Rise of Banking Trojan Dropper in Google Play

The Zscaler ThreatLabz team recently discovered the Xenomorph banking Trojan embedded in a Google Play Store Lifestyle app. The app is called “Todo: Day manager” and has over 1,000 downloads. This is the latest in a disturbing series of malware lurking in the Google Play Store: in the past 3 months, ThreatLabz has reported over 50 apps resulting in over 500,000 downloads, incorporating malware families such as Joker, Harly, Coper and Adfraud.

Fig no 1. Malware install from Play Store

Xenomorph is a Trojan that steals credentials from banking apps on users’ devices. It is also capable of intercepting SMS messages and user notifications, allowing it to steal one-time passwords and multi-factor authentication requests.

Our analysis revealed that the Xenomorph banking malware is downloaded from GitHub, disguised as a fake Google Service application, once the app is installed. It starts by asking the user to enable an access permission. Once granted, it adds itself as a Device Admin and prevents the user from disabling Device Admin, which makes it impossible to uninstall from the phone. Xenomorph then creates overlays on legitimate banking apps to trick users into entering their credentials.

A similar infection cycle was observed three months ago with the Coper banking Trojan. That Trojan was also embedded in Google Play Store apps and pulled its malware payload from a GitHub repository.

Technical details

Below is the Xenomorph infection cycle once a user downloads an app and opens it.

Fig no 2. Flow of infection

When the app is first opened, it contacts a Firebase server to get the URL of the banking malware payload. It then downloads the malicious Xenomorph Banking Trojan samples from GitHub. The banking malware then contacts its command and control (C2) servers, whose addresses are decoded either from the content of a Telegram page or from a static routine in the code, to request further commands and extend the infection.

The malware downloader, i.e. the parent app published on Google Play, reads its configuration from its Firebase database.

Fig no 3. Malware activates downloader.

Fig no 4. The downloader is not activated.

As shown in the screenshots above, the malware only downloads the banking payload if the “Enabled” setting in that configuration is set to true.

The following screenshot shows how the malware uses GitHub links stored in the Firebase database to download the Xenomorph payloads:

Fig no 5. Malware writes dropper URLs to the local Firebase database

The screenshots in Figures 6 and 7 below show C2 retrieval from a Telegram page. The banking payload carries the link to the Telegram page encrypted with RC4. Upon execution, the banking payload contacts the Telegram page and downloads the content hosted there.

Fig no 6. Use of the Telegram link response to create a C2, in addition to the static encrypted C2 present in the app

Fig no 7. Preview of the Telegram channel, where the string between the emoji hearts is used to create the C2

As the following screenshot shows, the payload decrypts the C2 server address from the downloaded content:

Fig no 8. Decoding the C2 from the Telegram content
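As an added example, not code from Zscaler or from the malware, the following Python script shows how an analyst would reproduce the C2 recovery just described on a saved copy of the Telegram page: locate the text between two heart emojis, treat it as RC4 ciphertext and decrypt it, discarding anything that does not decrypt to a host-like string. The post only says "emoji hearts" and "RC4", so the red heart (U+2764 U+FE0F), the hex encoding of the ciphertext, the key, the page markup and the sample C2 address are all assumptions or constructed values.

```python
import re

# Assumption: the delimiter is the red heart emoji; the post only says
# "emoji hearts", so the delimiter is left as a parameter.
HEART = "\u2764\ufe0f"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                              # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_between_hearts(page: str, delim: str = HEART) -> list:
    """Return every run of text enclosed by a pair of delimiter emojis."""
    pattern = re.escape(delim) + r"(.*?)" + re.escape(delim)
    return [m.strip() for m in re.findall(pattern, page, flags=re.S)]


# A decrypted C2 is only accepted if it looks like a hostname or URL.
HOSTLIKE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-:/_]*$")


def recover_c2s(page: str, key: bytes, delim: str = HEART) -> list:
    """Decode candidate C2 addresses from a saved Telegram page.

    Assumption: the blob between the hearts is hex-encoded RC4 ciphertext.
    Blobs that are not hex, not UTF-8 after decryption, or not host-like
    are skipped rather than reported as a C2.
    """
    found = []
    for blob in extract_between_hearts(page, delim):
        try:
            plain = rc4(key, bytes.fromhex(blob)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if HOSTLIKE.match(plain):
            found.append(plain)
    return found


# Constructed sample: a made-up key and C2 address, encrypted here so that the
# page below round-trips; nothing in it comes from the real campaign. The
# second heart pair holds filler that must be skipped.
SAMPLE_KEY = b"constructed-key"
SAMPLE_C2 = "c2.example.invalid"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_C2.encode()).hex()
SAMPLE_PAGE = (
    '<div class="tgme_widget_message_text">'
    f"{HEART}{SAMPLE_BLOB}{HEART} some filler text "
    f"{HEART}not ciphertext{HEART}"
    "</div>"
)

if __name__ == "__main__":
    print(recover_c2s(SAMPLE_PAGE, SAMPLE_KEY))   # prints ['c2.example.invalid']
```

In a real triage the key comes from the unpacked payload (the post shows it as an RC4-encrypted string in the app), and the page is fetched once and saved, so the extractor can be rerun offline as the channel content changes.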

ThreatLabz also observed RC4-encrypted C2 domains stored statically in the code. The following screenshot shows the C2 request in which the payload sends the list of all installed applications to the C2 in order to receive further instructions. If a targeted banking app is installed on the infected device, the payload presents a fake login page for that app.

Fig no 9. Malware uploading the installed package information to receive commands

ThreatLabz has also observed another application, named “経費キーパー” (Expense Keeper), exhibiting similar behavior. When this application was executed, the “Enabled” parameter was set to false, as in the execution shown in Figure 4. Because of this, it was not possible to retrieve the dropper URL for the banking payload. ThreatLabz is working with Google’s security team on this.

Fig no 10. Suspicious installer exhibiting the same behavior

IoC

Dropper apps on Google Play (package name / hash)

com.todo.daymanager      d81f9c03c412b11df357f0878c9c5cad9319c7eea11b5c46d0c624995bc09563
com.setprice.expenses    58d634230951ee7699a4b4740e12be8e93a28bd183f61447832bd1d5d98160d8

Xenomorph Banking Trojan payloads (package name / MD5)

njuknf.cpvmqe.degjia     b8b8706807a97c40940109a93058c3d0
ylyove.pkmcsy.upvpta     98ea3fe61fde0c053dfac61977a11488
ylykau.jhfxjd.hlhhwl     df57895cfc79ee8812aac5756ab4bcc8
lkvrny.bbslie.mrgsdy     73511ef7bb9d59b3d91dbeef5f93eec0
gkapsv.nlitfn.fzteaf     f0b001dbe36f45cedcb15e3f9fc02fd7
binono.bgcwvl.iupqtk     8437e226e55ba6dea9a168bee5787b0d
cfbyzn.zhxxjj.sziece     8f66412e945ca9a75797d5f5eba9765c
gfgnfe.rcsjkm.abwxdj     6a117cafa32a680dc94f455745291f0f
usyjui.monkab.acacpn     cb9500f910bd655df444f7d43d0298f9
gnvbgm.ipblyp.bpnyrg     d95c03247a58d3fabb476a7f3241f3a1
xsgrsn.nicojr.uaqxws     cd63afae858fdf75f34aae05e36b8a34
xhlkae.ligagt.dmihjy     c5d510251a34f52427d133a6f9248cbf
qlvsvm.oqsncp.otgbxc     781bbaee614697beecfcbe9a2f9dd820
rxreyj.obxmlg.rjluib     49c4801abb6c92d17c8021c2f656c644
brpdxm.orolnd.jsxhrp     1829589d95bdd2c30f0bef154decd426
wwzaqw.eejyqr.czrldy     e834676cdbd63ce4eb613499605dc365
ogbfbt.rhrnua.kccuoh     9e498ba660bdcb279149e6a5986c2793
lnckvn.vlmjxx.uwcpub     4b2e849543b0ecaec1885170a5ef5243
vjqfyn.ygmzrs.trlvch     7e4f1deb5b21d47a7c41ef1a5f43a2f2
blglyu.rjqwgg.vveize     7f574986dc8a03e6a4cba60d1ac4f7d1

C2

hxxps[://]github[.]com/blsmcamp/updt
gogoanalytics[.]click
gogoanalytics[.]digital
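As an added example, not Zscaler's tooling, the following Python script shows how a defender would operationalize the indicators listed above: refang the defanged values and match them against a device's installed-package list and against DNS and proxy logs. The package names and C2 values are copied from the list above; the log formats, device names, timestamps and the path under the GitHub URL are constructed for the example. The GitHub indicator is matched as a URL prefix rather than as a domain, since github.com on its own is not an indicator.

```python
import re
from typing import Dict, List, Tuple

# Indicators as published in this post (defanged form kept as-is).
DROPPER_PACKAGES = {"com.todo.daymanager", "com.setprice.expenses"}
PAYLOAD_PACKAGES = {
    "njuknf.cpvmqe.degjia", "ylyove.pkmcsy.upvpta", "ylykau.jhfxjd.hlhhwl",
    "lkvrny.bbslie.mrgsdy", "gkapsv.nlitfn.fzteaf", "binono.bgcwvl.iupqtk",
    "cfbyzn.zhxxjj.sziece", "gfgnfe.rcsjkm.abwxdj", "usyjui.monkab.acacpn",
    "gnvbgm.ipblyp.bpnyrg", "xsgrsn.nicojr.uaqxws", "xhlkae.ligagt.dmihjy",
    "qlvsvm.oqsncp.otgbxc", "rxreyj.obxmlg.rjluib", "brpdxm.orolnd.jsxhrp",
    "wwzaqw.eejyqr.czrldy", "ogbfbt.rhrnua.kccuoh", "lnckvn.vlmjxx.uwcpub",
    "vjqfyn.ygmzrs.trlvch", "blglyu.rjqwgg.vveize",
}
C2_URLS = ["hxxps[://]github[.]com/blsmcamp/updt"]          # path-level indicator
C2_DOMAINS = ["gogoanalytics[.]click", "gogoanalytics[.]digital"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return (ioc.replace("hxxp", "http")
               .replace("[://]", "://")
               .replace("[.]", ".")
               .replace("(.)", ".")).lower()


def match_packages(pm_output: str) -> Dict[str, str]:
    """Classify lines of `adb shell pm list packages` output against the IoCs."""
    hits = {}
    for line in pm_output.splitlines():
        pkg = line.strip()
        if pkg.startswith("package:"):
            pkg = pkg[len("package:"):]
        if pkg in DROPPER_PACKAGES:
            hits[pkg] = "dropper"
        elif pkg in PAYLOAD_PACKAGES:
            hits[pkg] = "xenomorph-payload"
    return hits


def _same_or_subdomain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def match_dns(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Match the queried name (assumed to be the last field) against C2 domains."""
    domains = [refang(d) for d in C2_DOMAINS]
    hits = []
    for line in log_lines:
        name = line.split()[-1].lower().rstrip(".")
        for d in domains:
            if _same_or_subdomain(name, d):
                hits.append((name, d))
    return hits


def match_urls(log_lines: List[str]) -> List[str]:
    """Match full URLs (assumed to be the last field) against C2 URL prefixes."""
    prefixes = [refang(u) for u in C2_URLS]
    hits = []
    for line in log_lines:
        url = line.split()[-1].lower()
        if any(url.startswith(p) for p in prefixes):
            hits.append(url)
    return hits


# Constructed sample inputs (device names, timestamps and the URL path are
# made up for this example).
SAMPLE_PM = """package:com.android.chrome
package:com.todo.daymanager
package:njuknf.cpvmqe.degjia
"""
SAMPLE_DNS = [
    "2022-11-10T10:00:01Z device-01 A gogoanalytics.digital",
    "2022-11-10T10:00:02Z device-01 A www.gogoanalytics.click",
    "2022-11-10T10:00:03Z device-02 A analytics.google.com",
]
SAMPLE_PROXY = [
    "2022-11-10T10:00:04Z device-01 GET https://github.com/blsmcamp/updt/raw/main/payload.apk",
    "2022-11-10T10:00:05Z device-02 GET https://github.com/octocat/Hello-World",
]

if __name__ == "__main__":
    print(match_packages(SAMPLE_PM))
    print(match_dns(SAMPLE_DNS))
    print(match_urls(SAMPLE_PROXY))
```

The payload package names are randomly generated per sample, so the package match only catches the samples in this list; the DNS and URL matches are the more durable signal, and a subdomain match (`www.gogoanalytics.click`) is treated as a hit deliberately.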

Conclusion

At Zscaler, we proactively detect and monitor these applications to secure our customers. These banking phishing installers mostly rely on deceiving users into installing malicious applications. Users are advised to pay attention to the apps they install: a Play Store app is not meant to sideload other apps or ask users to install from unknown sources. We believe that hostile phishing downloaders will further increase in prevalence in the future. User vigilance is of the utmost importance in defeating these phishing campaigns.

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed written by Himanshu Sharma. Read the original post at: https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
