By: Shivang Desai

Malicious Android Ads leading to drive by downloads

Drive by downloads causing chaos

The Zscaler ThreatLabZ team recently identified an Android app that was downloading itself from advertisements posted on forums. Malvertising is a growing problem and one that we have covered on past occasions, especially given the rise in SSL sites that serve malicious ads. On one such forum, "GodLikeProductions," visitors complained about the app downloading automatically, but those messages were either removed or ignored by the forum's hosts, allowing the problem to persist. In this particular instance, the app uses the insidious guise of a "security update" to get the user to complete the installation.

Here is our detailed analysis of how the malicious app works. 

The following screenshots show user complaints on the "GodLikeProductions" forum before the messages were removed:

 
Fig. 1: Discussion about the app on a forum

We were not able to locate the ads that were spreading this malicious app, but we did capture the Android Package (APK).

The APK, known as “kskas.apk,” portrays itself as "Ks Clean," an Android cleaner app, upon installation.

 

Fig. 2: KsClean icon and permissions

Once installed, the app displays a fake system update message in which the only option presented to the user is to select the "OK" button, forcing the user to accept the message.

Fig. 3: Pop-up message

As soon as the user presses "OK," the malware prompts the installation of another APK named Update. This APK is stored locally inside the assets directory of the app. Once installed, the Update app immediately asks for admin rights, as shown in the screenshot below:

 

Fig. 4: Payload app, "update.apk"

The Zscaler sandbox quickly flagged this malicious app. The screenshot below depicts the main issues flagged by the sandbox:

Fig. 5: Zscaler Sandbox

Once the app gains admin rights, it becomes impossible to remove it from the device. The traditional "Uninstall" option is disabled by default, because a user cannot remove apps that hold admin rights. Usually, such apps can be uninstalled by first revoking admin privileges in Settings, but this app uses an unconventional method, registering an Android receiver, to preserve its admin privileges.

An Android receiver (BroadcastReceiver) is a component that is triggered by the events and actions it registers for. In this case, the app registers a receiver for the "DEVICE_ADMIN_DISABLED" event, which locks the device for a few seconds whenever the user tries to disable the app's admin privileges.

The following screenshot shows this action in code:

Fig. 6: Locking code

Here's a video of this functionality, which shows how the phone gets locked for a few seconds when the victim tries to remove admin rights from this app. (Please enable subtitles)

From a permissions point of view, the app is capable of performing various suspicious activities, including:

  • Mount/Unmount filesystems
  • Read/Write bookmarks history
  • Overlay system window
  • Write Settings
  • Download Without Notification
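The admin-removal hook and the permission set described above are both visible in an app's manifest before the app is ever run. The following Python script is an added example, not code from the Zscaler write-up: it triages a decoded AndroidManifest.xml for a device-admin receiver that listens for DEVICE_ADMIN_DISABLED and for the permissions listed in the post. The manifest, package name and receiver names in it are constructed for illustration; the permission and action strings are the real Android ones.

```python
# Added example, not code from the Zscaler write-up: a static triage pass over a
# decoded AndroidManifest.xml that looks for the two traits described in the
# post, a device-admin receiver that reacts to DEVICE_ADMIN_DISABLED and the
# risky permissions the post lists. The manifest below is constructed for
# illustration; the permission and action names are the real Android ones.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions called out in the write-up, keyed by their manifest names.
WATCHED_PERMISSIONS = {
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": "Mount/Unmount filesystems",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Read bookmarks history",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "Write bookmarks history",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay system window",
    "android.permission.WRITE_SETTINGS": "Write settings",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "Download without notification",
}

BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_DISABLED = "android.app.action.DEVICE_ADMIN_DISABLED"

# Constructed manifest: a fictional package with a device-admin receiver that
# hooks the DEVICE_ADMIN_DISABLED action, plus three of the watched permissions.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the package name, watched permissions and device-admin receivers."""
    root = ET.fromstring(xml_text)
    findings = {
        "package": root.get("package"),
        "watched_permissions": [],
        "device_admin_receivers": [],
        "admin_disabled_hooks": [],
    }
    for perm in root.iter("uses-permission"):
        label = WATCHED_PERMISSIONS.get(android_attr(perm, "name"))
        if label:
            findings["watched_permissions"].append(label)
    for receiver in root.iter("receiver"):
        # A device-admin receiver is protected by BIND_DEVICE_ADMIN so that only
        # the system can deliver admin events to it; other receivers are skipped.
        if android_attr(receiver, "permission") != BIND_DEVICE_ADMIN:
            continue
        name = android_attr(receiver, "name")
        findings["device_admin_receivers"].append(name)
        actions = {android_attr(a, "name") for a in receiver.iter("action")}
        if ADMIN_DISABLED in actions:
            findings["admin_disabled_hooks"].append(name)
    return findings


def is_suspicious(findings):
    """Flag an app that hooks admin removal or stacks several watched permissions."""
    return bool(findings["admin_disabled_hooks"]) or len(findings["watched_permissions"]) >= 2


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print("%-24s %s" % (key + ":", value))
    print("suspicious:", is_suspicious(result))
```

DEVICE_ADMIN_DISABLED is also a legitimate callback for MDM and anti-theft apps, so a hit is a triage signal rather than a verdict; what separates the sample above is that its handler locks the screen, which only dynamic analysis or reading the handler code (Fig. 6) reveals. Run the script against a manifest decoded with apktool or a similar tool.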

The ads that carry the automatically downloaded app are displayed as follows:

Fig. 7: Ads shown outside of the app

We also noticed that the app connects to its Command & Control (C&C) server to fetch the various parameters it needs to operate.

Fig. 8: C&C communication

After inspecting the network traffic, we saw that it is encrypted and needed to be decrypted in order to understand what the app is communicating. We found that the traffic is encrypted with AES and that the key and IV are hardcoded inside the code. After manually decrypting the traffic, here is the plaintext version:

Fig. 9: Decrypted network traffic

In the decrypted response, the "update_content" parameter contains the message that will be shown to the user (see Fig. 1). The response also provides an update interval for refreshing the app's dynamically loaded .dex (packaged inside a .jar) and a native library (.so) file. The dynamically loaded .dex file is responsible for advertisement-related activity, and the .so file runs a daemon process that keeps the app executing even if it is force-closed.
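Hardcoded key material is what made the C&C traffic above decryptable offline, and finding it is a routine step when analysing a decompiled sample. The following Python script is an added example, not code from the Zscaler write-up: it scans decompiled Java source for AES keys and IVs passed to SecretKeySpec and IvParameterSpec as string literals, resolves them through the class's field declarations, and records the cipher transformation in use. The Java snippet, class name, field names and key/IV values are all constructed for illustration and are not the sample's real key material.

```python
# Added example, not code from the Zscaler write-up: a static triage helper that
# scans decompiled Java source for the pattern described in the post, an AES key
# and IV hard-coded as string literals and handed to SecretKeySpec /
# IvParameterSpec. The source snippet, field names and key/IV values below are
# constructed for illustration, not the sample's real key material.
import re

# "<String|byte[]> NAME = "literal"", with or without static/final modifiers.
STRING_FIELD = re.compile(r'(?:String|byte\[\])\s+(\w+)\s*=\s*"([^"]*)"')
# An argument that is a quoted literal or an identifier, optionally with .getBytes(...).
ARG = r'((?:"[^"]*"|\w+)(?:\.getBytes\([^)]*\))?)'
KEYSPEC = re.compile(r'new\s+SecretKeySpec\(\s*' + ARG + r'\s*,\s*"(\w+)"')
IVSPEC = re.compile(r'new\s+IvParameterSpec\(\s*' + ARG)
TRANSFORM = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')

# Constructed decompiled source standing in for a sample's network helper class.
SAMPLE_SOURCE = '''\
package com.example.constructed;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class NetUtil {
    // constructed values for this example, not the real sample's key material
    private static final String K = "0123456789abcdef";
    private static final byte[] IV = "fedcba9876543210".getBytes();

    static byte[] dec(byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(K.getBytes(), "AES"), new IvParameterSpec(IV));
        return c.doFinal(in);
    }
}
'''


def _resolve(expr, literals):
    """Map an argument expression to the string literal it denotes, or None."""
    expr = re.sub(r'\.getBytes\([^)]*\)$', '', expr)
    if expr.startswith('"') and expr.endswith('"'):
        return expr[1:-1]
    return literals.get(expr)


def scan_for_hardcoded_crypto(source):
    """Report cipher transformations and any key/IV that resolve to string literals."""
    lines = source.splitlines()
    # First pass: collect string literals assigned to fields, so identifiers can be resolved.
    literals = {}
    for line in lines:
        for name, value in STRING_FIELD.findall(line):
            literals[name] = value
    report = {"transformations": [], "keys": [], "ivs": []}
    for lineno, line in enumerate(lines, 1):
        for t in TRANSFORM.findall(line):
            report["transformations"].append(
                {"line": lineno, "transformation": t, "ecb": "/ECB/" in t.upper()})
        for expr, algo in KEYSPEC.findall(line):
            value = _resolve(expr, literals)
            report["keys"].append({
                "line": lineno, "algorithm": algo, "literal": value,
                # AES accepts 128-, 192- or 256-bit keys; anything else is a bug or not AES.
                "valid_aes_length": value is not None and len(value.encode()) in (16, 24, 32)})
        for expr in IVSPEC.findall(line):
            value = _resolve(expr, literals)
            report["ivs"].append({
                "line": lineno, "literal": value,
                "valid_block_length": value is not None and len(value.encode()) == 16})
    return report


def hardcoded_key_material(report):
    """Return (key, iv) when both resolved to literals, else None."""
    keys = [k["literal"] for k in report["keys"] if k["literal"] is not None]
    ivs = [v["literal"] for v in report["ivs"] if v["literal"] is not None]
    return (keys[0], ivs[0]) if keys and ivs else None


if __name__ == "__main__":
    rep = scan_for_hardcoded_crypto(SAMPLE_SOURCE)
    for section in ("transformations", "keys", "ivs"):
        for entry in rep[section]:
            print(section, entry)
    print("key material:", hardcoded_key_material(rep))
```

The scan is deliberately simple: it resolves identifiers only to literals declared in the same source, so keys assembled at runtime or pulled from resources will show up as entries with `literal` set to None, which is itself worth a second look. An ECB transformation is flagged separately because it has no IV at all and leaks plaintext structure.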

We saw over 300 instances of malicious APKs from this campaign being blocked in the past 2 weeks, affecting users in the U.S. and U.K., as seen below:

Fig. 10: Infections seen over the cloud

Conclusion

The dropper app frightens the user with a message saying that there is a security loophole in the device and that the user must install an update to prevent the loss of account and personal information. The update app asks for administrator privileges; if the user grants them, there is no way to revoke them. After that, nothing can stop the malware from displaying ads, even while the user is using other apps.

Zscaler ThreatLabZ is actively monitoring this malware campaign to ensure that Zscaler customers are protected from infection. Android users can take the following preventive measures to safeguard against this threat:

  • Do not click on unknown links
  • Disable "Unknown Sources"
  • Disable auto-download in Android browsers

Indicators of Compromise

MD5                               Package Name             Type
66a1dda748d073f5e659b700339c3343  com.master.clean         Dropper APK
e159f598f1db355dc930c60662f77c6c  com.Airie.CleanupRadar   Dropped APK

 

Research performed by Shivang & Gaurav
