Android Trojan Infrastructure Serves Fake Adobe Flash Apps

The recently discovered Red Alert 2 Android Trojan is using an infrastructure that serves fake Adobe Flash Android apps to unsuspecting users, RiskIQ has discovered.

The threat was first detailed last month, when SfyLabs researchers revealed that communication between infected bots and the command and control (C&C) server was performed using Twitter. Written from scratch, Red Alert is capable of stealing login credentials, intercepting SMS messages, and stealing contacts.

Targeting financial institutions and media organizations, the malware uses overlays to steal banking credentials and can also block and log incoming calls from banks, thus preventing intrusion detection.

Now, RiskIQ researchers say they have identified the infrastructure behind the malware. Starting from a single domain (which resolves to the IP address 185.48.56[.]83), they found the email address used to register it ([email protected]) and discovered eight additional domains of interest.

This led the researchers to two malicious apps posing as Adobe Flash Player updates, hosted on two of these sites, namely g-shoock[.]xyz and g-shoock[.]ru.

These malicious apps request permissions to access the network state, get running tasks, connect to the Internet, read the phone state and SMS messages, receive SMS messages, and write SMS messages. They also request the RECEIVE_BOOT_COMPLETED, SYSTEM_ALERT_WINDOW, and WAKE_LOCK permissions.

The two domains, which started resolving around the beginning of June 2017, revealed connections to a larger actor-owned infrastructure. They overlap via passive DNS on the same IP address first associated with Red Alert.
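The pivoting described above (seed domain, its IP, its registrant, then every domain sharing either) can be reproduced over passive-DNS and WHOIS data. The block below is an added example, not RiskIQ's or the article's code: it uses the article's seed IP 185.48.56[.]83 and the two g-shoock domains, while the seed domain, the other domains and the registrant email are constructed placeholders (the article redacts the real address).

```python
# Added example: infrastructure pivoting over passive-DNS and WHOIS records.
# Seed IP and the two g-shoock domains come from the article; every other
# domain and the registrant email below are constructed placeholders.
from collections import deque
# Constructed passive-DNS resolutions: (domain, IP it resolved to)
PDNS = [
    ("seed.invalid",        "185.48.56.83"),
    ("g-shoock.xyz",        "185.48.56.83"),
    ("g-shoock.ru",         "185.48.56.83"),
    ("adobe-flash.invalid", "203.0.113.9"),
    ("benign.invalid",      "198.51.100.7"),
]
# Constructed WHOIS records: domain -> registrant email (placeholder address)
WHOIS = {
    "seed.invalid":        "actor@registrant.invalid",
    "g-shoock.xyz":        "actor@registrant.invalid",
    "g-shoock.ru":         "actor@registrant.invalid",
    "adobe-flash.invalid": "actor@registrant.invalid",
    "benign.invalid":      "other@registrant.invalid",
}

def build_graph(pdns, whois):
    """Undirected graph: domains link to the IPs they resolved to and to their
    registrant email; indicator nodes are tagged tuples, domains are strings."""
    graph = {}
    def link(a, b):
        for x, y in ((a, b), (b, a)):
            if y not in graph.setdefault(x, []):
                graph[x].append(y)
    for domain, ip in pdns:
        link(domain, ("ip", ip))
    for domain, email in whois.items():
        link(domain, ("email", email))
    return graph

def pivot(seed, pdns=PDNS, whois=WHOIS):
    """Breadth-first expansion from one seed domain. Returns {linked_domain:
    indicator that first connected it}; unconnected domains are never reached."""
    graph = build_graph(pdns, whois)
    linked, seen, queue = {}, {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            if isinstance(nxt, str):   # a new domain, reached through `node`
                linked[nxt] = node
            queue.append(nxt)
    return linked
```

Running `pivot("seed.invalid")` links both g-shoock domains through the shared IP and the typosquat placeholder through the shared registrant, while the benign placeholder is never reached.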

The security researchers also discovered that the infrastructure is still active and that the actor has registered additional Adobe Flash typosquatting domains in recent days. These domains, too, are used to serve APK files for download.

“While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious,” the security researchers note.

Last month, SfyLabs revealed that Red Alert would also masquerade as popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates. The researchers also noted that the Trojan was targeting at least 60 banking applications with HTML overlays.

Related: New “Red Alert” Android Banking Trojan Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
