Bestehen Bedenken im Hinblick auf VPN-Sicherheitslücken? Erfahren Sie, wie Sie von unserem VPN-Migrationsangebot inklusive 60 Tagen kostenlosem Service profitieren können.

Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Security Research

Fake BatteryBotPro ClickFraud, AdFraud, SMS & Downloader Trojan

image
SHIVANG DESAI
Juli 06, 2015 - 5 Lesezeit: Min
[UPDATE #1 - July 8, 2015] We would like to clarify that at the time of our analysis, the app was not present on the Google Store. We found references to this fake app being hosted on the Google Play store during our research where it showed that the App has been removed from the Google Play store already as seen below:
 
Image
Link to Google Play Store for the fake app
.....

[UPDATE #2 - July 9, 2015] Google Android security team confirmed that the fake application was uploaded to the Google Play Developer Console by the miscreants.

Google Play Developer Console enables developers to easily publish and distribute their applications directly to users of Android-compatible phones

However, as per Google's Android team the fake app did not make it to the official Google Play Store as Google's security system flagged the fake app during scanning.
.....

Malware authors tend to follow one of the following two methods for malware development:
  1. Create a malware app from scratch.
  2. Compromise a legit app by embedding malicious modules into it. 
With Android being open source and an Android app being easily reversible, most of the malware developers tend to stick with the second option.

Spoofed Functionality and Ads:

We came across a malicious app recently that followed this path. This time the spoofed app was a copy of a legit app named BatteryBot Pro. The spoofed app had the package name of 'com.polaris.BatteryIndicatorPro' and was removed from the Play Store as soon as Google became aware of it's malicious intent.

We also saw a spoofed version of BatteryBot Pro available for free during our research. The actual price of BatteryBotPro on official Play Store is Rs.179.99. The legit BatteryBotPro app demanded for minimal permissions as shown below:
 
Image
Legit app permissions
 
In contrast, the fake app was requesting many more permissions, raising a red flag as can be seen in the screenshot below:
 
 
Image
Permission requested by Malware
 
The screenshot below shows a comparison between the actual app and the fake app. The legit app functionality was modified and embedded at a different location within the fake app:
 
 
Image
legit app vs fake app
 
 
Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access of the victim's device.
 
Image
Request for Administrator access
 
Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background.

 
Image
opening BatteryPro screen

ClickFraud and AdFraud activity

Though the app seems to be working normally, at the back-end it tried to load various ad libraries, ultimately delivering a click fraud campaign.
 
Image
Requests sent in back-end
Some of these URLs were hard coded in the app and some were sent by the remote server.
 
Image
Hard-coded URLs in database
 
The malware tries to collect the following information from the victim device:
-Memory available in device
-IMEI
-Phone Operator
-Location
-Langauge
-Phone Model
-Sim Card availability
The following screenshot shows the data being collected.
 
Image
Parameters sent to server
 
Image
Parameters sent to server
On the basis of various parameters and conditions in the server request, the malware starts receiving a list of ads to be displayed, along with the URLs from where to fetch the ad.s
 
Image
Response from server containing ad URL

The malicious app then downloads and installs additional malicious APKs without the user's consent:
 
Image Image 
Image
Downloaded Apps by malware
Apart from the implicit downloads, the malware also displays pop-up ads to the user:
 
Image
Pop up Ads

This malware was not only built with the purpose of displaying ads, it was also designed with more evil intentions.

Sending SMS messages: 

The main Activity Screen is identical to original app but when the user clicks on "View Battery Use", the malware sends a few requests to its Command & Control server to retrieve short codes. These short codes were premium rate SMS numbers where a message was sent. This will result in financial loss to the affected user.

Requests sent to server can be seen below:
 
Image
Device info sent in request

Though the content was encoded, we did not have to work hard to determine what was sent as the malware developer forgot to remove the logs. The server responds with short codes that are used for sending messages. The following screenshot shows a premium SMS response received from the server.
 
Image
Logs showing server response
 
Uninstall FAILED: 
 
Apart from displaying ads and sending SMS message, the malware is also very persistent. Being run with administrator privileges, the user cannot delete the app after installation.
 
Image
Uninstall not possible
 
"Persistence" Effect:
While  in some of the scenarios we were able to manually delete the app, the malware authors have taken care of ensure persistence. The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted.

This acts as a service and sends requests to hard-coded URLs found in the app.
The screenshot below shows the hard coded URLs.
 
Image
Hard-coded URLs
 
 
The service started by this app continually sends requests to aforementioned URLs, some of which will deliver new APKs.

Conclusion: 

The Malware we saw in this blog was designed with multiple evil intentions including ClickFraud, AdFraud, Premium rate SMS fraud and the download & installation of additional malicious APKs.
 
A few traces of command execution were also seen in the app but were not fully implemented. Perhaps the developer is working on an upgraded version of the malware with proper "command-execution" functionality.

The ThreatLabZ team will continue monitoring new mobile malware threats and ensure protection for Zscaler customers.


 
form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

dots pattern

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.