By: Shivang Desai

Fake BatteryBotPro ClickFraud, AdFraud, SMS & Downloader Trojan

Click Fraud

[UPDATE #1 - July 8, 2015] We would like to clarify that at the time of our analysis, the app was not present on the Google Store. We found references to this fake app being hosted on the Google Play store during our research where it showed that the App has been removed from the Google Play store already as seen below:
 
Link to Google Play Store for the fake app
.....

[UPDATE #2 - July 9, 2015] Google Android security team confirmed that the fake application was uploaded to the Google Play Developer Console by the miscreants.

Google Play Developer Console enables developers to easily publish and distribute their applications directly to users of Android-compatible phones

However, as per Google's Android team the fake app did not make it to the official Google Play Store as Google's security system flagged the fake app during scanning.
.....

Malware authors tend to follow one of the following two methods for malware development:
  1. Create a malware app from scratch.
  2. Compromise a legit app by embedding malicious modules into it. 
With Android being open source and an Android app being easily reversible, most of the malware developers tend to stick with the second option.

Spoofed Functionality and Ads:

We came across a malicious app recently that followed this path. This time the spoofed app was a copy of a legit app named BatteryBot Pro. The spoofed app had the package name of 'com.polaris.BatteryIndicatorPro' and was removed from the Play Store as soon as Google became aware of it's malicious intent.

We also saw a spoofed version of BatteryBot Pro available for free during our research. The actual price of BatteryBotPro on official Play Store is Rs.179.99. The legit BatteryBotPro app demanded for minimal permissions as shown below:
 
Legit app permissions
 
In contrast, the fake app was requesting many more permissions, raising a red flag as can be seen in the screenshot below:
 
 
Permission requested by Malware
 
The screenshot below shows a comparison between the actual app and the fake app. The legit app functionality was modified and embedded at a different location within the fake app:
 
 
legit app vs fake app
 
 
Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access of the victim's device.
 
Request for Administrator access
 
Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background.

 
opening BatteryPro screen

ClickFraud and AdFraud activity

Though the app seems to be working normally, at the back-end it tried to load various ad libraries, ultimately delivering a click fraud campaign.
 
Requests sent in back-end
Some of these URLs were hard coded in the app and some were sent by the remote server.
 
Hard-coded URLs in database
 
The malware tries to collect the following information from the victim device:
-Memory available in device
-IMEI
-Phone Operator
-Location
-Langauge
-Phone Model
-Sim Card availability
The following screenshot shows the data being collected.
 
Parameters sent to server
 
Parameters sent to server
On the basis of various parameters and conditions in the server request, the malware starts receiving a list of ads to be displayed, along with the URLs from where to fetch the ad.s
 
Response from server containing ad URL

The malicious app then downloads and installs additional malicious APKs without the user's consent:
 
  
Downloaded Apps by malware
Apart from the implicit downloads, the malware also displays pop-up ads to the user:
 
Pop up Ads

This malware was not only built with the purpose of displaying ads, it was also designed with more evil intentions.

Sending SMS messages: 

The main Activity Screen is identical to original app but when the user clicks on "View Battery Use", the malware sends a few requests to its Command & Control server to retrieve short codes. These short codes were premium rate SMS numbers where a message was sent. This will result in financial loss to the affected user.

Requests sent to server can be seen below:
 
Device info sent in request

Though the content was encoded, we did not have to work hard to determine what was sent as the malware developer forgot to remove the logs. The server responds with short codes that are used for sending messages. The following screenshot shows a premium SMS response received from the server.
 
Logs showing server response
 
Uninstall FAILED: 
 
Apart from displaying ads and sending SMS message, the malware is also very persistent. Being run with administrator privileges, the user cannot delete the app after installation.
 
Uninstall not possible
 
"Persistence" Effect:
While  in some of the scenarios we were able to manually delete the app, the malware authors have taken care of ensure persistence. The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted.

This acts as a service and sends requests to hard-coded URLs found in the app.
The screenshot below shows the hard coded URLs.
 
Hard-coded URLs
 
 
The service started by this app continually sends requests to aforementioned URLs, some of which will deliver new APKs.

Conclusion: 

The Malware we saw in this blog was designed with multiple evil intentions including ClickFraud, AdFraud, Premium rate SMS fraud and the download & installation of additional malicious APKs.
 
A few traces of command execution were also seen in the app but were not fully implemented. Perhaps the developer is working on an upgraded version of the malware with proper "command-execution" functionality.

The ThreatLabZ team will continue monitoring new mobile malware threats and ensure protection for Zscaler customers.


 

Learn more about Zscaler.