• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol
February 24, 2020
Rewterz Threat Alert – WinPot Malware Turns ATM into a Slot Machine
February 25, 2020

Rewterz Threat Alert – Haken and Joker Malware found in Apps on Google Play

February 24, 2020

Severity

High

Analysis Summary

Clickers, (malware that mimics the user and performs ‘clicks’ on ads), are a rising threat in the mobile industry. 47 new applications that were available on Google Play, and were downloaded more than 78 million times by users were found infected with malware. A similar campaign began its path in Google Play. Haken malware was found in 8 malicious applications, that had over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit.

goog-figure-1.png
goog-figure-2.png

The Haken clicker utilizes native code and injection to Facebook and AdMob libraries while communicating with a remote server to get the configuration.

The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance,BOOT_COMPLETED which let the backdoored application to run code at device start-up. With the usage of native-code, code injection into Ad-SDKs, and backdoored applications from the official store, Haken has shown clicking capabilities while staying under the radar of Google Play. Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.

The ‘Joker’ malware family, originally discovered in September 2019, is a spyware and premium dialer (subscribes the user to premium services) for Android that was found on Google Play.
In the past few months, Joker keeps reappearing in the Google Play store, We have recently discovered four additional samples of Joker on Google Play, downloaded 130,000+ times. Most of these malicious apps are camera utilities and children’s games. Some of them buy premium subscriptions without notifying the user. 

goog-figure-11.png
goog-figure-12.png
goog-figure-13.png

Impact

  • Device takeover
  • Financial Loss
  • Data theft

Indicators of Compromise

Domain Name

bearclod[.]com

MD5

  • 665e96dda8ec53721592db445dc1dcd8
  • bc5b8f08cde9b115a24087f1bcf85348
  • aa97e49495b495f11b9c252f0988b82c
  • 82ba8021eb1c29eff00aa93d2fed8f43
  • c26f0235e9ca0ba9a1fd98c6f1a6ede7
  • 7b1d1b9c97bfd2bef121c0ee2ea7e6b5
  • 14ce5267be2f687ea2554d5bcafdd919
  • 89747658f9bdb518865a8e7e47da0d83
  • 27ba0e1fd04e30e15ebe9bfd3675339e
  • 6a11ebe7708d8ac15ca16dd35a9077e6
  • 96514423a4d08e2d9aaeb5f04461baff
  • b2d15a9bc0df89e3111f59b4bdfdfa86
  • 3c9369f0a27dc8d087c0f6f87af9d987
  • 435ef0f9b52c8aa3e8cf724c3029feca
  • 13834832ea096b06a701339d8730c9aa
  • 44c0b6761fe0ef294df53d265457e5ce
  • 7a33896dd45ea52ab3f7808ef6e06656
  • f69faaa08be460fface36be62b84b5c1
  • 121d8a08b09fe5755d3df6cf5d6af884
  • ac86bff3edf47313df1cc62e792db97f
  • 3bc5c2818094750ed8de185df0c404e8
  • 45667128c5593d987d2d1020a005194f
  • a8a6dc6f8f6350f070fb3d19f5b766f3
  • 02939b68596873ad1835d1062ee8836a
  • 829a30e7d2f461ce9092ea3d7a0e5742
  • 7e5677a2d49ccc6a2ae78778a2120790
  • a7367cfc54140761b02c1d21eb769935
  • 879516a982ce996f26f9bec7136e8c27
  • 992110f2295f07270c5d77c85491b978
  • 8d7550971c1292e8a3a43bbe293f412c
  • 54628bb8ed75cfd30eea92b20db1fc8a
  • 82df5e392c62bead251f43916d7a833d
  • 75c48a372281fbe2a09f9f6c72fca8d0
  • 100108d372c1b8bc8d3264d3599eaa7e
  • 8249cd76d780ae08e7256a6f8b9cb605
  • d2f467545b34547b07ba48ef3274e37c
  • 4575e1d8a5ec7deb59975ab07fde15e8
  • d626ceea2ad696dc3cc3e81b249bed2e
  • 6f8f9fbd1e74ecc756587332a8c5a33b
  • b68a10302fae99311d114d6029c2f5b9
  • 66be6ab4f4fe7c120383265a9d87dba5
  • 042fe6422bd68fabff3189b855a74600
  • 12f54a33a3d078a4d3a0a45bd41bba21
  • e6ebcbc45b3cace046316f913001e547
  • f3f1f347cf9f7049072db1d5135db905
  • 7bc2e35624001d1316d3859711349f2c

SHA-256

  • a4295a2120fc6b75b6a86a55e8c6b380f0dfede3b9824fe5323e139d3bee6f5c
  • 3217b65698c7c0df08aea5c9e6d56e4634b1cf10ff48352b45719a596ff53cde
  • e09396e0b17a026c9f87cc0481218d386fe7209f858bf448506f59689154d2f7
  • 6c0712bc308ccd7b2c70a03a5899e700eb757a01dcf3fa986354071dd27bd0ef
  • efa4dcdb3daca6b560c4523ff4010b9bea26fefb9cc8745312073c0dc503fd2f
  • 3cc2feb6f8e0eba6d1b0807e1147456e13c109138f1bc346477dee2f0479cc7d
  • e71c1dd9984fecf7bc9ba6d70e83dcb42405048bf51e981b896d110eea3fa441
  • a646aade6787965b3fc71dd3e73b9a15ec65eedcadc8f14cba188425f4079040
  • 5352c8ee2851bd9d741dce065f37c1eaedfe0c8bc042ff6fda7f0e5388767e06
  • 95aeeae8a422e917bc555a8a7a71f35648649d95bdf9c7b46669e8f1059b6cfa
  • 30bf493c79824a255f9b56db74a04e711a59257802f215187faffae9c6c2f8dc
  • 17289264e413d46f873295f22b689d7d44e1d3d11b51f39dab34ddccf50fdda2
  • 2bb0f074514eabd055052d4d8e758f7861823586c99ebef14594b1c60db4c7d7
  • 4a74210e9e716092161037fb154c321e29ed454572bf1523a15903ec6eaaf640
  • 0ce29f5b76b3efca487f81c55f5bb949a4193d1bc6d5cc9d10ebe8552d8230d0
  • 091bacf055050efe52295e4fb79f27a7929ebfd516d7ae999e13f68ecbb8a255
  • 8c49c79479e642fe424c977566f151828650b4d06d6903fbfa381d957e48ce9f
  • 388b9c2c694a24fd686a615be046e33b94134c362b1432eadb5a50f42a758d8e
  • 44102fc646501f1785dcadd591092a81365b86de5c83949c75c380ab8111e4e8
  • 752d32fe5992b7d925d5d87b9066129b052eb8ea360a912c4738c32e6bdae527
  • f4da643b2b9a310fdc1cc7a3cbaee83e106a0d654119fddc608a4b587c5552a3
  • c816e434a425122522d2be72c750a8c7b3b131e30ed81999331173693ecc95e5
  • 53bb04ce6a8d5ae716b30da894760b35f5ce99aab6bcd75081f0e4ac3cd68c49
  • 62d192ff53a851855ac349ee9e6b71c1dee8fb6ed00502ff3bf00b3d367f9f38
  • d3dbff98cc8613aa8403bce35b02640d54744f3606d2f7fe5a461d19cc53ecab
  • 84e3341a4d3c603e7cf3e5b91780a942b997779c1468af820b79a57753a3d5a3
  • 381620b5fc7c3a2d73e0135c6b4ebd91e117882f804a4794f3a583b3b0c19bc5
  • 0b186e5044d640a206379c10a272e8d9b07e0bf0a478e6fc0a017c57e8f4e658
  • d34582afde8da306f12b6da21aa4572d2febce656b4dc12a2d662284fc8623b9
  • 230f66be98f30155934379022cc8656e25917c4fd5c08a36903539ce1bd36f4c
  • 0136e998df49df642c2df7a5ba0da9987e341b6554fa578e935fa15bdf31199f
  • c5ffc91bf3a37fc81feddf15abbca20a2a6e09413bba88092e5f62f301bdc686
  • 7f8f37be97121bc998999eb947b429d46aeba86abce1ac9d4e4ae0c805a5a8e7
  • e811f04491b9a7859602f8fad9165d1df7127696cc03418ffb5c8ca0914c64da
  • 9c713db272ee6cc507863ed73d8017d07bea5f1414d231cf0c9788e6ca4ff769
  • 8d5f1b8d25ba0c297d8c76f40b48032659cb21c1e02e13e98202bc0bdfea0e6a
  • 29353df1956feb64ba42583f734b84996c4b5a507d1192ef415a930b5c6fed02
  • fa93a5998390bc23949ba86e044e72f8ae20829dd220289b375bfaa76f86bd9a
  • 63a93a1bdb58365363e4c709f811f45cef8dde176cc36a5c2eae7d82c940917c
  • a26ce61f3137307ab3456d6312d823bec7a3924d830d8764778803ad48843467
  • cb8864a684fa4d6886d7f0d22297ca898211aaf8e1c60bab83a1ced69d7e0894
  • 320e5c51d4ed75adda1caef64287c885f7eb6ef7aa81f88315f86d6074a34b54
  • 6d029ddd73111fca8bf8caa88ad81c91d3e75968eb70916d25905f6a8d686d2a
  • bce72d9a3c61965522688d6b5f28884f1210dc3ccc22439982257391e6fc36a8
  • a47049094051135631aea2c9954a6bc7e605ff455cd7ef1e0999042b068a841f
  • 08f53bbb959132d4769c4cb7ea6023bae557dd841786643ae3d297e280c2ae08

Source IP

  • 3[.]123[.]204[.]12
  • 13[.]250[.]34[.]16

Remediation

  • Block the threat indicators at their respective controls. 
  • Do not download unnecessary apps even from Google play store. 
  • Do not store financial information like credit card details on Android phones.

  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.