This month, we evaluated apps on GooglePlay. 10,029 apps were collected from the China, America, Russia and Turkey regions. Among these apps, we found 22 in total that are malware or grayware (termed PHA, Potentially Harmful Applications, by Google). They are:
(GooglePlay has removed some of these apps, but all of them can still be accessed via Janus.)
2. Interesting Findings
1. Most of the PHAs are adware.
2. Tricky SMS fraud apps use a variety of techniques to bypass GooglePlay's vetting process, e.g., e9a2786a318968184fabdc21244dae7ef1058de9 sends SMS under the control of a C&C server, and dfb182f6d277acc54a63a629794e4e2cba42dabc sends SMS only if it is launched via an ad network.
3. “You are the winner, but you should pay for the delivery in advance.” This fraudulent story from the web is now migrating to apps, and 2ea95471a4f490b12afa138ab1ffe228a528d112, which targets Russian users, is an instance.
4. End-users are enticed to pay; only afterwards do they find they have been fooled. 5e7322607a7d0575d4bee48115aaec4c700a9274 is such a case.
3. About Us
In 2014, Pangu Team (@panguteam) founded PWNZEN InfoTech Co., LTD, a startup company in Shanghai, China, and expanded its research team into the Pangu Lab, with more general research interests ranging from iOS jailbreaking to IoT security, app security auditing, Android security, etc.
A few days ago, we found a toll fraud app on GooglePlay. This is a brief description of the toll fraud app.
How the toll fraud app works. The initially spotted app can be accessed via Janus. The app is tricky: if it is started from the launcher, it works normally, but if it is started via a deeplink, the app changes its view and starts the subscription process.
Tips for analysis include:
If the app is started from the launcher, there is no subscription process (the Upgrade to premium button in the menu).
However, if the app is started by clicking an ad (our assumption), the app works differently. We think this is why the app bypassed GooglePlay's vetting process and is still alive even though users complain about it.
The app integrates the MobiBox third-party library for subscription (http://mymobibox.mobi/).
The toll fraud app only works in limited countries/regions (Lebanon and South Africa by observation).
The disclaimer for the subscription is controlled by the developer.
Finding more fraud apps in GooglePlay. We searched Janus using the signature of the subscription library and found 2 additional toll fraud apps on GooglePlay and 3 apps in the Baidu App Market. Summary of these apps:
These apps have 210k downloads in total on GooglePlay.
These apps have been hosted on GooglePlay for over 1 month.
The views of these apps are almost the same even though they are published by different developers and carry different descriptions.
Hashes of the toll fraud apps:
Advice for GooglePlay:
Respect end-users more than vendors/developers.
Remove these apps immediately.
Investigate these apps and the library; the API_KEY in string.xml may be helpful.
According to Appthority's report, unsafe usage of Firebase allows unauthorized access to the whole database by simply appending /.json to the server URL.
Following this tip, we searched for potentially vulnerable apps in our Janus using a RULE. 14645 apps were found enclosing this URL, with 3632 unique URLs in total. We then tried these URLs automatically using a script.
Surprisingly, we found that there are still vulnerable projects on Firebase, and gigabytes of data can be retrieved from these databases.
Rather than mitigating the attack case by case, it would be more convenient to fix this issue by refusing the /.json request. Since there are still Firebase projects vulnerable to this flaw, we are curious why Google does not fix this problem from the ground up.
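A self-audit for the misconfiguration described above, added here as an example and not part of the original report or of Janus: it pulls Firebase database URLs out of decompiled app resources (a constructed strings.xml snippet) and checks, without credentials, whether the root of each database answers an anonymous `/.json` read. The `shallow=true` query parameter is a real Firebase REST option that returns only top-level keys, so the check confirms exposure without pulling the data; the regex assumes the classic `*.firebaseio.com` host form.

```python
import json
import re
import urllib.error
import urllib.request

# Assumption: Firebase Realtime Database URLs in app resources use the
# classic *.firebaseio.com host; newer regional hosts are not matched here.
FIREBASE_URL_RE = re.compile(r"https://[a-z0-9-]+\.firebaseio\.com")

# Constructed sample of a decompiled strings.xml; not from any real app.
SAMPLE_STRINGS_XML = """
<string name="firebase_database_url">https://example-app-1234.firebaseio.com</string>
<string name="api_url">https://api.example.com/v1</string>
<string name="legacy_db">https://example-app-1234.firebaseio.com/users</string>
"""


def extract_firebase_urls(text):
    """Return the unique Firebase database base URLs found in decompiled text."""
    return sorted(set(FIREBASE_URL_RE.findall(text)))


def fetch(url):
    """Default HTTP GET returning (status, body). Only used when auditing a
    real project you own; the tests inject a fake fetcher instead."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify_root_read(base_url, fetch_fn=fetch):
    """Probe <base>/.json?shallow=true with no credentials and report whether
    the database root is readable anonymously. Firebase answers a denied
    read with HTTP 401 and {"error": "Permission denied"}."""
    status, body = fetch_fn(base_url + "/.json?shallow=true")
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unexpected"
        # A readable but empty database returns the literal JSON null.
        return "public-read" if data is not None else "public-read-empty"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    return "unexpected"


def audit_text(text, fetch_fn=fetch):
    """Map every Firebase URL found in the text to its anonymous-read status."""
    return {u: classify_root_read(u, fetch_fn) for u in extract_firebase_urls(text)}
```

Run `audit_text` over the decompiled resources of your own app; any URL reported as `public-read` needs its database rules tightened so that reads require authentication.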