Hostile Downloader Masquerading As “QR Scanner” Application
MasterFred was discovered in November 2021 as an undetected new variant of the Android Banking Trojans targeting Poland and Turkey. Cyble Research Labs (CRL) published a detailed technical analysis of MasterFred after its discovery, and we have been closely monitoring the activity of evolving Banking Trojans.
While conducting a routine threat hunting exercise, CRL came across a Twitter post where the security researcher mentioned the sample of MasterFred hosted on opendir malicious website hxxp://repo.had0k3n[.]tech.
The Threat Actor (TA) known as Hadoken Security (a group of malware developers) is behind the development of this MasterFred malware, including Xenomorph, MaqSpy RAT, and Gymdrop dropper.
Based on our detailed investigation, the sample was identified as a new variant of MasterFred, which uses Gymdrop to download Xenomorph Android Banking Trojan.
Various malware families use the Dropper as a Service (DaaS) model to bypass the security mechanisms implemented by the Google Play Store. In this case, the malware uses Gymdrop dropper to download an advanced Android Banking Trojan to infect the victim’s device.
The new MasterFred variant is missing the banking overlay HTML file present in the assets folder, as shown below.
The new variant of Masterfred acts as a hostile downloader instead of performing banking Trojan activities. The TA has added an extra module that checks whether the malicious application is present on the Google Play Store and downloads the Xenomorph malware.
Our analysis indicates that the TA has designed this malicious application to host on the Google Play Store as a hostile downloader to distribute the Xenomorph malware.
Similar behavior has been observed in the past when the TA has published banking Trojans like Hydra, Alien, Octo, and several others on the Google Play Store disguised as Document Manager or Antivirus applications and used droppers to download malware after installation.
The infection mechanism is explained in detail in the Technical Analysis section.
Technical Analysis
APK Metadata Information  Â
- App Name: another QRScan
- Package Name: hdkjvi.looawt.fpfzys
- SHA256 Hash: 214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168
  
Figure 3 shows the metadata information of the application. 
The malware pretends to be the QR code scanner application to hide its malicious activity. The TA uses benign application names and logos to publish the malware on the Google Play Store to appear genuine.
After installation, the malware connects to the Onion URL and receives the malicious URL hxxps://anotherqrscannerapp[.]one/get_random_file in response which downloads the Xenomorph Banking Trojan file named “3.apk”.
Before installing the Xenomorph malware on the infected device, MasterFred malware checks whether the application was published on the Play Store or not. If MasterFred is not present in the Play Store, the malware does not connect to the malicious URL received in response and download malware.
The below image showcases the Gymdrop admin panel of the malicious URL received in the response of the Onion URL.
Xenomorph Banking Trojan
APK Metadata Information  
- App Name: Android Security Service
- Package Name: deceva.lgmihi.wtcozl
- SHA256 Hash: ab345951a3e673aec99f80d39fa8f9cdb0d1ac07e0322dae3497c237f7b37277
  
Manifest Description Â
The malicious application mentions 18 permissions, of which the TA exploits 5. The harmful permissions requested by the malware are: 
| Permission | Description |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_SMS | Access phone messages |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| SYSTEM_ALERT_WINDOW | Allows an app to create windows |
Source Code Review Â
After installation of the downloaded APK file, the malware prompts the victim to turn on the Accessibility Service. Once the Accessibility Service is granted, the malware starts abusing the service to auto-enable permissions, activate device admin, and collect key logs.
The malware sends the encrypted list of applications installed on the infected device to the Command & Control (C&C) server to identify the targeted application.
Once the targeted application is identified, the malware receives the HTML overlay page from the URL hxxp://x2u2[.]art/es/com.bbva.bbvacontigo[.]html. In this case, the malware receives the overlay payload for “BBVA bank.”
When the victim tries to interact with the installed banking application, the malware displays the downloaded HTML injection page to steal the credentials entered by the victim.
The below image shows the HTML phishing page used to trick the victim into falling for the phishing scheme while attempting to access the genuine application.
ConclusionÂ
According to our research, the TA seems to be developing the malware to publish it on the Google Play Store, indicating it is still in development. In the coming days, we may observe the malware dropping the Xenomorph Banking Trojan hosted on the Play Store.
Our RecommendationsÂ
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® TechniquesÂ
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1517 | Access Notifications |
| Collection | T1533 | Data from Local System |
| Discovery | T1421 | System network connection discovery |
| Command and Control | T1571 | Non-standard port |
| Command and Control | T1573 | Encrypted data |
| Credential Access | T1417 | Input Capture |
Indicators of Compromise (IOCs)Â
| Indicators | Indicator Type | Description |
| 214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168 | SHA256 | Hash of the analyzed MasterFred APK file |
| a7a2fbb022e391618f8f62acf07c7d4681f98775 | SHA1 | Hash of the analyzed MasterFred APK file |
| 4b3c99ae792e7389c43102060633b4cc | MD5 | Hash of the analyzed MasterFred APK file |
| hxxps://txxiptfyfj3tr2v6orvkyvzksm5j44ldekbvdd5j74imqumpcmknf4yd.onion.ws | URL | C&C server |
| hxxp://repo.had0k3n[.]tech | URL | Malware distribution site |
| hxxps://anotherqrscannerapp[.]one | URL | Gymdrop URL |
| ab345951a3e673aec99f80d39fa8f9cdb0d1ac07e0322dae3497c237f7b37277 | SHA256 | Hash of the analyzed APK file |
| 167036086435e133fab66ed14c51b7812b314c51 | SHA1 | Hash of the analyzed APK file |
| 42efd88844b49e05ec19dd831354093a | MD5 | Hash of the analyzed APK file |
| hxxp://gogoanalytics[.]click | URL | C&C server |
| hxxp://x2u2[.]art | URL | Injection downloader URL |
