From third-party Android store to SMS Trojan
Instead of downloading and installing apps from the official Android app store, users often turn to third-party stores. The reasons vary, from wanting a particular app that isn't available on the official store to seeking cracked apps, that is, versions of official Android apps that have been modified to disable certain features, such as copyright protections. Recently, the ThreatLabZ research team came across one of these third-party app stores that appeared to be hosting Android games. The store, called "Smart Content Store," presents itself as an Android app store and uses domain names such as sexy.smartcontentstore[.]com and games.smartcontentstore[.]com.
|Fig 1: Third-party app store homepage|
At first glance, the site appears to be an app store hosting Android games, but we were unable to download any apps from it. Clicking the Install option on any of the games, as seen in the screenshot above, simply leads back to the same page.
Upon further examination, we found many direct links to APKs being downloaded from these domains. The image below shows the direct downloads of these APKs.
|Fig 2: Zscaler dashboard|
These apps have different package names and signing certificates, but every app exhibits the same functionality. We have provided an analysis of one of the apps below. (A complete list of apps can be found in the IOC section at the end of the blog.)
APK Name: smartworld_-_WIN_-_500929091890143_-_.apk
Package name: vaya.bailecito.epore.saturda
Size: 2100203 bytes
As soon as the app is installed, it appears as a blank space in the app drawer: as shown in the screenshot below, both the app icon and the app name are missing. Tapping the blank space (the invisible icon) launches the app's first activity, which offers two options: Smart World and Sexy World.
|Fig 3: Invisible app icon and the first activity|
During the initial phase, the app sends several requests to hxxp://play4funclub[.]com/public/notification/is-active, but during our analysis we only received a 301 Moved Permanently in response. These requests can be seen in the screenshot below.
|Fig 4: Initial requests|
Upon clicking either of the two options shown above, Smart World or Sexy World, the app asks for device administrator privileges, stating "To view all the porn videos you need to update. Click to activate." This message can be seen in the screenshot below (left image).
|Fig 5: Admin privileges|
As soon as the victim grants admin rights, a request is sent to another domain. Nothing observable happened as a result of this request, so we believe it simply informs the attacker whether or not the victim has activated admin rights.
|Fig 6: Request upon enabling admin rights|
After a certain amount of time passes, the app starts sending requests to hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php with details about the victim's device and location. It sends the following information in its POST request:
- Android version
- Installation date
- Date (date of the request)
- Country code
- Device ID
The screenshot below shows the request and response taking place between the compromised device and attacker:
|Fig 7: Request and response related to the SMS message|
The app acts according to the response received from the attacker's domain. If the response contains "status":"OK", the app extracts the details it needs from the response; in our case, these were a phone number and a message body. It then sends an SMS message with that body to that number. This functionality is visible in the screenshot below: the attacker's response is parsed into paramJSONObject, and the number and body taken from it are passed to sendTextMessage, the Android SmsManager call that actually sends the SMS message.
|Fig 8: Sending SMS functionality|
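The control flow described above, re-implemented in Python so it can be exercised on a workstation. This is an added example, not code from the Trojan or from ThreatLabZ: the post only shows which categories of data are POSTed and that a successful reply carries "status":"OK" plus a number and body, so the JSON key names (android_version, number, message, and so on) are assumptions. The sample responses are constructed, using a number and body from the SMS messages the post lists.

```python
"""Emulation of the SMS Trojan's C2 exchange, for analysis only.

Added example, not the malware's own code. Key names in the request and
response are assumed; only the categories of data and the "status":"OK"
check come from the post.
"""
import json
from datetime import date

# URL from the post, kept defanged; nothing here talks to the network.
C2_URL = "hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php"


def build_request(android_version, install_date, country_code, device_id, today=None):
    """Build the POST body with the five fields the post lists (key names assumed)."""
    today = today or date.today().isoformat()
    return {
        "android_version": android_version,
        "install_date": install_date,
        "date": today,
        "country_code": country_code,
        "device_id": device_id,
    }


def parse_sms_task(response_text):
    """Return (number, body) if the server replies with status OK, else None.

    Mirrors the decision in the decompiled code: nothing is sent unless the
    reply parses as a JSON object and carries "status":"OK". Both the
    destination number and the text come from the reply, never from the device,
    so the operator can change targets and content without updating the app.
    """
    try:
        obj = json.loads(response_text)
    except (ValueError, TypeError):
        return None          # e.g. an HTML 301 page instead of JSON
    if not isinstance(obj, dict) or obj.get("status") != "OK":
        return None
    number, body = obj.get("number"), obj.get("message")   # key names assumed
    if not number or body is None:
        return None
    return str(number), str(body)


class RecordingSmsSink:
    """Stand-in for SmsManager.sendTextMessage so the logic runs without a device."""

    def __init__(self):
        self.sent = []

    def send_text_message(self, number, body):
        self.sent.append((number, body))


def run_cycle(sink, response_text):
    """One poll of the C2: send an SMS only if the reply carries a task."""
    task = parse_sms_task(response_text)
    if task is None:
        return False
    sink.send_text_message(*task)
    return True


# Constructed responses modelled on Fig 7 (not captured traffic).
RESPONSE_OK = '{"status":"OK","number":"6768482371","message":"message:france athletes employed"}'
RESPONSE_IDLE = '{"status":"WAIT"}'
RESPONSE_REDIRECT = '<html><body>301 Moved Permanently</body></html>'

if __name__ == "__main__":
    sink = RecordingSmsSink()
    print(build_request("7.0", "2018-03-01", "IN", "deadbeef"))
    for reply in (RESPONSE_OK, RESPONSE_IDLE, RESPONSE_REDIRECT):
        print(run_cycle(sink, reply))
    print(sink.sent)
```

The point of the emulation is the one that matters in triage: with an idle reply or a non-JSON reply (such as the 301 we saw from the first domain) the app does nothing visible, which is why a short sandbox run can look benign. Only a reply carrying "status":"OK" produces an SMS, and its destination and text are entirely attacker-controlled.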
During this phase of the analysis, we observed several attempts to send SMS messages to different phone numbers with different text as the message body. Because the destination number is chosen by the attacker, this can result in high costs to the victim, for example through messages to premium-rate numbers.
Some examples of the SMS messages can be seen in the table below:

| Phone # | Message body |
| --- | --- |
| 6768482371 | message:france athletes employed |
| 6857215675 | message:experience iran yarn combines field |
| 6768482371 | message:luther exercise queens |
| 2347003300131 | message:hungary contributing task bird |
| 6857215675 | message:boolean wisconsin criticism verification republic |
| 2347003300131 | message:exchange audience nc medicaid |
| 2347003300131 | message:ut controlled salt customized consider |
| 6768482371 | message:legislative wayne brand hungarian |
| 6768482371 | message:consulting gui contrary eclipse |
| 79697530171 | message:boards tits difficulties |
| 6768482371 | message:royalty relay mv |
| 6768482371 | message:boards sie gabriel computer |
| 6768482371 | message:mods html chronic |
| 6768482371 | message:integer coleman monsters |
| 6745596671 | message:capabilities labels addiction |
| 6768482371 | message:checking upskirt football possibilities |
| 6745596671 | message:academics actively matrix ga |
| 2347003300131 | message:incidence quality mrs estimated default |
| 6745590060 | message:estate mexican legal flour |
| 6768482371 | message:cleared connectivity divx |
| 2347003300131 | message:cafe activists our constantly |
| 6745596671 | message:brush accepted role |
| 6745596671 | message:plain weed senators reform framing |
| 6745596671 | message:represents fig answers signup |
| 6745596671 | message:animation failure lucas browser poetry |
| 2347003300131 | message:biodiversity present solving herbal regulations |
| 6857215675 | message:shakira wanna movie freight |
| 6768482371 | message:shipping uzbekistan senators optimize basically |
| 6857215675 | message:folks tamil cooper |
| 6857215675 | message:picking maine shapes men wives |
This app also has permission to read the victim's contact list, which could be used to spread the app to those contacts. We also found other high-level permissions, and we are analyzing the sample further to determine their functions and potential impact. We will update this report with any interesting findings.
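The capabilities discussed in this post (the device-admin request, SMS sending, and contact access) can all be read from the APK's manifest before the sample is ever run, which is the cheapest first triage step. The following is an added example written for this post, not ThreatLabZ tooling: it parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and reports the permissions, the device-admin receiver, and a blank app label of the kind seen in Fig 3. The embedded manifest is constructed to resemble the sample; only the package name comes from the post, and the component names, resource references, and risk weights are assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-Trojan capabilities.

Added example, not the post's or ThreatLabZ's code. The sample manifest is
constructed; apart from the package name from the post, every name in it is
an assumption. Permission and action strings are the real Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # ElementTree spells namespaced attributes this way

# Permissions relevant to this family, with assumed weights (higher = more direct abuse).
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.INTERNET": 1,
}
# A device-admin receiver must be protected by BIND_DEVICE_ADMIN and listen for this action.
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest modelled on the sample (component names assumed).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="vaya.bailecito.epore.saturda">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="" android:icon="@drawable/empty">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/policies"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Summarise the SMS/contacts/device-admin capabilities declared in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)

    admin_receivers = []
    for rcv in root.iter("receiver"):
        actions = {act.get(A + "name") for act in rcv.iter("action")}
        if DEVICE_ADMIN_ACTION in actions or rcv.get(A + "permission") == DEVICE_ADMIN_PERMISSION:
            admin_receivers.append(rcv.get(A + "name"))

    app = root.find("application")
    # An empty label is how an app shows up as a blank entry in the app drawer.
    blank_label = app is not None and app.get(A + "label", "<unset>") == ""

    score = sum(RISKY_PERMISSIONS[p] for p in risky)
    score += 3 if admin_receivers else 0
    score += 1 if blank_label else 0
    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "device_admin_receivers": admin_receivers,
        "blank_label": blank_label,
        "sms_capable": "android.permission.SEND_SMS" in perms,
        "score": score,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-24s %s" % (key, value))
```

A manifest that combines SEND_SMS with a device-admin receiver and an empty label, as this sample's does, deserves a closer look regardless of what the store page promised. The check is a hint, not a verdict: legitimate messaging and MDM apps declare some of the same items, and a manifest says nothing about where the numbers and message bodies come from, which is what the dynamic analysis above established.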
The Zscaler Cloud Sandbox successfully flagged the sample as malicious based on indicators found in the sample, as shown in the report screenshot below.
|Fig 9: Zscaler Cloud Sandbox|
Zscaler advises Android users to download apps only from official app stores. Using third-party stores may lead to the installation of apps with hidden, malicious intentions, as described in this case. We also advise users to keep the Unknown Sources option turned off at all times on their Android devices; on Android 8.0 and later, the equivalent is the per-app "Install unknown apps" permission, which should be denied to browsers and any other app that does not need it. Keeping this off prevents third-party apps from being installed directly on the device.