During our Open-Source Intelligence (OSINT) research, we came across a malicious app being spread mostly through file hosting websites with a malicious ad redirection. The malware is downloaded when the user interacts with the website hosting the adware. When the user visits the legitimate page, they are redirected to an ad page that downloads an APK file with a .PDF extension. Our research team has performed a deep analysis of the downloaded APK file and found that the application is a FakeAdsBlock variant of adware.
Figure 1: Screenshot of the example website
FakeAdsBlock is an adware installer pretending to be a genuine ad blocker for Android devices. Ad blockers are designed to provide protection against aggressive advertisements. However, fake ad blockers behave like adware by bombarding their victims with ads. Adware applications are usually distributed via third-party app stores, where they are offered as ad-blocking apps. In this scenario, however, the victim is tricked into installing the application through sideloading, an Android OS feature that allows users to install applications from sources other than the official Google Play Store.
Upon installing the app, a second payload exhibiting the adware behavior is downloaded from the Command & Control (C&C) server. In this blog post, we have covered the detailed analysis of this fake ad blocker campaign.
Based on an investigation by the Cyble Research Labs, we observed that these adware files have the same package name – com.intensive.sound. The metadata information of the adware application is given below.
APK Metadata Information:
- File Name: NSO_GROUP_PEGASUS_For_XSS.pdf
- App Name: (No Name)
- Package Name: com.intensive.sound
- SHA256 Hash: f87b117fddef9e117870de5e76aeb532a2fb923aaaf83ff17c85e54008c2b371
Figure 2: Other Application details
The application requests 19 permissions, of which 8 are dangerous. The dangerous permissions requested by the application are:
- android.permission.REQUEST_INSTALL_PACKAGES: This allows an application to install apps from other sources.
- android.permission.SYSTEM_ALERT_WINDOW: This allows an app to display system-level alerts.
- android.permission.WRITE_CALENDAR: Adds or modifies calendar events.
- android.permission.WRITE_EXTERNAL_STORAGE: Adds to or modifies external storage.
- android.permission.ACCESS_COARSE_LOCATION: Fetches coarse (network-based) location.
- android.permission.ACCESS_FINE_LOCATION: Fetches fine (using GPS) location.
- android.permission.READ_CALENDAR: Reads calendar events.
- android.permission.READ_EXTERNAL_STORAGE: Reads external storage.
Upon installing the application, we observed that it is using a new technique to evade detection. The application has no icon or name and is not visible on the device home screen, as shown in the figure below.
Figure 3: App Stays Hidden from the User’s Visibility
The adware application has registered listeners for device boot-up events and uses the listeners to ensure the app’s persistence. This enables the application to be triggered upon device boot up, without the need for user interaction. The figure below showcases the code used to register the listener for device boot up.
Figure 4: Code to register listener for device boot-up
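The three static indicators described above (the dangerous-permission set, the missing launcher icon, and the boot-up receiver) can be checked from a decoded AndroidManifest.xml. The following is an added example for analysts, not code from the report or the sample; it assumes the manifest has already been decoded from the APK (for example with apktool), and the embedded manifest excerpt is constructed with hypothetical class names.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The eight permissions the report lists as dangerous for this sample.
DANGEROUS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_CALENDAR",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Constructed manifest excerpt modelled on the behaviour the report
# describes; component class names are hypothetical, not from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.intensive.sound">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the static indicators from the report found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    categories = {c.get(ANDROID_NS + "name") for c in root.iter("category")}
    return {
        "package": root.get("package"),
        "dangerous_permissions": sorted(perms & DANGEROUS),
        # Unknown-source install plus overlay is the combination the report describes.
        "sideload_and_overlay": {"android.permission.REQUEST_INSTALL_PACKAGES",
                                 "android.permission.SYSTEM_ALERT_WINDOW"} <= perms,
        # No LAUNCHER category on any activity means no home-screen icon (Figure 3).
        "hidden_from_launcher": "android.intent.category.LAUNCHER" not in categories,
        # A BOOT_COMPLETED receiver gives persistence across reboots (Figure 4).
        "boot_persistence": "android.intent.action.BOOT_COMPLETED" in actions,
    }
```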
Upon launching the adware, it displays a message with a progress bar and requests the user to wait. Meanwhile, in the background, the application performs activities such as downloading other malicious payloads.
Figure 5: Message Displayed While Downloading Additional Payload
We also found that the application communicates with the C&C server and receives an APK file embedded in a JSON response, as shown in Figure 6. The application copies the JSON data to a file called main.bin.
The figure below shows that the secondary APK is downloaded as part of the JSON data.
Figure 6: Secondary payload APK in JSON response
The code for retrieving the secondary payload is shown in the figure below.
Figure 7: Code to download secondary payload from C&C server
C&C server URL: hxxps://eftingepar[.]biz/x86?v=0.0&l=9.8&p=Y29tLmludGVuc2l2ZS5zb3VuZA%3D%3D
The C&C server URL is stored in a config file named 7038069216309798258.dat present in the APK’s assets folder. The URL and other configuration details are encoded in Base64. The decoded data is shown below.
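As an added example (not code from the report), the beacon URL above can be broken into its parameters and any Base64-encoded value decoded; the `p` parameter turns out to carry the sample's own package name. The URL is kept in its defanged form, and the same `try_b64` check applies to the Base64 contents of the configuration asset.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Defanged beacon URL exactly as reported; it is kept defanged, so the URL is
# split by hand instead of with urlsplit (which rejects the "[.]" host).
CNC_URL = "hxxps://eftingepar[.]biz/x86?v=0.0&l=9.8&p=Y29tLmludGVuc2l2ZS5zb3VuZA%3D%3D"

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def try_b64(value):
    """Return the decoded text if value is well-formed, printable Base64, else None.
    The same check applies to the Base64-encoded config asset the report describes."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def decode_cnc_url(url):
    """Split the beacon URL into endpoint and query parameters, replacing any
    parameter value that decodes cleanly as Base64 with its plaintext."""
    endpoint, _, query = url.partition("?")
    params = {}
    # parse_qsl undoes the %3D%3D percent-encoding of the Base64 padding.
    for key, raw in parse_qsl(query, keep_blank_values=True):
        decoded = try_b64(raw)
        params[key] = decoded if decoded is not None else raw
    return {"endpoint": endpoint, "params": params}

if __name__ == "__main__":
    result = decode_cnc_url(CNC_URL)
    print(result["endpoint"])
    for key, value in result["params"].items():
        print(f"  {key} = {value}")
```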
The application loads the secondary payload APK to extend the capabilities of the primary APK. The details of the secondary APK are given below:
File Information of the Second Payload APK:
- File Name: main.bin
- App Name: (No name)
- Package Name: com.apld.av
- Hash: 055e39a914e796cdcc4bd4b12591ae40aa339dce80092c88a041d55a643cbf44
The secondary payload shows a fake ad blocking page as shown in the figure below.
Figure 8: Fake Ad blocking page
The second payload adopts the permissions of the parent app and requests the user to enable the VPN feature. Using the VPN feature, the app monitors all traffic moving in and out of the device. The figure below shows the app requesting VPN access from the user.
Figure 9: App requests to enable VPN service
Based on the traffic details, the app displays ads to the victim. The application uses the SYSTEM_ALERT_WINDOW permission to show ads over other apps. The ads are created using transparent view elements. The below figure shows the declaration of view elements with a transparent theme.
Figure 10: View elements declared with a transparent theme for showing ads
When the user clicks on the displayed ads, it downloads other arbitrary apps. Then, using the REQUEST_INSTALL_PACKAGES permission, the app can install apps from sources other than the Google Play Store without user interaction. Once the app has permission to install applications from other sources, it can also install malware, which can pose a threat to the user’s device. The figure below showcases the code for installing arbitrary apps.
Figure 11: Code to install arbitrary applications
According to our research, adware and fake apps pose a significant threat to mobile devices. This variant can leverage the requested permissions to infect the user’s device with malware. Through our investigation, we were also able to determine that the same variant is being spread through other sources as well.
We’ve listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware in your device, uninstall it immediately.
- Use the shared IoCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from registered app stores.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defence Evasion | T1406 | Obfuscated Files or Information |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1422 | System Network Configuration Discovery |
| Discovery | T1426 | System Information Discovery |
| Discovery | T1424 | Process Discovery |
| Collection | T1507 | Network Information Discovery |
| Collection | T1430 | Location Tracking |
| Command and Control | T1571 | Non-Standard Port |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IoCs):
| Indicator | Indicator Type | Description |
|---|---|---|
| f87b117fddef9e117870de5e76aeb532a2fb923aaaf83ff17c85e54008c2b371 | SHA256 | Hash of the sample |
| 055e39a914e796cdcc4bd4b12591ae40aa339dce80092c88a041d55a643cbf44 | SHA256 | Secondary payload APK |