"Not today downloaders": New downloaders techniques in Google Play

Friday, February 27, 2015

Downloaders are not new in Android, but lately they are becoming more and more important for attackers as a way to get past Google Play's barriers and malware detection. At Eleven Paths we have detected downloaders that, under the appearance of innocent apps, are able to download a much more dangerous APK (literally, anything). They need user interaction and the "install from unknown sources" setting enabled, but the trick they use to fool the victim is quite ingenious: it lets a second app run without the user associating the later problems with the first app installed. Let's see how.

Downloaders are an old trick on PC and not exactly new in Android either. These apps try to "find their way" to the victim by requesting fewer permissions, or even by providing whatever feature they promise. This is how they get into Google Play. Then, in some future version, once they are consolidated in the market, they mutate: they become downloaders of some other, much more complex adware or malware. Attackers are much more successful with these techniques, and there are many variants. Let's see a new one.

How it works

The apps we have found are not widely detected by antivirus yet and, when they are, it is mostly because of the aggressive ad techniques they use, not because of the download technique itself. Many of them are still in Google Play. We are analyzing this one, which is still online.

One of the downloaders in Google Play

It is supposed to be a voice changer, and it indeed is: it just saves a .wav file and modifies the playback frequency. The app itself embeds three different SDKs from three different ad providers, which means the downloader itself floods the device with aggressive ads. But that is not enough... The app declares a receiver for "USER_PRESENT".


USER_PRESENT receiver, to activate when the user unlocks the device

This is an official event that is broadcast every time the device "wakes up" because of a user action, in other words, basically when it is unlocked. This is the code executed when the event is received:

Code activated when the telephone is unlocked

Basically, what the app does is make sure it has connectivity. Then it checks that it is only launched once a day. This happens even when we are "out of the app". The app counts the number of times it has been executed (in the "k" variable) and stores it in its preferences.

Downloading... but not today

The app does not download anything on the same day the downloader was installed, so it avoids any "dynamic analysis". The user installs this voice changer but notices nothing strange until, at the earliest, the next day. Then, the next day, another check is done. Two out of every three times it visits the URL shown in the image, where a txt file points to some other app in Google Play, so the developer floods the screen with "ads".

But the interesting part occurs when the app does not enter this "if" clause and continues down the code. The method Gfveaqwfea checks for the existence of the com.facebook app. This is not the official Facebook app (which is com.facebook.katana), but the adware that will be installed.

Checking if com.facebook exists, and if not, downloading the new app

The app checks whether the device allows installing apps from outside Google Play. This is very common in certain countries where the use of Google Play is limited, and it is also a common configuration on the devices of users who like to install "unofficial" apps, so the technique will be very successful in those scenarios. If so, a.apk is downloaded from the URL and saved as xxx.apk.
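The traits just described (a USER_PRESENT receiver, the INTERNET permission, a check of the "install from unknown sources" setting and an .apk fetched from a URL) can be turned into a static triage check over a decoded APK. The following Python script is an added example, not code from the post or from the sample; the manifest and the string constants are constructed to resemble what the post describes (the package and class names are placeholders), and `install_non_market_apps` is the Android Settings.Secure key behind the "unknown sources" option. It scores an app by how many of those traits it exhibits:

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest resembling the receiver declaration described in the post.
# Package and class names are placeholders, not the real sample's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicechanger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Voice Changer">
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed string constants as they might appear in the decoded code of such an app
# (e.g. extracted from the smali files); the URL is a placeholder.
SAMPLE_STRINGS = [
    "install_non_market_apps",
    "http://example.invalid/a.apk",
    "/Download/xxx.apk",
    "com.facebook",
    "application/vnd.android.package-archive",
]

APK_URL = re.compile(r"https?://\S+\.apk", re.IGNORECASE)


def user_present_receivers(manifest_xml):
    """Return the class names of receivers whose intent-filter listens for USER_PRESENT."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.USER_PRESENT":
                found.append(receiver.get(ANDROID_NS + "name"))
    return found


def permissions(manifest_xml):
    """Return the set of permission names requested in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Score the combination of traits the post describes; returns (score, reasons)."""
    reasons = []
    receivers = user_present_receivers(manifest_xml)
    if receivers:
        reasons.append("USER_PRESENT receiver(s): " + ", ".join(receivers))
    if "android.permission.INTERNET" in permissions(manifest_xml):
        reasons.append("INTERNET permission")
    lowered = [s.lower() for s in strings]
    if any("install_non_market_apps" in s for s in lowered):
        reasons.append("reads the 'unknown sources' setting")
    if any(APK_URL.search(s) for s in strings):
        reasons.append("downloads an .apk from a URL")
    if any("package-archive" in s for s in lowered):
        reasons.append("APK installer MIME type present")
    return len(reasons), reasons


if __name__ == "__main__":
    score, why = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    print(f"score {score}/5")
    for line in why:
        print(" -", line)
```

A score of 5 on the constructed input means every trait is present; on a real corpus the thresholds are a starting point for review, since a single trait (a USER_PRESENT receiver alone, for instance) is common in benign apps.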

Checks for "install from outside Google Play" permission. If available, it tries to download the new apk


The new apk in the "Download" folder

The user sees nothing and no question is asked. Then it is launched. Depending on the configuration of the device (whether the user has associated this action automatically with Verify Apps or with Install Directly), an app selector may or may not be shown. When this second app is being installed, this is what the user sees:

Looks like a legitimate Facebook update

It is important to remember that this image appears when the user unlocks the phone, the day after the original app was installed, and only 1 out of 3 times until it is installed... so it is very unlikely that the user associates the earlier installation of the "voice changer", for example, with this "update", which looks like a legitimate installation or update of Facebook. The icon is quite similar and the name makes it even more confusing.


Downloader general scheme


This newly downloaded app may be literally anything. In this case it impersonates Facebook, and its icon disappears just a second after being installed. If the user has the real Facebook, he or she will think Facebook is just updating itself and will probably forget about it. But what has really happened is that the user has installed a very aggressive adware through this "social engineering" trick.

The icon of the fake Facebook will disappear

Conclusions

Attackers are becoming more and more specialized in getting an app into Google Play and transforming it into adware/malware in the long term. This long-term operation gives them more victims, and we are detecting this pattern more and more in malicious apps. The trick of executing the app only when the phone is unlocked gives it extra "credibility" with the victim.

With Path5, we have found the person behind these apps (a Polish programmer). He has been operating since late 2014. There are currently about 20 apps like this still up in Google Play, out of more than 100 from this same developer that have been in Google Play lately. The app we have just analyzed here is us.free.voice.changer.funny.voices.lolapps, with SHA1 c0eb7cde5a1b3818a1d7af2f580f8ea3fa1e8d61.

The ones that seem to be from the same person, using the same technique, and still online, are these:

  • TV remote controller, us.tv.remote.pilot.television.free.tool2, 88287f102bbd9cf3a3e5e7601b5bc8ee760d4525
  • Faster Wifi PRANK, us.phonehelper.wifi.booster.free, 74b2cc8d95c001832a4d4fb11ea3cb9638daf5e8
  • Visión nocturna gratis, us.night.vision.nightvision.free.useit, 1606ce1f616e3ba29ac021e4ce1ac1cb5e84b7a4
  • Funny voice changer, us.free.voice.changer.funny.voices.lolapps, c0eb7cde5a1b3818a1d7af2f580f8ea3fa1e8d61
  • Fake phone call, us.free.fake.call.caller.lolapps, 3b0a2b88effd264235e75984cea3bc77a6304e8b
  • Fake connection, us.fake.call.caller.free.usapps, 2f3c8a8cd1e5ecdad0e348484c72f25aff45d755
  • Faster internet PRANK, us.phonehelper.internet.booster.free, c2b083d0ce9d13e8df2f680f2901cd54778d385e
  • Increase battery life PRANK, us.phonehelper.battery.booster.free, 4890c7437268b65ef376515047c13e0eecffdd9a
  • Funny voice changer, us.free.voice.changer.funny.voices.lolapps, a97c7f6669c41ead0ba54928ebe2cad5ba706bc5
  • Transparent phone HD, us.transparent.screen.diaphanous.phone.lolapps, 64e44c0d234f96eff5f0e44305d25b35242b0e51
  • Flash-Player installation, us.flashapps.free.flashplayer, 9f0c9145f2a265d476b936830fa9dde3d024eab6
  • Diáfano teléfono (gratis), us.transparent.screen.diaphanous.phone.free.smartools, c6c2617f7cf512669f553876939e5ca367c9e746
  • Increase volume sound PRANK, us.phonehelper.sound.booster.free, 3e360ee39146cbd834280c18d656e3e9f6d0df2f
  • Termómetro electrónico gratis, us.digital.electronic.thermometer.free.measure.temperature.temp, 722f7f2c10c4b656ded858cf9f91a8c55ea226b6
  • Ski jumping 2015, us.ski.jumping.free.game.full.sportgames, 638a1c331e76bec73b1a46a451e4d1de6cd20879
  • FlashPlayer, us.flashapps.free.flashplayer2, 9f7aa1bc90770748681b08e3ee63dcb974195f7a
  • Falsa llamada entrante, us.free.fake.call.caller.smartools, fb9c05094eb1fdcfa8aec07eeff1e95ee7814e76
  • Increase network signal PRANK, us.phonehelper.signal.booster.free, 495b151c5e709bfa50c671c8fb93cbeaee29e025
  • Control remoto para la TV, us.tv.remote.pilot.television.free.tool, dbfd108973388d6c1a506ac68b79463df8271f5c
  • Fake phone call, us.free.fake.call.caller.lolapps, e96d2ab7d8d0c7990be07bd42b9e9bc079e70f3a
  • Tonos para Navidad, us.christmas.ringtones.free.carols.mp3.ringtonedownloader, fa57543faf60073f56041caee0f1524cfc9f77dd


Sergio de los Santos
ssantos@11paths.com

Juan Manuel Tirado
juanmanuel.tirado@11paths.com


SmartID and SealSign on Mobile World Congress 2015

Monday, February 23, 2015

In this increasingly digital world, where users’ identity and privacy are exposed to continuous threats, Telefónica and ElevenPaths have created a secure digital ecosystem which allows users to keep control of their personal data, preserve their digital identity and safeguard their privacy.

As already announced, we have incorporated into our identity and privacy solutions what is known as “strong authentication”, based on biometrics, in SmartID, and, in SealSign, a robust digital signature technology which prevents possible identity theft and opens up more ways to safely digitise business processes such as legal and commercial documents.

Both solutions will be on display at the Telefónica stand at the Mobile World Congress 2015 (MWC15), to be held from 2 to 5 March in Barcelona.

Currently, many of the security breaches we see involve an attack on people’s identities, so dealing with this is one of the most complex, but important, issues faced today. The reduction of fraud and problems related to identity theft must be a priority for individuals and companies in order to retain confidence in digital services and applications. Through these two new ElevenPaths solutions we are in a strong position to help provide this much needed protection as well as opening up new ways of working and accessing digital services.

1. SmartID is a solution which allows for more secure user authentication when accessing applications and physical equipment, by combining different elements such as smart cards, RFID/NFC devices and biometric fingerprint recognition.

SmartID essentially combines something you are (such as your fingerprint, face and voice recognition); something you have, such as your eID or your mobile phone, and finally, something you know, such as your user name, password or PIN to provide more complete identity protection and verification. Through a combination of these factors, identity theft in the authentication process is dramatically minimised in scenarios like accessing an e-commerce website, logging into your personal or work email account or when passing through security control at an airport. SmartID can also be integrated with Latch, the ElevenPaths “digital padlock” service which minimises the exposure time of personal data, therefore further reducing the risk of cyber-attacks and identity theft.

This solution is compatible with the new Spanish electronic ID, DNIe 3.0, which allows for secure identification and replaces common passwords with multi-credential systems which combine at least two factors to establish the user’s digital identity. By using SmartID Spanish companies can implement security solutions based on the new identity card quickly and easily, reducing fraud and identity theft.

2. SealSign is an electronic document-signing platform for companies, compatible with digital certificates, biometric systems, One-time Password (OTP) systems and the long-term storage of signed documents. This service offers a solution based on behavioural biometry, such as a user’s voice or signature. Biometric recognition coupled with electronic signatures allows user payments, among other things, to be protected, permits access to sensitive information to be safeguarded, and also enables electronic document signing in a safe way - saving businesses time and money.

To demonstrate the effectiveness of SealSign visitors will be challenged to forge the signature of a well-known personality showcasing the reliability and accuracy of the SealSign biometric signature solution.

Come to Hall Stand 3J2O and participate in our demos!


JSDialers: apps calling premium rate numbers (with new techniques) in Google Play

Friday, February 20, 2015

During last year, a lot of "made in Spain" malware was found in Google Play. It was basically malware that tried to silently subscribe the victim to premium SMS numbers. For a while now the problem has faded, and it was hard to find this kind of app, at least in Google Play. At Eleven Paths we have found seven apps in recent weeks that use new techniques based on JavaScript, more dynamic and smarter. They managed to upload fraudulent apps to Google Play. We have called them JSDialers. Let's see how they work.

With Google Play more vigilant about premium SMS apps in its market, the attackers have tried other techniques that avoid Java and focus on JavaScript received from the servers. Besides, they do not only subscribe the victim to premium SMS services: they make phone calls to premium rate numbers. Everything is done in a very smart way. For example, they try to mute the phone and microphone during the calls, they try to hide the call itself from the screen... and they take the whole code from the servers instead of embedding it.

What the user perceives

When the user downloads and installs any of these apps, something like this is shown.


First views of the apps

These are the typical "terms and conditions" that probably nobody reads. Accepting them implies making the phone call automatically and transparently for the user. The "Aceptar" image shown is taken from this jpg file:

hxxp://www.contentmobileapps.com/called/images/continuar_call_100.jpg

Whatever the user answers about their age, the device shows an animation (a GIF taken from hxxp://www.contentmobileapps.com/called/images/loading.gif) while the actual phone call to a premium rate number is made.

GIF shown to the user while the phone call is done

It seems that, depending on the phone, a green bar may appear for a few seconds, but the developer tries to hide it.

The device making the call may be detected in the background

The attacker mutes the phone and microphone so the user is unable to hear the message of the call and the recorded announcement.

On the last line one can observe the attempt to mute the microphone and device volume

The victim is subscribed to this service and has to face the costs of the premium rate calls. The user can now browse the recipes, but the phone call has already been made.

The app is just some links to a web, but the phone call has been made

Clicking on the "Help" button gives the option to unsubscribe.

The app offers instructions on how to cancel the subscription

What happens and how does it work?

These apps depend strongly on the servers and work via a Cordova plugin. Cordova is a set of device APIs that allow a developer to access device functions from JavaScript. The permissions of the analyzed app are these, although they are not the same in all of them; some of them lack the SMS permissions.


Permissions in one of the apps. Some of them lack SMS permissions

The first thing the app does is launch a WebView with Cordova that shows an internal HTML page.

The obfuscated domain starts the real communication with the server

A request like this is made: hxxp://highmas.com/alcalinas/home.php?movil=ffffffff-XXXX-ffff-ffffd6de17fd&version=16&modelo=GT-XXXX%20(goldenxx). The user receives a welcome screen and is asked for his/her age. Whatever is clicked, the app goes to the same function, which gathers some information with a form. The value in the CAPTCHA field is useless; it seems to belong to some discarded tests.

Form sent to the server

A web redirect after the request takes the user to a webpage where the country and carrier are checked.

The app checks the country and carrier via JavaScript
Once everything is checked, the terms and conditions are shown. When they are accepted, the app calls "term_acept.asp", which finally returns dynamically the premium rate number to be called.

The premium rate number is returned. The app will make an unnoticed phone call

With Cordova's help and a dialler plugin, it finally makes an actual phone call.


Some other interesting info and more apps

The developers have found a way to get back to fraudulent activity with premium rate phone calls. Who is behind these apps? The domains being used and the terms and conditions are very clear. We are investigating the developers and some other apps they have, and will try to publish a report soon.

With Path5, we could find similar apps. Some of them have already been removed, but not all of them. They have been uploading fraudulent apps since early January.





Some examples of found apps

Some apps have mutated from apps related to cars (in Japanese) into porn. This is their preferred way to hide better in Google Play.


App that changed at some point

These are the applications, package names and hashes. Only one of these apps has been analyzed on VirusTotal, and it was not detected by any engine so far.

  • Videos hd peliculas porno sexo, com.gepekline, 6f1c3a596920298873f1e38842f751991875e6d6
  • Peliculas videos sexo Porno hd, com.wheelpvies, 34b2bba921e9b7d9c8242d31e2cc011908684d9a
  • Videos hd peliculas porno sexo, com.spportss, ada71fc53f9aae5f84cc69814b58f65f1e273067
  • Canciones infantiles y videos, com.sursongsonline, 1fcce1b8effdcbdef54cc02675eefc5214fec67b
  • Peliculas videos porno sexo hd, com.escarsysview, 031490dd0b824c02be7d0fe728d67f998ef7c914
  • Cine estrenos peliculas online, com.filmsmeka, e856cd2d4a366abbb1df18c8bc53c7a35a6da535
  • Un millón de recetas de cocina, com.recippes, 194362c46b124161a5289d1d3c4c56f93b142044
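A practical use of the hashes published in this post and in the downloaders post above is to check a folder of collected APKs against them. The following Python script is an added example, not part of either post; the hash list is copied from the two posts and the scanning logic is ours:

```python
import hashlib
import os

# SHA1 hashes and package names as listed in the two posts (downloaders and JSDialers).
KNOWN_SAMPLES = {
    "88287f102bbd9cf3a3e5e7601b5bc8ee760d4525": "downloader: us.tv.remote.pilot.television.free.tool2",
    "74b2cc8d95c001832a4d4fb11ea3cb9638daf5e8": "downloader: us.phonehelper.wifi.booster.free",
    "1606ce1f616e3ba29ac021e4ce1ac1cb5e84b7a4": "downloader: us.night.vision.nightvision.free.useit",
    "c0eb7cde5a1b3818a1d7af2f580f8ea3fa1e8d61": "downloader: us.free.voice.changer.funny.voices.lolapps",
    "3b0a2b88effd264235e75984cea3bc77a6304e8b": "downloader: us.free.fake.call.caller.lolapps",
    "2f3c8a8cd1e5ecdad0e348484c72f25aff45d755": "downloader: us.fake.call.caller.free.usapps",
    "c2b083d0ce9d13e8df2f680f2901cd54778d385e": "downloader: us.phonehelper.internet.booster.free",
    "4890c7437268b65ef376515047c13e0eecffdd9a": "downloader: us.phonehelper.battery.booster.free",
    "a97c7f6669c41ead0ba54928ebe2cad5ba706bc5": "downloader: us.free.voice.changer.funny.voices.lolapps",
    "64e44c0d234f96eff5f0e44305d25b35242b0e51": "downloader: us.transparent.screen.diaphanous.phone.lolapps",
    "9f0c9145f2a265d476b936830fa9dde3d024eab6": "downloader: us.flashapps.free.flashplayer",
    "c6c2617f7cf512669f553876939e5ca367c9e746": "downloader: us.transparent.screen.diaphanous.phone.free.smartools",
    "3e360ee39146cbd834280c18d656e3e9f6d0df2f": "downloader: us.phonehelper.sound.booster.free",
    "722f7f2c10c4b656ded858cf9f91a8c55ea226b6": "downloader: us.digital.electronic.thermometer.free.measure.temperature.temp",
    "638a1c331e76bec73b1a46a451e4d1de6cd20879": "downloader: us.ski.jumping.free.game.full.sportgames",
    "9f7aa1bc90770748681b08e3ee63dcb974195f7a": "downloader: us.flashapps.free.flashplayer2",
    "fb9c05094eb1fdcfa8aec07eeff1e95ee7814e76": "downloader: us.free.fake.call.caller.smartools",
    "495b151c5e709bfa50c671c8fb93cbeaee29e025": "downloader: us.phonehelper.signal.booster.free",
    "dbfd108973388d6c1a506ac68b79463df8271f5c": "downloader: us.tv.remote.pilot.television.free.tool",
    "e96d2ab7d8d0c7990be07bd42b9e9bc079e70f3a": "downloader: us.free.fake.call.caller.lolapps",
    "fa57543faf60073f56041caee0f1524cfc9f77dd": "downloader: us.christmas.ringtones.free.carols.mp3.ringtonedownloader",
    "6f1c3a596920298873f1e38842f751991875e6d6": "JSDialer: com.gepekline",
    "34b2bba921e9b7d9c8242d31e2cc011908684d9a": "JSDialer: com.wheelpvies",
    "ada71fc53f9aae5f84cc69814b58f65f1e273067": "JSDialer: com.spportss",
    "1fcce1b8effdcbdef54cc02675eefc5214fec67b": "JSDialer: com.sursongsonline",
    "031490dd0b824c02be7d0fe728d67f998ef7c914": "JSDialer: com.escarsysview",
    "e856cd2d4a366abbb1df18c8bc53c7a35a6da535": "JSDialer: com.filmsmeka",
    "194362c46b124161a5289d1d3c4c56f93b142044": "JSDialer: com.recippes",
}


def sha1_of_bytes(data):
    """SHA1 hex digest of an in-memory blob (handy for tests and small files)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """SHA1 hex digest of a file, read in chunks so large APKs do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def match_hashes(hashes):
    """Return {hash: label} for every given hash present in the known list (case-insensitive)."""
    found = {}
    for h in hashes:
        key = h.strip().lower()
        if key in KNOWN_SAMPLES:
            found[key] = KNOWN_SAMPLES[key]
    return found


def scan_dir(directory):
    """Hash every .apk in a directory and report those that match a known sample."""
    hits = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if name.lower().endswith(".apk") and os.path.isfile(path):
            digest = sha1_of_file(path)
            if digest in KNOWN_SAMPLES:
                hits[path] = (digest, KNOWN_SAMPLES[digest])
    return hits


if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (digest, label) in scan_dir(folder).items():
        print(f"{path}  {digest}  {label}")
```

Hash matching only catches these exact builds; the posts note that the same developers keep uploading new versions, so the package-name column is the more durable indicator for a market or MDM inventory check.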

With our database, we have been able to locate some other apps and prove that the developers behind them come from Valencia and have been working on these frauds for a few months now.

Fraudulent JSDialers in our data base


The whole document is available here:




Sergio de los Santos
ssantos@11paths.com
@ssantosv

Juan Manuel Tirado
juanmanuel.tirado@11paths.com

Miguel Ángel García
miguelangel.garcia@11paths.com

New Tool: JavaRuleSetter for creating Deployment Rule Sets in Java

Sunday, February 15, 2015

Oracle introduced the notion of whitelisting in Java 7 update 40. It was called Deployment Rule Set. In Java 7 update 51, it introduced a new feature that was close to whitelisting as well, but very different: the Exception Site List. In this post we make the differences clear and introduce a new tool we have just developed, which may be seen as some kind of Java firewall. It is called JavaRuleSetter.

Deployment Rule Set

In the beginning there was just the Deployment Rule Set, intended to create white and black lists for Java applet execution. It was basically meant for administrators to block RIAs (Java applets and Java Web Start applications, known collectively as Rich Internet Applications) by domain, certificate or name. This was great but quite difficult to implement. The steps to get these rule sets working were:
  • Create a ruleset in XML. You have to know the syntax... for example:
    <ruleset version="1.0+">
      <rule>
        <id location="http://*.java.com" />
        <action permission="run" version="SECURE-1.7" />
      </rule>
      <rule>
        <id />
        <action permission="block">
          <message>Bloqueado por las reglas del sistema</message>
        </action>
      </rule>
    </ruleset>

  • Compile it with Java (you would need the JDK).
  • Sign it with a trusted certificate of your own. If you do not have one, you have to create it.
  • Copy it to a standard place in the system.
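To show how those steps fit together, here is an added Python example (not JavaRuleSetter's own code) that generates a ruleset.xml with one "run" rule per allowed location and a final catch-all "block" rule, and lists the jar and jarsigner commands that package and sign it. The keystore name and alias are placeholders, and the locations in the `__main__` block are made up. Java evaluates the rules in order and applies the first match, which is why the empty `<id />` rule must come last:

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom


def build_ruleset(allowed_locations, block_message, version="SECURE-1.7"):
    """Build a <ruleset>: one "run" rule per allowed location, then a catch-all "block".
    Rules are matched in order, so the empty <id /> (matches every RIA) goes last."""
    ruleset = ET.Element("ruleset", version="1.0+")
    for location in allowed_locations:
        rule = ET.SubElement(ruleset, "rule")
        ET.SubElement(rule, "id", location=location)
        ET.SubElement(rule, "action", permission="run", version=version)
    catch_all = ET.SubElement(ruleset, "rule")
    ET.SubElement(catch_all, "id")  # no attributes: matches everything not matched above
    action = ET.SubElement(catch_all, "action", permission="block")
    ET.SubElement(action, "message").text = block_message
    return ruleset


def ruleset_xml(allowed_locations, block_message):
    """Pretty-printed ruleset.xml text."""
    raw = ET.tostring(build_ruleset(allowed_locations, block_message), encoding="unicode")
    return minidom.parseString(raw).toprettyxml(indent="  ")


def summarize(xml_text):
    """Return [(location or None, permission), ...] in rule order, for reviewing a ruleset."""
    root = ET.fromstring(xml_text)
    return [(rule.find("id").get("location"), rule.find("action").get("permission"))
            for rule in root.findall("rule")]


def packaging_commands(keystore="mykeystore.jks", alias="mykey"):
    """Commands run after writing ruleset.xml. Keystore path and alias are placeholders;
    the signing certificate must be trusted by the JRE's certificate store."""
    return [
        "jar cf DeploymentRuleSet.jar ruleset.xml",
        f"jarsigner -keystore {keystore} DeploymentRuleSet.jar {alias}",
    ]


if __name__ == "__main__":
    # Made-up locations: allow two sites, block every other RIA with a message.
    text = ruleset_xml(["http://*.java.com", "https://intranet.example.invalid"],
                       "Blocked by the system rules")
    with open("ruleset.xml", "w", encoding="utf-8") as fh:
        fh.write(text)
    print(text)
    print("\n".join(packaging_commands()))
```

The signed DeploymentRuleSet.jar then goes into the system-wide deployment directory the post's last step refers to; the version attribute on the "run" action follows the page's example (SECURE-1.7), which restricts the allowed sites to a JRE that is still secure.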
The result was that, when visiting a web page with an applet, this is the decision tree Java follows to decide whether to run it. A rule may block it completely, or allow it only if it is properly digitally signed; in that case the applet runs without prompts. If the rule is set to "default", the decision goes on to the Exception Site List decision tree.

When the browser detects a RIA (applet or JWSA), it first goes through this decision system for Deployment Rule Sets

That was really hard for an administrator and even impossible for a standard user, so Java reacted by creating the Exception Site List. But Rule Sets may very well be used by single users, not only administrators. This is one of the reasons we have created this tool: to simplify the creation of rules for advanced users, and to handle the whole process (create a certificate, sign it, etc.) for less savvy users.

Exception Site List

This was created in January 2014 (just months after Deployment Rule Sets) for users. It does not require administrative privileges and it is all done via the Java interface. It may be seen as a second way to whitelist, not as powerful as Rule Sets, and as a first layer of defense for a single user.

In a nutshell, Exception Lists affect prompts. They never make the prompts disappear, but they never let an applet be blocked either, even if security is set to "high". Exception Lists make no difference if the security level is set to medium. This diagram shows it:

Exception List flow

To create an Exception List, just run javacpl.exe (the Java Control Panel) and add a domain. It will work one way or another depending on the Java security configuration.

How Exception Lists are configured in Java 7. It may differ a bit in Java 8

The file controlling the Exception Site List is stored in the user’s deployment location C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites in Windows.

Rule Sets VS Exception Site Lists

So the main differences are:

Comparison between Exception Site List and Deployment Rule Set

Rule Sets allow creating a rule set and distributing it to several computers. They win over Exception Site Lists in case of conflict, and may be modified only by an administrator (not by the user). Another interesting thing is that Rule Sets work at a very early stage: if some day the security levels are defeated, Exception Site Lists would be bypassed, but not the Rule Sets.

The whole picture

Java is complicated right now. This is the decision flow when executing an applet (or a RIA in general), and the best way to understand how security has improved in just two years. The complete flow of Java applets executing or not, depending on JRE version, Deployment Rules, Exception Lists, etc., is this. Deployment Rules work at the second level from the start, and Exception Lists at the fifth level.


Java, the whole decision picture about RIAs

The tool

Java Rule Setter is intended for users who are really worried about Java security (they all should be) and have to work with it (if you don't, just uninstall it from the browser).

If you have no idea what you are doing, just add a domain you need Java to run on and click "Apply changes". The program will create default settings and apply them. If you are a savvy user, you can use your usual keystore to sign the Deployment Rule file and skip the whole process. Click "Advanced mode" for more information.


Blocking everything will avoid the execution of any applet in a very early stage
Browser blocking rules because of the program

Adding a new domain to be whitelisted

Domain added to the allowed domains


For more granularity, the advanced mode may be used

There is a very basic way to use it. Just run it and add a rule with a domain you want in your whitelist (wildcards supported). Click "Block everything else" and apply changes. You will need to elevate privileges twice: once for adding a certificate (only the first time) and once for copying the Rule Set file to system32.

The tool works in GNU/Linux and Mac OS X, although it has not been fully tested in those platforms.

We have created two versions, for Java 8 and Java 7. This tool is in alpha version, so it may contain some bugs. Please report them so we can fix them.

To deeply get to know the Deployment Rule Set system and take full advantage of the tool, we recommend reading this official documentation:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

More information and instructions are available here.


Sergio de los Santos
ssantos@11paths.com

Winners of the Latch Plugins Contest

Thursday, February 12, 2015

As you know, last 16th of October 2014, as part of our annual "Security Innovation Day" event, we announced the launch of the "Latch Plugins Contest", the first Latch competition aimed at developing innovative and useful plugins for the Latch service.

The story tells that something went wrong in the latest ElevenPaths job, and Chema Alonso needed your help. He promised to reward whoever succeeded in making the best Latch plugin with a financial prize of up to US$10,000 (in bitcoins). Take a look at the video and remember the story!

January 15th was the deadline for registrations, and then it was up to our jury: a top-notch panel featuring Chema Alonso (CEO of ElevenPaths), José Palazón (Head of Software and Product Development), David Barroso (Technical Manager) and Olvido Nicolás (Head of Marketing).

Well, here they are, these are the winning plugins in the first Latch Plugins Contest:

First prize – US$10,000
Winner: Carlos Rodríguez
Plugin: Devise_latcheable

Description:
  • The Latch plugin for Ruby on Rails enables Latch to be integrated into the user authentication and registration process.
  • This plugin makes Latch a gem for Ruby on Rails and allows an additional security layer (2FA) to be added to the authentication process in any Ruby application.

What we liked about it:
  • It provides knowledge and a security solution for the Ruby on Rails developer community.

Second prize – US$5,000
Winner: Gregorio Juliana Quirós
Plugin: Latch for electronic door locks using DNIe, NFC and mobile app identification

Description:
  • The idea of the prototype consists of a system for locking and unlocking electronic doors, activated by a mobile app or by NFC-based smart cards.
  • This plugin allows Latch to be integrated in electronic locks using DNIe, NFC and identification via mobile apps to allow or deny access in the user authentication process. How? Easy: in the case of fraudulent use of your identity, Latch will warn you with an alert on the Latch app on your cell phone.

What we liked about it:
  • It's a usable, simple and convenient security application.

Third prize – US$1,000
Winner: Javier Pena Rendo
Plugin: Latch Plugin for Liferay

Description:
  • The Latch plugin for Liferay enables Latch to be integrated into the user authentication process in any instance of Liferay.

What we liked about it:
  • The quality of its implementation and that it may be used in any Liferay product.

Special mention – 200
Winner: David Garduño
Plugin: Latch Plugin for Asterisk

Description:
  • The Latch plugin for Asterisk enables Latch to be integrated in an Asterisk switchboard to control call operations. That means we can block or unblock a certain kind of calls and even program the time segment during which we wish to be disconnected. For example, if we went to bed and didn't want to receive any calls, we could do this with the Latch plugin for Asterisk.

What we liked about it:
  • The innovation and originality of the idea, the clarity of the documentation, and the capacity to convey it.

Congratulations to the winners!

Detected some "clickers" in Google Play simulating apps and games

Tuesday, February 3, 2015

In recent days, some apps have appeared in Google Play that work as "clickers", among them an app simulating Talking Tom (which was online for just a few hours) and a "Cut the Rope". In this case they visit ads and porn websites and simulate clicks on the banners, so the attacker gets some profit. This is a known scheme that affects the user's data plan, because the apps keep requesting pages in the background and the victim is not aware of it. ElevenPaths detected the apps in the market early; they work in an interesting way and seem to have been created by someone in Turkey.

Since December, a developer has been uploading apps to Google Play with the sole intention of starting with the device and making GET requests in the background. Promising different kinds of apps (from remote controls and X-rated video searchers to flight simulators and games), these apps add up to 50,000 downloads across the 32 apps we have spotted. Obviously not all the downloads translate into an infection (Verify Apps and other factors may intervene), but they seem to be quite popular.

Some of the apps are just "clickers" under different "disguises" to attract victims

One of the apps is a scientific calculator with its description text in Italian. We have asked Google to remove this application, which was still online (maybe because it was a little more advanced than the others and passed unnoticed) and which we located thanks to Path5.

App that wasn't removed from Google Play, one of the last remaining.
It worked in a more sophisticated way than the others.

What the app does

When it starts, it always shows a dialog with the text "Application is not compatible" in Italian, Turkish and Spanish, among other languages.

The app always shows the same dialog when it starts

It hides its icon, modifying values in the Manifest, after the first time it runs and after showing the message. It does nothing else until it receives a change in WiFi or data connection, or a reboot. It then connects to this encoded URL (it is not base64, although it looks like it).

Encoded URL

Decoded, it turns out to be: hxxp://1.oin.systems/check.php. If it responds with "True" (which is pretty much always by now), its activity starts.

Other variants connect to other URLs like this one:

Or this one, depending on the sample: hxxp://pop.oin.systems/commands.php.

Every time a new request is made, the apps get instructions on where to go and what to click. In every connection they get new domains to connect to.

Request for the place it has to visit

In just a few minutes, the device has generated dozens of requests. From the user's standpoint, the problem is the data consumption if he or she has a paid data plan. The apps are activated when the device boots, so although the app itself is not active or launched, the device is consuming data all the time.

Extract of the traffic generated by the device during a few minutes.
Most of them are porn sites

Indiscriminate visits are made through a service that builds a WindowManager with a width and height of "-2" (so the user is not able to actually see it on the screen), to which a WebView is added. That is where the URLs are loaded.

It takes some other values from another URL. Every 15 seconds (time to load the page) it calls:

Another task takes care of executing this JavaScript over the loaded URLs. This results in random clicks on the web.

This strategy of hiding the icon keeps the user from even bothering to uninstall the app, because he will think it was never installed in the first place. Moreover, if it keeps quiet until the next reboot or connectivity change, there are more chances of the user forgetting about it.
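Because the only symptom on the network side is the burst of background requests the post describes (a new page roughly every 15 seconds, many distinct domains), a proxy or gateway log is a good place to catch it. The Python below is an added example, not from the post; the log format and both clients' traffic are constructed, and the thresholds are our own starting points:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlsplit


def make_sample_log():
    """Constructed proxy log: one client behaving like the clicker (a request to a new
    host every 15 seconds) and one client with ordinary, sparse browsing."""
    lines = []
    t0 = datetime(2015, 2, 3, 10, 0, 0)
    for i in range(40):
        ts = t0 + timedelta(seconds=15 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.7 GET http://site{i}.example/page{i}.html")
    for i, host in enumerate(["news.example", "news.example", "mail.example"]):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.8 GET http://{host}/")
    return lines


def parse(lines):
    """Group (timestamp, host) events per client from 'date time client method url' lines."""
    per_client = defaultdict(list)
    for line in lines:
        date, time, client, _method, url = line.split(None, 4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        per_client[client].append((ts, urlsplit(url).hostname))
    return per_client


def flag_clickers(lines, window=timedelta(minutes=10), min_requests=20,
                  min_hosts=10, cadence_s=15, tolerance_s=2):
    """Return {client: evidence} for clients that, within any `window`, made at least
    `min_requests` requests to at least `min_hosts` distinct hosts. `regular_cadence`
    marks a median inter-request gap close to the timer interval the post describes."""
    suspects = {}
    for client, events in parse(lines).items():
        events.sort()
        for start in range(len(events)):
            end = start
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            win = events[start:end]
            if len(win) < min_requests:
                continue
            hosts = {host for _, host in win}
            if len(hosts) < min_hosts:
                continue
            gaps = [(win[i + 1][0] - win[i][0]).total_seconds() for i in range(len(win) - 1)]
            med = median(gaps)
            suspects[client] = {
                "requests": len(win),
                "distinct_hosts": len(hosts),
                "median_gap_s": med,
                "regular_cadence": abs(med - cadence_s) <= tolerance_s,
            }
            break  # one window of evidence per client is enough
    return suspects


if __name__ == "__main__":
    for client, evidence in flag_clickers(make_sample_log()).items():
        print(client, evidence)
```

The distinct-host count is what separates this pattern from a user reloading one page; the cadence check is secondary evidence, since a variant could randomise its timer, so it should raise the score rather than gate the alert.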

Permissions are not very blatant.

Permissions of these apps

Detection

The app was not detected by any engine during December and January. On January 20th we sent it (for the first time) to VirusTotal from ElevenPaths' lab.

Detection in January

Eventually, in February, some engines started detecting it. Engines have created a specific signature for this family, called Riskware.Clicker.

Detection in February

The attacker

This is a typical scheme, but quite witty in its implementation. We have detected that the attacker has been active since late December and that he is probably Turkish (thanks to the information obtained from his ad-hoc certificate). His current timezone is GMT+2, which, added to the language used in some apps, makes us think it is someone developing from Turkey, although with some Italian connection. Some other specific characteristics have allowed us to spot the other apps very quickly.

The strategy has been the usual one. For most of the time, the app starts out in Google Play as an anodyne app. It consolidates in the market and maybe someone downloads it. In the next version, the app mutates into something more attractive to the user: maybe it changes the code, maybe the icons and description. At that moment a "race" starts, because Google will remove it quickly, but it will try to get as many installations as possible.

The app was something called Beklre (top, in Google Play)
and then mutated into a fake Talking Tom (bottom, in Path5)

The app was something called "Sebebi Neydi ki" ("Which is the reason" in Turkish)
and then mutated into a fake Cut the Rope for some hours (bottom, in Path5)

The domains being used tell us about the person behind the app, because the data in the Whois database seems to offer real names and emails, used before in some forums. Some other apps in our database show that this domain had been used legitimately before. The developer created some apps about movies (in February 2014) and has now reused the server for this fraud. Something about Italy appears again.

Some other apps that seem to belong to the attacker

Anecdotally, in some of these apps there is a homemade photo of a minor handling a mobile phone (taken in the middle of the past decade) which may be found inside the APK. It doesn't seem to be a public photo (a Google search shows nothing).

In a few days we will make public a more advanced and detailed study about how this threat works technically.

Sergio de los Santos
ssantos@11paths.com
@ssantosv

Miguel Ángel García
miguelangel.garcia@11paths.com
@nodoraiz