The month of the RAT in Google Play

Monday, March 30, 2015

A few days ago, Lukas Stefanko from ESET discovered a new remote administration system RAT for Android. Although there are some known RATs for Android, this malware had something special. It used Baidu Cloud Push notifications for sending commands to the victims. What we can confirm (not in the original blog entry), is that this RAT has been available not only in "alternative markets", but in Google Play, undetected for more than a month.

Several kind of RATs for Android exist. There are two basic conditions that defines an RAT:

  • What and how it is able to control the infected device.
  • How the victim receives the commands.

How the victim receives the commands opens a handful of possibilities: HTTP, SMS, jabber protocol, GCM (Google Cloud Messaging)... and now Baidu Cloud Push notifications. Cloud Push is a system where developers can register users. Registered users will receive push notifications in their devices (an special notification in the task bar). This is used in millions of legitimate apps, and Google allows the use of its GCM for free. This system has been abused to push ads in the past. Any developer may create his own CGM, and Baidu has a popular one in China. This time it has been abused to push commands to this botnet. This technique is quite new. So new, the malware has not been detected by antiviruses for months.

What does the RAT do?

It infects the system so is waiting for commands from the Command and Control server, which is a specially crafted Baidu Cloud Push instance. Basically, this picture below summarizes it all.

Commands that the attacker may send to the device
It shows the commands the device may get from Baidu. The app counts with every necessary permission to perform the tasks, so the infected user is completely at the attackers disposition.

All the information goes through "/mnt/sdcard/DCIM/Camera/%file_name%" before being uploaded to the Baidu cloud storage (BCS) and removed from the device.

But... this has not only been in alternative markets

Stefanko found the samples in alternative markets, which is, in a way, "expected". But some of these samples were indeed in Google Play... for more than a month. With more than 50.000 downloads, the victims may still be under the control of the attacker.

One of the RATs, available in Google Play

Thanks to Tacyt (although we did not found these samples on time...) we now know that some different samples with the same behavior were available in Google Play from, at least, November 2014. Some samples, under a certain developer, were signed during November 2014, and were available in Google Play since December. The apps were available in the main market until late January, when Google removed them. It seems that some others were available from September until late January as well, under some other fake account. These apps are still in lots of other markets.The developer seems to be from South Korea.

He has been using different names and emails: "zhengcaiai", "devzhemin520", "su weiyu"... This domain belongs to the attacker as well:

What about antiviruses?

The samples were not detected about five months ago, when it all started.

One of the RATs not being detected

Until March 17th approximately, it was fully undetected. ESET and Avira have been the first ones detecting them.

Some of the first engines detecting the samples

A few days later, some others have created a signature, but still not all the big players.

Some more engines detect the samples

They have named it "cajino" RAT because of the packageName that Stefanko found. They all started with[*] and a number. But the attacker has also used han[*] structure for naming the apps in Google Play.

Newer versions are less detected

For newer versions, the only ones catching them are Avast, DrWeb and ESET, the ones that created the original signatures. This perfectly shows the notion of "quality signatures" that protects the user from future versions as much as possible.


RATs are not "rare" in Android world, but they are not usual, either. Aside from the conclusions of the ESET researcher, the important issues to point out here are:
  • New methods to communicate have been used.
  • Apps have been undetected for researches/antiviruses for almost six months.
  • The attacker has been in Google Play (best place ever for attackers) for more than a month.
  • And it will still get more victims, because the app is still in a lot of different markets.
Is not usual to have "RATs" in Google Play. One of the last news were the detection  of Dendroid, a RAT system designed to evade Google Play filters, a year ago.

Some different hashes (aside from the ones ESET found) are:
  • 7a131e44d731995e51b7e439082273abbbf02602
  • 48412835d0855c565f213242b0db7a26480fcc2e
  • 4c9e505f1132528c68091fa32bb1844d7cbd2687
  • 31a645973554b7c83cc0bd6fb7709ec12937c962

The attacker is distributing (aside from other markets) the apk from here: hxxp://, so it may change in any minute.

Sergio de los Santos

More apps in Google Play subscribing to SMS premium numbers: JSSMSers

Monday, March 23, 2015

After finding the JSDialers, we should have figured it out. The attackers are using the exact same technique as in JSDialers to spread apps that subscribe the victims to SMS premium numbers. This way they have avoided Google Play protection systems and used new techniques based on JavaScript, more dynamic and smart. They are not statically detected by antivurs engines yet. Let's see how they work.

We have found 14 apps with the same behavior in Google Play that, with different pretexts (from jokes to recipes) subscribe the user to premium SMS numbers. Although the apps show a message about the subscription, they send an SMS by themselves confirming the subscription in a transparent way, so the user does not notice anything. The attacker got more than 100.000 downloads. Not all downloads translate into direct subscriptions because the attackers only allow important carriers from Spain, and if the device does not match with these conditions, the app will act normally.

What the user perceives

When the user downloads and installs any of these apps, something like this will be shown.

This is what the users sees if it belongs to the right carrier and country

It is true the attacker is really advising the user: you are going to be subscribed, but it automatically will send the SMS leaving no trace on the phone. In previous apps like this, the button used to be less explicit (maybe "Accept" or asking for your age) but at this point, the attackers used "Subscribe" which should make the users more aware about the problem.

The app will check if the device belongs to the right carrier and comes from Spain. By now, two different SMS have been sent, one to start the subscription and another to confirm it, but the user will notice nothing.

JavaScript code to check for carrier and country

What happens and how it works?

The whole program is launched under a WebView, and calls an index file that comes with the apk itself. When the two SMSs are sent, the apps use and interesting trick. They dynamically load the receiver to intercept the incoming messages. Usually, these receivers are declared in AndroidManifest.xml. Why dynamically? Possibly to avoid static analysis. Although the app has the permission of intercepting SMSs, a sandbox or analyst will think the developer does not really use it, because it lacks any routine to manage them. But the real thing is that it loads it only if and when necessary. The receiver works when the device receives a message, and makes the app mark it as "already read" so the user does not notice any welcome message to the subscription service.

Dynamic receiver to handle incoming SMSs

So, what is new?

There are several interesting parts on these apps.

  • First, the use of JavaScript and Cordova (the bridge between JavaScript and the apk) to send messages and avoid introducing code in the app itself. This takes the whole logic to the server, what makes it more powerful, dynamic and undetected.

  • Loading the receiver dynamically, may confuse a static analysis. The receiver is only declared under the right circumstances (right carrier and country) so it makes it stealthier. Aside, the receiver is loaded (and it may be unloaded too) via the JavaScript code, so it will only be listed if all conditions are satisfied in a dynamic analysis.

  • It does not use the usual system to send messages, but gives them directly to SMSProvider. This avoids the sent messages to be kept in "sent" or "outbound" folder. It provides the SMS text directly to the operative system provider.

Marking the incoming SMS as already read

Other apps like these

Who is behind these apps? Obviously they are related to the JSDialers we talked about a few weeks ago. The subscription company and domains just give us the right answers.

Screenshots of some of the apps we have found thanks to Tacyt, are these:

Some of the apps with this behevior
This is the title, packagename, and hash of the applications found.

  • Frases celebres bonitas cortas,com.thinkking,1e8568ccc54be7a73934965e97ff7e3fd9e4fec3
  • Imagenes amor fotos frases,com.romaticpost,2d26c676bcb5a5f8599f49a5b90599b7ff93dc11
  • Phrrasesfee,com.prasesfee,ca6ac2e1bf46087455fda358870070ec269faae6
  • Statetss,com.statetss,da045796efc737d42b9e86876ec5b854289212bc
  • New mensajes navidad y frases,com.navidad.extra,18db1cfb7e7340a5476a5c6e17f1f9d596045095
  • Postales perritos fondos,com.imagepets,bbc6e386281f2b1931ff2be7812bf4de4530d3fe
  • Funnyys,com.funnyys,9fc9e237903b02a2a47701139200c9177eec16a5
  • Fotos frases amor postales,com.prasesamor,65ce3043fc249cb906b4e50a23d581d5c70819fa
  • Gatitos tiernos fondos postal,com.cattss,f68ef39f5183da0745614c68a7ae135085298b54
  • Recetas de cocina dietas Salud,com.kitchenn,7fa17bed794a59dd3d914d05535fe25a357ab1cd
  • Chistes cortos buenos,com.chistescortos,daac73a325485f882b1dcda9758b16bb5f407770
  • Chistes Picantes buenos cortos,com.chistespicanticos,dc799bcc3f1f623e211e50fbb6ececb2e64753a6
  • Laughtter,com.laughtter,f569baf1c0f12c137a09e084c879979bbcfd11e1
  • Healthyy,com.recipesmart,0dd97d056fa7559a2cdb35d45850cefd400f4d6f

Sergio de los Santos

Juan Manuel Tirado