Infostealer APK Posing As Microsoft Word Document

The Zscaler Experience
Your world, secured

Experience the transformative power of zero trust.

Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE)

Get the full report

The Zscaler Difference

Experience the World’s Largest Security Cloud

Customer Success Stories

Analyst Recognition

Machine Learning and AI at Zscaler

Reduce Your Carbon Footprint

Zero Trust Fundamentals

What is Zero Trust?

What is Security Service Edge (SSE)?

What is Secure Access Service Edge (SASE)?

What is Zero Trust Network Access (ZTNA)?

What is Secure Web Gateway (SWG)?

What is Cloud Access Security Broker (CASB)?

What is a Cloud Native Application Protection Platform (CNAPP)?

Zero Trust Resources
Products & Solutions
Secure Your Users

Provide users with seamless, secure, reliable access to applications and data.

Secure Your Workloads

Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.

Secure Your IoT and OT

Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.

Products

Transform your organization with 100% cloud native services

Secure Internet Access (ZIA)

Secure Private Access (ZPA)

Data Protection (CASB/DLP)

Digital Experience (ZDX)

Posture Control

Partner Integrations

Industry and Market Solutions

Solution Areas

Propel your business with zero trust solutions that secure and connect your resources

Stop Cyberattacks

Protect Data

Zero Trust App Access

VPN Alternative

Accelerate M&A Integration

Optimize Digital Experiences

Zero Trust SD-WAN

Build and Run Secure Cloud Apps

Zero Trust Cloud Connectivity

Zero Trust for IoT/OT

Zero Trust for Private 5G

Find a product or solution

Find a product or solution
Platform
Zero Trust Exchange Platform

Learn how Zscaler delivers zero trust with a cloud native platform built on the world’s largest security cloud.

Transform with Zero Trust Architecture

Propel your transformation journey

Secure Digital Transformation

Application Transformation

Network Transformation

Security Transformation

Secure Your Business Goals

Achieve your business and IT initiatives

Ensure Secure Business Continuity

Accelerate M&A and Divestitures

Recession-Proof Your Enterprise

Secure Your Hybrid Workforce

Download Zscaler Client Connector
Resources
Learn, Connect, and Get Support.

Explore tools and resources to accelerate your transformation and secure your world.

Resource Center

Stay up to date on best practices

Resource Library

Blog

Customer Success Stories

Webinars & Demos

Zpedia

Events & Trainings

Find programs, certifications, and events

Upcoming Events

Zenith Live

Zscaler Academy

Interactive Zscaler Whiteboard Workshop

Security Research & Services

Get research and insights at your fingertips

ThreatLabz Analytics

Tools

Tools designed for you

Security and Risk Assessment

Security Advisory Updates

Disclose a Vulnerability

Executive Insights App

Ransomware Protection ROI Calculator

Community & Support

Connect and find support

Customer Success Center

Zenith Community

CXO Revolutionaries

Zscaler Help Portal

Download Zscaler Client Connector

Industry & Market Solutions

See solutions for your industry and country

Public Sector

Healthcare

Financial Services

Education

See all
Company

About Zscaler

Discover how it began and where it’s going

Partners

Meet our partners and explore system integrators and technology alliances

News & Announcements

Stay up to date with the latest news

Leadership Team

Meet our management team

Partner Integrations

Explore best-in-class partner integrations to help you accelerate digital transformation

Investor Relations

See news, stock information, and quarterly reports

Environmental, Social & Governance

Learn about our ESG approach

Careers

Join our mission

Press Center

Find everything you need to cover Zscaler

Compliance

Understand our adherence to rigorous standards

Zenith Ventures

Understand our adherence to rigorous standards
Request a demo

Recently, we came across a piece of Android malware which was neither a porn app nor a battery status app, but was instead designed to look like a Microsoft Word document. This malicious app portrays itself as a document with an icon resembling Microsoft Word.

Due to the ubiquitous nature of mobile devices, its no wonder that PC based malware techniques are appearing in mobile domains. In early Windows malware attacks, attackers would often name the malicious files with eye-catching titles and use common icons to entice victims to open the file. We're seeing this same practice used for Android based malware.

Overview:
The malware portrays itself as a data file with an icon similar to that used by Microsoft Word documents and is entitled '资料' (Data). It runs with Administrative access and hence cannot be easily uninstalled. Once installed, the malware scans the device for SMS messages and other personally identifiable information such as the IMEI number, SIM card number, Device ID, victim's contact information, etc. and sends this to the attacker via email.

Malicious APK posing as Microsoft Word File

Technical Details:
Once the malware is installed, it appears on the Android home screen as shown below:

Microsoft Word Icon

Initiation:
As soon as victim tries to start the app, it shows an explicit error stating "Installation errors, this software is not compatible with the phone" and the icon then disappears from the device screen.

Fake Error Message

When this error is being displayed, the app executes a few major functions as noted below:

Sends SMS messages to a hard-coded number.
Starts an Android service, named MyService.
Starts an asynchronous thread (SmsTask) which runs in background.
Starts another thread named MailTask, which also operates in background.
Calls phone numbers specified by Attacker.

Sends SMS

Initially malware tries to send the victim's device IMEI code in a message body to a hardcoded number.

Calling SendMsg function

Assets.getInstallFlag gets the IMEI (or ESN number in case of CDMA devices)

IMEI code fetching

And finally sends the message.

Sending Message

MyService Service:
The main task performed by MyService is to collect all the SMS messages from inbox of the victim's device. Once that is done, it stores all the messages in its local logs.

Service fetching inbox messages

SmsTask Thread:
Apart from logging SMS messages, MyService was not sending these messages anywhere. This functionality is exhibited in the SmsTask thread.

SmsTask will also read the SMS messages and exfiltrates them.

Fetching inbox messages

Once the messages are collected, the app then sends them to attacker via email.

Calling SendMail method

A username and password for an email id were found hard-coded in the malware.

SendMail functionality

MailTask Thread:
MailTask's main role is to collect contact information from the victim's device and send it to attacker via the same functionality explained in case of SmsTask.

SmsTask Thread

Sending Mail:
The app sets up an SMTP host on port 465 for sending email.

Sending Mail

localMimeMessage contains the necessary data to be sent to attacker via email. In the case of SmsTask as mentioned above, localMimeMessage's body contains an SMS message list and in the MailTask instance, it contains contact numbers from victim's device.

Calling Functionality:
The malware was also designed to call phone numbers provided by an attacker via SMS.
It has a broadcast receiver registered to trigger whenever a new SMS is delivered.
The malware reads the SMS received from the attacker and acts accordingly.

In one instance, malware was trying to fetch phone numbers received in SMS messages and then calling them, as shown in screenshot below:

Broadcast Receiver

We were able to confirm that the campaign was initiated on October 10, 2015 and almost 300+ users had fallen prey to this malware. The attacker was able to successfully retrieve message details and contact lists from the infected users.

The following screenshots shows the list of emails received by the attacker:

Inbox

Further, each email titled "Message list" consists of full SMS conversations from the victims phones and email with subject "Contact list" contains a list of all the phone numbers fetched from victims contact diaries.

Messages from victim's device

Contacts from victim's phone

There were 300+ such emails found in the C&C admin panel. Such malware creates a significant privacy & financial risk as it obtains contact information and private SMS messages.

Prevention:
It is recommended that users download apps only from official Android stores like the Google Play store. If you are infected with malware, you can follow the steps mentioned in our previous blog for removing the malicious app.

Zscaler named a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge

Your world, secured

Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE)

The Zscaler Difference

Zero Trust Fundamentals

Secure Your Users

Secure Your Workloads

Secure Your IoT and OT

Products

Solution Areas

Zero Trust Exchange Platform

Transform with Zero Trust Architecture

Secure Your Business Goals

Learn, Connect, and Get Support.

Resource Center

Events & Trainings

Security Research & Services

Tools

Community & Support

Industry & Market Solutions

About Zscaler

Partners

News & Announcements

Leadership Team

Partner Integrations

Investor Relations

Environmental, Social & Governance

Careers

Press Center

Compliance

Zenith Ventures

Security Insights

Infostealer APK Posing As Microsoft Word Document

Author

Shivang Desai

Recommended for You

Coverage Advisory for CVE-2023-34362 MOVEit Vulnerability

Threading the needle on innovation and security with ChatGPT

Make generative AI tools like ChatGPT safe and secure with Zscaler

3CX Supply Chain Attack Campaign

Get the latest Zscaler blog updates in your inbox