Android clicker subscribes users to paid services

Doctor Web has detected a clicker Trojan in the official Android application catalog that can automatically subscribe users to paid services. Virus analysts have identified several modifications of this malware, named Android.Click.322.origin, Android.Click.323.origin and Android.Click.324.origin. To hide its true purpose and reduce the likelihood of detection, the attackers used several tricks.

First, they built the clickers into harmless applications - cameras and image collections - that actually performed the advertised functions. As a result, neither users nor information security professionals had an obvious reason to view them as a threat.

Second, all the malicious programs were protected by the Jiagu commercial packer, which hampers both antivirus detection and code analysis. The Trojan therefore had a better chance of slipping past the built-in protection of the Google Play catalog.

Third, the virus writers tried to disguise the Trojan as well-known advertising and analytics libraries. Once added to a carrier application, the clicker was embedded inside the Facebook and Adjust SDKs already present in it, hiding among their components.

In addition, the clicker attacked users selectively: it performed no malicious actions if the potential victim was not a resident of one of the countries of interest to the attackers.

Examples of applications with the Trojan embedded in them are shown as screenshots in the original report.

After installation and launch, the clicker (the Android.Click.322.origin modification is used as the example below) attempts to gain access to operating system notifications by displaying a permission prompt (screenshots in the original report).

If the user agrees to grant it the requested permission, the Trojan is able to hide all incoming SMS notifications and intercept text messages.

Next, the clicker sends technical data about the infected device to the control server and checks the serial number of the victim's SIM card. If it corresponds to one of the target countries, Android.Click.322.origin sends information about the phone number associated with it to the server. For users from certain countries the clicker also displays a phishing window that prompts them to enter their number themselves or to log in to a Google account (screenshot in the original report).

If the victim's SIM card does not belong to a country of interest to the attackers, the Trojan takes no action and stops its malicious activity. The analyzed clicker modifications target residents of the following countries:

  • Austria
  • Italy
  • France
  • Thailand
  • Malaysia
  • Germany
  • Qatar
  • Poland
  • Greece
  • Ireland

After sending the phone number information, Android.Click.322.origin waits for a command from the control server. The server sends the Trojan tasks containing website addresses to load and JavaScript code. This code controls the clicker through the JavascriptInterface bridge, displays pop-up messages on the device, performs clicks on web pages, and carries out other actions.

Having received a site address, Android.Click.322.origin opens it in an invisible WebView, into which the previously received JavaScript with the click parameters is also loaded. Once a site offering a premium service has opened, the Trojan automatically clicks the required links and buttons. It then obtains the verification codes from SMS and confirms the subscription on its own.

Although the clicker has no capability to work with SMS or access messages directly, it bypasses this limitation as follows. The Trojan's notification listener service monitors notifications from the application set as the default SMS handler. When a message arrives, the service hides the corresponding system notification, extracts the SMS contents from it, and passes them to the Trojan's broadcast receiver. As a result, the user sees no notification about the incoming SMS and is unaware of what is happening. They learn of the subscription only when money starts disappearing from their account, or when they open the messaging app and see SMS related to the premium service.
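The capability combination described in the last few paragraphs (a notification listener that cancels notifications in an app that never requested SMS permissions, a WebView with JavaScript enabled and a Java bridge exposed to page scripts, SIM-based country checks, and a Jiagu-packed build) is what a reviewer would look for when triaging a decoded APK. The script below is an added illustration of that triage, not Doctor Web's tooling or any code from the Trojan. It assumes an apktool-style decode (manifest as plain XML, code as smali text plus a listing of bundled native libraries); the package and class names in the embedded samples are constructed, and the `libjiagu` library name used as the packer indicator is an assumption.

```python
"""Static triage heuristics for the capability combination in the report above.

Added illustration, not Doctor Web's tooling.  Assumes an apktool-style decode:
AndroidManifest.xml as plain XML and code as smali text (plus a native-library
listing).  Both inputs below are constructed samples so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOTIFICATION_LISTENER_PERMISSION = (
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
)
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# The API names are real Android identifiers; grouping them into named
# capabilities is this example's own heuristic.
CODE_PATTERNS = {
    "notification_cancel": r"cancelNotification|cancelAllNotifications",
    "js_bridge": r"addJavascriptInterface",
    "webview_js": r"setJavaScriptEnabled",
    "sim_identity": r"getSimSerialNumber|getSimCountryIso|getSimOperator",
    "packer_jiagu": r"(?i)libjiagu",  # assumed name of the Jiagu native stub
}


def manifest_facts(manifest_xml):
    """Collect requested permissions and notification-listener services."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    listeners = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER_PERMISSION
    ]
    return {"permissions": permissions, "listener_services": listeners}


def code_facts(code_text):
    """Return the set of capability names whose API patterns appear in the code."""
    return {name for name, pat in CODE_PATTERNS.items() if re.search(pat, code_text)}


def triage(manifest_xml, code_text):
    """Combine manifest and code facts into the findings the report describes."""
    m = manifest_facts(manifest_xml)
    c = code_facts(code_text)
    findings = []
    # A notification listener that cancels notifications, in an app that never
    # asked for SMS permissions, matches the SMS-interception trick above.
    if (m["listener_services"] and "notification_cancel" in c
            and not (m["permissions"] & SMS_PERMISSIONS)):
        findings.append("sms_via_notification_listener")
    # JavaScript enabled plus a Java object exposed to page scripts.
    if {"js_bridge", "webview_js"} <= c:
        findings.append("webview_js_bridge")
    if "sim_identity" in c:
        findings.append("sim_country_gating")
    if "packer_jiagu" in c:
        findings.append("packed_jiagu")
    return findings


# Constructed sample: a "camera" app with no SMS permissions but a listener.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name="com.example.camera.NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed smali fragments plus one native-library path from the decode.
SAMPLE_CODE = """.class public Lcom/example/camera/NotifService;
.super Landroid/service/notification/NotificationListenerService;
invoke-virtual {p0, p1}, Lcom/example/camera/NotifService;->cancelNotification(Ljava/lang/String;)V
invoke-virtual {v0, v1, v2}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
invoke-virtual {v3, v4}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
invoke-virtual {v5}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
lib/armeabi-v7a/libjiagu.so"""

# Constructed benign sample: a messaging app that asks for SMS access openly.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application/>
</manifest>"""
BENIGN_CODE = "invoke-virtual {v3, v4}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"

if __name__ == "__main__":
    print("sample:", triage(SAMPLE_MANIFEST, SAMPLE_CODE))
    print("benign:", triage(BENIGN_MANIFEST, BENIGN_CODE))
```

The first finding is the one that matters most for this family: a notification listener alone is legitimate (many assistant and wearable apps declare one), and a WebView bridge alone is common, so the script only raises the SMS-interception finding when the listener cancels notifications and the manifest requests no SMS permission at all, which is exactly the mismatch the report describes.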

After Doctor Web specialists contacted Google, the detected malicious applications were removed from Google Play. All known modifications of this clicker are successfully detected and removed by Dr.Web anti-virus products for Android and therefore pose no threat to our users.

Learn more about Android.Click.322.origin

Source: habr.com
