Key Takeaways
- A China-based Threat Actor (TA) is conducting an Android Spyware campaign targeting Android users in South Korea.
- The malware is distributed through deceptive phishing websites that pose as adult sites but actually deliver the malicious APK file.
- Once the malware has infected the victim’s device, it can steal a wide range of sensitive information, including contacts, SMS messages, call logs, images, audio files, screen recordings, and screenshots.
- The malware can also interfere with incoming calls by blocking, silencing, or redirecting them based on a predefined list of blocked numbers.
- There are indications of connections between the TA behind the malware and China, potentially linked to the Communist Party of China.
- Additionally, the spyware contains unfinished keylogging code, suggesting it is still in development and may reappear with additional features in the coming days.
Overview
Cyble Research and Intelligence Labs (CRIL) identified a new Android Spyware campaign using VirusTotal intelligence. The campaign has been conducted by a China-linked Threat Actor specifically targeting Android users in South Korea since the beginning of July 2023.
This Android Spyware can steal sensitive information, including contacts, SMS messages, call logs, images, audio files, and even capture screenshots. This malware takes advantage of accessibility services to prevent uninstallation. Furthermore, it includes unused code that could be implemented for the keylogging feature. The presence of this unfinished feature indicates that the malware is still in development and may resurface in the future with enhanced functionalities.
We have discovered more than ten malicious applications that were distributed through the download link at hxxps://tempsstr[.]top. All of these malicious APK files establish communication with a common Command and Control (C&C) server located at hxxps://jkweb255[.]top/.
Interestingly, the download link and the C&C server share the same IP address, 103.94.235[.]26. According to the Whois record, both the download link and the C&C server are registered under the organization name of “John Wu” in Hong Kong, China.

Furthermore, within the malware code, there is a Chinese string “中国共产党万岁,” which translates to “long live the Communist Party of China”, suggesting a connection between the TA and China, either being highly influenced by the Communist Party of China or a supporter of the Party.
The malware also incorporates several Chinese language strings for logging purposes, further indicating that the TA has Chinese origins.

APT41 has previously been known to focus its cyber activities on South Korea and is suspected to have affiliations with the Communist Party of China. In July, Lookout drew attention to APT41’s use of Android surveillance tools for targeting Android users. However, based on our analysis, we were unable to establish a direct connection between this China-based TA and APT41 or any other APT group.
Initial Infection
During our investigation of the APK file, we also discovered three phishing websites that appear to be adult sites but are, in fact, distributing the malicious APK file.
The phishing sites distributing malware are:
- hxxp://shankssy[.]dothome.co.kr
- hxxp://tephen.dothome[.]co.kr
- hxxp://reddick1[.]dothome.co.kr

The UI for all the mentioned websites is identical, with added buttons for the App Store and the Play Store. However, the phishing site employs a deceptive tactic. When users click on the “App Store” button, they are redirected to the URL hxxps://efsxv[.]lmfpgl[.]com/w01vx. This URL loads a counterfeit App Store page, as depicted in Figure 4, featuring a single “free installation” button that links to the URL hxxps://fyjrqbho[.]com/storage/apk/2023/12220829abtc.apk?e=1693747486&token=yOPFMdCdBgDA9CsYtEm_9qwn6PqUoFJ3rCmnDOxF:acbci6t4A0YZM8f9GaANfssauIA=. Although this particular URL is presently inactive, the link strongly suggests that it was used to download an APK file.

Upon clicking the “Play Store” button, the site initiates the direct download of a malicious APK file from the URL hxxps://tempsstr[.]top/app_15.apk.
During our investigation, we couldn’t pinpoint the precise method through which these phishing sites are reaching their victims. However, we have suspicions that the TA may be employing smishing (SMS phishing) or spam emails as a means to distribute malware.
A detailed analysis of this APK file follows in the section below.
Technical Analysis
APK Metadata Information
- App Name: Enjoy Cam
- Package Name: com.example.middlerankapp
- SHA256 Hash: 882fa441b584dd0fcadc7337ec5916d7afde129af9072cb67627c94c66ee4420

Abusing Permissions
After installation, the malware’s first action is to prompt the victim to activate the Accessibility Service. Once this service is enabled, the malware asks the victim to grant the permissions that allow it to access sensitive data. It then seeks permission to capture the screen, as shown below.

C&C Communication
Once the spyware successfully obtains all the necessary permissions, it initiates the process of sending sensitive data to the C&C server located at hxxps://jkweb255[.]top/api/.
The spyware transmits this stolen data to distinct API endpoints depending on the type of information, as illustrated in the figure below.

Initially, the spyware registers the device by employing the device number as the equipment identifier and simultaneously sends location details to the C&C server hxxps://jkweb255[.]top/api/equipment/add.

Exposed Victim’s Details
During our examination of the C&C server, we observed some of the exposed stolen data records on the server, revealing that approximately 23 infected devices had been added, excluding our test device, at the time of composing this blog post.

The table below contains the count of exfiltrated information records:

| Information type | API endpoint | Record count |
|---|---|---|
| Device | /equipment/add | 24 |
| Contacts | /telephone/add | 2677 |
| SMSs | /message/add | 2149 |
| Photos | /photo/add | 556 |
| Audio Recordings | /audio/add | 5 |
| Screenshot | /snapshot/add | 3 |
| Call logs | /records/add | 3244 |
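The endpoint-to-data-type mapping above doubles as a network detection signature: every exfiltration request goes to the same host and to a small, fixed set of paths. The script below is an added example written for this post, not Cyble’s own tooling. It refangs the defanged C&C URL as printed here, then tallies per client which exfiltration or lookup endpoints were contacted in a web-proxy log, which reproduces the record-count view above for your own environment. The C&C host, API paths and the distribution host come from this write-up; the log format (timestamp, client IP, method, URL) and the sample log lines are constructed for the example.

```python
"""Flag proxy log lines that match the spyware's C&C and download pattern.

Added example (not Cyble's tooling). Host names and API paths are those named
in the write-up; the log format and sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit


def refang(ioc):
    """Turn a defanged indicator ('hxxps://jkweb255[.]top/') back into a real URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


C2_HOST = urlsplit(refang("hxxps://jkweb255[.]top/")).hostname          # jkweb255.top
DISTRIBUTION_HOSTS = {urlsplit(refang("hxxps://tempsstr[.]top/app_15.apk")).hostname}

# Exfiltration and lookup endpoints from the write-up, mapped to the data they carry.
C2_ENDPOINTS = {
    "/api/equipment/add": "device",
    "/api/telephone/add": "contacts",
    "/api/message/add": "sms",
    "/api/photo/add": "photos",
    "/api/audio/add": "audio",
    "/api/snapshot/add": "screenshot",
    "/api/records/add": "call-logs",
    "/api/blocking/view": "call-screening-lookup",
    "/api/calltransfer/view": "call-redirect-lookup",
}

# Constructed log format: "<timestamp> <client-ip> <method> <url>" (an assumption).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

# Constructed sample lines for the example; 10.0.0.7 plays the infected device.
SAMPLE_LOG = """\
2023-09-04T10:00:40Z 10.0.0.7 GET https://tempsstr.top/app_15.apk
2023-09-04T10:01:02Z 10.0.0.7 POST https://jkweb255.top/api/equipment/add
2023-09-04T10:01:05Z 10.0.0.7 POST https://jkweb255.top/api/telephone/add
2023-09-04T10:01:05Z 10.0.0.7 POST https://jkweb255.top/api/telephone/add
2023-09-04T10:01:09Z 10.0.0.7 POST https://jkweb255.top/api/message/add
2023-09-04T10:02:00Z 10.0.0.9 GET https://example.com/index.html
2023-09-04T10:02:30Z 10.0.0.7 POST https://jkweb255.top/api/blocking/view
2023-09-04T10:03:11Z 10.0.0.7 POST https://jkweb255.top/api/unknown/thing
"""


def classify(line):
    """Return (client, kind) for a suspicious line, or None for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.hostname in DISTRIBUTION_HOSTS:
        return m.group("client"), "apk-download"
    if parts.hostname != C2_HOST:
        return None
    # Any request to the C&C host is worth a hit, even on a path we have not catalogued.
    return m.group("client"), C2_ENDPOINTS.get(parts.path, "unknown-c2-path")


def scan(log_text):
    """Map each client that touched the campaign infrastructure to a Counter of hit kinds."""
    per_client = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            client, kind = hit
            per_client.setdefault(client, Counter())[kind] += 1
    return per_client


if __name__ == "__main__":
    for client, kinds in scan(SAMPLE_LOG).items():
        print(client, dict(kinds))
```

Matching on the host rather than on full URLs keeps the detection useful if the TA adds endpoints; the `unknown-c2-path` bucket is there precisely so that new paths surface as hits instead of being dropped.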
Monitoring Social Media Applications
The spyware utilizes the Accessibility Service to actively monitor the applications currently in use by the victim. When the victim interacts with specific messaging or social media applications listed below, the spyware sends the application’s package name and other data via a WebSocket connection.
When we interacted with one of the targeted apps on our test device, the spyware did not display any further activity. It appears that the spyware failed to establish a WebSocket connection at this point.
However, we suspect that the malware may be collecting the package names of social media applications, possibly to capture the victim’s conversations through features like screen recording or screenshots. Alternatively, it’s possible that this particular module is incomplete or not fully functional.
The list of targeted messaging and social media apps:
- tencent.mm
- naver.line.android
- instagram.android
- telegram.messenger
- tinder
- twitter.android
- facebook.katana
- kakao.talk

C&C server Commands
The spyware can receive commands through a WebSocket connection, enabling it to carry out various operations such as gathering contacts, SMS messages, photos, call logs, and initiating other activities. The figure below illustrates the commands executed by the spyware.

Upon receiving the command “msg_start” from the C&C server via a WebSocket connection, along with additional parameters, the spyware carries out malicious actions depending on the command’s content.
These actions include initiating and stopping audio recordings, capturing images using the target device’s camera, taking screenshots, and starting or stopping screen recording.
Figures 12 and 13 illustrate how the malware handles the initiation or termination of screen recording and the start or stop of audio recording in response to commands from the server. Following these actions, the spyware transmits the captured screen data to the C&C server.


Abusing CallScreeningService
In the Android manifest, the malicious application registers a service named “MyCallScreeningService” that extends the Android CallScreeningService.
Developers use this service to allow or disallow incoming calls before they are displayed to the user. In this context, the spyware has implemented this service with harmful intentions.
The spyware monitors the incoming calls and extracts the caller’s phone number. It then sends this caller’s phone number to the C&C server at hxxps://jkweb255[.]top/api/blocking/view to determine if the number is listed in a database. The server responds with information about whether the number is present in its records.
If the caller’s number is found on the server’s list, the spyware takes action based on the version of the Android operating system running on the device. It may choose to disallow the call, silence it, or reject it. If the caller’s number is not present on the server’s list, the spyware allows the call to proceed as usual.
This behavior indicates that the spyware is designed to interfere with incoming calls based on a predefined list of blocked numbers obtained from the remote server.

After examining the data exposed on the C&C server, we observed that the TA had included over 28,000 mobile phone numbers in the database. Many of these phone numbers are linked to banks and lending institutions in South Korea.
The records in the figure below display the usernames corresponding to these mobile numbers associated with South Korean banks and loan agencies.

Redirecting Calls
Additionally, the spyware has incorporated a feature that allows it to redirect the victim’s incoming calls to a designated mobile number controlled by the TA. When the victim receives a call, the spyware can transmit the caller’s number to a C&C server hxxps://jkweb255[.]top/api/calltransfer/view. Subsequently, the spyware receives instructions on which number to redirect the call to.
Notably, the spyware contains a hardcoded mobile number, “18179468360,” within its code, although it is not currently utilized for call redirection.

Based on the exposed data concerning blocked numbers, it becomes evident that the TA can redirect incoming calls selectively, focusing primarily on those originating from financial institutions. The functionality of call redirection and call screening suggests that the TA may be planning to engage in financial fraud using stolen data.
Blocking Incoming SMSs
Each time the compromised device receives an incoming SMS, the spyware transmits the sender’s phone number to the C&C server for verification. It checks whether the sender’s number is listed in the message block database maintained by the TA.
If the number is found in the TA’s database, the spyware sends the details of the text message to the server. If the number is not present in the database, the spyware inserts the message through the content resolver and presents it to the victim for viewing.
Much like its call redirection functionality, this selective interception of incoming messages enables the malware to target and potentially extract sensitive information from text messages, such as OTPs or financial details. The figure below illustrates this activity.

Potential Keylogging Activity
The malware has incorporated a class named “widgetService,” which extends AccessibilityService. Within this class, there is code designed for keylogging, accomplished by abusing the Accessibility Service. Importantly, it’s worth noting that the malware does not actively invoke this class at this time.
While the code for this module is incomplete, its presence suggests that the malware may intend to introduce new functionalities in the future.
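Every capability described in the preceding sections leaves a trace in the manifest: the data-collection permissions requested after install, the Accessibility-bound widgetService, the MyCallScreeningService bound with the screening permission, and an SMS broadcast receiver for the message interception. A decoded AndroidManifest.xml is therefore a cheap first triage input. The script below is an added example written for this post, not Cyble’s tooling or the malware’s code: it parses a decoded manifest (as produced by apktool or aapt) and flags that combination. The sample manifest is constructed; the package and component names MyCallScreeningService and widgetService follow this write-up, while the receiver name SmsReceiver, the exact permission list and the scoring weights are assumptions.

```python
"""Triage a decoded AndroidManifest.xml for the spyware capability profile.

Added example (not Cyble's tooling). The sample manifest is constructed:
component names follow the write-up, everything else is an assumption.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix of android:* attributes

# Permissions behind the data types the C&C table lists (real Android permission names).
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms-intercept",
    "android.permission.READ_CALL_LOG": "call-logs",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SCREENING_BIND = "android.permission.BIND_SCREENING_SERVICE"
SCREENING_ACTION = "android.telecom.CallScreeningService"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (not the real one); SmsReceiver is an assumed name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.middlerankapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Enjoy Cam">
    <service android:name=".MyCallScreeningService"
        android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter><action android:name="android.telecom.CallScreeningService"/></intent-filter>
    </service>
    <service android:name=".widgetService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest used as a control.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the manifest features that match the spyware's capability profile."""
    root = ET.fromstring(xml_text)
    findings = {}
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    data_access = sorted({DATA_PERMISSIONS[p] for p in declared if p in DATA_PERMISSIONS})
    if data_access:
        findings["data_access"] = data_access
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings.setdefault("accessibility_services", []).append(svc.get(A + "name"))
        if svc.get(A + "permission") == SCREENING_BIND or SCREENING_ACTION in actions:
            findings.setdefault("call_screening_services", []).append(svc.get(A + "name"))
    for rcv in root.iter("receiver"):
        if SMS_RECEIVED in {a.get(A + "name") for a in rcv.iter("action")}:
            findings.setdefault("sms_receivers", []).append(rcv.get(A + "name"))
    return findings


# Assumed weights: a bound accessibility or call-screening service is far rarer in benign apps.
WEIGHTS = {"data_access": 1, "accessibility_services": 3,
           "call_screening_services": 3, "sms_receivers": 2}


def risk_score(findings):
    return sum(WEIGHTS[k] * len(v) for k, v in findings.items())


def verdict(xml_text, threshold=8):
    """Return ('high'|'low', findings); the threshold is an assumed tuning knob."""
    findings = triage_manifest(xml_text)
    return ("high" if risk_score(findings) >= threshold else "low"), findings


if __name__ == "__main__":
    print(verdict(SAMPLE_MANIFEST))
    print(verdict(BENIGN_MANIFEST))
```

A legitimate caller-ID or assistive app will also bind one of these services, so the score is a triage prioritiser, not a conviction; the combination of screening plus accessibility plus the full collection permission set is what makes a sample worth a closer look.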

Conclusion
The identification of a sophisticated Android Spyware campaign targeting South Korean Android users reveals the persistent threat posed by malicious actors in the digital landscape. Orchestrated by a China-based TA, this campaign employs a deceptive strategy, luring unsuspecting users with adult-themed websites to distribute malicious APK files.
The spyware itself is a highly invasive threat, capable of surreptitiously exfiltrating a wide range of sensitive data, including contacts, SMS messages, call logs, images, and more. It also exhibits sophisticated functionalities, such as screen capturing and monitoring selected messaging and social media applications. The presence of unfinished features, like keylogging, suggests that the malware is continually evolving, posing an ongoing threat to mobile device users.
Moreover, while the data exposed on the C&C server reveals a limited number of victims thus far, the presence of the uncovered phishing sites and the existence of incomplete modules lead us to anticipate that the TA may broaden its targeting efforts in the near future.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputable antivirus and internet security software package on all connected devices, including PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Persistence | T1624.001 | Event-Triggered Execution: Broadcast Receivers |
| Defense Evasion | T1629.001 | Impair Defenses: Prevent Application Removal |
| Discovery | T1430 | Location Tracking |
| Collection | T1429 | Audio Capture |
| Collection | T1616 | Call Control |
| Collection | T1636.003 | Protected User Data: Contact List |
| Collection | T1636.002 | Protected User Data: Call Log |
| Collection | T1636.004 | Protected User Data: SMS Messages |
| Collection | T1513 | Screen Capture |
| Collection | T1533 | Data from Local System |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols |
| Exfiltration | T1646 | Exfiltration Over C2 Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
|---|---|---|
| 882fa441b584dd0fcadc7337ec5916d7afde129af9072cb67627c94c66ee4420 | SHA256 | Hash of analyzed APK |
| 7ff9e6178687849354a79e561c81f3c1cc179d28 | SHA1 | Hash of analyzed APK |
| f71d472500afee66acfe5f15e050b632 | MD5 | Hash of analyzed APK |
| hxxps://jkweb255[.]top/ | URL | C&C server |
| hxxp://shankssy[.]dothome.co.kr | URL | Phishing site |
| hxxp://tephen.dothome[.]co.kr | URL | Phishing site |
| hxxp://reddick1[.]dothome.co.kr | URL | Phishing site |
| hxxps://tempsstr[.]top/app_15.apk | URL | Malware distribution URL |
| hxxps://efsxv[.]lmfpgl[.]com/w01vx | URL | Malware distribution URL |
| hxxps://fyjrqbho[.]com/storage/apk/2023/12220829abtc.apk?e=1693747486&token=yOPFMdCdBgDA9CsYtEm_9qwn6PqUoFJ3rCmnDOxF:acbci6t4A0YZM8f9GaANfssauIA= | URL | Malware distribution URL |
| d060d3e706840e80bd88f502dbb0db82212f6dbda4d70cf65d4e0c77779a5f84 | SHA256 | Spyware hash |
| db5158db58e3413edd5187c55a9e12f163f9676b | SHA1 | Spyware hash |
| 2d39c748ab2869b01b40ff147b9504f0 | MD5 | Spyware hash |
| ec38f683b0e0006b5bf1a63f1b2cdd1ce9b1484bf114a516c4aafb12fe15910e | SHA256 | Spyware hash |
| 727da95371e5dbfc6a6883b74c72b63040763aeb | SHA1 | Spyware hash |
| f884f25b1ccfd4992fa74fc3f97190be | MD5 | Spyware hash |
| 1f8ed346ee7a103d1c2027ba6a7460ed472fa5256ef756051aa48408449621e8 | SHA256 | Spyware hash |
| 6e8e7fc7a270f519056c2ca292bed540670279f2 | SHA1 | Spyware hash |
| 79dc15f6001441f11efa7a61e32a00ad | MD5 | Spyware hash |
| 22b50f713f72426dd97e2c58cb9bb7369be6a34f2fb2c5d9e8ef2e49c3bb8bcc | SHA256 | Spyware hash |
| 00cd589f4679c4647d685e84a5613b73a0ae8ed2 | SHA1 | Spyware hash |
| 6f1c40fe318a585572119fcadea3de69 | MD5 | Spyware hash |
| 9445f4b69418fc4ed1abff5754c0c3836200c8babe69658a438eed38843980ba | SHA256 | Spyware hash |
| 07d01ed7a7ee3d5a9daebb90efda5c4c855f1c6c | SHA1 | Spyware hash |
| 59733f1a08cbad79553d0d0ddce0d214 | MD5 | Spyware hash |
| ac439c63b09f79e9a211a38ac980e11f3f5e2f2b932e75d8cb5b1de8e55edbf9 | SHA256 | Spyware hash |
| bf3982bd853dc79a8bbe87811703a58d8395b9bc | SHA1 | Spyware hash |
| 3963bb4bacd29be72a59aace31c7ea06 | MD5 | Spyware hash |
| b2e5bc5bf0cbfe8aaeaa4d5f4db2da1af427eb459e579f4a2868fc52447994de | SHA256 | Spyware hash |
| 095865f38c4214ec4c158a920ef0c96e58da6793 | SHA1 | Spyware hash |
| 6bfaa3c09bb811d39f24e956c06ef4d9 | MD5 | Spyware hash |
| daca422556054ed1536359b4ca9b81218782b0282f7b8612e61667b041f9aa1a | SHA256 | Spyware hash |
| 12a619e88b22b5f60d830c370773b42ef450847e | SHA1 | Spyware hash |
| 129b3abab1ee1db5ddca9fc0545ee268 | MD5 | Spyware hash |
| 7862349a167029fb09f9a7407c3af47b7ebdcbe6730b91c8124d5ad6fa20fc04 | SHA256 | Spyware hash |
| 74d445eee6944b955118eb2e883de9b27cdf6435 | SHA1 | Spyware hash |
| 0f4a506566139a43df0331b5c1a3febe | MD5 | Spyware hash |
| 6957a06b7c9d646961fb095e81387a2e68b5ab5b719ad59dc52db98fadd2eab2 | SHA256 | Spyware hash |
| 28e1bafd53adcf5eb150055e4290ad1ada089d8e | SHA1 | Spyware hash |
| 45ba9554b4c706c61890482435a9b4a4 | MD5 | Spyware hash |
| b511fedd7d1859b3a357633189801781bc279f4f5c8c70f7ef8d7a3198378068 | SHA256 | Spyware hash |
| d58a8962e7e1451e0c5fa3ab2a0b01847710f897 | SHA1 | Spyware hash |
| 90a420bc976962047f6b2f86375fc65c703ab7ec7529e5f06fbd5554e32a0784 | SHA256 | Spyware hash |
| 00f138997b98e17f26b1ae514e2d0f1a19071303 | SHA1 | Spyware hash |
| 9ad68ad3156397030035a15e6d7fee5f | MD5 | Spyware hash |
| c5636061ddf74cc96405c5640438ffc30354dce3bba20eae6379e8a0bb78922a | SHA256 | Spyware hash |
| 1d942d562b2ee6fec1e52c50709ba4f5b326592b | SHA1 | Spyware hash |
| c8f448f794903c5c5742971bf38dbe8b | MD5 | Spyware hash |
| 4160a78deab601798b926956e1d8003949b0d6e1238be1b62395d22480bbd1ad | SHA256 | Spyware hash |
| 21e85dccfd101252737ec83daeedb4e948fdaaee | SHA1 | Spyware hash |
| a2838f5e2732d38cd6682527dc0d707a | MD5 | Spyware hash |