22 popular backdoor apps found on Google Play

22 popular backdoor apps found on Google Play The other day, information security specialists from Sophos found There are 22 applications on Google Play with more than 2 million downloads, and each of these applications has been infected with malware. One of these applications is Sparkle Flashlight, which has been downloaded about 1 million times since it appeared in the program catalog.
The backdoor was contained in programs not from the moment applications appeared in the catalog. Approximately from March to June of this year they were updated, with the addition of a “secret” component. Some, however, received a backdoor from the very beginning and were uploaded to the directory along with it.
Google removed all these applications only at the end of November, so they managed to cause a lot of harm to the users who downloaded them. The malware family was relatively new, so malware detection algorithms in the Google directory failed to recognize them in time. This family was named "Andr /Clickr-ad" from Sophos, the specialists of this company were the first to discover malware.
According to the head of the research group, Chen Yu, the representatives of the family are well-designed software, whose potential for harming users is quite large. The applications themselves generate ad-hoc requests for ad networks in a special way, so the creators of the application receive funds from advertising providers for mobile applications. Roughly speaking, we are talking about linking - a method that causes significant losses to advertisers.
As for the harm done to users of infected devices, it is not direct but indirect. The problem is that infected applications are active all the time, which means that the smartphone battery is quickly depleted. In addition, there is a constant data exchange, and for those users whose volume of Internet traffic is limited by the operator, there may be a problem - the Internet will either turn off after the tariff limit has been exhausted, or you have to pay for extra traffic.
Infected mobile applications are controlled by the cybercriminals domain mobbt.com. Applications load specialized modules and execute commands from intruders. Data exchange occurs every 80 seconds. Malware modules force the application to make hundreds of fake ad clicks. Its infected applications make it invisible to the user - the window size is zero pixels in height and zero pixels in width. In fact, the user can not see the work of malicious software, it can only be “detected” by discharging too quickly.
In order to create the impression of clicks on advertisements produced by ordinary users of various devices, the application modifies the user-agent string. Below is a screenshot of the decryption requests for such software.
Below is another screenshot showing the activity of the malware in the Twitter advertising network. This application was launched from a virtual device, but the application itself was disguised as software running on the Samsung Galaxy S7.
After a detailed analysis conducted by Sophos, it turned out that malware sends information about a wide variety of mobile devices to the user-agent. This is the fifth to the eighth iPhone, plus 249 different models of Android gadgets, with Android versions from ??? to 7.x.
The fake user-agent simultaneously performed several tasks. For the iPhone, this is a higher cost per click - some advertisers set a higher price for iPhone users of different models, considering it is likely that their owners are somewhat more solvent than Android users. The second task is to pretend that real users of real gadgets are active.
In order to bring the maximum profit to their owners, the malware was launched in automatic mode every time after rebooting the phone. BOOT_COMPLETED was used for this. In the case of the forced termination of the application, it was launched again - just not immediately, but three minutes later. Software checked on the attackers server for updates every 10 minutes.
Cybersecurity experts believe that the measures taken by Google, are insufficient - after all, the attackers were not one month. It may well be that even in the application directory there are some programs that are infected with malware of the above-mentioned family. As for the applications themselves, discovered by experts, here is their list.
In order to protect against such applications, Sophos recommends carefully reading the description, as well as viewing reviews from other users. True, this does not help in all cases - after all, some applications actually perform their functions, but they are infected with a malicious module that does the dirty work.
+ 0 -

Add comment