By: Shivang Desai

Fake Security App For AliPay Customers - Android SMS Stealer

Mobile

During an ongoing analysis to protect our customers from the latest mobile threats, we came across an Android malware that disguised itself as a security feature for a famous Chinese online payment app, AliPay. Upon analysis, we discovered that the fake app is a malicious SMS stealer Trojan.

The malware developers were interested in targeting AliPay due to its widespread customer base.

Alipay is a third-party online payment platform with no transaction fees, with more than 65 financial institutions including Visa as well as Mastercard. Globally, more than 300 merchants use Alipay. It currently supports transactions in 14 major foreign currencies. AliPay is also considered the PayPal of the East.

Fake AliPay Security Controls App
Appname (app label) : 安全控件
Md5 : fad55b4432ed9eeb5d7426c55681586c
Package Name : com.bing.receive
Virus Total Detection : 2/55 (at the time of analysis)

The app portrays itself as "Security Controls" tricking victim to think it’s an app enhancing AliPay security. Upon installation, the app hides itself and the icon disappears, which is a usual technique for a malware to stay hidden. Once installed, the malware registers Android services, which steals SMS and forwards them to the Command and Control (C&C) server.

Technical details 

Upon installation, the app shows itself as a part of AliPay group.

App Icon

As soon as the victim tries to use the app, it displays an introductory screen and it was programmed to disappear after 3 seconds. Both the screen and the icon are gone at this instance.

Introductory Screen

The victim might think that the app must be faulty and was removed implicitly by Android OS.  Lesser does s/he knows that malware is activated in the background and achieves its tasks through services.

Android services are components that can run in background and perform long running tasks without user's knowledge. Following are the services used and defined by the malware:

  • MyService
  • DealService
  • TestService

The malware also registers few broadcast receivers alongside. Broadcast receivers are Android components which acts upon activation of particular events they are registered for.

Following are the receivers registered by malware:
  • System Boot Receiver 
  • Massage Receiver (Note the typo - Massage instead of Message)
  • Screen-On Receiver
The function MainActivity of malware hides the icon and starts the service named, MyService.
 
Main Activity
As soon as MyService is started, it initiates other tasks and registers SystemBootReceiver and MassageReceiver.
MyService Service

MassageReceiver is a broadcast receiver and is triggered whenever an SMS is received. Its main task is to look for any incoming SMS message and fetch its details. Once the details are fetched, it calls DealService and passes the SMS data along with the call.

MassageReceiver Broadcast Receiver

DealService's task is to get the SMS messages from receiver and send it across to the C&C server. It starts an Asynchronous task (AsyncTask, as shown in screenshot below) which then forwards the messages to C&C server in the form of POST request.

Fetching SMS and POST request

SMS details are sent to the C&C server using POST request, as seen in screenshot below. Unfortunately the C&C server was already taken down during the analysis and so further details related to campaign could not be fetched.

SMS data sent to CnC

Along with MassageReceiver, another receiver named SystemBootReceiver plays an important role for malware's persistent nature by making sure that the motive of malware is achieved all the time.

SystemBootReceiver is a broadcast receiver that triggers itself at every system reboot.
Its main task is to make sure MyService is up and running. At every reboot, it starts MyService as seen below:

System Boot Receiver

The main motive of malware developer was to collect SMS messages from victim's phone. The malware author's end goal is unknown at present but we will be actively looking for traces of this campaign.

Work Flow of Malware: 

Work Flow

Mitigations
We always suggest that our customers and everyone, do not trust apps from unknown parties and only download items from the official app stores that are trustworthy, like Google's Playstore.

The only official apps provided by AliPay are as shown in the screenshot below. There is no mention of any app named AliPay-Security Controls.

Playstore - Official AliPay Apps

Removal
Since the malware does not ask for Administrator privileges, removing it is not a difficult task.

The victim can traverse to Settings option in the Android device.

  • Settings --> Apps
  • Find the app in the list and click on it
  • Then, click on Uninstall option
  • Click Ok

We urge users to not trust any unknown links received via messages or emails. Additionally, disable the option of "Unknown Sources" under Settings of your device. This will not allow installation of apps from unknown sources. 

Learn more about Zscaler.