Shulou Technology News & Howtos > Network Security. Updated 2025-01-29.
Shulou (Shulou.com) 05/31 Report
This article walks through the analysis of a family of malicious "cleaner" apps found on Google Play: how the apps behave, how they hide, and what kind of ad fraud they commit.
Several malicious applications (detected by Trend Micro as AndroidOS_BadBooster.HRX) were recently discovered on Google Play. They contact a remote malicious advertising configuration server, commit ad fraud, and can download as many as 3,000 malware variants or malicious payloads. Posing as utilities that improve device performance by cleaning, organizing, and deleting files, these apps were downloaded more than 470,000 times. The campaign has been active since 2017; Google Play has since removed the apps from the store.
According to the analysis, the 3,000 malware variants or payloads are downloaded to the device disguised as system apps that show no icon in the device launcher or app list. Attackers can use the affected device to post fake reviews in favor of the malicious apps and to commit ad fraud by clicking on pop-up ads.
Technical analysis
One app in the campaign, Speed Clean, does offer device-cleaning functions. While in use it shows pop-up ads, which by itself looks harmless for a mobile app.
Speed Clean also starts a transparent Activity in the background to hide its malicious behavior from the user.
A malicious service, "com.adsmoving.MainService" in the Java package "com.adsmoving", then connects to the remote ad configuration server to register the new infected install. After registration, Speed Clean starts pushing malicious ads to the user; the malicious ads and trojanized apps are shown on the app's "recommendation page".
Figure 6 shows the malware's network traffic.
After "alps-14065.apk" is installed, no icon appears in the device launcher or app list. It shows up instead as an app called "com.phone.sharedstorage", which can only be found under "Downloaded apps" in the device settings.
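Because the dropped payload keeps a package entry but no launcher activity, an analyst with adb access can enumerate such apps by diffing the third-party package list against the packages that resolve a MAIN/LAUNCHER intent. The following is an added example, not code from the original article or from Trend Micro's report; the package name com.example.speedclean and the adb output it parses are constructed for the example, and only com.phone.sharedstorage and the two adb commands named in the comments come from the text or from the Android tooling.

```python
# Added example: list third-party packages that expose no launcher activity,
# which is how the dropped payload (installed as "com.phone.sharedstorage")
# stays off the app list. It parses the output of two adb commands:
#   adb shell pm list packages -3
#   adb shell cmd package query-activities \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
import re


def third_party_packages(pm_output: str) -> set[str]:
    """Package names from `pm list packages -3` ("package:<name>" per line)."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


_PKG_LINE = re.compile(r"^\s*packageName=(\S+)\s*$")
_BRIEF_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)/\S+\s*$")


def launcher_packages(query_output: str) -> set[str]:
    """Package names that resolve a MAIN/LAUNCHER intent, taken from
    `cmd package query-activities` output in either its verbose form
    ("packageName=<pkg>" lines) or its --brief form ("<pkg>/<activity>")."""
    found = set()
    for line in query_output.splitlines():
        m = _PKG_LINE.match(line) or _BRIEF_LINE.match(line)
        if m:
            found.add(m.group(1))
    return found


def hidden_third_party(pm_output: str, query_output: str) -> list[str]:
    """Third-party packages with no launcher entry, sorted for stable output."""
    return sorted(third_party_packages(pm_output) - launcher_packages(query_output))


# Constructed sample output shaped like the real commands' output; it is not a
# capture from an infected device, and com.example.speedclean is hypothetical.
SAMPLE_PM = """\
package:com.example.speedclean
package:com.phone.sharedstorage
package:org.mozilla.firefox
"""

SAMPLE_QUERY = """\
Activity #0:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=com.example.speedclean.MainActivity
    packageName=com.example.speedclean
Activity #1:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=org.mozilla.firefox.App
    packageName=org.mozilla.firefox
Activity #2:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=com.android.settings.Settings
    packageName=com.android.settings
"""

if __name__ == "__main__":
    for pkg in hidden_third_party(SAMPLE_PM, SAMPLE_QUERY):
        print("no launcher icon:", pkg)
```

Treat the result as a triage list rather than a verdict: keyboards, widget-only apps, and some SDK-style helper packages legitimately have no launcher activity, so each hit still needs a look at its manifest and its installer (`pm list packages -i` shows which package installed it).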
Like ANDROIDOS_TOASTAMIGO, one of the Android malware families detected in 2017, the Speed Clean apps can download malware variants or payloads that perform different kinds of ad fraud. Typical fraud techniques used in this campaign:
1. Simulate user clicks on ads. The malicious apps are integrated with legitimate mobile ad platforms such as Google AdMob and Facebook.
2. Install apps served by the ad platform into a virtual environment so the user does not notice them.
3. Trick the user into granting accessibility permission and disabling Google Play Protect, so the payload can download and install more malicious apps without being noticed.
4. Use the affected device to post fake reviews.
5. Use the accessibility service to log in to the malware with the user's Google and Facebook accounts.
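Most of the behaviors described above (the transparent activity, the com.adsmoving service, the accessibility service the user is tricked into enabling, the ability to install further packages, and the missing launcher entry) leave traces in the app's manifest, so a decoded AndroidManifest.xml (for example from apktool) can be screened before any dynamic analysis. The following is an added example, not code from the original article or from Trend Micro's report; the two sample manifests are constructed, the package name com.example.speedclean and the activity and service names other than com.adsmoving.MainService and com.phone.sharedstorage are hypothetical, and the check goes somewhat beyond the text by also flagging REQUEST_INSTALL_PACKAGES, the permission an app needs to install the payloads the text describes.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the
# indicators discussed in the text. The sample manifests are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> list[tuple[str, str]]:
    """Return (indicator, subject) pairs found in the manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    has_launcher = False

    for act in ([] if app is None else app.iter("activity")):
        name = _attr(act, "name") or ""
        theme = _attr(act, "theme") or ""
        # Only the framework's Translucent themes are caught here; a custom
        # theme that sets windowIsTranslucent needs res/values/styles.xml too.
        if "Translucent" in theme:
            findings.append(("translucent_activity", name))
        for filt in act.iter("intent-filter"):
            actions = {_attr(a, "name") for a in filt.iter("action")}
            cats = {_attr(c, "name") for c in filt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True
    if not has_launcher:
        findings.append(("no_launcher_activity", pkg))

    for svc in ([] if app is None else app.iter("service")):
        name = _attr(svc, "name") or ""
        if name.startswith("com.adsmoving."):
            findings.append(("adsmoving_service", name))
        if _attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(("accessibility_service", name))

    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append(("requests_install_packages", pkg))
    return findings


# Constructed sample: a "cleaner" dropper shaped like the Speed Clean
# behavior described above (package and class names are hypothetical).
CLEANER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.speedclean">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Speed Clean">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".HiddenActivity"
              android:theme="@android:style/Theme.Translucent.NoTitleBar"/>
    <service android:name="com.adsmoving.MainService"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a dropped payload with no launcher entry.
PAYLOAD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.phone.sharedstorage">
  <application android:label="sharedstorage">
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (CLEANER_MANIFEST, PAYLOAD_MANIFEST):
        for indicator, subject in triage_manifest(sample):
            print(f"{indicator}: {subject}")
```

None of these indicators is malicious on its own: a translucent activity is common in share sheets, and legitimate accessibility services exist. The combination of an accessibility service, install permission, and a hidden-icon payload is what matches the behavior described in this campaign, so score the findings together rather than alerting on any single one.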
Information on the malware variants and malicious payloads associated with this campaign is as follows:
The most heavily affected countries and regions were Japan, Taiwan, the United States, India, and Thailand.
The country code in the request's geographic parameter can be changed to any value, even a random nonexistent country code, and the remote ad configuration server still returns malicious content. Chinese users, however, are excluded from the campaign.