyware and Banking Trojan
XLoader can also collect information about how the apps installed on the device are used. Its data-stealing capabilities include harvesting SMS messages after receiving an SMS-related broadcast event and covertly recording phone calls. XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device.
XLoader can also start other attacker-specified packages. A possible attack scenario is replacing legitimate apps with repackaged or malicious versions: by monitoring the package-installation broadcast event, XLoader can start those packages as soon as they are installed, launching malicious apps without the user's awareness or explicit consent.
We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies. XLoader also prevents victims from opening the device's settings or using a well-known antivirus (AV) app in that country.
XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control (C&C) server, as shown below:
Here’s a list of the modules and their functions:
- sendSms — send SMS/MMS to a specified address
- setWifi — enable or disable the Wi-Fi connection
- gcont — collect all the device's contacts
- lock — currently only writes a lock status to the settings (pref) file, but may be intended for use as screen-locking ransomware
- bc — collect all contacts from the Android device and the SIM card
- setForward — currently not implemented, but could be used to hijack the infected device
- getForward — currently not implemented, but could be used to hijack the infected device
- hasPkg — check whether a specified app is installed on the device
- setRingerMode — set the device's ringer mode
- setRecEnable — set the device's ringer mode to silent
- reqState — get detailed phone connection status, including the active network and Wi-Fi (with or without password)
- showHome — force the device back to the home screen
- getnpki — get files/content from the folder named NPKI (which contains certificates used for financial transactions)
- http — access a specified URL using HttpURLConnection
- onRecordAction — simulate a dialed-number tone
- call — call a specified number
- get_apps — get all the apps installed on the device
- show_fs_float_window — show a full-screen window for phishing
Of note is XLoader's use of the WebSocket protocol (supported in many browsers and web applications) over ws (plain WebSocket) or wss (WebSocket over SSL/TLS) to communicate with its C&C servers. The C&C URLs are hidden in three webpages, and the C&C server XLoader connects to differs per region.
WebSocket gives XLoader a persistent connection between client and server over which data can be sent at any time. XLoader uses MessagePack (a compact binary data-interchange format) to package the stolen data and exfiltrates it over the WebSocket connection, which makes transmission faster and more efficient than a text-based format would.
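To make sense of the C&C traffic described above, an analyst has to decode MessagePack objects out of the binary WebSocket frames. The block below is an added example written for this page (not code from the malware or from Trend Micro): a minimal MessagePack encoder/decoder covering the types a command channel needs, plus a decoder for a captured WebSocket message that labels each command against the module list above. The frame layout ({"cmd": name, ...}), the constructed capture bytes and the c2.example.invalid host are assumptions; the page does not document XLoader's actual message schema.

```python
import struct

# Module names from the command list above; anything else seen in traffic deserves a closer look.
KNOWN_COMMANDS = {
    "sendSms", "setWifi", "gcont", "lock", "bc", "setForward", "getForward", "hasPkg",
    "setRingerMode", "setRecEnable", "reqState", "showHome", "getnpki", "http",
    "onRecordAction", "call", "get_apps", "show_fs_float_window",
}


def pack(obj):
    """Encode nil/bool/int/str/bytes/list/dict as MessagePack (the subset a command channel needs)."""
    if obj is None:
        return b"\xc0"
    if isinstance(obj, bool):
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, int):
        if 0 <= obj < 0x80:
            return bytes([obj])                          # positive fixint
        if -32 <= obj < 0:
            return struct.pack("b", obj)                  # negative fixint
        for limit, fmt, tag in ((0x100, "B", b"\xcc"), (0x10000, ">H", b"\xcd"), (1 << 32, ">I", b"\xce")):
            if 0 <= obj < limit:
                return tag + struct.pack(fmt, obj)        # uint 8 / uint 16 / uint 32
        raise ValueError("integer outside the range this example encodes")
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xa0 | len(raw)]) + raw         # fixstr
        return (b"\xd9" + bytes([len(raw)]) if len(raw) < 0x100 else b"\xda" + struct.pack(">H", len(raw))) + raw
    if isinstance(obj, (bytes, bytearray)):
        return (b"\xc4" + bytes([len(obj)]) if len(obj) < 0x100 else b"\xc5" + struct.pack(">H", len(obj))) + bytes(obj)
    if isinstance(obj, (list, tuple)):
        head = bytes([0x90 | len(obj)]) if len(obj) < 16 else b"\xdc" + struct.pack(">H", len(obj))
        return head + b"".join(pack(x) for x in obj)
    if isinstance(obj, dict):
        head = bytes([0x80 | len(obj)]) if len(obj) < 16 else b"\xde" + struct.pack(">H", len(obj))
        return head + b"".join(pack(k) + pack(v) for k, v in obj.items())
    raise TypeError(f"cannot encode {type(obj).__name__}")


def unpack(buf, off=0):
    """Decode one MessagePack object at buf[off]; returns (object, offset just after it)."""
    b = buf[off]
    off += 1
    if b <= 0x7f:                                         # positive fixint
        return b, off
    if b >= 0xe0:                                         # negative fixint
        return b - 0x100, off
    if 0x80 <= b <= 0x9f:                                 # fixmap (0x8x) / fixarray (0x9x)
        return _items(buf, off, b & 0x0f, as_map=b <= 0x8f)
    if 0xa0 <= b <= 0xbf:                                 # fixstr
        n = b & 0x1f
        return bytes(buf[off:off + n]).decode("utf-8"), off + n
    simple = {0xc0: None, 0xc2: False, 0xc3: True}
    if b in simple:
        return simple[b], off
    ints = {0xcc: "B", 0xcd: ">H", 0xce: ">I"}           # uint 8 / 16 / 32
    if b in ints:
        return struct.unpack_from(ints[b], buf, off)[0], off + struct.calcsize(ints[b])
    sized = {0xc4: ("B", "bin"), 0xc5: (">H", "bin"), 0xd9: ("B", "str"), 0xda: (">H", "str"),
             0xdc: (">H", "arr"), 0xde: (">H", "map")}   # length-prefixed families
    if b in sized:
        fmt, kind = sized[b]
        n = struct.unpack_from(fmt, buf, off)[0]
        off += struct.calcsize(fmt)
        if kind == "bin":
            return bytes(buf[off:off + n]), off + n
        if kind == "str":
            return bytes(buf[off:off + n]).decode("utf-8"), off + n
        return _items(buf, off, n, as_map=(kind == "map"))
    raise ValueError(f"type byte 0x{b:02x} at offset {off - 1} is not handled by this example")


def _items(buf, off, n, as_map):
    """Decode n array elements, or n key/value pairs, starting at off."""
    out = {} if as_map else []
    for _ in range(n):
        k, off = unpack(buf, off)
        if as_map:
            out[k], off = unpack(buf, off)
        else:
            out.append(k)
    return out, off


def decode_c2_message(data):
    """Split one binary WebSocket message into MessagePack objects and label each command.
    The {"cmd": name, ...} layout is an ASSUMPTION for illustration, not XLoader's real schema."""
    frames, off = [], 0
    while off < len(data):
        obj, off = unpack(data, off)
        cmd = obj.get("cmd") if isinstance(obj, dict) else None
        frames.append({"cmd": cmd, "known": cmd in KNOWN_COMMANDS, "args": obj})
    return frames


# Constructed capture: a hand-encoded hasPkg frame (0x82 = map of 2, 0xa3 = 3-byte string, 0xb0 = 16-byte
# string) followed by two packed frames, one using a command name that is not in the module list.
SAMPLE_MESSAGE = (
    b"\x82\xa3cmd\xa6hasPkg\xa3pkg\xb0com.example.bank"
    + pack({"cmd": "reqState"})
    + pack({"cmd": "selfUpdate", "url": "wss://c2.example.invalid/ws"})
)

if __name__ == "__main__":
    for frame in decode_c2_message(SAMPLE_MESSAGE):
        print("known  " if frame["known"] else "UNKNOWN", frame["cmd"], frame["args"])
```

In practice you would use the msgpack package and feed it the payloads of the binary WebSocket frames from a pcap (for wss, from a TLS-intercepting proxy); the hand-written decoder is here so the byte layout is visible. Command names that are not in the module list are exactly what to look for when a new build of the malware appears.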
XLoader does not download malicious apps when the Android device is using a mobile data connection. Nevertheless, users should practice proper security hygiene to mitigate threats that take advantage of a home or business router's security gaps. Use strong, unique router credentials so the device is less susceptible to brute-force and dictionary attacks. Regularly update and patch the router's software and firmware to close exploitable vulnerabilities, and enable its built-in firewall.
For system administrators and information security professionals, hardening the router against attacks like DNS cache poisoning helps mitigate similar threats. Everyday users can do the same by checking whether the router's DNS settings have been modified. Even threats like DNS cache poisoning rely on social engineering, so users should also be wary of suspicious or unknown messages that show the telltale signs of malware.
We have worked with Google, which confirmed that Google Play Protect proactively detects apps of this nature. No instances of these apps were found on Google Play.
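The DNS-settings check suggested above can be automated from any machine on the network. The script below is an added example written for this page, not code from the original report: it sends a plain A-record query for a well-known hostname to the router's resolver and to a public resolver, then compares the answers. The router address (192.168.1.1) and the reference resolver (1.1.1.1) are assumed defaults to adjust on the command line; SAMPLE_RESPONSE is a constructed DNS reply used to exercise the parser offline.

```python
import socket
import struct
import sys


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record with the recursion-desired bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp):
    """Return the sorted IPv4 addresses found in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", resp, 0)
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): nothing usable
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", resp, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return sorted(ips)


def resolve(name, server, timeout=3.0):
    """Query one resolver over UDP and return its A records (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("DNS transaction ID mismatch")
    return parse_a_records(resp)


def assess(router_answers, reference_answers):
    """Compare the router resolver's answers with a reference resolver's answers."""
    if not router_answers:
        return "no answer from router resolver"
    if set(router_answers) & set(reference_answers):
        return "consistent"
    return "suspicious: router resolver answers share no address with the reference resolver"


# Constructed reply for offline testing: example.com -> 93.184.216.34 and .35, with each answer's
# name written as a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 35])
)

if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed default gateway
    reference = sys.argv[2] if len(sys.argv) > 2 else "1.1.1.1"   # assumed public resolver
    for host in ("www.facebook.com", "www.google.com"):
        via_router, via_reference = resolve(host, router), resolve(host, reference)
        print(f"{host}: router={via_router} reference={via_reference} -> {assess(via_router, via_reference)}")
```

CDNs legitimately hand different addresses to different resolvers, so a mismatch is a lead to confirm from the router's admin page (compare its upstream DNS servers with the ones your ISP assigns), not proof of tampering. An empty answer, or a DNS server in the router's settings that belongs neither to your LAN nor to your ISP, deserves the same scrutiny.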
Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (available on Google Play) blocks malicious apps of this kind. End users and enterprises can also benefit from its multilayered security capabilities that secure the device's data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and access to fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise
Hashes detected as ANDROIDOS_XLOADER.HRX (SHA-256):