By: Viral Gandhi

Fake Porn Site Serving Chinese SMS Trojan

The majority of Android malware continues to target Android devices that permit the installation of apps beyond the official Google Play store. Often, the malicious Android apps are delivered via third party app stores, but we do also see rogue apps delivered directly from malicious sites. Recently, we came across a fake porn site which is serving a Chinese SMS Trojan.
 
http://baidu-google{-}sogou-soso-360-qq.lrh6.com/cdn/index.html?l{}=banmeng&uid=3002&t=ar
 
Malware payload.
 
The screenshot above shows the malicious APK file being downloaded after the user accepts the prompt. When a user visits the page and attempts to view a video, they are prompted to install an app. The user is socially engineered into believing that installing the app is necessary to view the video, but in doing so they are actually installing the malicious app that carries out SMS fraud.

File Info:
Name: GA2161.apk
Size: 0.9 MB.
Package name: iickcf.ndakik.feockk.gcahbp.oefdnc.omeonn
 
Interestingly, the payload filename is dynamically generated and will change with each new download. This is likely an attempt to bypass basic blacklisting of a known malicious app name.
 
Changing APK names
 
Upon successful infection, the following icon is visible to the end user on their mobile phone:
 
 
Icon of installed malware
The malware then declares a BroadcastReceiver registered to intercept all SMS messages subsequently received on the device. Each received message is inspected to determine its sender. Once the sender's identity is confirmed, the malware parses the message content and matches it against a set of hard-coded message strings, as seen below:
 
Receives SMS.
The following is the list of hard-coded Chinese message strings and their English translations:
 
Hard coded message strings.
Translated Chinese message strings [Credit: Google]
 
The intent of the malware author is clear from these message strings. The app generates fraudulent transactions from the infected device by purchasing on-demand videos and premium SMS services controlled by the attacker. The app sends SMS messages to initiate a purchase, then monitors incoming SMS messages for the purchase-validation message, which must be answered correctly to complete the transaction. When the validation message is intercepted, it is parsed and matched against the hard-coded strings in the image above to determine and send the appropriate response. Once this occurs, the transaction is complete and the victim is charged by their mobile provider.


 
SMS Trojan Fraud cycle
 
SMS send function.
The malware also reads the International Mobile Subscriber Identity (IMSI) to determine the device's location and its service provider, as seen below:
 
Checks for IMSI.
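The combination described above (an SMS_RECEIVED receiver that outranks the messaging app, permission to send SMS, and access to the IMSI via phone state) is something an analyst can triage statically from a decoded manifest. The following Python helper is an added example, not Zscaler's code or anything extracted from the sample; the manifest it parses is constructed, and the package and receiver names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample of a decoded AndroidManifest.xml; the package and
# receiver names are hypothetical, not taken from the real Trojan.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.pkg">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Collect the permission and receiver indicators relevant to SMS fraud."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    sms_receivers = []  # (receiver class, intent-filter priority)
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID + "priority", "0"))
                sms_receivers.append((recv.get(ANDROID + "name"), prio))
    return {
        "package": root.get("package"),
        "can_send_sms": "android.permission.SEND_SMS" in perms,
        "can_receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "can_read_imsi": "android.permission.READ_PHONE_STATE" in perms,
        "sms_receivers": sms_receivers,
    }


def looks_like_sms_trojan(ind):
    """Heuristic (assumed threshold): a high-priority SMS_RECEIVED receiver,
    which can see the ordered broadcast before the messaging app, plus SEND_SMS."""
    high_prio = any(prio >= 1000 for _, prio in ind["sms_receivers"])
    return ind["can_send_sms"] and ind["can_receive_sms"] and high_prio
```

Run it against the output of a decoder such as apktool on a suspect APK; a hit is a triage signal to prioritise dynamic analysis, not proof of fraud on its own.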
After a successful SMS send operation, the app submits a POST request to its Command & Control (C2) server 'msg-web.pw' on port 8456.
 
Post request.
The app sends the following information to the C2 server:
 
Post request capture.
We were able to observe portions of the C2 server panel used by the malware author due to a lack of authentication applied to specific web pages. The administration panel used to manage the Trojan can be seen in the screenshots below:
 
C&C Panel Login
 
 
C&C Panel Actions
It also sends the same information to the IP address 115.28.252.178, which appears to be an alternate C2 server for the same Trojan:
 
Portal 3
 
Post request.
The malicious app then sends a POST request checking for updates and in response, receives a URL pointing to a JAR file named "firstpay_v7.0.jar" as seen below:

 
Jar file location
This JAR file contains a DEX file that can be executed on the infected mobile device, as seen below:
Dex execution.
 
Below is the warning message displayed by the phone when the app sends an SMS message that may incur additional charges.
 
Money warning
 

Conclusion
This malware is yet another addition to the Android SMS Trojan family. It defrauds the user by purchasing subscriptions for porn services and on-demand videos and by sending premium-rate SMS messages. SMS fraud remains the most common form of monetization we see in malicious mobile apps, and it is almost exclusively a problem on the Android platform. One simple yet effective defense is restricting app installation to reputable app stores such as those operated by Google and Amazon.
 
Research & Analysis by Viral and Shivang.