Android users are frequently advised to limit app downloads to those from their corporate app store, or from Google’s official Google Play store. Despite this, users are often tempted to visit the more dangerous third-party stores offering exotic apps or apps with copyright protection removed.
Researchers at Zscaler have reported on one of these third-party app stores: Smart Content Store, available via sexy.smartcontentstore[.]com and games.smartcontentstore[.]com, and offering new and updated apps. But Smart Content Store doesn’t deliver standard Android apps — it always delivers an APK for one particular malicious app.
“We started seeing payloads for this strain from mid-February,” Deepen Desai, VP of security research and operations at Zscaler, told SecurityWeek; “and have seen 47 unique payloads all of which have different package names and certificates, but exhibit the same functionality.”
If the APK is installed, the new app doesn’t present an icon or app name, just a blank space on the screen. But if the blank space is tapped, the unknown app’s first activity offers the user a choice between Smart World free content and Sexy World 18+ content. If either option is selected, the app asks for device administrator privileges with the message, “To view all the porn videos you need to update. Click to activate.”
As soon as admin rights are obtained, a separate domain is contacted. No reply is received from this domain, and the researchers suspect that it serves only to notify the attackers that a device has been successfully compromised.
Meanwhile, the app contacts a separate C&C server, sending basic device information: version, current date, country code, carrier and device ID. The server’s reply drives the malware’s next action: if the message starts with "status":"OK", the app acts on the remainder of the response. In the tested example this included a telephone number and a message body (the nonsense phrase ‘estate mexican legal flour’), and the app sent that text as an SMS to the supplied number.
“During this phase of analysis,” say the researchers, “we observed several attempts to send SMS messages to different phone numbers with different text as the message body.” The messages detected so far are meaningless; such as ‘luther exercise queens’, ‘brush accepted role’ and ‘cafe activists our constantly’.
These meaningless messages make it difficult, at this stage, to understand the purpose of the malware. However, among the high-level permissions requested (some of which the researchers are still analyzing) is access to the victim’s contact list. Combining known contacts with attacker-supplied text messages would make phishing, or simply spreading the malware further, relatively easy.
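The traits described above (a launcher entry with a blank label, a device-admin request, SMS sending and contact access) are all visible in an APK’s manifest before the app ever runs, which makes them a cheap static triage signal. The following is an added example, not code from Zscaler or from the article, that scores a decoded AndroidManifest.xml on exactly those traits. The two manifests embedded in it are constructed for illustration and do not reproduce any of the 47 real samples; the package names, class names and helper names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Return the namespace-qualified form of an android:* attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest (hypothetical, not from a real sample). It combines
# the traits the article reports: SEND_SMS, READ_CONTACTS, a device-admin
# receiver, and a launcher activity whose label is an empty string.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="">
    <activity android:name=".MainActivity" android:label="">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: a named launcher, no SMS, no
# contacts, no device admin.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Return a dict of boolean findings for the traits discussed in the article."""
    root = ET.fromstring(xml_text)
    perms = {p.get(_a("name")) for p in root.iter("uses-permission")}
    findings = {
        "sends_sms": "android.permission.SEND_SMS" in perms,
        "reads_contacts": "android.permission.READ_CONTACTS" in perms,
        "device_admin": False,
        "blank_launcher_label": False,
    }
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens for
    # DEVICE_ADMIN_ENABLED; either marker is enough to flag it.
    for recv in root.iter("receiver"):
        actions = {a.get(_a("name")) for a in recv.iter("action")}
        if (recv.get(_a("permission")) == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            findings["device_admin"] = True
    # A launcher activity with an empty literal label shows up as a blank entry.
    # Labels given as @string/... resources cannot be resolved from the manifest
    # alone, so only a literal empty string is treated as blank here.
    app = root.find("application")
    app_label = app.get(_a("label")) if app is not None else None
    for act in root.iter("activity"):
        actions = {a.get(_a("name")) for a in act.iter("action")}
        cats = {c.get(_a("name")) for c in act.iter("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            label = act.get(_a("label"), app_label)
            if label is not None and label.strip() == "":
                findings["blank_launcher_label"] = True
    return findings


def suspicion_score(findings):
    """Number of flagged traits; 3 or more warrants a manual look."""
    return sum(1 for v in findings.values() if v)


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = analyze_manifest(text)
        print(name, suspicion_score(f), f)
```

To use it against a real APK, first decode the binary manifest (for example with apktool or androguard) and pass the resulting XML text to `analyze_manifest`. The score is a triage aid, not a verdict: legitimate SMS and MDM apps request the same permissions, so a high score means "open it in a sandbox", not "malicious".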
Zscaler is uncertain of the overall intent of this new strain of malware, and thinks it may still be under development. The most obvious possibility is simply to send SMS spam — at other people’s cost — with messages containing links to advertisements or other malware.
However, Desai told SecurityWeek, “There were misspelled strings related to election and vote in the package (bote.vote.democracy.mesa.eleccion), so the other potential use here could be to spam politically motivated messages using victim’s phone incurring huge financial loss to the victim.”
While we do not yet understand the ultimate purpose of this new malware, it is clear that the attackers have gone to some trouble to set up a delivery methodology that could be used directly by themselves or hired out as a service to spammers or other criminals to deliver different malware. Zscaler hasn’t seen this malware before, but if the delivery methodology proves successful, it is an approach that could easily be adopted by other criminals with other malware.
It reinforces the need for Android users to be very careful about downloading apps from unknown third-party app stores.
San Jose, California-based Zscaler raised $100 million dollars in a Series B funding round in August 2015 and had an initial public offering (IPO) in March 2018. In August 2018 it announced the acquisition of TrustPath, an artificial intelligence algorithm developer. The purpose was to enhance Zscaler’s ability to extract intelligence from the 50 billion transactions processed daily on its cloud platform.