SonicWall Security Center


Self-installing porn apps rampage the Android ecosystem (June 17, 2016)



Description


The Dell SonicWall Threats Research team observed a high volume of porn-related Android applications (APKs) that, after infecting a device, download further porn apps in order to propagate. Over 4000 apps with similar functionality were observed in the two weeks before this blog was written. These apps bombard the victim's device with advertisements soliciting the installation of other porn-related apps, and they do so using several different installation techniques.

Some of the installed porn apps sent SMS messages to premium-rate numbers, while others snooped on the SMS messages already present on the device. Beyond SMS, other sensitive device-related information was sent to a number of domains that have been flagged as malicious by sources such as VirusTotal and Scumware.

Code Inspection

We have previously reported on malware that loads malicious code from a library file stored in the resource section, and most of the porn apps from this campaign that we investigated exhibit similar behavior. The DEX file, which usually holds an app's core code, contains only minimal code in the apps from this campaign. In most of them a library file is loaded at runtime, and this library file contains most of the code. This technique is used to escape automated analysis by sandboxes and other security solutions. The image below shows a library file being loaded with System.loadLibrary, and the corresponding library file in the resources of one of the porn apps:
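A static triage check for the pattern just described (a thin classes.dex that hands off to a native library shipped outside lib/), written as an added example and not code from the original post. The APK is constructed in memory; its DEX bytes only imitate the length-prefixed, NUL-terminated string layout of a real DEX, and the file name res/raw/payload.so is assumed, since the post does not name the library.

```python
import io
import zipfile

# Constructed stand-in for one of the campaign's APKs (not a real sample): a
# tiny classes.dex whose string section references System.loadLibrary, and a
# native library stored under res/raw/ rather than lib/<abi>/. The DEX bytes
# only mimic the length-prefixed, NUL-terminated string layout of a real DEX.
_FAKE_DEX = (b"dex\n035\x00" + bytes(64)
             + b"\x12Ljava/lang/System;\x00" + b"\x0bloadLibrary\x00" + b"\x07payload\x00")
_FAKE_SO = b"\x7fELF" + bytes(4096)


def build_sample_apk(with_payload=True):
    """Build an in-memory APK; with_payload=False yields a benign-looking one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if with_payload:
            z.writestr("classes.dex", _FAKE_DEX)
            z.writestr("res/raw/payload.so", _FAKE_SO)
        else:
            z.writestr("classes.dex", b"dex\n035\x00" + bytes(200_000))
    return buf.getvalue()


def triage_apk(apk_bytes, thin_dex_bytes=64 * 1024):
    """Flag the 'thin DEX that loads a native library' pattern described above."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = [n for n in names if n.startswith("classes") and n.endswith(".dex")]
        dex_bytes = sum(z.getinfo(n).file_size for n in dex_names)
        # DEX strings are ULEB128-length-prefixed and NUL-terminated, so match
        # the exact method-name strings rather than a loose substring.
        markers = (b"\x0bloadLibrary\x00", b"\x04load\x00")
        loads_native = any(m in z.read(n) for n in dex_names for m in markers)
        abi_libs = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        # A .so outside lib/<abi>/ (assets/, res/raw/) is the give-away: Android only
        # extracts native libraries from lib/, so the app must unpack and load it itself.
        stray_libs = [n for n in names if n.endswith(".so") and not n.startswith("lib/")]
    return {
        "dex_bytes": dex_bytes,
        "loads_native": loads_native,
        "abi_libs": abi_libs,
        "stray_libs": stray_libs,
        "suspicious": loads_native and dex_bytes < thin_dex_bytes and bool(abi_libs or stray_libs),
    }


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```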


App installation

During our analysis we saw a number of ways in which the primary porn app downloads and installs secondary porn apps. A few of these methods are listed below:

  • Some apps are downloaded in the background, and the install prompt appears once the download finishes. User intervention is needed to complete the installation, which alerts the user to the app's existence:


  • Some primary apps request Device Administrator privileges during installation. With this privilege the app can install other secondary porn apps silently in the background without user intervention. Soon enough the phone was filled with porn apps, as shown below:


  • In some cases we saw an app icon on the screen which, when clicked, led to the installation of that app:


  • Some apps simply opened the browser and downloaded other secondary porn apps:


  • One of the permissions requested by most of the porn apps is the ability to draw overlays over other apps. We saw such overlays advertising porn apps during our analysis; clicking these advertisements caused an app to be downloaded and installed:



Databases

During our analysis of the apps after installation, we scrutinized a number of databases present in the installed app folders. A few tables contained useful information such as URLs for app downloads and package names, as listed below:



App notifications

In Android, when a notification is missed, a small icon appears in the notification bar to inform the user (as shown in the first image below). From the app icon the user can tell which app's notification was missed. These porn apps pull another clever trick: they show notifications in the notification bar with icons from popular apps like Gmail, Phone and Messages, but when the notification bar is expanded we see solicitations for other porn apps inviting the user to install them:


Network Activity

  • Upon installation, most of the apps start downloading secondary porn-related apps onto the system from various domains, most of which have been marked as malicious on VirusTotal and Scumware:

  • Some of the apps sent sensitive information about the device back to malicious domains; one of the apps we analyzed sent data about all the apps installed on the device:

SMS

  • Some apps tried to send SMS messages to premium-rate numbers; we saw a notification stating as much:


  • One of the apps accessed an SMS message on the infected device and saved it to a file. It saved a single message along with the phone number of the contact that sent it:


Post Uninstallation

After uninstalling each of the porn apps from the "Downloaded" section of Apps in Device Settings, it may seem that the phone is finally clean, but we soon saw an advertisement overlaid on the screen and a porn-related app being downloaded in the background. On checking the "All" section we saw a suspicious-looking process named Vold, which had previously requested Administrator privileges. Two permissions of note for this process are drawing over other apps and running at startup:


On investigating the network captures we saw information being relayed back with the package name android.system.vold.v47. The only way to completely stop this process is to first disable it from Settings and then manually delete it from the /system/bin/ and /system/xbin/ folders.



Only after removing this particular process did we stop seeing suspicious advertisements and automated downloads on the device.
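A triage helper for the masquerading package described above, written as an added example and not code from the original post. It parses the output of `adb shell pm list packages -f` (a constructed sample here; the install path for android.system.vold.v47 is assumed, since the post only gives the binary's locations) and flags packages whose names borrow system-component names but live outside the platform directories, or whose APK is registered from /system/bin or /system/xbin.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output (not captured from the
# post's devices). The Vold lookalike uses the package name the post reports; its path
# is an assumption. cn.zipper.zygote.kernel is one of the post's listed sample packages.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Gmail/Gmail.apk=com.google.android.gm
package:/data/app/com.tacky.tailor.taker-1/base.apk=com.tacky.tailor.taker
package:/data/app/cn.zipper.zygote.kernel-1/base.apk=cn.zipper.zygote.kernel
package:/system/xbin/vold.apk=android.system.vold.v47
"""

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")
# Directories where genuine platform packages live on a stock device.
PLATFORM_DIRS = ("/system/app/", "/system/priv-app/", "/system/framework/")
# Names of core Android components that a third-party package has no reason to use.
SYSTEM_WORDS = ("vold", "zygote", "system_server", "installd", "android.system")
# Executable directories; an APK registered from here is how the post's Vold hid.
EXEC_DIRS = ("/system/bin/", "/system/xbin/")


def parse_pm_list(text):
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def flag_masqueraders(entries):
    """Return (path, pkg, reasons) for packages posing as system components."""
    hits = []
    for path, pkg in entries:
        reasons = []
        if any(w in pkg.lower() for w in SYSTEM_WORDS) and not path.startswith(PLATFORM_DIRS):
            reasons.append("system-like package name outside platform directories")
        if path.startswith(EXEC_DIRS):
            reasons.append("APK registered from an executables directory")
        if reasons:
            hits.append((path, pkg, reasons))
    return hits


if __name__ == "__main__":
    for path, pkg, reasons in flag_masqueraders(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(pkg, path, "; ".join(reasons))
```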

Additional observations

  • Rooted devices have an su binary, which processes use to switch to the root account. In many cases we observed that, after obtaining Device Admin privileges, some apps removed the su binary from the system, so that processes on the device can no longer switch to the root user. We believe this is done to make the Vold process discussed earlier harder to remove and to improve its persistence.

  • We saw a number of SMS-payment-related files in the app's installed folders; some examples are wounipaysms, tppaySMS and zhangpay.


Overall, this campaign aims to infect a victim's device and bombard it with porn-laced apps via advertisements; these apps in turn try to siphon money by sending SMS messages to premium-rate numbers. In addition, the attackers try to harvest sensitive device-related information that might later be used to expand the ad network, which could extend to non-porn apps as well once established.

Android has seen its share of malicious applications, and admittedly there have been applications that do far worse to a device than installing porn apps on it. But having a ton of porn apps on a device may tarnish a person's reputation at work or home, and there can be legal implications of having pornographic material on a personal or corporate device, depending on an individual's position in society. So even though this might not seem a big threat compared to the buffet of malicious entities on the Android landscape, we should not turn a blind eye to such incidents.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:
  • GAV: AndroidOS.Pornstall.HJ ( Trojan )
  • GAV: AndroidOS.Pornstall.HJ_2 ( Trojan )
  • GAV: AndroidOS.Pornstall.JR ( Trojan )
  • GAV: AndroidOS.Pornstall.MG ( Trojan )
  • GAV: AndroidOS.Pornstall.TT ( Trojan )
  • GAV: AndroidOS.Pornstall.HJG ( Trojan )
  • GAV: AndroidOS.Pornstall.HJG_2 ( Trojan )

Below are details about a small subset of the samples we analyzed, grouped according to their icons:



Below are a few domains that were contacted by porn apps during our analysis and were marked as malicious at the time of writing:
