9 New Fake Apps on the Play Store Which Can Hijack SMS Notifications to Carry Out Billing Fraud

This time cybercriminals used Google’s play store as a playground to carry out attacks on millions of Android users. Researchers uncovered nine fake apps on the play store which can hijack SMS notifications to carry out billing fraud. Let’s see more details about the apps and the malware used to carry out the billing fraud.

Table of Contents

. Who Can Be The Victim Of The Fake Apps On The Play Store?

. List of 9 fake apps on the play store which is reported malicious:

. How Cybercriminals Managed To Publish These Fake Apps On The Play Store To Carry Out These Attacks?

. How Does This Malware Work?

. Identified Indicator Of Compromise (IoC) During Malware Analysis Process:

. IoCs

. URL

Who Can Be the Victim of the Fake Apps on the Play Store?

As per the research from Trend Micro and McAfee, Android users from Southwest Asia and the Arabian Peninsula have become victims of these malicious apps. It has been said that more than 750,000 users have downloaded these fake apps from Google's play store.

List of 9 Fake Apps on the Play Store Which Is Reported Malicious:

Here are the nine apps McAfee researchers found malicious on the Play store. Please check your phone for these apps if you spot any of these apps on your phone. Immediately remove those and check for any bank account, credit card, debit card, or any unauthorized transactions.

• Keyboard Wallpaper
• PIP Photo Maker
• 2021 Wallpaper and Keyboard
• Barber Prank Hair Dryer, Clipper, and Scissors
• Picture Editor
• PIP Camera
• Keyboard Wallpaper
• Pop Ringtones for Android
• Cool Girl Wallpaper/SubscribeSDK

How Cybercriminals Managed to Publish These Fake Apps on the Play Store to Carry Out These Attacks?

• Android Joker Malware:?Cybercriminals fooled Google with a malware strain called ‘joker‘, which has successfully bypassed Google’s security several times over four years.
• Versioning: defense is that Cybercriminals use a unique technique called versioning. In this technique, malware authors first upload the clean apps to the Play store to build the among the users. In the later stage, deliver malware codes to the user’s app in the form of app updates.
• Dynamic Encrypted payloads:?The dynamic code update function with encrypted payloads helps the malware to cover itself from Google’s defense system.
• Most downloaded app categories: These fake apps on the play store impersonate themselves as legitimate photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, which were found to be the most downloaded app categories by users.

How Does This Malware Work?

1. At first,?app servers send malicious codes to the Android device in the form of updates. These?files will be stored inside the ‘assets’ folder?in the names such as?“cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files.
2. Malicious code?opens the ‘1.png’?file saved inside the ‘assets’ folder. Malicious code will?decrypt the file?using the RC4 protocol with the package name as the key. It stores the?decrypted file in the mane of ‘loader.dex’ file.
3. The loader.dex file?creates an HTTP request to the C2 server requesting AES keys?to decrypt the second payload ‘2.png’.
4. The?C2 server sends the keys?to decrypt the second payload for execution.
5. As we said in the previous section, this malware is loaded with a dynamic code-loading function. Malicious code will?either execute the ‘2.png’?or it will?download the new content from the URL and execute that?whenever it receives the URL from the C2 server.?Note: the server doesn’t respond to all the requests and shares the key.
6. The?payload tries to hijack the Notification listener service?to read the SMS like Android Joker malware. The?malware then processes the SMS data to the final stage and sends the data?to the C2 server.
7. Upon further analysis, it was found that the malware can send this information, including carrier, phone number, SMS message, IP address, country, and network status, along with auto-renewing subscription?information.

Identified Indicator of Compromise (IoC) During Malware Analysis Process:

IoCs are nothing but?indicators of compromise. Suppose you found any files which have these hashes. Additionally, if you notice your Android phone has communicated to these URLs at any point in time, it’s clear that your phone is compromised. The verification process needs some technical knowledge to check the file fingerprints and communication with the URLs. You can leave this section if you are not from a technical background. We feel it’s our responsibility to give the details as much as we can.

IoCs

08C4F705D5A7C9DC7C05EDEE3FCAD12F345A6EE6832D54B758E57394292BA651 com.studio.keypaper2021

CC2DEFEF5A14F9B4B9F27CC9F5BBB0D2FC8A729A2F4EBA20010E81A362D5560C com.pip.editor.camera

007587C4A84D18592BF4EF7AD828D5AAA7D50CADBBF8B0892590DB48CCA7487E org.my.favorites.up.keypaper

08FA33BC138FE4835C15E45D1C1D5A81094E156EEF28D02EA8910D5F8E44D4B8 com.super.color.hairdryer

9E688A36F02DD1B1A9AE4A5C94C1335B14D1B0B1C8901EC8C986B4390E95E760 com.ce1ab3.app.photo.editor

018B705E8577F065AC6F0EDE5A8A1622820B6AEAC77D0284852CEAECF8D8460C com.hit.camera.pip

0E2ACCFA47B782B062CC324704C1F999796F5045D9753423CF7238FE4CABBFA8 com.daynight.keyboard.wallpaper

50D498755486D3739BE5D2292A51C7C3D0ADA6D1A37C89B669A601A324794B06 com.super.star.ringtones

URLs

d37i64jgpubcy4.cloudfront.net

d1ag96m0hzoks5.cloudfront.net

dospxvsfnk8s8.cloudfront.net

d45wejayb5ly8.cloudfront.net

d3u41fvcv6mjph.cloudfront.net

d3puvb2n8wcn2r.cloudfront.net

d8fkjd2z9mouq.cloudfront.net

d22g8hm4svq46j.cloudfront.net

d3i3wvt6f8lwyr.cloudfront.net

d1w5drh895wnkz.cloudfront.net

Please share this article with others and make them aware of these new fake apps on the play store. If you find this article interesting, read more such articles here:

This post is originally published at?thesecmaster.com.

We thank everybody who has been supporting our work and request you check out?thesecmaster.com?for more such articles.