Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 25, 2023
Severity High Analysis Summary CVE-2023-42753 Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by an integer underflow due […]September 25, 2023Severity Medium Analysis Summary AsyncRAT is an open-source tool designed for remote monitoring via encrypted connections. However, it could be utilized by threat actors as it […]September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 25, 2023Severity High Analysis Summary CVE-2023-42753 Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by an integer underflow due […]September 25, 2023Severity Medium Analysis Summary AsyncRAT is an open-source tool designed for remote monitoring via encrypted connections. However, it could be utilized by threat actors as it […]September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol
February 24, 2020Rewterz Threat Alert – WinPot Malware Turns ATM into a Slot Machine
February 25, 2020
Severity
High
Analysis Summary
Clickers, (malware that mimics the user and performs ‘clicks’ on ads), are a rising threat in the mobile industry. 47 new applications that were available on Google Play, and were downloaded more than 78 million times by users were found infected with malware. A similar campaign began its path in Google Play. Haken malware was found in 8 malicious applications, that had over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit.
The Haken clicker utilizes native code and injection to Facebook and AdMob libraries while communicating with a remote server to get the configuration.
The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance,BOOT_COMPLETED which let the backdoored application to run code at device start-up. With the usage of native-code, code injection into Ad-SDKs, and backdoored applications from the official store, Haken has shown clicking capabilities while staying under the radar of Google Play. Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.
The ‘Joker’ malware family, originally discovered in September 2019, is a spyware and premium dialer (subscribes the user to premium services) for Android that was found on Google Play.
In the past few months, Joker keeps reappearing in the Google Play store, We have recently discovered four additional samples of Joker on Google Play, downloaded 130,000+ times. Most of these malicious apps are camera utilities and children’s games. Some of them buy premium subscriptions without notifying the user.
Impact
- Device takeover
- Financial Loss
- Data theft
Indicators of Compromise
Domain Name
bearclod[.]com
MD5
- 665e96dda8ec53721592db445dc1dcd8
- bc5b8f08cde9b115a24087f1bcf85348
- aa97e49495b495f11b9c252f0988b82c
- 82ba8021eb1c29eff00aa93d2fed8f43
- c26f0235e9ca0ba9a1fd98c6f1a6ede7
- 7b1d1b9c97bfd2bef121c0ee2ea7e6b5
- 14ce5267be2f687ea2554d5bcafdd919
- 89747658f9bdb518865a8e7e47da0d83
- 27ba0e1fd04e30e15ebe9bfd3675339e
- 6a11ebe7708d8ac15ca16dd35a9077e6
- 96514423a4d08e2d9aaeb5f04461baff
- b2d15a9bc0df89e3111f59b4bdfdfa86
- 3c9369f0a27dc8d087c0f6f87af9d987
- 435ef0f9b52c8aa3e8cf724c3029feca
- 13834832ea096b06a701339d8730c9aa
- 44c0b6761fe0ef294df53d265457e5ce
- 7a33896dd45ea52ab3f7808ef6e06656
- f69faaa08be460fface36be62b84b5c1
- 121d8a08b09fe5755d3df6cf5d6af884
- ac86bff3edf47313df1cc62e792db97f
- 3bc5c2818094750ed8de185df0c404e8
- 45667128c5593d987d2d1020a005194f
- a8a6dc6f8f6350f070fb3d19f5b766f3
- 02939b68596873ad1835d1062ee8836a
- 829a30e7d2f461ce9092ea3d7a0e5742
- 7e5677a2d49ccc6a2ae78778a2120790
- a7367cfc54140761b02c1d21eb769935
- 879516a982ce996f26f9bec7136e8c27
- 992110f2295f07270c5d77c85491b978
- 8d7550971c1292e8a3a43bbe293f412c
- 54628bb8ed75cfd30eea92b20db1fc8a
- 82df5e392c62bead251f43916d7a833d
- 75c48a372281fbe2a09f9f6c72fca8d0
- 100108d372c1b8bc8d3264d3599eaa7e
- 8249cd76d780ae08e7256a6f8b9cb605
- d2f467545b34547b07ba48ef3274e37c
- 4575e1d8a5ec7deb59975ab07fde15e8
- d626ceea2ad696dc3cc3e81b249bed2e
- 6f8f9fbd1e74ecc756587332a8c5a33b
- b68a10302fae99311d114d6029c2f5b9
- 66be6ab4f4fe7c120383265a9d87dba5
- 042fe6422bd68fabff3189b855a74600
- 12f54a33a3d078a4d3a0a45bd41bba21
- e6ebcbc45b3cace046316f913001e547
- f3f1f347cf9f7049072db1d5135db905
- 7bc2e35624001d1316d3859711349f2c
SHA-256
- a4295a2120fc6b75b6a86a55e8c6b380f0dfede3b9824fe5323e139d3bee6f5c
- 3217b65698c7c0df08aea5c9e6d56e4634b1cf10ff48352b45719a596ff53cde
- e09396e0b17a026c9f87cc0481218d386fe7209f858bf448506f59689154d2f7
- 6c0712bc308ccd7b2c70a03a5899e700eb757a01dcf3fa986354071dd27bd0ef
- efa4dcdb3daca6b560c4523ff4010b9bea26fefb9cc8745312073c0dc503fd2f
- 3cc2feb6f8e0eba6d1b0807e1147456e13c109138f1bc346477dee2f0479cc7d
- e71c1dd9984fecf7bc9ba6d70e83dcb42405048bf51e981b896d110eea3fa441
- a646aade6787965b3fc71dd3e73b9a15ec65eedcadc8f14cba188425f4079040
- 5352c8ee2851bd9d741dce065f37c1eaedfe0c8bc042ff6fda7f0e5388767e06
- 95aeeae8a422e917bc555a8a7a71f35648649d95bdf9c7b46669e8f1059b6cfa
- 30bf493c79824a255f9b56db74a04e711a59257802f215187faffae9c6c2f8dc
- 17289264e413d46f873295f22b689d7d44e1d3d11b51f39dab34ddccf50fdda2
- 2bb0f074514eabd055052d4d8e758f7861823586c99ebef14594b1c60db4c7d7
- 4a74210e9e716092161037fb154c321e29ed454572bf1523a15903ec6eaaf640
- 0ce29f5b76b3efca487f81c55f5bb949a4193d1bc6d5cc9d10ebe8552d8230d0
- 091bacf055050efe52295e4fb79f27a7929ebfd516d7ae999e13f68ecbb8a255
- 8c49c79479e642fe424c977566f151828650b4d06d6903fbfa381d957e48ce9f
- 388b9c2c694a24fd686a615be046e33b94134c362b1432eadb5a50f42a758d8e
- 44102fc646501f1785dcadd591092a81365b86de5c83949c75c380ab8111e4e8
- 752d32fe5992b7d925d5d87b9066129b052eb8ea360a912c4738c32e6bdae527
- f4da643b2b9a310fdc1cc7a3cbaee83e106a0d654119fddc608a4b587c5552a3
- c816e434a425122522d2be72c750a8c7b3b131e30ed81999331173693ecc95e5
- 53bb04ce6a8d5ae716b30da894760b35f5ce99aab6bcd75081f0e4ac3cd68c49
- 62d192ff53a851855ac349ee9e6b71c1dee8fb6ed00502ff3bf00b3d367f9f38
- d3dbff98cc8613aa8403bce35b02640d54744f3606d2f7fe5a461d19cc53ecab
- 84e3341a4d3c603e7cf3e5b91780a942b997779c1468af820b79a57753a3d5a3
- 381620b5fc7c3a2d73e0135c6b4ebd91e117882f804a4794f3a583b3b0c19bc5
- 0b186e5044d640a206379c10a272e8d9b07e0bf0a478e6fc0a017c57e8f4e658
- d34582afde8da306f12b6da21aa4572d2febce656b4dc12a2d662284fc8623b9
- 230f66be98f30155934379022cc8656e25917c4fd5c08a36903539ce1bd36f4c
- 0136e998df49df642c2df7a5ba0da9987e341b6554fa578e935fa15bdf31199f
- c5ffc91bf3a37fc81feddf15abbca20a2a6e09413bba88092e5f62f301bdc686
- 7f8f37be97121bc998999eb947b429d46aeba86abce1ac9d4e4ae0c805a5a8e7
- e811f04491b9a7859602f8fad9165d1df7127696cc03418ffb5c8ca0914c64da
- 9c713db272ee6cc507863ed73d8017d07bea5f1414d231cf0c9788e6ca4ff769
- 8d5f1b8d25ba0c297d8c76f40b48032659cb21c1e02e13e98202bc0bdfea0e6a
- 29353df1956feb64ba42583f734b84996c4b5a507d1192ef415a930b5c6fed02
- fa93a5998390bc23949ba86e044e72f8ae20829dd220289b375bfaa76f86bd9a
- 63a93a1bdb58365363e4c709f811f45cef8dde176cc36a5c2eae7d82c940917c
- a26ce61f3137307ab3456d6312d823bec7a3924d830d8764778803ad48843467
- cb8864a684fa4d6886d7f0d22297ca898211aaf8e1c60bab83a1ced69d7e0894
- 320e5c51d4ed75adda1caef64287c885f7eb6ef7aa81f88315f86d6074a34b54
- 6d029ddd73111fca8bf8caa88ad81c91d3e75968eb70916d25905f6a8d686d2a
- bce72d9a3c61965522688d6b5f28884f1210dc3ccc22439982257391e6fc36a8
- a47049094051135631aea2c9954a6bc7e605ff455cd7ef1e0999042b068a841f
- 08f53bbb959132d4769c4cb7ea6023bae557dd841786643ae3d297e280c2ae08
Source IP
- 3[.]123[.]204[.]12
- 13[.]250[.]34[.]16
Remediation
- Block the threat indicators at their respective controls.
- Do not download unnecessary apps even from Google play store.
- Do not store financial information like credit card details on Android phones.