Top of the app charts. Shuabang: automated malware made in China
ElevenPaths, 28 July 2015

Have you ever wondered how some apps rocket up the charts so quickly? Sometimes you'll spot one that seems like a curveball, like a pub rock covers band hitting number one in the download charts. At the Barcelona eCrime symposium ElevenPaths presented some new thinking on a new Android malware trend called «Shuabang», a term used in China to describe the shady methods whereby certain apps are «gamed» in app stores to get them to the top of the charts.

Get downloading – a whole industry in China

«Shuabang» is to app markets what «Black SEO» is to search engines, and it is sold as a service, sometimes for a few hundred or a few thousand dollars.

http://www.theverge.com/2015/2/12/8024861/top-10-app-store-manipulation-photo

This image of a factory line process, with workers employed solely to download apps to boost their ranking, was picked up widely in the media earlier in the year. But there's a stumbling block to the number of downloads you can get: Google accounts. In Google Play a Gmail account is needed to download an app. Moreover, you not only need a Gmail account (which requires solving a CAPTCHA to register) but you need this account to be associated with a device ID. To get their fake download rate up, companies would need thousands of registered accounts. There are only so many people you can employ to hit download all day, and that isn't exactly an efficient way to run a business. This brings us to the question: «where can we get the other thousands of accounts?» It's possible to steal them or buy them on the black market, but that carries all sorts of risks. Then, of course, there's always malware: a malicious program that can do much of the heavy lifting for you by infecting numerous devices. There are already services in China that can break CAPTCHAs, but device IDs, which are harder to get, are also required for downloading.
You can't just invent device IDs either, as Google will spot them and ban the account from the outset, taking you back to square one.

The big (Shua)bang

What ElevenPaths found (thanks to Tacyt) was a new kind of malware, spread via Google Play, that associated fake accounts with existing device IDs. People infected with the malware were unknowingly giving away their own device's ID to the malware creators, and those IDs were then associated with the fake Gmail accounts. The attacker created more than 12,000 Gmail accounts and made them available to malware providers via simple web requests. They then created a malicious app that requested a Gmail account from the attackers' server every ten minutes. The program then simulated the whole registration process against Google services, thereby creating a new, seemingly human, profile. With this the attacker had all they needed to automate the Shuabang system. These apps were disguised as downloads and spread in Google Play between September and November 2014, getting millions of downloads in the process. Users who thought they were downloading a wallpaper, for example, were actually feeding this army of fake accounts for a Shuabang company.

Steal, buy or… do it yourself with malware

ElevenPaths found and alerted Google about these apps, which were then removed. The team studied them and even had access to the attackers' servers. The apps contained a reverse-engineered reimplementation of Android's account registration process. The server got millions of hits, with the results fuelling the 12,000 registered accounts over millions of innocent devices. Victims' real accounts were not compromised, but the harm for them came in consumed traffic and the potential that their device ID could be banned for fraudulent use. The attacker created a whole system connected to a «legal» company in China that offered «positioning services» for Android apps.
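The behaviour described above leaves two traces a defender can look for: one real device ID being bound to many distinct accounts in a short time, and an app contacting the same host at a fixed cadence (the "request an account every ten minutes" loop). The following is an added example, not code from ElevenPaths or from the article: it runs both heuristics over a constructed log. The log format, the `.invalid` hostnames, the device IDs and the thresholds are all assumptions chosen for illustration.

```python
"""Added example (not the article's code): two defender-side heuristics for
the Shuabang pattern, run over a constructed log.

  1. account_fan_out(): a single device ID bound to many distinct accounts
     inside a short sliding window.
  2. periodic_contacts(): a device contacting the same host at a near-constant
     cadence, which is what a ten-minute polling loop looks like on the wire.

Log format, hostnames, device IDs and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <device id> <account> <host contacted>"
# dev-0001 imitates an infected device; dev-0002/dev-0003 are ordinary users.
SAMPLE_LOG = """\
2014-10-01T10:00:00 dev-0001 acct0001@mail.invalid c2.shuabang.invalid
2014-10-01T10:10:02 dev-0001 acct0002@mail.invalid c2.shuabang.invalid
2014-10-01T10:20:01 dev-0001 acct0003@mail.invalid c2.shuabang.invalid
2014-10-01T10:29:58 dev-0001 acct0004@mail.invalid c2.shuabang.invalid
2014-10-01T10:40:00 dev-0001 acct0005@mail.invalid c2.shuabang.invalid
2014-10-01T09:12:00 dev-0002 owner@mail.invalid accounts.example.invalid
2014-10-01T13:47:30 dev-0002 owner@mail.invalid accounts.example.invalid
2014-10-01T13:48:00 dev-0002 owner@mail.invalid accounts.example.invalid
2014-10-02T08:05:15 dev-0003 someone@mail.invalid accounts.example.invalid
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, device, account, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, account, host = line.split()
        events.append((datetime.fromisoformat(ts), device, account, host))
    return sorted(events)  # tuples sort by timestamp first


def account_fan_out(events, window=timedelta(hours=1), max_accounts=2):
    """Return {device: n} for devices that bind more than max_accounts distinct
    accounts within any sliding window of the given length."""
    by_device = defaultdict(list)
    for ts, device, account, _host in events:
        by_device[device].append((ts, account))
    flagged = {}
    for device, rows in by_device.items():
        rows.sort()
        start = 0
        worst = 0
        for end in range(len(rows)):
            # advance the window start until it fits inside the window length
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({acct for _ts, acct in rows[start:end + 1]})
            worst = max(worst, distinct)
        if worst > max_accounts:
            flagged[device] = worst
    return flagged


def periodic_contacts(events, min_contacts=4, max_jitter_ratio=0.05):
    """Return {(device, host): period_seconds} for pairs whose inter-arrival
    times are nearly constant (std dev at most max_jitter_ratio * mean)."""
    by_pair = defaultdict(list)
    for ts, device, _account, host in events:
        by_pair[(device, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter_ratio * avg:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("devices with account fan-out:", account_fan_out(evs))
    print("periodic contacts:", periodic_contacts(evs))
```

On the constructed log, dev-0001 is flagged by both heuristics (five accounts in forty minutes, and a 600-second beacon to the same host), while the ordinary devices trigger neither. Both thresholds are deliberately loose; in practice they would be tuned against the baseline of legitimate account activity seen on the platform being monitored.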
New malware methods

This attack was extremely interesting, not only for the code of the malware itself, but because they managed to fool Google Play by uploading these apps hundreds of times. Antivirus vendors were not aware of the attack until ElevenPaths told them, and they had to define a new malware family in order to detect it. But the work did not stop there. ElevenPaths has been following the gang since the apps were removed and got to know about their new plans. They have found new malware that does not just associate an account with a device ID, but creates the Gmail account from scratch, although it's not believed this particular malware has spread yet. This time the new malware does not get assigned Gmail accounts but, using data from the attackers' server, asks Google to create the Gmail account, sends the CAPTCHA to that service to be broken, and associates the device ID… all without the victim noticing anything.

What can the user do?

Common sense is always the best policy. It's still very unusual for malware to take advantage of Android vulnerabilities, so wider prevention is all about making users aware that they have to physically install the malware themselves. We'd recommend that people whitelist their apps, so they only install the most reputable programs. Here are a couple of tips to make sure you don't become a victim:

- Never install apps from outside Google Play or other markets you really trust. If in doubt, research the developer.
- Never trust very «new» apps. Wait until they've been around a few months and have had a few thousand downloads.
- Ban apps you do not feel comfortable with. If an app requires too many permissions, downloading it is probably a bad idea.
- Use an antivirus on your phone.

So next time you see an app that's simply too good to be true, the chances are it probably is. Prevention is always the best cure, so exercise due caution and don't let the Shuabangers get the better of you.

* A version of this article was originally published by SCMagazine, here.