How Trojans manipulate Google Play - Securelist
Nikita Buchka
https://securelist.com/blog/research/75894/howtrojansmanipulategoogleplay/
9/20/2016

For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual.

Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store's client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners' knowledge, as well as leave comments and rate apps. The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the excessive traffic created. In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users' bills.

Let us look into how such manipulations of Google Play happen.
Level 1. N00b
The first method is to make the official Google Play app store undertake the actions the cybercriminal wants. The idea is to use the Trojan to launch the client, open the page of the required app in it, then search for and use special code to interact with the interface elements (buttons) to cause download, installation and launch of the application. The misused interface elements are outlined with red boxes in the screenshots below:

The exact methods of interaction with the interface vary. In general, the following techniques may be identified:

1. Use of the Accessibility services of the operating system (used by modules in Trojan.AndroidOS.Ztorg).
2. Imitation of user input (used by Trojan-Clicker.AndroidOS.Gopl.c).
3. Code injection into the process of the Google Play client to modify its operation (used by Trojan.AndroidOS.Iop).

To see how such Trojans operate, let us look at the example of Trojan.AndroidOS.Ztorg.n. This malicious program uses Accessibility services, originally intended for creating applications that help people with disabilities, such as GUI voice control apps. The Trojan receives a job from the command and control server (C&C) which contains a link to the required application, opens it in Google Play, and then launches the following code:

This code is needed to detect when the required interface element appears on the screen, and to emulate the click on it. This way, the following buttons are clicked in sequence: BUY (the price is shown in the button), ACCEPT and CONTINUE. This is sufficient to purchase the app, if the user has a credit card with sufficient balance connected to his/her Google account.
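One way an analyst can triage APKs for the Level 1 pattern above is to look for a declared AccessibilityService whose configuration is aimed at the Google Play client package. The script below is an added example, not code from the article or from the Trojans it describes; the manifest, the "flashlight" package name and the accessibility config it parses are constructed inputs in the format apktool produces.

```python
"""Static triage for Accessibility-service abuse (added example, not from the article).

Given a decoded AndroidManifest.xml and the referenced accessibility-service
config XML, flag apps that bind an AccessibilityService and point it at the
Google Play client: the pattern used to click BUY / ACCEPT / CONTINUE on the
user's behalf.  All sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PLAY_CLIENT = "com.android.vending"

def attr(el, name):
    """Read an attribute from the android: namespace ("" if absent)."""
    return el.get(f"{{{ANDROID_NS}}}{name}", "")

def find_accessibility_services(manifest_xml: str) -> list:
    """Class names of <service> elements guarded by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return [attr(s, "name") for s in root.iter("service") if attr(s, "permission") == BIND_A11Y]

def targets_play_client(a11y_config_xml: str) -> bool:
    """True if android:packageNames restricts the service to the Play client."""
    pkgs = attr(ET.fromstring(a11y_config_xml), "packageNames")
    return PLAY_CLIENT in [p.strip() for p in pkgs.split(",")]

def triage(manifest_xml: str, a11y_config_xml: str) -> dict:
    """Combine both checks into a verdict for the analyst."""
    services = find_accessibility_services(manifest_xml)
    aimed = bool(services) and targets_play_client(a11y_config_xml)
    return {"accessibility_services": services, "targets_play_client": aimed, "suspicious": aimed}

# Constructed sample: a "flashlight" app declaring a Play-targeted accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <service android:name=".ClickService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
      <meta-data android:name="android.accessibilityservice" android:resource="@xml/a11y"/>
    </service>
  </application>
</manifest>"""
SAMPLE_A11Y_CONFIG = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged|typeWindowContentChanged"
    android:packageNames="com.android.vending" android:canRetrieveWindowContent="true"/>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_A11Y_CONFIG))
```

A flashlight app that needs to read and act on the Play client's window content is a strong triage hit; a legitimate assistive app will normally declare no packageNames restriction or a much broader one.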
Level 2. Pro
Some malware writers take roads less traveled. Instead of using the easy and reliable way described above, they create their own client for the app store using its HTTPS API.

The difficult part about this approach is that the operation of the self-made client requires information (e.g. user credentials and authentication tokens) which is not available to a regular app. However, the cybercriminals are very fortunate that all required data are stored on the device in clear text, in the convenient SQLite format. Access to the data is limited by the Android security model; however, apps may abuse it, e.g. by rooting the device and thus gaining unlimited access.

For example, some versions of Trojan.AndroidOS.Guerrilla.a have their own client for Google Play, which is distributed with the help of the rooter Leech. This client successfully fulfils the task of downloading and installing free and paid apps, and is capable of rating apps and leaving comments in the Google store.

After launch, Guerrilla starts to collect the following required information:

1. The credentials to the user's Google Play account.
   Activities in Google Play require special tokens that are generated when the user logs in. When the user is already logged into Google Play, the Trojan can use the locally cached tokens. They can be located through a simple search of the database located at /data/system/users/0/accounts.db:
   With the help of the code below, the Trojan checks if there are ready tokens on the infected device, i.e. if the user has logged on and can do activities in Google Play:
   If no such tokens are available, the Trojan obtains the user's username and hashed password, and authenticates via OAuth:
2. Android_id is the device's unique ID.
3. Google Service Framework ID is the device's identifier across Google services.
   First, the Trojan attempts to obtain this ID using regular methods. If these fail for whatever reason, it executes the following code:
4. Google Advertising ID is the unique advertising ID provided by Google Play services.
   Guerrilla obtains it as follows:
5. In a similar way, the Trojan obtains hashed data about the device from the file /data/data/com.google.android.gms/shared_prefs/Checkin.xml.

When the Trojan has collected the above data, it begins to receive tasks to download and install apps. Below is the structure of one such task:

The Trojan downloads the application by sending POST requests to the links below:

1. https://android.clients.google.com/fdfe/search: a search is undertaken for the request sent by the cybercriminals. This request is needed to simulate the user's interaction with the Google Play client. (The main scenario of installing apps from the official client presupposes that the user first does the search request and only then visits the app's page.)
2. https://android.clients.google.com/fdfe/details: with this request, additional information needed to download the app is collected.
3. https://android.clients.google.com/fdfe/purchase: the token and purchase details are downloaded, to be used in the next request.
4. https://android.clients.google.com/fdfe/delivery: the Trojan receives the URL and the cookie files required to download the Android application package (APK) file.
5. https://android.clients.google.com/fdfe/log: the download is confirmed (so the download counter is incremented).
6. https://android.clients.google.com/fdfe/addReview: the app is rated and a comment is added.

When creating the requests, the cybercriminals attempted to simulate as accurately as possible the equivalent requests sent by the official client. For example, the set of HTTP headers below is used in each request:

After the request is executed, the app may (optionally) get downloaded, installed (using the command pm install -r, which allows installation of applications without the user's consent) and launched.
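Because the headers are copied from the official client, content inspection alone will not separate Guerrilla's requests from legitimate ones; what does separate them is the originating package. The detector below is an added example, not code from the article: it takes per-app request records (a constructed '<epoch> <package> <METHOD> <url>' format, as an on-device monitor with UID-to-package attribution might emit), flags any package other than the Play client or Play services talking to the fdfe endpoints, and checks whether the purchase, delivery and log chain described above was completed.

```python
"""Spot a self-made Google Play client (added example, not from the article).

Only the official client (com.android.vending) and Google Play services should
talk to android.clients.google.com/fdfe/*.  Given per-app request records, as an
on-device monitor with UID-to-package attribution could emit, this reports any
other package and the fdfe call chain it walked.  Records here are constructed.
"""
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

FDFE_HOST = "android.clients.google.com"
ALLOWED_PACKAGES = {"com.android.vending", "com.google.android.gms"}

def fdfe_endpoint(url: str) -> Optional[str]:
    """Name of the fdfe endpoint (search, details, purchase, ...) or None."""
    parts = urlsplit(url)
    if parts.hostname == FDFE_HOST and parts.path.startswith("/fdfe/"):
        return parts.path.split("/")[2] or None
    return None

def find_rogue_clients(lines: list) -> dict:
    """Map unauthorised package -> fdfe endpoints POSTed, from '<epoch> <pkg> <METHOD> <url>' records."""
    chains = defaultdict(list)
    for line in lines:
        _ts, pkg, method, url = line.split(maxsplit=3)
        ep = fdfe_endpoint(url)
        if ep and method == "POST" and pkg not in ALLOWED_PACKAGES:
            chains[pkg].append(ep)
    return dict(chains)

def completes_install_chain(endpoints: list) -> bool:
    """True if purchase, delivery and log occur in that order: an APK was fetched."""
    want, i = ["purchase", "delivery", "log"], 0
    for ep in endpoints:
        if i < len(want) and ep == want[i]:
            i += 1
    return i == len(want)

# Constructed records: the official client followed by a rogue "flashlight" app.
SAMPLE_LOG = """\
1466000000 com.android.vending POST https://android.clients.google.com/fdfe/details?doc=com.example.game
1466000005 com.example.flashlight POST https://android.clients.google.com/fdfe/search?q=example
1466000006 com.example.flashlight POST https://android.clients.google.com/fdfe/details?doc=com.example.game
1466000007 com.example.flashlight POST https://android.clients.google.com/fdfe/purchase
1466000008 com.example.flashlight POST https://android.clients.google.com/fdfe/delivery
1466000011 com.example.flashlight POST https://android.clients.google.com/fdfe/log
1466000030 com.example.flashlight POST https://android.clients.google.com/fdfe/addReview
""".splitlines()
```

On a rooted device the Trojan can of course tamper with the monitor itself, so this attribution is most useful when collected off-device (for example by a VPN-based or enterprise proxy that records the originating UID).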
Conclusion
The Trojans that use the Google Play app to download, install and launch apps from the store onto a smartphone without the device owner's consent are typically distributed by rooters: malicious programs which have already gained the highest possible privileges on the device. It is this particular fact that allows them to launch such attacks on the Google Play client app.

This type of malicious program poses a serious threat: in Q2 2016, different rooters occupied more than half of the Top 20 of mobile malware. All the more so, rooters can download not only malicious programs that compromise the Android ecosystem and spend the users' money on purchasing unnecessary paid apps, but other malware as well.