Global leaders are coming to Zenith Live. Are you? Learn More
Global leaders are coming to Zenith Live. Are you?
Learn More

RuMMS malware is back…with enhancements

By: Shivang Desai

Mobile Malware

RuMMS malware is back…with enhancements

Recently, the Zscaler ThreatLabZ team came across a nasty piece of malware hosted on a fake MMS website called mmsprivate[.]site. The site lures victims with what seem to be private photos, inviting them to take a closer look. Upon accepting the offer, victims fall prey to a malicious Android Package (APK) that downloads onto their phones. The malware disguises itself as Сooбщениe, which translated to english means Messages, and performs its malicious functionality by exploiting Android AccessibilityService, which assists those with disabilities in using Android devices and apps. It then hides itself in order to spy on its victims.

The variant we are analyzing shows some similar traits, with a few modifications, to malware named RuMMS, which was initially reported by FireEye researchers back in 2016. This new version includes various enhancements, so we have dubbed it RuMMS v2.0.  

App Details 

App name:  Сooбщениe
Hash: c1f80e88a0470711cac720a66747665e
Package Name: ru.row.glass

 

Detailed Description 

Download and installation 

The malware is spreading through the site url:mmsprivate[.]site/feel/, and was most likely shared via SMS or email. As soon as the link is clicked, the spyware lures the victim to click a button that leads to the dropping of the malicious APK. The content hosted on the URL is in Russian. You can view the translation in the screenshot below: 

 

Fig 1: Initial URL leading to the APK download

 

The APK is from an unknown source and, since Android systems do not allow direct-install, leads the victim via simple clicks to enabling the "Unknown Sources" option to install the malicious app. Each step is shown below starting from left to right. 

 

Fig 2: Install from Unknown Sources

 

Enabling AccessibilityService
Once installation is complete, the app masks itself as a messaging app (see the icon below). Upon first use, the app redirects the victim to enable Android AccessibilityService. Once enabled, the app disappears from the home screen. 

 

 
Fig 3: Enabling AccessibilityService

 

If the victim does not enable AccessibilityService, the spyware will continuously appear on the screen (see the second screen in the above snapshot) to encourage the victim to enable the service.

Once AccessibilityService is enabled, the spyware goes into action to make the SMS app the default messaging app. It does this by using the functionality of AccessibilityService to automatically choose “Yes” when asked to confirm the app as the default messaging choice, as shown in the below screenshot.  Users will not be able to see this message box because the choice is made for them. 

 

Fig 4: Accessibility Service in action

 

Communication

Our investigation showed that once the initial setup is done, the malware starts sending details to a command-and-control (C&C) server. The C&C details were hardcoded. Requests and responses from the C&C were encoded using Base64. The screenshot below shows the decode values being sent and received:

 

Fig 5: First request

 

The above screenshot shows details of a victim's device being sent to a C&C. The C&C replied with command "40" and the names of apps. We noticed that command "40" was used for disabling the apps. 

 

Fig 6: Initial response

 

In this instance, the list of apps to be disabled contained well-known antivirus (AV) apps, including: 

  • Trend Micro 
  • Dr. Web
  • AhnLab
  • Avira
  • Sophos
  • McAfee
  • F-Secure

The malware makes sure that all of these AVs, if present, remain inoperable. As soon as a victim tries to open one of these apps, the malware abruptly closes it. It behaved similarly with an app from a well-known Russian bank, Sber Bank. The malware did not allow any Sber Bank apps to open. 

SMS: Sending and stealing

The spyware waits for commands from the C&C server and accordingly exhibits its functionality. As in the case below, we found that command number "11" was used for sending SMS messages to any desired number with the body of the SMS instructed by C&C

 

Fig 7: Response containing SMS command

 

Upon further analysis, we also found the spyware to be stealing SMS messages from the victim's device. This functionality could also be used to steal bank-related one-time-password codes and other relevant information. The screenshot below shows this functionality in action:

Fig 8: Stealing SMS messages

 

Stealing Contacts

The malware is also able to steal contacts from the victim's device. We believe this functionality is used to further spread the malware with a well-known technique called SMS-Phishing (or SMiShing).  

Fig 9: The app stealing contacts

 

Calling 

The malware also has calling functionality. In the example below, the number to be called was sent from the C&C server in the encoded manner seen here. 

Fig 10: Calling functionality

 

One of the more interesting things we noticed was the way the malware was being distributed. Every time we visited the link, we were presented with a new malicious app exhibiting the same behavior explained above but with different app name, different package name, and even signed with a different Android certificate. We also found that apps had different C&C servers with the pattern http://<domain-name>.com/<random-chars>/index.php. We noticed the below mentioned domain names in association with the C&C servers: 

 

Sr # Domain Name # of apps contacted
1 sisirplus[.]com 172
2 vietusprotus[.]com  50
3 glowbobget[.]com 45
4 hellowopung[.]com 102
5 quostpeopls[.]com 24
6 bannerincbest[.]com 102
7 campuphome[.]com 9
8 wewelowertick[.]com 3
9 bigslogous[.]com 25
10 zavannerweb[.]com 55

 

Conclusion

A new and improved RuMMS is back in full force as RuMMS v2.0 with enhancements and updated features. In the last 10 days of May 2018, the Zscaler ThreatlabZ team uncovered 580+ similar apps making the rounds in the wild. It is always advisable to stay clear of unknown links. Do not trust any suspicious-looking URLs received either in SMS messages or emails, and only download apps from official app stores. 

Zscaler customers are protected from such types of attacks at multiple security levels.

Below is the sha256 hash list of recent samples found in last week. The complete list of 580+ apps can be found here.

 

2cc08d98b2bc11047791e722c2f0e7639f4c5772cda0fb5ecabec1b55914a3c2
6ec7fba253b76d3b8090a98c6e87c662af8bcda1694a617cce7db59feb08e6f1
96a8393e583ff1a12df458534790dfd2551861a4fd600f741e36023682d9d9be
1092d809488da433c5d5433a4a1efdc2e32445637e44b6dc77b7fa0e4d536c43
762c5d1b1b95c46aa6727a49ae27e2b19863d406da2091e50ffe13c79211ffac
af6773b1dcec3c3a1d05964ed9d245c2271e96835ffbe3fc543912dc602a64f9
cfc50b2e3da760a2369dbb5bf45fc8d3cdc37a2ad020084aafe2acb53d8603d6
707456abf552e13ba4ece378d0a7a672bd8fbc22185a478478c81fc7e5c96ce9
a8352f93f7c23953a6deeace67205216c1d37d7f8f6207147d7b93cf272fca9c
751f1ed896639b62e433fcbce5d87b1baeb7a5a82c3a855d30fa4c4c8dddfd81
a1ff7ca12de6cbf36a67aa10ee95202f0c37b8b953f916e9f1780a10042e36af
4a429aae275be2e06ce751537deae327ba377e2e96fc040611f910957b64fcf5
83728b3d17974df0ac424845668496a2bbf6eaa166e899ef2bf842dae2359bf6
be4ceb20c9ddf2ddba90988a41ee68f43f205860d9a66d5ac8da500f55fb9d21
09aefb181d949be189a580e5415b74f372d61a13edd86930e6aa0046231813fe
b5a7683172d38220c4d179c525b9dd8ffaa28b6b5cb9c1b45bac7a72327b7da6
383ddecdcdbe2e43035e34307a026e66f79e0b5556f231684db876b3104f0e10
d6f172b04d2e4d1eb7d5e58b16d9768cfe59c32d987ca9b4534e9cf859cce8f4
f18f523d581acb3136e85cb7b2a056f88e48f2d1dfe21f003ef3f12269e470e1
47e105ef7874e30903d6edadeaa5c2731280663f48c7fb5004cc7668a3ac2a81
d3ca7e61067f527f7cefdddabb0b770ae8ad6d38a89b0f0bccbed995893cea19
1c66a552c0090f81f7b2ce11c8974bbd2aea75afc1092ad5e8d6f8a1ccf416f3
21569d8d302180098231efa76482c5a673f344cba8b4654130fada58aad7e62f
f2c1b8bd0777cd69329fe22fec8519d810e41b000b92ee13de5629dcd3e875ad
98ab7f612c7a1dc3fd44fbd045a6cf21d8c9240dbad08f847423df5f22d7b460
758fbbd8a142933f9c5a9866ea7b7c26789da293c93ec3223f5661f62939325c
0b246a1ba24761fb4d6f105d210af9e9c2507b475f13084780a7f9e8145a91a6
eb607863d2e6a56a53893d4c6253896f3e7ab229a75ad29b32762f27bbd398e5
642be174b9ad9d14b4079472d0a641b9c73f6eb3d8a40152025d438619e22ad5
bd800b6cc3ea900aa111c88adcffca2b31f8c47e00928df985d62bf4cc0daf2d
6858491a04ba906f912d0baf86b37e8ef42c63c505e0db3ffffdf5b543e0c829
2518d9deb54ed0fa373b0b22a16da5b7a8f02502470987aeeba34398e083c15c
f0dabdc7f4364e810e1870afccfd6af14f844f494cd9026879dc2b3becdba8a7
5e4f663d867ab14c7a2ad6e5f35aa315e34ea0e01c50dbb8d63667c405437e1c
389393e8642e61e8f884ae288be53b71aa9ff5846c5760d013e57c6843e14440
2dfa3d51b031976f8418d8f7d05f8fa803b937cfc6711f9d4ffeca45ca3db0a5
b4dd995909b8f99d2b519d347c27386b0bfa434332eb7b0c7483a10f0d1d864c
f260bb6965405aac4a79de75650f184911185c34e27cc43d27c88efca86ab712
bf170d05c2ae2738ae298b851390eca2bed6fb6db729e3150d3809179c02bec7
e191bc75a21a613232cf5cff2f4874106f3cd64f867b5096b193a7fcf9dc74c4
88b1fc39c3e89e790fa7fdba78516ac52b489209e9fb38c39aac416f53fdde90
64647593a8cdfba26a39441cdf49216fbb687652f490cbed230ebc2061aa6b17
027c3f91df5b5f413c4ce117d4e1a4eb33c050a4be96a0385e8a4cc1c445c027
ee996791fcabcc88d1bc082060a9989fdb1b7079c2e66583002443ac43da87ec
a97e2e39a29ebd7ace2895621a6cf2f4a53990d55752816957034b916a149a31
c170ee01c009f4d1a960f6dca3edd2d96fd4e31fad29b7bac248314947d09d1d
b0d4b92653518def16f6b08739cf47ba463a6a18f6c7c85ace7be9d6f4145084
7cffccf41385f1c82c5383a68d79999a1ff506b403cbb00879351bb247a09371
59746db01df4c33edebf4b4b6cfb44d297cde45f23ec6678ef0f2ca15b40d6e9
b2a940600d50d862f539eead80d636b556d32aabc462156fe8b29d44c3337ab8
8e839d560f08ae14d5ca457ace9735419e8d5e06f8c30febb48d2997145ff1b6
5bbecc8c2eaea918ce06e37fa8fda338861662d682cfa43e26ebca6c1075114d
d186eaaf72c80289e755ab20a604e4ff20dc98349dfb56206848a4ec79d9388f
cc978d00329bbb2c2bf60055d5762dd7b407f44b8df2a31f0d1e54a0958271d8
d507332483bb124158b2b02bf0f3d7b07977bf7fa1c34df5a1b001979a2e2a66
65d34b945cccd91ce48eb77458768aba34be86be9372f36162e6d42198416775
bce3428913c048d7f8114d07fffacecb7273d65a41e0c7b8bff3f63abb1913b1
a801e38fb832b7f4f9713fb4fbb35f4c5de156c5787718d7fdbe636499e99cf0
048e3bc98ae1d8ac57eb5e55c5b2cbc6661a77992650a10e35a5d0fbbc1227cf
cbb5b11f0e934e8e13c1590c5868dce72f1a364ab32e7ba408f2ad9fa8d5145b
d1259c1461d71e238ac9984baf96b94c2c145a820ea44d487b6f2fc4e196ef70
09ead1fcde087a14da07d58b8db8bed1b18e08701ee4ee300d2af3dbe1a6bd55
a36e780153fb6c26e28ab5cb4c51ebfeb6dd1e04ec6f4489d9ea67c710015b74
71567ed7c3c0b14a09b5cbd712fcdc777a6bb5d0685c24cccc82e1d1ac3d5d3f
319246f91aff8b444037474ce845cc51785b160a2b650a54cfbe402621598de5
c14c22ddb3d492ef6b40afb3918a97a4b9a8def4dfb6dc944bcdb476e347f1a5
790654bcb118cf14a6ffcb82a73d18620ab1a993f570d6186f3a1571b6d2b2e8
04ae5d0126670a8a1eab95373e39db662c921ee468ea7d842d9f894e3d1270c6
f7cb9474374badcc8881bd5c48ff9d0ac3149de053d93abc9a1cad45c319ad04
bb58e7eb3aa7f212c4d8a4bab1dbd086b8d5621441f50b774d6550b811978897
2202684f0ff5b627baa8473f2068ee3b1d976d7d860f9c188a9178253d356cb3
d130b94a85a8ded1f52469b68977f601617bd536df34c279d37674b03119eb9c
359f8c5ced61249c52655de6ff263c76878c15be12577a920d667f4dcf52e033
b51a6a66778db92878578f3e45cba90fcdb64ca8ece738053b399430bde9e94c
0da9e58ce9b435726f691e869e3efa8f331a8fc2c877c0cee48430837685ec0e
f2176c17ee41cb242db184db275d782293e1a71b7d19fd160d56872b17c75096
c9bfea7a58aa8a3b60198832d891622da61d48ace0d97d42aa5616c76382b828
8d7bfebd2a5255b4caeff9b0f4e76c62336cf15bd6a860fc77cdd9f36d01c340
d717066af883382082fe4672fbc38cc87b52046207f7570f523225f64abe4a25
d14542d7d725a7854433d53fc21447931f54d28858f2847c8db6f19de43d2b81
edb2edbed8bedb3ef25e131e5ea6ed415bae66799323761f113a8a86c2b935fa
41df2e51a18c37acf0564f54ccd2e06ea62122c29a1d705cf1e2a4c31338a2f1
6e3b96097a635992b10bc51ff5cd72d0cf5b09aaceeeafd3b3ca84d744706ce0
565c9f86c8c4692a1ca018dd0b0b9cf91c54bdb320172214efa4abac2954e075
2f9137c1c1e31a7e58a6ad469bd7c268e3a5cd5582e6f930944580a8b1ff827a
d1df4dbc7333e4ec1948a0ea180227ed9439aabb78e49bd30d41c86ed901bda1
c28ce42efe922a393eedd3b398dd8a6465d08e40c9dddcf170e6eae7d349c196
1945682074a418ca389dbc5e69660c7bc0a236fcf90bb8f90c7aa5e03a029d03
3d344839de28dcbd9101059d2c1dd66aa14e1aceb68f528177f9fe6cd1051419
79ac737775f6e568bfc62b4e1bde90c615e1e9d41604a4f68d889a7352b5a359
51ee98b8e02cf3a81a85fd98c8ff9dded3e1b22abee12b308abd2f3aedfda6d7
b0bd2ce89516c6e83a0cffd10db0bb371e84de902c7e91be342353bcae147e90
94536a9c413b0577f7a81bd6a782e308d40d2f3563f3b6b25f295ae256c074f0
600b931a3106c63dc29324aa40dbc75c17ccac0ddbbf44c4c657682dadf9c3d5
0c38da53878c2cbf18edbbd080d8f4b3f9973c16244a2f80c3c74c415fcb5694
af9d21489a18c551a2eaf4f4b7917539bab44547b38f2f0a7348e2b645fcca8e
85f4189eb0f0b6ce91e4d7f93e1e6bec98c4b27950c2b86a5e8f8e05b0e69aac
9ff6093319e604690b114f853df4c708e214e65407962ac37299490d5202023e
4dfc360fdb55e74f7108daefb7e5becc6790510854bba92e83e1eddc2f16e86b
8089f7ea0c96dc24457d9643097a9632c94f9a26bdf8fc6523a5aad555cc4513
60231f05a17ca19d8a51c5450cebf7bb1a1bc2464cb88a2530bd933c88f1420c
614fcccaf4f988743897200cf0e4330f8878f64ecb395f322b7174f89c08522e
a6649912c00dc0f501aeabad050620101ab31ce9088201fe6cf065988b269fe3
d5600a87602f0b268dd04436676229ba146dd01571c19678fb6214826101ce11
998b7c089ac7441697284bc09024acfcc3e0ea835549e2d9d926f24595ee2f42
1661346435dbd53231d06ff769bfe58020bdb124208dc7b67b5fae1f3059342a
3ae5dc40e3d4a575762da2d053f38ac82fb2e90fe3beb5292267f85d07b3044b
01e1d9835d4447987c9758c18a02b3348b7feb5fef6be284081d71760786e217
e41636b8f0972afd36d4f3764775d7f5c861147d770ea9a6ea5d723033ba4ad3
51b97227a6c0866af7a01a7dde873626506f724dad2d555cfba0d5c79b8c9d00
ed2007c3b031391c1ff9117e3f166ebf2b34a4dd3045ca1f4de4251bad88e5a2
e2f6a49245ce98bad73877cc9b5ba71c141c6cd6f16d2147b800744d485d513f
72d1b44ca07b64f608cf5ea4ae28a0b501ad646e071cfea0782186458efe9326

 




Suggested Blogs