Avast found multiple downloaders on Google Play that can download malware designed to steal Facebook credentials
Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To steal them, the malicious apps use social engineering tactics to trick victims into handing over their credentials.
The original downloader apps we found pose as various entertainment and lifestyle apps, such as barcode scanners, voice recorders, and a chess game, targeting English- and Vietnamese-speaking Android users. We also found additional downloaders uploaded to the Play Store by other developers that specifically target Vietnamese users. Avast has reported the apps to Google and the developer accounts have been blocked.
While the apps do contain some of the features they promote, most of them display an abundance of advertisements and contain code that downloads additional malicious apps, which can trick users into giving up their Facebook login credentials.
There is one app made by the developer Mplus Group, called HayLive, that is not malicious. The app looks different from the rest, has a few more users than the other apps, has a webpage that goes along with it, and its APK structure is unlike the others. We can only speculate, but it could be that the app developer originally only developed HayLive and it became relatively popular. In order to monetize further, the app developer possibly decided to use HayLive’s success to promote malicious apps via the “more apps from this developer” notification.
The downloaders (the apps uploaded to Google Play) themselves do not contain any real malicious features, which is how they managed to get past Google’s security checks. The only negative thing the apps do is aggressively show ads. There is a catch, though: the apps can download pieces of code to use at runtime, or can even download other apps to the device.
The downloaders contact a server set up by the people behind them to check a list of available servers, then send a request to one of them. The server then gives the downloader a package to download onto the infected device. The package is outright malicious, and if removed, it can be downloaded again or replaced with another one.
The malicious apps downloaded by the downloader request device admin permissions right away. If these are not granted, the apps continuously display fake crash dialogues, whenever the user attempts to open any application on their phone. The dialogue usually says the app the user is trying to open has failed and Google Play services have been disabled, convincing the user to activate device administrator rights for Google Play services in order to “avoid unwanted bugs”.
The apps the user tries to open are not actually crashing. In fact, they run normally, but the fake failure dialogue the malicious app draws on top of them covers the apps so that the user cannot tell something is wrong. This annoyance most likely convinces people to unknowingly give the malicious app admin rights, so they can continue using their phone as usual.
Once the app is granted admin permissions, the dialogues disappear and a request is sent to the server, letting the server know the rights have been granted (/manager/update_state.php).
The downloader app collects information about the device, such as its unique device ID, location, language and display parameters. The device’s location is obtained from its IP address by contacting online services that offer geolocation information for IPs. The services the app uses are:
This method does not require the app to have permissions for accessing the device's coarse or fine location, but it can only be used when the device is connected to the internet. If the user is using a VPN, this method will report the location of the endpoint the device is connected to through the VPN service.
Information about the device is sent to a server (/manager/insert_device.php, manager/get_facebook_ads_manager_v4.8.php). Data regarding the device’s location is frequently reported as an update to the server, tracking the victim whenever they are connected to the internet.
The malicious apps go even further and steal Facebook login credentials. The apps, however, do not steal the credentials from the Facebook app itself, nor do they abuse any system or app vulnerabilities. Instead, they trick the user into giving up their credentials by pretending to be Google Play services or another app that many users will most likely recognize and trust.
The dialogues used claim there are issues with the user’s Facebook account, for example, someone tried to hack their Facebook account and it has been suspended or the server is unavailable. These dialogues are shown to worry the user.
[Figure: the malicious app’s SharedPreferences XML file, created when the credentials are entered into the Facebook login page.] The password and email are saved along with information received from the server, which includes a list of packages to download.
The stolen credentials are saved into the SharedPreferences of the malicious app and are sent to a remote server. The connection to the remote server uses HTTP, which is unencrypted, meaning anyone monitoring the user’s network traffic can also capture the credentials in plaintext.
The credentials are sent over an unencrypted channel to the server.
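The two storage and transport weaknesses described above (credentials kept in plaintext SharedPreferences, and a cleartext HTTP server URL) are the kind of thing a forensic triage script can flag when an app’s data directory is pulled from a device. The following is an added example written for this article, not code from Avast or from the malware; the XML sample and its key names are constructed to mirror the structure the write-up describes and are not the real file.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of an Android SharedPreferences XML file. It mirrors the
# structure described in the article (credentials saved next to a server-supplied
# package list); the key names and values are assumptions, not the real sample.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="fb_email">victim@example.com</string>
    <string name="fb_pass">hunter2</string>
    <string name="api_server">http://c2.example.invalid/manager/insert_device.php</string>
    <string name="packages">com.example.pkg1,com.example.pkg2</string>
    <int name="admin_granted" value="1" />
    <boolean name="first_run" value="false" />
</map>"""

# Key names that usually mean a secret is being stored; tune per investigation.
CREDENTIAL_KEY_RE = re.compile(r"(pass|pwd|email|login|user|token)", re.I)

def parse_shared_prefs(xml_text):
    """Return {key: value} for every entry inside a SharedPreferences <map>."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for child in root:
        name = child.get("name")
        # <string> keeps its value as element text; int/boolean/long/float use
        # a value attribute. Both come back as str here.
        prefs[name] = child.text if child.tag == "string" else child.get("value")
    return prefs

def triage_prefs(xml_text):
    """Flag credential-looking keys and any value that is a cleartext http:// URL."""
    findings = []
    for key, value in parse_shared_prefs(xml_text).items():
        if CREDENTIAL_KEY_RE.search(key):
            findings.append(("plaintext-credential", key))
        if isinstance(value, str) and urlsplit(value).scheme == "http":
            findings.append(("cleartext-http-endpoint", key))
    return findings

if __name__ == "__main__":
    for kind, key in triage_prefs(SAMPLE_PREFS):
        print(f"{kind}: {key}")
```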
Although Facebook can detect and block account logins if it suspects the account’s credentials were stolen (usually in cases when the user’s credentials are suddenly used on the other side of the world), this login activity will most likely not raise any red flags because it is coming from the usual location and device used by the user.
The page identifier part of the Facebook URL for a targeted application is sent to the device from the server (/manager/get_push.php). This way, the developer can offer these shares, likes or even generic comments to businesses or users looking for quick promotion from real users. Because they are authentic users, they won’t be flagged as fake accounts by Facebook’s checks, and their value is therefore higher. Going through users’ lists of friends and accepting all friend requests or adding all suggested friends can make the collected accounts more valuable, as they will have greater reach and the shares can be sold for even more.
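The server-side script paths named throughout this write-up (/manager/update_state.php, /manager/insert_device.php, /manager/get_facebook_ads_manager_v4.8.php and /manager/get_push.php) are a usable detection handle on proxy or egress logs, and matching on the path rather than the host matters because, as noted later, other downloaders reuse the same interface and scripts on a different server. The following detection logic is an added example for this article, not Avast’s or the malware’s code; the log format and the sample lines are constructed, and the hostnames are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# C2 script paths taken from the write-up, mapped to the stage they indicate.
C2_PATHS = {
    "/manager/insert_device.php": "device profile upload",
    "/manager/get_facebook_ads_manager_v4.8.php": "device profile upload",
    "/manager/update_state.php": "device-admin granted",
    "/manager/get_push.php": "Facebook page target received",
}

# Constructed proxy log lines in an assumed "client method url" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.7 GET http://c2.example.invalid/manager/insert_device.php?id=abc
10.0.0.7 POST http://c2.example.invalid/manager/update_state.php
10.0.0.9 GET http://cdn.example.invalid/images/logo.png
10.0.0.7 GET http://c2.example.invalid/manager/get_push.php?v=2
10.0.0.12 GET https://other.example.invalid/manager/get_push.php
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def scan_log(text):
    """Return {client: [(stage, host, scheme), ...]} for requests hitting a C2 path.

    The URL path is compared after stripping the query string, so hosts and
    parameters may vary while the script names stay the same.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        stage = C2_PATHS.get(parts.path)
        if stage:
            hits[m["client"]].append((stage, parts.hostname, parts.scheme))
    return dict(hits)

def infected_clients(text):
    """Clients that uploaded a device profile AND reported device-admin rights,
    i.e. reached the point where the dropped payload is fully active."""
    result = []
    for client, events in scan_log(text).items():
        stages = {stage for stage, _, _ in events}
        if {"device profile upload", "device-admin granted"} <= stages:
            result.append(client)
    return sorted(result)
```

A single get_push.php hit (10.0.0.12 in the sample) is still worth a look, but the two-stage rule keeps the high-confidence list small.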
The apps contain several advertising platforms that can display ads and video ads, and also contain a feature that enables the app to click on the ads shown within it. The apps manipulate the device’s keyguard, turning on the screen and dimming its brightness so that the user doesn’t realize the malicious app is secretly clicking on ads on the user’s behalf.
If an uncaught exception, or problem, occurs in the app, a full stack trace (a full report) is retrieved and reported to the server so the developer can fix the problems.
The original entertainment and lifestyle apps we discovered target both Vietnamese and English speaking Android users.
All alerts and messages in these downloaders and the additional apps they download are available in both English and Vietnamese. The apps try to determine where the user is by checking the device’s location, the language the phone is set to, and who the mobile operator is. Depending on the outcome of these checks, the apps display in either Vietnamese or English.
So far, users around the world have encountered the apps, presumably because they are available in English.
We suspect the people behind the malicious apps are Vietnamese. In addition to most of the apps being in Vietnamese, another hint is that many of the downloaded apps use package names of popular Vietnamese apps.
There are clues that suggest the various other downloaders uploaded under different developer accounts, which we discovered later on, were uploaded by the same person or group that uploaded the original downloaders we discovered. The apps contact the same server and contain code nearly identical to the original downloaders. Further hints include some of the downloaders contacting a different server with the exact same interface and scripts used by the original downloaders.
Downloaders on Google Play that downloaded malicious APKs:
com.softedu.sieumaytinh 3D04094251D48AC7F42D52FA460AB46384AF656581EC39D149F76DB8DCA058AE 50CAD37A8FC9E317FD521F32A2ADAA0B2B5013832864DEEDD10B078A7F661CF4
Apps on Google Play that contacted the same server, downloaded, but failed/decided not to process/install/save:
Downloaders that have the capability but did not download anything:
com.lichcom.tuvi.lich.mautuat 2A714C1BB6EF061D6BCF0AFBFA4B7609CCD40D0EB4C13F15143652C034B02402 77A67D58CBCA8E3F50329EAD2F6DBA6B75833AE6E240FB1BEF0E5027EAA14146