«Alarmware» in Google Play: will not stop an alarm until you install another malicious app

ElevenPaths, 12 June 2015

In ElevenPaths, we have spotted a few samples of downloaders in Google Play that work in a very special way. The app hides its icon and installs a service that downloads another application from a server. We have seen this before… but the interesting part is that, to make sure the downloaded app is installed, it starts a kind of alarm that fires every few seconds until this new package from outside Google Play is indeed installed.

[Figure: One of the offensive apps]

We have found several live samples of a new variant of a downloader known as «Stew.B», which we covered a few months ago. But this time they work in a different way, even more annoyingly. They should maybe be called «alarmware».

How it works

The apps are supposed to be Minecraft or Clash of Clans guides, or even pizza recipes or weight loss advice. The analyzed app shows some ads and then removes its icon from the desktop, so the user is not able to launch it again. However, in the background, the app installs a service that launches itself on every reboot.

[Figure: Part of the configuration of the service]

This service responds to two events: when the screen locks and unlocks, and when an app is installed or uninstalled. The service uses a random function to calculate how many hours or minutes to wait, counted from the first installation of the application, before it visits the attacker's server again and gets some instructions. Among them is the URL pointing at a package to be downloaded, which could be literally anything.

[Figure: The program requests which new app to download and what message to show]

Then this freshly downloaded APK starts and… it will really try hard to be installed, even if you do not have your phone configured to install from outside Google Play.
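The manifest declarations behind the behaviour described above (a service restarted at boot, reacting to package install/uninstall events, contacting a server, and vibrating to pressure the user) can be scored during static triage of a decoded APK. The following is an added example written for this post, not ElevenPaths' or Tacyt's code; the indicator set, the threshold, and both sample manifests are constructed assumptions, and the script only sees the manifest, so icon hiding done at runtime is out of its scope.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # namespaced android:name attribute

# Assumed indicator set built from the behaviours the post describes; one point
# per declaration found, with a threshold chosen for this constructed demo.
INDICATORS = {
    "boot_action": ("action", "android.intent.action.BOOT_COMPLETED"),
    "boot_permission": ("uses-permission", "android.permission.RECEIVE_BOOT_COMPLETED"),
    "package_added": ("action", "android.intent.action.PACKAGE_ADDED"),
    "package_removed": ("action", "android.intent.action.PACKAGE_REMOVED"),
    "internet": ("uses-permission", "android.permission.INTERNET"),
    "vibrate": ("uses-permission", "android.permission.VIBRATE"),
}
THRESHOLD = 4

def triage_manifest(xml_text):
    """Return (score, sorted hit names) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    declared = {(el.tag, el.get(NAME)) for el in root.iter()
                if el.tag in ("action", "uses-permission")}
    hits = [k for k, v in INDICATORS.items() if v in declared]
    if root.find("application/service") is not None:
        hits.append("declares_service")  # background component hosting the downloader
    return len(hits), sorted(hits)

def is_suspicious(xml_text):
    return triage_manifest(xml_text)[0] >= THRESHOLD

# Constructed sample (placeholder names): what such a downloader needs to declare.
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.guide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <service android:name=".Updater"/>
    <receiver android:name=".Wake"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.PACKAGE_ADDED"/>
      <action android:name="android.intent.action.PACKAGE_REMOVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

# Constructed benign sample: an ordinary guide app that only needs network access.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""
```

A real triage run would feed the manifest extracted by a decoder such as apktool; a hit count alone is a prioritisation signal, not a verdict, since legitimate updaters declare several of the same things.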
[Figure: Basic scheme of the malware program]

Many devices will probably have the security measure enabled: «do not install APKs from untrusted sources» (outside Google Play). So the just downloaded attacker's program will not be able to be installed and one of these screens will appear again and again.

[Figure: APKs from outside Google Play are not allowed, and the telephone is not configured to use VerifyApps by default]

And, with these screens showing again and again, the user experience with the telephone becomes quite annoying. Using a trick with a toast component (a special notification text that appears when you connect to a new Wi-Fi or on any other important system message), it pops up a message and a very annoying sound again and again, even vibrating. If you cancel or go back, it starts again (sound and message), trying to convince you it is a Google Service update or something like that. This happens every few seconds.

If the user does allow installing APKs from outside Google Play, or finally configures it because he cannot stand the sound anymore, this screen will appear.

[Figure: Just before installing the downloaded APK]

The installation toast message and alert keep on appearing and beeping again and again, even if the device is silenced. The shown text is in the browser language (it was taken from the attacker's server). It becomes very difficult to use the telephone normally, unless you uninstall the original app (if you can in such a short time with the annoying screen request and sounds). It keeps annoying the user until the downloaded app is installed or the original app from Google Play is uninstalled. If the user finally installs it, the alarm stops, and there will be «two» Google Service programs… who will dare to uninstall any of them?

[Figure: One of the Google Service programs is fake]

Funnily enough, the application installed (the fake Google Service program) is just the same code as the original one again, which is weird.
We suppose the attacker is testing, but this could change at any minute. This attacker is from Russia, and used a similar technique back in March, but Google removed them.

[Figure: Some apps of the same kind were removed back in March]

A few weeks ago, the attacker managed to upload some other apps again. Some of them are still online. These are the ones we found thanks to Tacyt, as we have done before with JSDialers, JSSMSers, Clickers, Shuabang, etc.:

Guide minecraft game, com.appalexk.mcs, 965559baa77650d9c6249626d33ad14c5210c272
Guide Minecraft Free, com.appalexk.aam, bde1502855e2d9912937906c1d85bec24b3b6246
Guide for Clash of Clans, com.appalexk.cofc, 30c4db4033478007a1bdc86a40e37b5cd4053633
Recipes Pizza, com.appalexk.pizza, a84197a150285f04aee1096e96374255ccf5c2aa
Гайд для Earn to Die, com.appalexk.dde

The APK downloaded from the server is (right now): a2123233d8d972b68c721c01c6ad1785d8189fb9

Sergio de los Santos
ssantos@11paths.com
@ssantosv

Juan Manuel Tirado
juanmanuel.tirado@11paths.com