[UPDATE #1 - July 8, 2015] We would like to clarify that at the time of our analysis, the app was not present on the Google Store. We found references to this fake app being hosted on the Google Play store during our research where it showed that the App has been removed from the Google Play store already as seen below:
 |
| Link to Google Play Store for the fake app |
.....
[UPDATE #2 - July 9, 2015] Google Android security team confirmed that the fake application was uploaded to the Google Play Developer Console by the miscreants.
Google Play Developer Console enables developers to easily publish and distribute their applications directly to users of Android-compatible phones
However, as per Google's Android team the fake app
did not make it to the official Google Play Store as Google's security system flagged the fake app during scanning.
.....
Malware authors tend to follow one of the following two methods for malware development:
- Create a malware app from scratch.
- Compromise a legit app by embedding malicious modules into it.
With Android being open source and an Android app being easily reversible, most of the malware developers tend to stick with the second option.
Spoofed Functionality and Ads: We came across a malicious app recently that followed this path. This time the spoofed app was a copy of a legit app named
BatteryBot Pro. The spoofed app had the package name of '
com.polaris.BatteryIndicatorPro' and was removed from the Play Store as soon as Google became aware of it's malicious intent.
We also saw a spoofed version of BatteryBot Pro available for free during our research. The actual price of BatteryBotPro on official Play Store is Rs.179.99. The legit BatteryBotPro app demanded for minimal permissions as shown below:
 |
| Legit app permissions |
In contrast, the fake app was requesting many more permissions, raising a red flag as can be seen in the screenshot below:
 |
| Permission requested by Malware |
The screenshot below shows a comparison between the actual app and the fake app. The legit app functionality was modified and embedded at a different location within the fake app:
 |
| legit app vs fake app |
Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access of the victim's device.
 |
| Request for Administrator access |
Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background.
 |
| opening BatteryPro screen |
ClickFraud and AdFraud activity
Though the app seems to be working normally, at the back-end it tried to load various ad libraries, ultimately delivering a click fraud campaign.
 |
| Requests sent in back-end |
Some of these URLs were hard coded in the app and some were sent by the remote server.
 |
| Hard-coded URLs in database |
The malware tries to collect the following information from the victim device:
-Memory available in device
-IMEI
-Phone Operator
-Location
-Langauge
-Phone Model
-Sim Card availability
The following screenshot shows the data being collected.
 |
| Parameters sent to server |
 |
| Parameters sent to server |
On the basis of various parameters and conditions in the server request, the malware starts receiving a list of ads to be displayed, along with the URLs from where to fetch the ad.s
 |
| Response from server containing ad URL |
The malicious app then downloads and installs additional malicious APKs without the user's consent:
 |
| Downloaded Apps by malware |
Apart from the implicit downloads, the malware also displays pop-up ads to the user:
 |
| Pop up Ads |
This malware was not only built with the purpose of displaying ads, it was also designed with more evil intentions.
Sending SMS messages: The main Activity Screen is identical to original app but when the user clicks on "View Battery Use", the malware sends a few requests to its Command & Control server to retrieve short codes. These short codes were premium rate SMS numbers where a message was sent. This will result in financial loss to the affected user.
Requests sent to server can be seen below:
 |
| Device info sent in request |
Though the content was encoded, we did not have to work hard to determine what was sent as the malware developer forgot to remove the logs. The server responds with short codes that are used for sending messages. The following screenshot shows a premium SMS response received from the server.
 |
| Logs showing server response |
Uninstall FAILED:
Apart from displaying ads and sending SMS message, the malware is also very persistent. Being run with administrator privileges, the user cannot delete the app after installation.
 |
| Uninstall not possible |
"Persistence" Effect: While in some of the scenarios we were able to manually delete the app, the malware authors have taken care of ensure persistence. The malware silently installs an app with a package name of
com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted.
This acts as a service and sends requests to hard-coded URLs found in the app.
The screenshot below shows the hard coded URLs.
 |
| Hard-coded URLs |
The service started by this app continually sends requests to aforementioned URLs, some of which will deliver new APKs.
Conclusion:
The Malware we saw in this blog was designed with multiple evil intentions including ClickFraud, AdFraud, Premium rate SMS fraud and the download & installation of additional malicious APKs.
A few traces of command execution were also seen in the app but were not fully implemented. Perhaps the developer is working on an upgraded version of the malware with proper "command-execution" functionality.
The ThreatLabZ team will continue monitoring new mobile malware threats and ensure protection for Zscaler customers.
