Android PHA

Protected: 61 Click Fraud apps uncovered on Meizu, Xiaomi, PPAssistant, Baidu, Huawei, Jinli, Liqu and Sogou app market.

1. Summary

This month, we evaluated apps on GooglePlay. 10,029 apps are collected from China, America, Russia and Turkey regions. Among these apps, we found 22 apps in total are malwares or graywares (termed as PHA by Google), they are:

dfb182f6d277acc54a63a629794e4e2cba42dabc
de50aa590dc5725dd5a7f05c10bd7da60e43fafc
d0b54ea39666fa861419af19504d61268ddb1fb3
53478be46d7a6277f4622d6e6c543a650ed3178d
5079a73d9bfe2aab2a724c07cda046fc996b8f44
211ff7a732ad23874543480a80fef3f896133a4a
0c682a35ab3e19d8b1b15ea55603e94788f6eaf0
5592679ec134e755cb29000656afe5fecf6ffa46
7af5062e3290cdc62fba8efd64b85a1a437bce89
9685c0469755f9e58e7a58ec57f5dafb8428e66e
5e7322607a7d0575d4bee48115aaec4c700a9274
2ea95471a4f490b12afa138ab1ffe228a528d112
283df15e52e26f39241f2abfb438dcf8316ad9c4
e9a2786a318968184fabdc21244dae7ef1058de9
e43c8b292c0e1388d79637eec54ea21dfde802fc
b2423caebbf7fc83b9f10aa960caf1b1e1ba6630
4702c888dfc41fedc27f55e9f5978804d3887dbf
d3eec415c2986ef35a96d6a218ff74eee13d13a9
bd49f1e52fd68eb49bc737236c5f0ec7f0b3a01f
c91e1f8bdc175b438acfea8ea2fcd18bcedaa772
aebd9a6d918c88844066e0aea48ee08a6fca43df
d76224d80a99af9869644093de094b7e34532fc6

dfb182f6d277acc54a63a629794e4e2cba42dabc

de50aa590dc5725dd5a7f05c10bd7da60e43fafc

d0b54ea39666fa861419af19504d61268ddb1fb3

53478be46d7a6277f4622d6e6c543a650ed3178d

5079a73d9bfe2aab2a724c07cda046fc996b8f44

211ff7a732ad23874543480a80fef3f896133a4a

0c682a35ab3e19d8b1b15ea55603e94788f6eaf0

5592679ec134e755cb29000656afe5fecf6ffa46

7af5062e3290cdc62fba8efd64b85a1a437bce89

9685c0469755f9e58e7a58ec57f5dafb8428e66e

5e7322607a7d0575d4bee48115aaec4c700a9274

2ea95471a4f490b12afa138ab1ffe228a528d112

283df15e52e26f39241f2abfb438dcf8316ad9c4

e9a2786a318968184fabdc21244dae7ef1058de9

e43c8b292c0e1388d79637eec54ea21dfde802fc

b2423caebbf7fc83b9f10aa960caf1b1e1ba6630

4702c888dfc41fedc27f55e9f5978804d3887dbf

d3eec415c2986ef35a96d6a218ff74eee13d13a9

bd49f1e52fd68eb49bc737236c5f0ec7f0b3a01f

c91e1f8bdc175b438acfea8ea2fcd18bcedaa772

aebd9a6d918c88844066e0aea48ee08a6fca43df

d76224d80a99af9869644093de094b7e34532fc6

(GooglePlay has removed some of these apps, but all of them can be accessed via Janus)

2. Interesting Findings

1. Most of the PHAs are Adwares.

2. Tricky SMS fraud apps take a variety of techniques to bypass the vetting process of GooglePlay, e.g.,e9a2786a318968184fabdc21244dae7ef1058de9 sends SMS under the control of C&C server, dfb182f6d277acc54a63a629794e4e2cba42dabc sends SMS if it is lunched via AD network.

3. “Your are the winner, but you should pay for the delivery in advance”. The fraudulent story in web is now migrating to app, and 2ea95471a4f490b12afa138ab1ffe228a528d112, which targets the Russia user, is an instance.

4. End-users are enticed to pay, after that, they found they are fooled. 5e7322607a7d0575d4bee48115aaec4c700a9274 is the case.

3. About US

In 2014, Pangu Team (@panguteam) founded PWNZEN InfoTech Co., LTD, a startup company at Shanghai, China, and expanded its research team to the Pangu Lab, with more general research interests from iOS jailbreaking, to IoT security, App security auditing, Android security, etc.

Android PHA (3)

Tricky toll fraud apps with 210k downloads are spreading through GooglePlay.

Janus Team

10th January 2019

No Comments

A few days ago, we found a toll fraud app on GooglePlay. This is a brief description for the toll fraud app.

How the toll fraud app works. The initial spotted app can be accessed via Janus. The app is tricky, that is, if the app is started by luncher, it works normally. But if the app is started via deeplink, the app changes the view and starts the subscription process.

Tips for analyzing include:

If the app is started from luncher, there is no subscription (Upgrade to premium button in the menu).
However, if the app is started via clicking an ad (by assumption), the app works different. We think this is the reason why the app bypassed GooglePlay’s vetting process and is still alive even if users complain about this app.
The app integrate the MobiBox third-party library for subscription (http://mymobibox.mobi/).
The toll fraud app only works in limited country/region (Lebanon/South Africa by observation).
Disclaimer for subscription is controlled by developer.

Find more fraud apps in GooglePlay. We explore Janus by taking the signature of the subscription library, then we find 2 additional toll fraud apps on GooglePlay and 3 apps in Baidu App Market. Summary of these apps:

There are 210k downloads in total of these apps in GooglePlay.
These apps have hosted on GooglePlay for over 1 month.
Views of these apps are almost the same even though published by different developers and adhere different description.

Hash of the toll apps:

128e96e48c707c90eb7a46a735505a26a8c04c91
177fa46fa285522d50817f0937d892482a513bb0
c4f45ff297690069fa6f8075a72045f891f88252
d0b54ea39666fa861419af19504d61268ddb1fb3
de50aa590dc5725dd5a7f05c10bd7da60e43fafc
dfb182f6d277acc54a63a629794e4e2cba42dabc

Advices for GooglePlay:

Respect more end-user than vendor/developer.
Remove these apps immediately.
Invest these apps and the library, API_KEY in string.xml maybe helpful.

Android PHA (3)

Protected: 61 Click Fraud apps uncovered on Meizu, Xiaomi, PPAssistant, Baidu, Huawei, Jinli, Liqu and Sogou app market.

GooglePlay Security (Monthly Recap, Jan. 2019)

1. Summary

2. Interesting Findings

3. About US

Tricky toll fraud apps with 210k downloads are spreading through GooglePlay.