Mobil  2024  2023  2022  2021  2020

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
24.6.22  Mobil  Thehackernews
A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware's functionality to be extended or altered at will. It's not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide "law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years." More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

"Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable," Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It's suspected that the actors worked in collaboration with the targets' internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

"We believe this is the reason why most of the applications masqueraded as mobile carrier applications," the researchers said. "When ISP involvement is not possible, applications are masqueraded as messaging applications."

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

Google
An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

"As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too," Google Project Zero's Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

"This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need," the researchers noted. "Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs."

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it's tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What's more, Google TAG raised concerns that vendors like RCS Lab are "stockpiling zero-day vulnerabilities in secret" and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, "raising the specter that their stockpiles can be released publicly without warning."

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG said.

"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians."

Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside
23.6.22  Mobil  Thehackernews
A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign.

The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity company Check Point said in a report.

"Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary."

SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in what's a denial-of-service (DoS) attack.

The fact that the binary doubles up as SMS Bomber and a backdoor suggests that the attacks are not just aimed at those who are users of the tool — a "rather unorthodox target" — but also highly targeted in nature.

Tropic Trooper, also known by the monikers Earth Centaur, KeyBoy, and Pirate Panda, has a track record of striking targets located in Taiwan, Hong Kong, and the Philippines, primarily focusing on government, healthcare, transportation, and high-tech industries.

Calling the Chinese-speaking collective "notably sophisticated and well-equipped," Trend Micro last year pointed out the group's ability to evolve their TTPs to stay under the radar and rely on a broad range of custom tools to compromise its targets.

The latest attack chain documented by Check Point begins with the tampered SMS Bomber tool, the Nimbda loader, which launches an embedded executable, in this case the legitimate SMS bomber payload, while also also injecting a separate piece of shellcode into a notepad.exe process.

This kicks off a three-tier infection process that entails downloading a next-stage binary from an obfuscated IP address specified in a markdown file ("EULA.md") that's hosted in an attacker-controlled GitHub or Gitee repository.

The retrieved binary is an upgraded version of a trojan named Yahoyah that's designed to collect information about local wireless networks in the victim machine's vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.

Yahoyah, for its part, also acts as a conduit to fetch the final-stage malware, which is downloaded in the form of an image from the C2 server. The steganographically-encoded payload is a backdoor known as TClient and has been deployed by the group in previous campaigns.

"The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind," the researchers concluded.

"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."

Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users
13.6.22  Mobil  Thehackernews
Web3 Wallets for iOS and Android
A technically sophisticated threat actor known as SeaFlower has been targeting Android and iOS users as part of an extensive campaign that mimics official cryptocurrency wallet websites intending to distribute backdoored apps that drain victims' funds.

Said to be first discovered in March 2022, the cluster of activity "hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered," based on the macOS usernames, source code comments in the backdoor code, and its abuse of Alibaba's Content Delivery Network (CDN).

"As of today, the main current objective of SeaFlower is to modify Web3 wallets with backdoor code that ultimately exfiltrates the seed phrase," Confiant's Taha Karim said in a technical deep-dive of the campaign.

Targeted apps include Android and iOS versions of Coinbase Wallet, MetaMask, TokenPocket, and imToken.

SeaFlower's modus operandi involves setting up cloned websites that act as a conduit to download trojanized versions of the wallet apps that are virtually unchanged from their original counterparts except for the addition of new code designed to exfiltrate the seed phrase to a remote domain.

Web3 Wallets for iOS and Android
The malicious activity is also engineered to target iOS users by means of provisioning profiles that enable the apps to be sideloaded onto the devices.

As for how users stumble upon these websites offering fraudulent wallets, the attack leverages SEO poisoning techniques on Chinese search engines like Baidu and Sogou so that searches for terms such as "download MetaMask iOS" are rigged to surface the drive-by download pages on top of the search results page.

If anything, the disclosure once again highlights how threat actors are increasingly setting their sights on popular Web3 platforms in an attempt to plunder sensitive data and deceptively transfer virtual funds.

IT threat evolution in Q1 2022. Mobile statistics
6.6.22  Mobil  Securelist
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures
According to Kaspersky Security Network, in Q1 2022:

6,463,414 mobile malware, adware and riskware attacks were blocked.
The largest share of all detected mobile threats accrued to RiskTool programs — 48.75%.
516,617 malicious installation packages were detected, of which:
53,947 packages were related to mobile banking trojans,
and 1,942 packages were mobile ransomware trojans.
Quarterly highlights
In Q1 2022, the level of activity among cybercriminals remained roughly the same as it was at the end of 2021 when comparing the number of attacks on mobile devices. But in general, the number of attacks is still on a downward trend.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q1 2022 (download)

What makes this quarter interesting is that many different fraudulent apps are distributed via official app stores. It’s not uncommon for apps published in the store to be accompanied by inflated ratings with fake reviews posted on the page for the app which are of course all positive. These types of apps occupy seven out of the twenty places in our malware ranking for Q1.

One of the schemes used by scammers which has been becoming more popular since last year are scam apps for receiving social benefits. The mobile apps redirect to a webpage where users are prompted to enter personal data and shown a large sum of money they’re supposedly entitled to. In order to claim their benefits however, users are told they need to pay a commission to cover the transfer cost or legal assistance. Once the money has been transferred, the app’s objective is considered achieved, and the user receives nothing in return.

Scam apps targeting Russian-speaking users
Scam apps targeting Russian-speaking users
Scam apps targeting Russian-speaking users

Another common scheme deployed by scammers are fraudulent trading apps which grant access to an investment platform for certain gas stocks. The app brings the user to a fake website where you can “raise your investment capital”. Needless to say, all the money invested is sent straight to the cybercriminals.

Other types of fraudulent apps begin charging a hefty weekly subscription fee a few days after the app is installed or even sign the user up for premium SMS subscriptions.

Keto diet app for meal planning which deducts money from the user's bankcard without receiving prior consent

Keto diet app for meal planning which deducts money from the user's bankcard without receiving prior consent

Keto diet app for meal planning which deducts money from the user’s bankcard without receiving prior consent

Other finds which stood out this quarter were various apps for taking out payday loans targeting users in Mexico and India. In our system of classification, these apps belong to a family of potentially unwanted software called RiskTool.AndroidOS.SpyLoan, which request access to user’s text messages, contacts list and photos. If a payment is late, debt collectors can begin calling people from the user’s contacts list or blackmail the user by threatening to disclose their personal information.


We observed a similar case in Brazil, where people were encouraged to install an app to take out payday loans which locks users out of their phones if they miss a payment.

Mobile threat statistics
In Q1 2022, Kaspersky detected 516,617 malicious installation packages, which is 79,448 fewer than the previous quarter and down 935,043 against Q1 2021.

Number of detected malicious installation packages, Q1 2021 — Q1 2022 (download)

Distribution of newly detected mobile malware by type, Q4 2021 and Q1 2022 (download)

Almost half of all threats detected in Q1 2022 were potentially unwanted RiskTool apps (48.75%), which is a reduction of 3.21 p.p. compared to the previous quarter. Most apps detected in this category belonged to the traditionally dominant SMSreg family (61.37%).

Adware apps came second (16.92%), which also saw a decrease of 10.01 p.p. The worst offenders belonged to the Ewind family (28.89%), which were encountered more frequently than any other adware we detected. It’s followed by Adlo (19.84%) and HiddenAd (12.46%) families.

Third place was taken by various trojans whose share increased by 10.32 p.p. to 14.68%. The trojan families that had the greatest impact were Mobtes (44.35%), Piom (32.61%) and Boogr (14.32%).

Top 20 mobile malware programs
Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 20.45
2 Trojan.AndroidOS.Fakemoney.d 10.73
3 Trojan-SMS.AndroidOS.Fakeapp.d 7.82
4 Trojan-SMS.AndroidOS.Fakeapp.c 5.36
5 Trojan-Spy.AndroidOS.Agent.aas 4.93
6 Trojan.AndroidOS.Fakeapp.ed 4.45
7 Trojan.AndroidOS.Fakemoney.g 3.28
8 Trojan-Dropper.AndroidOS.Agent.sl 2.94
9 DangerousObject.AndroidOS.GenericML 2.55
10 Trojan.AndroidOS.Fakeapp.dw 2.40
11 Trojan-Ransom.AndroidOS.Pigetrl.a 2.14
12 Trojan.AndroidOS.Soceng.f 2.14
13 Trojan.AndroidOS.Fakemoney.i 2.13
14 Trojan-Downloader.AndroidOS.Agent.kx 1.63
15 Trojan-SMS.AndroidOS.Agent.ado 1.62
16 Trojan.AndroidOS.Fakeapp.ea 1.55
17 Trojan-Downloader.AndroidOS.Necro.d 1.47
18 Trojan-Dropper.AndroidOS.Hqwar.gen 1.36
19 Trojan.AndroidOS.GriftHorse.l 1.26
20 SMS-Flooder.AndroidOS.Dabom.c 1.19
* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The malware rating for Q1 2022 featured many new arrivals, which we discussed in the quarterly-highlights section. But let’s go back to the top of the ranking. First place was defended by the traditional title-holder DangerousObject.Multi.Generic (20.45%), which is a verdict we use to describe malware detected using cloud technology. The trojan identified as Trojan.AndroidOS.Fakemoney.d (10.73%) moved up from third to second place. Other members of this family have also occupied seventh and thirteenth place in the rating. These are fraudulent apps that invite users to fill out a fake application for social benefits. The majority of users targeted in these attacks live in Russia, Kazakhstan and Ukraine.

The trojans in third and fourth place (7.82% and 5.36%) are members of the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is able to send text messages and call specified numbers, display ads and hide its icon on the device. Fifth place is taken by a trojan referred to as Trojan-Spy.AndroidOS.Agent.aas (4.93%), which is a modification of the popular WhatsApp Messenger containing a spy tool.

Trojan.AndroidOS.Fakeapp.ed (4.45%) took sixth place. This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.

Eighth place is occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.94%), a dropper that installs and runs banking trojans on devices. The majority of users attacked by it were located in Russia, Germany and Turkey.

Ninth place was taken by the verdict DangerousObject.AndroidOS.GenericML (2.55%). These verdicts are assigned to files recognized as malicious by our machine-learning systems. The verdict in tenth place is Trojan.AndroidOS.Fakeapp.dw (2.40%), which is used to describe various scam apps, such as apps claiming to offer an additional source of income.

The trojan in eleventh place is Trojan-Ransom.AndroidOS.Pigetrl.a (2.14%), which locks the device’s screen and asks for a code to unlock it. The trojan doesn’t provide any instructions on how to obtain this code, and the code itself is embedded in the body of the malware.

The trojan which came twelfth was Trojan.AndroidOS.Soceng.f (2.14%), which sends text messages to people in your contacts list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window. The trojan in fourteenth place is Trojan-Downloader.AndroidOS.Agent.kx (1.63%), which downloads adware.

A trojan known as Trojan-SMS.AndroidOS.Agent.ado (1.62%), which sends text messages to short premium-rate numbers is in fifteenth place. The next row down is occupied by Trojan.AndroidOS.Fakeapp.ea (1.55%), another fraudulent trading app for investing in gas.

The trojan in seventeenth place is Trojan-Downloader.AndroidOS.Necro.d (1.47%), which is used to download and run other forms of malware on an infected device. It is followed by Trojan-Dropper.AndroidOS.Hqwar.gen (1.36%), which is used to unpack and run various banking trojans on a device.

The trojan in nineteenth place is Trojan.AndroidOS.GriftHorse.l (1.26%) — another fraudulent app mentioned in the quarterly-highlight section. It subscribes users to premium text-messaging services. The next line is occupied by SMS-Flooder.AndroidOS.Dabom.c (1.19%), which has the main aim of bombarding people with spam text messages.

Geography of mobile threats

Map of attempts to infect mobiles with malware, Q1 2022 (download)

TOP 10 countries by share of users attacked by mobile malware

Countries* %**
1 Iran 35.25
2 China 26.85
3 Yemen 21.23
4 Oman 19.01
5 Saudi Arabia 15.81
6 Algeria 13.89
7 Argentina 13.59
8 Brazil 10.80
9 Ecuador 10.64
10 Morocco 10.56
* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) are excluded from the ranking.
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

In the rating for Q1 2022, Iran (35.25%) is still the country with the most infected devices. The most frequently encountered threat in this country was annoying adware from the Notifyer and Fyben families. China came second (26.85%), where the most frequently encountered threats were Trojan.AndroidOS.Boogr.gsh and Trojan.AndroidOS.Najin.a. Third place was taken by Yemen (21.23%), where the most widespread mobile threat was Trojan-Spy.AndroidOS.Agent.aas spyware.

Mobile banking trojans
The number of installation packages for mobile banking trojans, which dipped in the first three quarters of 2021, continued to grow: we detected 53,947 of these packages in the reporting period, which is 15,594 up on Q4 2021 and a year-on-year increase of 28,633 against Q1 2021. The increase in the number of packages is largely due to the Trojan-Banker.AndroidOS.Bray family — its share accounted for 80.89% of all mobile banking trojans detected. The second most frequently detected package was Trojan-Banker.AndroidOS.Fakecalls (8.75%), followed by Trojan-Banker.AndroidOS.Cebruser (2.52%) in third place.

Number of installation packages for mobile banking trojans detected by Kaspersky, Q1 2021 — Q1 2022 (download)

TOP 10 most common mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Bian.h 18.68
2 Trojan-Banker.AndroidOS.Anubis.t 12.52
3 Trojan-Banker.AndroidOS.Svpeng.q 8.63
4 Trojan-Banker.AndroidOS.Agent.ep 8.24
5 Trojan-Banker.AndroidOS.Asacub.ce 4.98
6 Trojan-Banker.AndroidOS.Agent.eq 4.56
7 Trojan-Banker.AndroidOS.Sova.g 2.75
8 Trojan-Banker.AndroidOS.Gustuff.d 2.62
9 Trojan-Banker.AndroidOS.Agent.cf 2.39
10 Trojan-Banker.AndroidOS.Hqwar.t 2.32
* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q1 2022 (download)

TOP 10 countries by shares of users attacked by mobile banking trojans

Countries* %**
1 Spain 1.80
2 Turkey 1.07
3 Australia 0.54
4 China 0.35
5 Italy 0.17
6 Japan 0.15
7 Colombia 0.13
8 Yemen 0.09
9 South Korea 0.08
10 Malaysia 0.07
* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking trojans as a percentage of all Kaspersky mobile security solution users in the country.

Spain (1.80%) was where the most unique users were attacked by mobile financial threats in Q1 2022. The trojan behind almost three quarters of attacks (74,58%) in this country was the TOP 10 leader Trojan-Banker.AndroidOS.Bian.h. Turkey (1.07%) came second, where Trojan-Banker.AndroidOS.Bian.h (42.69%) was also encountered more frequently than any other threat. Australia (0.54%) took third place, where one trojan was more active than all the rest: Trojan-Banker.AndroidOS.Gustuff.d (95.14%).

Mobile ransomware trojans
In Q1 2022, we detected 1,942 installation packages for mobile ransomware trojans, which is 2,371 fewer than the figure recorded in the previous quarter and a year-on-year decrease of 1,654 against Q1 2021.

Number of installation packages for mobile ransomware trojans detected by Kaspersky, Q1 2021 and Q1 2022 (download)

TOP 10 most common mobile ransomware

Verdict %*
1 Trojan-Ransom.AndroidOS.Pigetrl.a 78.77
2 Trojan-Ransom.AndroidOS.Rkor.br 5.68
3 Trojan-Ransom.AndroidOS.Rkor.bs 1.99
4 Trojan-Ransom.AndroidOS.Small.as 1.89
5 Trojan-Ransom.AndroidOS.Rkor.bi 1.59
6 Trojan-Ransom.AndroidOS.Rkor.bt 1.58
7 Trojan-Ransom.AndroidOS.Rkor.bp 1.41
8 Trojan-Ransom.AndroidOS.Rkor.bh 0.93
9 Trojan-Ransom.AndroidOS.Rkor.bn 0.88
10 Trojan-Ransom.AndroidOS.Rkor.bl 0.76
* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware trojans.

The top ransomware trojan held onto its title in the ranking for Q1 2022: Trojan-Ransom.AndroidOS.Pigetrl.a (78.77%). It’s worth noting that 94% of all attacks involving this trojan targeted Russia. The next runners-up trailing far behind the leader are two members of the Trojan-Ransom.AndroidOS.Rkor family: Rkor.br (5.68%) and Rkor.bs (1.99%).

Geography of mobile ransomware trojans, Q1 2022 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans

Countries* %**
1 Yemen 0.43
2 Kazakhstan 0.34
3 China 0.28
4 Kyrgyzstan 0.08
5 Moldova 0.03
6 Saudi Arabia 0.02
7 Russian Federation 0.02
8 Egypt 0.02
9 Ukraine 0.02
10 Lithuania 0.02
* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky mobile security solution users in the country.

Yemen (0.43%) tops the list of countries where the greatest number of users were attacked by mobile ransomware trojans. It’s followed by Kazakhstan (0.34%) with China (0.28%) rounding out the top three. The trojan which users in Yemen encountered most frequently was Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and China encountered members of the Trojan-Ransom.AndroidOS.Rkor family.

Mobile subscription Trojans and their little tricks
5.6.22  Mobil  Securelist
Billing fraud is one of the most common sources of income for cybercriminals. There are currently a number of known mobile Trojans specializing in secretly subscribing users to paid services. They usually pay for legitimate services in a user’s name and scammers take a cut from the money billed. These types of subscription fees tend to be fleeced from the phone balance.

A user who is genuinely interested in subscribing to a service normally needs to visit the content provider’s website and click “subscribe.” As Trojan apps are capable of simulating a click on this icon, service providers sometimes require a confirmation code sent in a text message to complete subscription. In other cases, marketplaces try to make it harder to automate subscription by using a CAPTCHA, while others analyze traffic and block subscription scams using anti-fraud solutions. Yet there are some types of malware which can bypass at least some of these protections.

Jocker: Text message thief in Google Play
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name. The trojanized apps fulfill their original purposes in most cases, and the user won’t suspect they are a source of threats.

To bypass vetting on Google Play, the Trojan monitors whether it’s gone live. The malicious payload will remain dormant while the app is stalled at the vetting stage.

Checking availability on Google Play

Checking availability on Google Play

While trojanized apps are removed from the store on a daily basis, it’s constantly flooded by new ones to take their place. The screenshots below show examples of apps for messaging, monitoring blood pressure, and document scanning using your phone’s camera, all of which were still available on Google Play at the end of February.

From left to right: messaging app, blood pressure app, and document scanning app

From left to right: messaging app (d3d8dbb9a4dffc1e7007b771e09b5b38), blood pressure app (ab168c7fbfa2f436d7deb90eb5649273), and document scanning app (77a6c1c2f782c699d1e73a940f36a527)

Jocker functions
Once the infected app is installed on your device, it requests access to text messages if its legitimate functionality requires it — for example, if it poses itself as a messaging app. Otherwise, it requests access to notifications. Pop-up notifications about messages received also contain the text of these messages, so access to notifications allows the malware to intercept the confirmation codes to complete subscription.

Once launched, the malware downloads and launches a new file which inherits permissions from the infected app. The earliest versions of the Trojan downloaded the subscription app straight away. But presently Jocker is a staged downloader.

Downloading of Jocker's stage 1 payload. The scammers call their software SDK

Downloading of Jocker’s stage 1 payload. The scammers call their software SDK

Launch of the first stage

Launch of the first stage

The scammers avoid detection by using different options for the initial payload download and launch. The entire process can involve a staged download of four files to deliver the final payload to the infected device, where only the last file is responsible for the main aim of subscribing the user.

Launch of stage 2 payload (SDK)

Launch of stage 2 payload (SDK)

Launch of the main payload (SDK) for subscription

Launch of the main payload (SDK) for subscription

 

The main payload basically follows a standard scheme: it receives a URL of the subscription page from the C&C server and opens it in an invisible window. Once the page is loaded, the Trojan injects it with scripts which request a subscription and confirm it using an intercepted code from the text message.

Code of Jocker's main payload

Code of Jocker's main payload

 

Main “SDK” also has code for bypassing anti-fraud systems. For example, the malware can modify the X-Requested-With header in an HTTP request, which can be used to identify the particular app requesting a subscription. Jocker can also block or substitute anti-fraud scripts.

Substitution of anti-fraud script

Substitution of anti-fraud script

Geography of Jocker attacks
From January 2021 to March 2022, Jocker most frequently attacked users in Saudi Arabia (21.20%). Poland came second (8.98%) with Germany in third place (6.01%).

Geographical distribution of Kaspersky users attacked by the Jocker family, January 2021 — March 2022 (download)

The other countries in the TOP 10 where most users encountering Jocker were located were Malaysia (5.71%), the United Arab Emirates (5.50%), Switzerland (5.10%), South Africa (4.12%), Austria (3.96%), Russia (3.53%), and China (2.91%).

MobOk skirts CAPTCHA
Another subscription Trojan identified as Trojan.AndroidOS.MobOk was also first detected in an infected app on Google Play. However, this malware is now mainly spread as the payload of another Trojan called Triada, which is present in preinstalled apps (usually system apps) on certain smartphone models. It’s also built into popular apps, such as the APKPure app store and a widely used modification of WhatsApp Messenger.

Trojan.AndroidOS.MobOk works on a principle similar to the malware described in the previous section. A subscription page is opened in an invisible window and a confirmation code stolen from a text message is stealthily entered there. If the malware is downloaded by Triada, it inherits Triada’s access to text messages, but if MobOk is spread by itself, it will request access to notifications, similarly to Jocker.

MobOk differs from Jocker in its additional capability of bypassing CAPTCHA. The Trojan deciphers the code shown on the image by sending it to a special service.

Sending an image to a recognition service and receiving the recognized code

Sending an image to a recognition service and receiving the recognized code

Geography of MobOk attacks
The country where users encountered MobOk Trojans most frequently from January 2021 to March 2022 was Russia (31.01%). Second place is occupied by India (11.17%), closely followed by Indonesia (11.02%).

Geographical distribution of users attacked by MobOk family, January 2021 — March 2022 (download)

Fourth and fifth place were taken by Ukraine (8.31%) and Algeria (5.28%). The other countries in the TOP 10 where the Trojan was most active were Mexico (2.62%), Brazil (1.98%), Germany (1.63%), Turkey (1.43%), and Malaysia (1.27%).

Vesub — beware of fake apps
A malware called Trojan.AndroidOS.Vesub is spread through unofficial sources and imitates popular games and apps like GameBeyond, Tubemate, Minecraft, GTA5 and Vidmate.

Examples of fake apps

Examples of fake apps

Most of the apps completely lack any legitimate functionality. They begin subscribing straight after they’re launched, while the user sees a loading window. However, there are some examples such as a fake GameBeyond app where the detected malware was accompanied by a random set of working games.

The subscription process used by Vesub is similar to the previous examples: the malware opens an invisible window, requests a subscription, and enters a code received in a text message.

Geography of Vesub attacks
Two out of every five users who encountered Vesub were in Egypt (40.27%). The family was also active in Thailand (25.88%) and Malaysia (15.85%).

Geographical distribution of users attacked by the Vesub family, January 2021 — March 2022 (download)

GriftHorse.l: read the small text
All of the apps described above subscribe users to legitimate third-party services, even if the user doesn’t need them. However, there are other forms of malware which subscribe users to the app authors’ own “service.”

You can end up subscribing to one of these services by simply not reading the user agreement carefully enough. For example, apps which have recently been spread intensively on Google Play offer to tailor personal weight-loss plans for a token fee.


Once launched, the app asks you to fill out a questionnaire.


A page then opens to inform the user that a personal plan is being generated.


Then all you need to do is pay for the service and receive your weight-loss plan, which the scammers promise to send to your email address.


If you scroll down to the bottom of the page, you’ll see that the “service” charges a subscription fee with automatic billing. This means money will be deducted from the user’s bank account on a regular basis, needing no repeat confirmation from the user.


The fact that the app subscribes users to automatic billing is confirmed in the reviews section on Google Play. Moreover, many users complain they were unable to cancel the subscription directly through the actual app, while others mention they never received a weight-loss plan after paying the subscription fee.


Kaspersky solutions detect these apps as Trojan.AndroidOS.GriftHorse.l. Our researchers also detected websites that deploy a similar subscription scheme (article in Russian). These websites offered access to a wider pool of materials, such as training courses on office suites or online marketplace trading.

Geography of GriftHorse.l attacks
We observed the activity of Trojan GriftHorse.l from 25 January 2022. Kaspersky solutions detected most instances of the Trojan on devices owned by users in Russia (81.37%). The country which came in second for the most users affected was Saudi Arabia (6.07%), with Egypt (1.91%) in third place.

Geographical distribution of users attacked by GriftHorse.l Trojan, 25 January 2022 — 31 March 2022 (download)

GriftHorse.ae: don’t give out your number!
The Trojan detected as Trojan.AndroidOS.GriftHorse.ae may belong to the same family as GriftHorse.l, but it behaves in a completely different way. The malware poses as apps for recovering deleted files, editing photos and videos, blinking the flash for incoming calls, navigation, document scanning, translation, and so on. Yet all these apps can do in practice is request a phone number under the pretense of a login, although clicking “login” will actually subscribe the user. This is the simplest form of subscription — it bills the cell phone account and all it needs to complete the process is the victim’s phone number. It remains unclear what exactly does the GriftHorse.ae Trojan subscribe the user to.

Fake login screen in an app

Fake login screen in an app

Like its relative, GriftHorse.ae is also spread through Google Play. Scammers upload a great number of similar apps to the marketplace in the hope that at least some of them will be available to users for a certain amount of time.

Geography of GriftHorse.ae attacks
Our radars picked up the GriftHorse.ae Trojan for the first time on 10 March 2022. Among the users who fell victim to attacks in less than a month, 43.57% were located in Russia, 22.95% in Saudi Arabia, and 6.14% in Oman.

Geographical distribution of users attacked by GriftHorse.ae Trojan, 10 March 2022 — 31 March 2022 (download)

Forth and fifth place were taken by users in Poland (4.39%) and Belarus (3.22%).

General statistics on Trojan subscribers
From January 2021 to March 2022, the most active of the subscription Trojans covered in this article was MobOk. It was encountered by 74.09% of the Kaspersky mobile solution users who were attacked by the malware mentioned in this piece. Joker Trojans were blocked on 17.16% of user devices, while the least active Trojans were from the families Vesub (3.57%) and GriftHorse (3.53% of users encountered GriftHorse.l and 2.09% encountered GriftHorse.ae). It’s still worth noting that GriftHorse is a new family and it’s only beginning to pick up momentum.

Share of users who encountered Trojans from specific families out of all users attacked by the subscription Trojans described in this article, January 2021— March 2022 (download)

Geography of subscription Trojan attacks
The majority of users who encountered subscription Trojans were located in Russia (27.32%), India (8.43%), Indonesia (8.18%), Ukraine (6.25%), and Saudi Arabia (5.01%).

Geographical distribution of users attacked by subscription Trojans, January 2021 — March 2022 (download)

Conclusion
Subscription Trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers’ own non-existent services.

To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which is the most frequent source of malware. You shouldn’t let your guard down when installing apps from Google Play either: read the reviews, read up on the developer, the terms of use and payment. For messaging choose a well-known app with positive reviews.

Even if you trust an app, you should avoid granting it too many permissions. Only allow access to notifications for apps that need it to perform their intended purposes — for example, to transfer notifications to wearable devices. Apps for something like themed wallpapers or photo editing don’t need access to your notifications.

Indicators of compromise (MD5)
Trojan.AndroidOS.Joker

d3d8dbb9a4dffc1e7007b771e09b5b38
ab168c7fbfa2f436d7deb90eb5649273
77a6c1c2f782c699d1e73a940f36a527
34c60a3034635cc19c110a14dcfd2436
8cccfb60aeeb726916f4937c0a702e6a

Trojan.AndroidOS.MobOk

b73d2205a2062a51727e22e25a168cef

Trojan.AndroidOS.Vesub

1b833cc7880d5f1986d53692b8a05e3c
2cfbbc61a71d38fc83c50dc18d569b77
6e07381626d69f4710d7979dff7bff2a
3395101b243993f4969c347e5feb8f65
aebe1da0134b40fdcfc3adea18a50b8a

Trojan.AndroidOS.GriftHorse.l

07d6d7a15b94a6697db66364f1e79a85
11a1446bd6265b66e13f097ecfd195d8

Trojan.AndroidOS.GriftHorse.ae

1b987b970d1274e44a66769c4a453462
1cefe439d7c533cf8ed689dd41ab35c4
1d264d1eff33cff04dd04680db13a7d0
1eb9c7af96fcefb9e6070ee8c1720aa3
1f3baf400abaafd99fd3c0d630ad75ea
3a9829a5a62dda630f6b1e2d3371f9ae
3cece1bcf65ec7befd5eef8aa2fc70cb
3ed41d81c15f6479ec0e0bca69c5c55f
4bd04b372cf9eb00230d761eafb02218
5a6b67fa0d911f4858b0f00dc46c58fd
5a7ab3c12c01e7c9c0a58ef7be536ca9
5b5427b6310480a23e64cebfb757fffe
5d9c9d7725ea4e47fc319384b2f88dad
5ddd4d0321a29a5e8699b703b4165df8
6b336d8e9b459d937046475945d0c976
06d5eea04cfaa637e6b78f2ff22b7e7a
6dba0f2972d412f768f1c332777753f9
6e76a7b223754a27197c73cb815505d6
6ede369b56d7f405849e0e2263fc5d95
6f6391157fe40d78be21a145cb8fdc0a
7ad06772f92688d331e994febe77d56f
7d068d99bab6873750fc81444980d084
7def5fccad7d3f9ef0c6f54140f63cf9
7eccd4b190bac4f9470afa975cdab5e2