During our routine threat hunting exercise, Cyble Research Labs came across an Android malware sample which raised red flags since it was linked to a phishing campaign primarily targeting customers of telecommunication services in Japan.
In an increasingly interconnected world, Telecommunications is the primary enabler to connect with each other. From email and messaging to phone and video calls, we rely on the Telecom industry heavily. This is also reflected in our businesses, workplaces, and infrastructure which are all reliant on modern telecommunication servers.
This ubiquity, combined with our reliance on them, makes telecoms a major target for cybercriminals. One of the main techniques is to target subscribers of Telecom networks and by extension their mobile devices.
An example of one such technique is infecting mobile devices with malware to exploit payment services and collecting personal information. We have covered one such incident in this analysis.
According to our research, the Threat Actor(s) (TA) behind this campaign has hosted multiple domains and spreads a fake version of the official Telecommunication network’s Android application. Upon analyzing the sample, we determined that the malware conducts phishing activities to steal credentials and session cookies. It then proceeds to uploads this information to the TA’s email through Simple Mail Transfer Protocol (SMTP).
Post analysis, our team has studied the attacker’s activities and the stolen data residing in the TA’s Infrastructure, which is covered in the below analysis.
Technical Analysis
APK Metadata Information
App Name: NTT*****
Package Name: com.******.cookie
SHA256 Hash: *******8e7733db22645fee95482dccf5260dcd******0de77d2120c3845
Figure 1 shows the metadata information of the application.
Figure 2 shows the malware has the icon and name of a major Japanese Telecom company.
Upon simulating the application, it requests that the users turn off their Wi-Fi and log in with their network PIN, as shown in Figure 3.
Manifest Description
The fake app requests two permissions, of which the attackers could abuse one to get information about network connections on the device.
The dangerous permission is mentioned below.
| Permissions | Description |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections. |
Upon reviewing the application’s manifest, the malicious app’s launcher activity was identified, as shown in Figure 4.
Malware Behavior
As mentioned earlier, the fake app initially requests the users to connect to the cellular network by disabling Wi-Fi as soon as it is launched.
Upon connecting to the cellular network, the malware displays the Telecommunication’s payment service official webpage through WebView and asks the user to log in with their Network PIN, as shown in Figure 3.
A Network PIN is a four-digit number that is assigned to the customer when the subscription is finalized.
If the subscriber wants to verify their identity or change various settings, they will require this PIN.
The code used to display the official website using WebView is shown below.
As highlighted in Figure 5, the malware hides these strings as encrypted in the code to restrict reverse engineering and detection by security software. The decryption code used by the malware is given below.
The official payment service webpage page URL (post decryption): hxxps://payment2.smt.*****.ne[.]jp/smph/history/gadap031.srv
Post login, the malware collects the victim’s credentials, including Network PIN. Along with that, it also steals the session cookies of the user’s telecom payment service account.
The malware invokes a JavaScript (JS) code to the logged-in webpage loaded inside the WebView. It then proceeds to steal the credentials from the webpage content. The JS code used for credential-stealing is shown below.
Additionally, the fake malicious app collects the logged-in session cookies using Cookie Manager API and initiates sending the information through the mail, as shown below.
The malicious app collects and sends the information as email content to TAs email account with the help of SMTP protocol. We also identified two email IDs from this code. The code used to send the email to the TA is shown below.
Our research team decrypted all the strings in the malware’s code. Â
Based on our findings, we studied the attacker’s endpoint, where the TA stores the customer’s stolen credentials/cookies.
Figure 10 shows the endpoint where the TA has stored the credentials.
Upon analyzing the entire data in the TA’s account, we found 2900+ credentials/cookies both from Android and Apple users. This stolen data is divided between devices as below:
- 2141 Apple mobile device victims.
- 797 Android victims.
Additionally, we found a Gmail account associated with the TA. This account is added as a recovery email in TA’s email. The details are shown in the figure below.
Conclusion
The Threat Actors behind malicious applications are constantly adapting and using various sophisticated techniques to avoid detection. Such malicious applications masquerade as legitimate applications to trick users into installing them.
Users should only install applications from the official App portals such as the Google Play Store and the official Apple App Store to secure themselves from such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   
- Download and install software only from official app stores like Google Play Store & Apple App Store
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- If you find this malicious application on your device, uninstall, or delete it immediately.
- Use the shared IOCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your devices, operating systems, and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Credential Access | T1539 | Steal Web Session Cookie |
| Collection | T1507 | Network Information Discovery |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Impact | T1565 | Manipulation |
If you are interested in a detailed list of IOCs, please reach out at contact@cyble.com.
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
Comments are closed.