How Trojans Manipulate Google Play

9/20/2016
HowTrojansmanipulateGooglePlaySecurelist
How Trojans manipulate Google Play

By Nikita Buchka on August 31, 2016. 8:57 am
RESEARCH
GOOGLE ANDROID
Nikita Buchka
Formalwarewriters,GooglePlayisthepromisedlandofsorts.Oncethere,amaliciousapplicationgains
accesstoawideaudience,gainsthetrustofthataudienceandexperiencesadegreeofleniencyfromthe
securitysystemsbuiltintooperatingsystems.Onmobiledevices,userstypicallycannotinstallapplications
comingfromsourcesotherthantheofficialstore,meaningthisisaseriousbarrierforanappwith
maliciousintent.However,itisfarfromeasyfortheapptogetintoGooglePlay:oneofthemain
conditionsforitistopassarigorouscheckforunwantedbehaviorbydifferentanalysissystems,both
automaticandmanual.
Somemalwarewritershavegivenupontheireffortstopushtheirmaliciouscreationspastsecuritychecks,
andinsteadlearnedhowtousethestoresclientappfortheirunscrupulousgains.Lately,wehaveseen
manyTrojansusetheGooglePlayappduringpromotioncampaignstodownload,installandlaunchapps
onsmartphoneswithouttheownersknowledge,aswellasleavecommentsandrateapps.Theapps
installedbytheTrojandonottypicallycausedirectdamagetotheuser,butthevictimmayhavetopayfor
thecreatedexcessivetraffic.Inaddition,theTrojansmaydownloadandinstallpaidappsasiftheywere
https://securelist.com/blog/research/75894/howtrojansmanipulategoogleplay/
1/10
9/20/2016
freeones,furtheraddingtotheusersbills.
LetuslookintothemethodshowsuchmanipulationswithGooglePlayhappen.
Level 1. N00b
ThefirstmethodistomaketheofficialGooglePlayappstoreundertaketheactionsthecybercriminal
wants.TheideaistousetheTrojantolaunchtheclient,openthepageoftherequiredappinit,then
searchforandusespecialcodetointeractwiththeinterfaceelements(buttons)tocausedownload,
installationandlaunchoftheapplication.Themisusedinterfaceelementsareoutlinedwithredboxesin
thescreenshotsbelow:
Theexactmethodsofinteractionwiththeinterfacevary.Ingeneral,thefollowingtechniquesmaybe
identified:
1.UseoftheAccessibilityservicesoftheoperatingsystem(usedbymodulesin
Trojan.AndroidOS.Ztorg).
2/10
9/20/2016
2.Imitationofuserinput(usedbyTrojanClicker.AndroidOS.Gopl.c).
3.CodeinjectionintotheprocessofGooglePlayclienttomodifyitsoperation(usedby
Trojan.AndroidOS.Iop).
ToseehowsuchTrojansoperate.LetuslookattheexampleofTrojan.AndroidOS.Ztorg.n.Thismalicious
programusesAccessibilityservicesoriginallyintendedtocreateapplicationstohelppeoplewith
disabilities,suchasGUIvoicecontrolapps.TheTrojanreceivesajobfromthecommandandcontrol
server(C&C)whichcontainsalinktotherequiredapplication,opensitinGooglePlay,andthenlaunches
thefollowingcode:
Thiscodeisneededtodetectwhentherequiredinterfaceelementappearsonthescreen,andtoemulate
theclickonit.Thisway,thefollowingbuttonsareclickedinasequence:BUY(thepriceisshowninthe
button),ACCEPTandCONTINUE.Thisissufficienttopurchasetheapp,iftheuserhasacreditcard
withsufficientbalanceconnectedtohis/herGoogleaccount.
Level 2. Pro
Somemalwarewriterstakeroadslesstraveled.Insteadofusingtheeasyandreliablewaydescribed
above,theycreatetheirownclientfortheappstoreusingHTTPSAPI.
3/10
9/20/2016
Thedifficultpartaboutthisapproachisthattheoperationoftheselfmadeclientrequiresinformation(e.g.
usercredentialsandauthenticationtokens)whichisnotavailabletoaregularapp.However,the
cybercriminalsareveryfortunatethatallrequireddataarestoredonthedeviceincleartext,inthe
convenientSQLiteformat.AccesstothedataislimitedbytheAndroidsecuritymodel,howeverappsmay
abuseite.g.byrootingthedeviceandthusgainingunlimitedaccess.
Forexample,someversionsoftheTrojan.AndroidOS.Guerrilla.ahavetheirownclientforGooglePlay,
whichisdistributedwiththehelpoftherooterLeech.Thisclientsuccessfullyfulfilsthetaskofdownloading
andinstallingfreeandpaidapps,andiscapableofratingappsandleavingcommentsintheGoogle
store.
Afterlaunch,Guerrillastartstocollectthefollowingrequiredinformation:
1.ThecredentialstotheusersGooglePlayaccount.
4/10
9/20/2016
ActivitiesinGooglePlayrequirespecialtokensthataregeneratedwhentheuserlogsin.Whenthe
userisalreadyloggedintoGooglePlay,theTrojancanusethelocallycachedtokens.Theycanbe
locatedthroughasimplesearchthroughthedatabaselocatedat
/data/system/users/0/accounts.db:
Withthehelpofthecodebelow,theTrojanchecksiftherearereadytokensontheinfecteddevice,
i.e.iftheuserhasloggedonandcandoactivitiesinGooglePlay:
Ifnosuchtokensareavailable,theTrojanobtainstheusersusernameandhashedpassword,and
authenticatesviaOAuth:
5/10
9/20/2016
6/10
9/20/2016
2.Android_idisthedevicesuniqueID.
3.GoogleServiceFrameworkIDisthedevicesidentifieracrossGoogleservices.
First,theTrojansattemptstoobtainthisIDusingregularmethods.Ifthesefailforwhateverreason,it
executesthefollowingcode:
4.GoogleAdvertisingIDistheuniqueadvertisingIDprovidedbyGooglePlayservices.
7/10
9/20/2016
Guerrillaobtainsitasfollows:
5.Inasimilarway,theTrojanobtainshasheddataaboutthedevicefromthefile
/data/data/com.google.android.gms/shared_prefs/Checkin.xml.
WhentheTrojanhascollectedtheabovedata,itbeginstoreceivetaskstodownloadandinstallapps.
Belowisthestructureofonesuchtask:
TheTrojandownloadstheapplicationbysendingPOSTrequestsusingthelinksbelow:
1.https://android.clients.google.com/fdfe/search:asearchisundertakenfortherequestsentbythe
8/10
9/20/2016
cybercriminals.ThisrequestisneededtosimulatetheusersinteractionwiththeGooglePlayclient.
(Themainscenarioofinstallingappsfromtheofficialclientpresupposesthattheuserfirstdoesthe
searchrequestandonlythenvisitstheappspage).
2.https://android.clients.google.com/fdfe/details:withthisrequest,additionalinformationneededto
downloadtheappiscollected.
3.https://android.clients.google.com/fdfe/purchase:thetokenandpurchasedetailsaredownloaded,
usedinthenextrequest.
4.https://android.clients.google.com/fdfe/delivery:theTrojanreceivestheURLandthecookiefiles
requiredtodownloadtheAndroidapplicationpackage(APK)file.
5.https://android.clients.google.com/fdfe/log:thedownloadisconfirmed(sothedownloadcounteris
incremented.)
6.https://android.clients.google.com/fdfe/addReview:theappisratedandacommentisadded.
Whencreatingtherequests,thecybercriminalsattemptedtosimulatemostaccuratelytheequivalent
requestssentbytheofficialclient.Forexample,thebelowsetofHTTPheadersisusedineachrequest:
Aftertherequestisexecuted,theappmay(optionally)getdownloaded,installed(usingthecommandpm
installrwhichallowsforinstallationofapplicationswithouttheusersconsent)andlaunched.
Conclusion
TheTrojansthatusetheGooglePlayapptodownload,installandlaunchappsfromthestoretoa
smartphonewithoutthedeviceownersconsentaretypicallydistributedbyrootersmaliciousprograms
whichhavealreadygainedthehighestpossibleprivilegesonthedevice.Itisthisparticularfactthatallows
9/10
9/20/2016
themtolaunchsuchattacksontheGooglePlayclientapp.
Thistypeofmaliciousprogramposeaseriousthreat:inQ22016,differentrootersoccupiedmorethana
halfoftheTop20ofmobilemalware.Allthemoreso,rooterscandownloadnotonlymaliciousprograms
thatcompromisetheAndroidecosystemandspendtheusersmoneyonpurchasingunnecessarypaid
apps,butothermalwareaswell.
Related Posts
THE BANKER THAT CAN
ROOTING POKMONS IN
GUGI: FROM AN SMS
STEAL ANYTHING
GOOGLE PLAY STORE
TROJAN TO A MOBILEBANKING TROJAN
10/10

How Trojans Manipulate Google Play - Securelist PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How Trojans Manipulate Google Play - Securelist PDF

Uploaded by

Copyright:

Available Formats

9/20/2016

GUGI: FROM AN SMS

GOOGLE PLAY STORE

TROJAN TO A MOBILEBANKING TROJAN

You might also like