HackDig : Dig high-quality web security articles for hacker

An advertising dropper in Google Play

2019-09-19 18:20

Recently, the popular CamScanner – Phone PDF creator app caught our attention. According to Google Play, it has been installed more than 100 million times. The developers position it as a solution for scanning and managing digitized documents, but negative user reviews that have been left over the past month have indicated the presence of unwanted features.

After analyzing the app, we saw an advertising library in it that contains a malicious dropper component. Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser.

Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.

Technical details about Necro.n

When the app is run, dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources.

Next, the configuration file with the name “comparison” is decrypted.

Once we decrypt it, we obtain the following configuration with the addresses of the attackers’ servers.

{
  "hs": {
    "server": "https://abc.abcdserver[.]com:8888",
    "default": "https://bcd.abcdserver[.]com:9240",
    "dataevent": "http://cba.abcdserver[.]com:8888",
    "PluginServer": "https://bcd.abcdserver[.]com:9240"
  },
….
}

Dropper downloads an additional module from these URLs:

And then it executes its code:

The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers. As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.

IOCs

MD5

  • 7b7064d3876fc3cb1b3593e3c173a1a2
  • b6656bb8fdfb152f566723112b0fc7c8
  • d3ccb1b4feea5fee623fad5c5948b09b
  • 7186f405f82632f45ad51226720a45b5
  • 9d6439756af0686974ac9f920d56dd39
  • 10573004477fb4a405d41d6ee4dbdd64
  • e8d361827438873ae27ac5200f3f91be
  • 85c96e359dd48bb814e2ddf34bc964fa
  • cdf045f1d96fae53d3986b985d787b59
  • 9fbc7c3c3326bfc710f9b079766cf85c
  • 2087986583416f45ae411ebd8c5db8aa
  • a1b3551ec1dcdce7ac2655994697a02d
  • d0ae4282d629518458fb5ca765627a71
  • d28ec38edda65324299fc0dcddca9740
  • 2e9eef8b88bf942e416ed244a427d20c
  • 45fac5ad7be24f5110c5e77c2a7a42f6
  • 5d52373b32cbcfdfb25dd20d267b5186
  • 66db48ce2ff503a27cb9c1617e9a2583
  • bcbf463050a0706b008e21a846b3185e
  • 19c6604f18d963f0320d8ddee98a9fd0
  • 44196cbce4e57e60443a9c19281e532f
  • 1807f8d8e711fd12a6127455afe98e85
  • 3e3db74a1ee8da53f05b61dde65a95b3
  • 170646ee90094db9516ca4a054bf2804
  • da953233a618570336e2e5ddd6464e67
  • c69a2d2b0bf67265590c9be65cd4286b
  • 96db624fa2532d14dd43c7ad3124c385
  • d07846903cb78babac78f0dd789d262e
  • a02811248a0d316a1f99d07e60aa808e
  • 74709014aa553b92fe079cf8941d64f6
  • f8b8fd44952ca199d292570ff6da5e8f
  • 9eff49dc969eea829e984bad34b7225c
  • 5bf2d280557e426e90c086fb89dc401f
  • e7705517e9e469921652ad33f87d7c22
  • dbb53ee8229cf4e8ae569a443bcd59d3
  • 3d37fbbffc45b7ca11e20ed06cc2f0f6
  • ec11fb61eababc7586e1874c92f7629e
  • b5c7b67e9650bf819b70d2c0a5ca7c63
  • 7b7064d3876fc3cb1b3593e3c173a1a2
  • b6656bb8fdfb152f566723112b0fc7c8
  • d3ccb1b4feea5fee623fad5c5948b09b
  • 7186f405f82632f45ad51226720a45b5
  • 9d6439756af0686974ac9f920d56dd39
  • 10573004477fb4a405d41d6ee4dbdd64
  • e8d361827438873ae27ac5200f3f91be
  • 85c96e359dd48bb814e2ddf34bc964fa
  • cdf045f1d96fae53d3986b985d787b59
  • 9fbc7c3c3326bfc710f9b079766cf85c
  • 2087986583416f45ae411ebd8c5db8aa
  • a1b3551ec1dcdce7ac2655994697a02d
  • d0ae4282d629518458fb5ca765627a71
  • d28ec38edda65324299fc0dcddca9740
  • 2e9eef8b88bf942e416ed244a427d20c
  • 45fac5ad7be24f5110c5e77c2a7a42f6
  • 5d52373b32cbcfdfb25dd20d267b5186
  • 66db48ce2ff503a27cb9c1617e9a2583
  • bcbf463050a0706b008e21a846b3185e
  • 19c6604f18d963f0320d8ddee98a9fd0
  • 44196cbce4e57e60443a9c19281e532f
  • 1807f8d8e711fd12a6127455afe98e85
  • 3e3db74a1ee8da53f05b61dde65a95b3
  • 170646ee90094db9516ca4a054bf2804
  • da953233a618570336e2e5ddd6464e67
  • c69a2d2b0bf67265590c9be65cd4286b

C&C

  • https://abc.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240
  • http://cba.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240


Source: /69429/yalp-elgoog-ni-reppord/moc.tsileruces

“An advertising dropper in Google Play”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud