
From third-party Android store to SMS Trojan

Authored by:

Shivang Desai

Category:

Abuse


Instead of downloading and installing apps from the official Android app store, users often turn to third-party stores. The reasons vary, from wanting a particular app that isn't available on the official store to seeking cracked apps (versions of official Android apps that have been modified to disable certain features, such as copyright protections). Recently, the ThreatLabZ research team came across one of these third-party app stores that seemed to be hosting Android games. The store, called “Smart Content Store,” presents itself as an Android app store and uses hostnames such as sexy.smartcontentstore[.]com and games.smartcontentstore[.]com.

Fig 1: Third-party app store homepage

At first glance, the site appears to be an app store hosting Android games, but we were unable to download any apps. Clicking the Install option on any of the games, as seen in the screenshot above, simply leads back to the same page.

Upon further examination, we found many direct links to APKs being downloaded from these domains. The image below shows the direct downloads of these APKs.

Fig 2: Zscaler dashboard

These apps have different package names and certificates, but every app exhibits the same functionality. We have provided an analysis of one of the apps below. (A complete list of apps can be found in the IOCs section at the end of this blog.)

App summary

APK Name: smartworld_-_WIN_-_500929091890143_-_.apk
Package name: vaya.bailecito.epore.saturda
Size: 2100203 bytes
MD5: 091E91A9ED7202CD44DC5E1C4B3DCC90


Technical details

As soon as the app is installed, it appears as a blank space: as shown in the screenshot below, both the app icon and the app name are missing. Upon tapping the space (the invisible icon), the app displays its first activity with two options: Smart World and Sexy World.

Fig 3: Invisible app icon and the first activity

During the initial phase, the app sends several requests to hxxp://play4funclub[.]com/public/notification/is-active, but during our analysis we received only a 301 Moved Permanently response. These requests can be seen in the screenshot below.

Fig 4: Initial requests

Upon clicking either of the two options shown above, Smart World or Sexy World, the app asks for Administrator privileges, stating “To view all the porn videos you need to update. Click to activate.” This message can be seen in the screenshot below (left image).

Fig 5: Admin privileges

As soon as the victim activates admin rights, a request is sent to another domain. Nothing happened as a result of this request, so we believe it simply indicates to the attacker whether or not the victim has activated admin rights.

Fig 6: Request upon enabling admin rights

After a certain amount of time passes, the app starts sending requests to hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php with details about the victim's device and location. It sends the following information in its POST request:

  • Android version
  • Installation date
  • Version
  • Date (date of the request)
  • Country code
  • Carrier
  • Device ID

The screenshot below shows the request and response taking place between the compromised device and attacker:

Fig 7: Request and response related to the SMS message

The app acts according to the response received from the attacker's domain. If the response contains "status":"OK", the app fetches the details it needs from the response; in our case, these were a phone number and a message body. It then sends an SMS message with that body to that number. This functionality is visible in the screenshot below: the attacker's response is held in paramJSONObject, and based on its contents the app calls sendTextMessage, the routine that sends the actual SMS message.

Fig 8: Sending SMS functionality
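As an added example (not code from the post or from the sample itself), the following Python scans proxy log entries for the exchange described above: a POST to the app_sms_request_get_number.php path answered with "status":"OK" plus a phone number and message body, which it extracts so the destination numbers can be blocked and alerted on. The JSON keys number and message and the log-entry layout are assumptions; the sample log entries are constructed.

```python
import json

C2_PATH = "/scripts/app_sms_request_get_number.php"  # endpoint path named in the post


def parse_c2_response(body):
    """Return (number, message) if the reply is an SMS instruction, else None."""
    # The post only says a reply with "status":"OK" carries a phone number and
    # a message body; the JSON keys "number" and "message" are assumed here.
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or data.get("status") != "OK":
        return None
    number, message = data.get("number"), data.get("message")
    if not isinstance(number, str) or not isinstance(message, str):
        return None
    return number.strip(), message.strip()


def flag_sms_c2(log_entries):
    """Return one finding per SMS instruction seen in proxy log entries."""
    # Each entry is a dict with method, host, path and response_body. Contacts
    # to the endpoint that returned no instruction are skipped, not flagged.
    findings = []
    for entry in log_entries:
        if entry.get("method") != "POST" or entry.get("path") != C2_PATH:
            continue
        instruction = parse_c2_response(entry.get("response_body", ""))
        if instruction is None:
            continue
        number, message = instruction
        findings.append({"host": entry.get("host"), "number": number,
                         "message": message})
    return findings


# Constructed sample log: the host is the defanged C2 domain from the post and
# the number and text of the first reply are taken from the post's table.
SAMPLE_LOG = [
    {"method": "POST", "host": "app.in-spicy[.]com", "path": C2_PATH,
     "response_body": '{"status":"OK","number":"6768482371",'
                      '"message":"france athletes employed"}'},
    {"method": "POST", "host": "app.in-spicy[.]com", "path": C2_PATH,
     "response_body": '{"status":"WAIT"}'},
]

if __name__ == "__main__":
    for hit in flag_sms_c2(SAMPLE_LOG):
        print(f"{hit['host']}: send to {hit['number']}: {hit['message']!r}")
```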

During this phase of analysis, we observed several attempts to send SMS messages to different phone numbers with different text as the message body. This can result in high costs to the victim.

Some examples of the SMS messages can be seen in the table below:

Phone #          Message Body
6768482371       message:france athletes employed
6857215675       message:experience iran yarn combines field
6768482371       message:luther exercise queens
2347003300131    message:hungary contributing task bird
6857215675       message:boolean wisconsin criticism verification republic
2347003300131    message:exchange audience nc medicaid
2347003300131    message:ut controlled salt customized consider
6768482371       message:legislative wayne brand hungarian
6768482371       message:consulting gui contrary eclipse
79697530171      message:boards tits difficulties
6768482371       message:royalty relay mv
6768482371       message:boards sie gabriel computer
6768482371       message:mods html chronic
6768482371       message:integer coleman monsters
6745596671       message:capabilities labels addiction
6768482371       message:checking upskirt football possibilities
6745596671       message:academics actively matrix ga
2347003300131    message:incidence quality mrs estimated default
6745590060       message:estate mexican legal flour
6768482371       message:cleared connectivity divx
2347003300131    message:cafe activists our constantly
6745596671       message:brush accepted role
6745596671       message:plain weed senators reform framing
6745596671       message:represents fig answers signup
6745596671       message:animation failure lucas browser poetry
2347003300131    message:biodiversity present solving herbal regulations
6857215675       message:shakira wanna movie freight
6768482371       message:shipping uzbekistan senators optimize basically
6857215675       message:folks tamil cooper
6857215675       message:picking maine shapes men wives

This app also has permission to view the victim's contact list, which means the app could easily spread itself using those contacts. We also found other sensitive permissions, and we are analyzing the sample further to determine their functions and potential impact. We will update this report with any interesting findings.

Conclusion

The Zscaler Cloud Sandbox successfully flagged the sample as malicious based on indicators found in the sample, as shown in the report screenshot below.

Fig 9: Zscaler Cloud Sandbox

Zscaler advises Android users to download apps only from official app stores. Using third-party stores may lead to the installation of apps that have hidden, malicious intentions, as described in this case. We also advise users to keep the Unknown Sources option turned off at all times on their Android devices; keeping this option off prevents any third-party app from being installed directly on the device.

IOCs

Domains
app.in-spicy(dot)com
insidecontentsp(dot)com
incontsmart(dot)com

MD5
22b5cec87a9227abbaa6f120f4809230 
0648e6c78d85ce62eed06fbb94283712

