Rewterz Threat Advisory – Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol
February 24, 2020Rewterz Threat Alert – WinPot Malware Turns ATM into a Slot Machine
February 25, 2020Rewterz Threat Advisory – Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol
February 24, 2020Rewterz Threat Alert – WinPot Malware Turns ATM into a Slot Machine
February 25, 2020Severity
High
Analysis Summary
Clickers, (malware that mimics the user and performs ‘clicks’ on ads), are a rising threat in the mobile industry. 47 new applications that were available on Google Play, and were downloaded more than 78 million times by users were found infected with malware. A similar campaign began its path in Google Play. Haken malware was found in 8 malicious applications, that had over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit.
The Haken clicker utilizes native code and injection to Facebook and AdMob libraries while communicating with a remote server to get the configuration.
The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance,BOOT_COMPLETED which let the backdoored application to run code at device start-up. With the usage of native-code, code injection into Ad-SDKs, and backdoored applications from the official store, Haken has shown clicking capabilities while staying under the radar of Google Play. Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.
The ‘Joker’ malware family, originally discovered in September 2019, is a spyware and premium dialer (subscribes the user to premium services) for Android that was found on Google Play.
In the past few months, Joker keeps reappearing in the Google Play store, We have recently discovered four additional samples of Joker on Google Play, downloaded 130,000+ times. Most of these malicious apps are camera utilities and children’s games. Some of them buy premium subscriptions without notifying the user.
Impact
- Device takeover
- Financial Loss
- Data theft
Indicators of Compromise
Domain Name
bearclod[.]com
MD5
- 665e96dda8ec53721592db445dc1dcd8
- bc5b8f08cde9b115a24087f1bcf85348
- aa97e49495b495f11b9c252f0988b82c
- 82ba8021eb1c29eff00aa93d2fed8f43
- c26f0235e9ca0ba9a1fd98c6f1a6ede7
- 7b1d1b9c97bfd2bef121c0ee2ea7e6b5
- 14ce5267be2f687ea2554d5bcafdd919
- 89747658f9bdb518865a8e7e47da0d83
- 27ba0e1fd04e30e15ebe9bfd3675339e
- 6a11ebe7708d8ac15ca16dd35a9077e6
- 96514423a4d08e2d9aaeb5f04461baff
- b2d15a9bc0df89e3111f59b4bdfdfa86
- 3c9369f0a27dc8d087c0f6f87af9d987
- 435ef0f9b52c8aa3e8cf724c3029feca
- 13834832ea096b06a701339d8730c9aa
- 44c0b6761fe0ef294df53d265457e5ce
- 7a33896dd45ea52ab3f7808ef6e06656
- f69faaa08be460fface36be62b84b5c1
- 121d8a08b09fe5755d3df6cf5d6af884
- ac86bff3edf47313df1cc62e792db97f
- 3bc5c2818094750ed8de185df0c404e8
- 45667128c5593d987d2d1020a005194f
- a8a6dc6f8f6350f070fb3d19f5b766f3
- 02939b68596873ad1835d1062ee8836a
- 829a30e7d2f461ce9092ea3d7a0e5742
- 7e5677a2d49ccc6a2ae78778a2120790
- a7367cfc54140761b02c1d21eb769935
- 879516a982ce996f26f9bec7136e8c27
- 992110f2295f07270c5d77c85491b978
- 8d7550971c1292e8a3a43bbe293f412c
- 54628bb8ed75cfd30eea92b20db1fc8a
- 82df5e392c62bead251f43916d7a833d
- 75c48a372281fbe2a09f9f6c72fca8d0
- 100108d372c1b8bc8d3264d3599eaa7e
- 8249cd76d780ae08e7256a6f8b9cb605
- d2f467545b34547b07ba48ef3274e37c
- 4575e1d8a5ec7deb59975ab07fde15e8
- d626ceea2ad696dc3cc3e81b249bed2e
- 6f8f9fbd1e74ecc756587332a8c5a33b
- b68a10302fae99311d114d6029c2f5b9
- 66be6ab4f4fe7c120383265a9d87dba5
- 042fe6422bd68fabff3189b855a74600
- 12f54a33a3d078a4d3a0a45bd41bba21
- e6ebcbc45b3cace046316f913001e547
- f3f1f347cf9f7049072db1d5135db905
- 7bc2e35624001d1316d3859711349f2c
SHA-256
- a4295a2120fc6b75b6a86a55e8c6b380f0dfede3b9824fe5323e139d3bee6f5c
- 3217b65698c7c0df08aea5c9e6d56e4634b1cf10ff48352b45719a596ff53cde
- e09396e0b17a026c9f87cc0481218d386fe7209f858bf448506f59689154d2f7
- 6c0712bc308ccd7b2c70a03a5899e700eb757a01dcf3fa986354071dd27bd0ef
- efa4dcdb3daca6b560c4523ff4010b9bea26fefb9cc8745312073c0dc503fd2f
- 3cc2feb6f8e0eba6d1b0807e1147456e13c109138f1bc346477dee2f0479cc7d
- e71c1dd9984fecf7bc9ba6d70e83dcb42405048bf51e981b896d110eea3fa441
- a646aade6787965b3fc71dd3e73b9a15ec65eedcadc8f14cba188425f4079040
- 5352c8ee2851bd9d741dce065f37c1eaedfe0c8bc042ff6fda7f0e5388767e06
- 95aeeae8a422e917bc555a8a7a71f35648649d95bdf9c7b46669e8f1059b6cfa
- 30bf493c79824a255f9b56db74a04e711a59257802f215187faffae9c6c2f8dc
- 17289264e413d46f873295f22b689d7d44e1d3d11b51f39dab34ddccf50fdda2
- 2bb0f074514eabd055052d4d8e758f7861823586c99ebef14594b1c60db4c7d7
- 4a74210e9e716092161037fb154c321e29ed454572bf1523a15903ec6eaaf640
- 0ce29f5b76b3efca487f81c55f5bb949a4193d1bc6d5cc9d10ebe8552d8230d0
- 091bacf055050efe52295e4fb79f27a7929ebfd516d7ae999e13f68ecbb8a255
- 8c49c79479e642fe424c977566f151828650b4d06d6903fbfa381d957e48ce9f
- 388b9c2c694a24fd686a615be046e33b94134c362b1432eadb5a50f42a758d8e
- 44102fc646501f1785dcadd591092a81365b86de5c83949c75c380ab8111e4e8
- 752d32fe5992b7d925d5d87b9066129b052eb8ea360a912c4738c32e6bdae527
- f4da643b2b9a310fdc1cc7a3cbaee83e106a0d654119fddc608a4b587c5552a3
- c816e434a425122522d2be72c750a8c7b3b131e30ed81999331173693ecc95e5
- 53bb04ce6a8d5ae716b30da894760b35f5ce99aab6bcd75081f0e4ac3cd68c49
- 62d192ff53a851855ac349ee9e6b71c1dee8fb6ed00502ff3bf00b3d367f9f38
- d3dbff98cc8613aa8403bce35b02640d54744f3606d2f7fe5a461d19cc53ecab
- 84e3341a4d3c603e7cf3e5b91780a942b997779c1468af820b79a57753a3d5a3
- 381620b5fc7c3a2d73e0135c6b4ebd91e117882f804a4794f3a583b3b0c19bc5
- 0b186e5044d640a206379c10a272e8d9b07e0bf0a478e6fc0a017c57e8f4e658
- d34582afde8da306f12b6da21aa4572d2febce656b4dc12a2d662284fc8623b9
- 230f66be98f30155934379022cc8656e25917c4fd5c08a36903539ce1bd36f4c
- 0136e998df49df642c2df7a5ba0da9987e341b6554fa578e935fa15bdf31199f
- c5ffc91bf3a37fc81feddf15abbca20a2a6e09413bba88092e5f62f301bdc686
- 7f8f37be97121bc998999eb947b429d46aeba86abce1ac9d4e4ae0c805a5a8e7
- e811f04491b9a7859602f8fad9165d1df7127696cc03418ffb5c8ca0914c64da
- 9c713db272ee6cc507863ed73d8017d07bea5f1414d231cf0c9788e6ca4ff769
- 8d5f1b8d25ba0c297d8c76f40b48032659cb21c1e02e13e98202bc0bdfea0e6a
- 29353df1956feb64ba42583f734b84996c4b5a507d1192ef415a930b5c6fed02
- fa93a5998390bc23949ba86e044e72f8ae20829dd220289b375bfaa76f86bd9a
- 63a93a1bdb58365363e4c709f811f45cef8dde176cc36a5c2eae7d82c940917c
- a26ce61f3137307ab3456d6312d823bec7a3924d830d8764778803ad48843467
- cb8864a684fa4d6886d7f0d22297ca898211aaf8e1c60bab83a1ced69d7e0894
- 320e5c51d4ed75adda1caef64287c885f7eb6ef7aa81f88315f86d6074a34b54
- 6d029ddd73111fca8bf8caa88ad81c91d3e75968eb70916d25905f6a8d686d2a
- bce72d9a3c61965522688d6b5f28884f1210dc3ccc22439982257391e6fc36a8
- a47049094051135631aea2c9954a6bc7e605ff455cd7ef1e0999042b068a841f
- 08f53bbb959132d4769c4cb7ea6023bae557dd841786643ae3d297e280c2ae08
Source IP
- 3[.]123[.]204[.]12
- 13[.]250[.]34[.]16
Remediation
- Block the threat indicators at their respective controls.
- Do not download unnecessary apps even from Google play store.
- Do not store financial information like credit card details on Android phones.