BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain

12 April 2021 at 16:13

Recently, the McAfee Mobile Research Team uncovered several new variants of the Android malware family BRATA being distributed in Google Play, ironically posing as app security scanners.

These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services. Recent versions of BRATA were also seen serving phishing webpages targeting users of financial entities, not only in Brazil but also in Spain and the USA.

In this blog post we provide an overview of this threat, how this malware operates and its main upgrades compared with earlier versions. If you want to learn more about the technical details of this threat and the differences between all variants, you can check the BRATA whitepaper here.

The origins of BRATA

First seen in the wild at the end of 2018 and named “Brazilian Remote Access Tool Android” (BRATA) by Kaspersky, this “RAT” initially targeted users in Brazil and then rapidly evolved into a banking trojan. It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials, in addition to abilities that allow it to capture screen lock credentials (PIN, password or pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user’s actions without their consent.

Because BRATA is distributed mainly on Google Play, it lets bad actors lure victims into installing these malicious apps by pretending that there is a security issue on the victim’s device and asking them to install a malicious app to fix the problem. Given this common ruse, it is recommended to avoid clicking on links from untrusted sources that pretend to be security software that scans and updates your system, even if that link leads to an app in Google Play. McAfee offers protection against this threat via McAfee Mobile Security, which detects this malware as Android/Brata.

How BRATA Android malware has evolved and targets new victims

The main upgrades and changes that we have identified in the latest versions of BRATA recently found in Google Play include:

  • Geographical expansion: Initially targeting Brazil, we found that recent variants started to also target users in Spain and the USA.
  • Banking trojan functionality: In addition to being able to have full control of the infected device by abusing accessibility services, BRATA is now serving phishing URLs based on the presence of certain financial and banking apps defined by the remote command and control server.
  • Self-defense techniques: New BRATA variants added new protection layers like string obfuscation, encryption of configuration files, use of commercial packers, and the move of its core functionality to a remote server so it can be easily updated without changing the main application. Some BRATA variants also check first if the device is worth being attacked before downloading and executing their main payload, making it more evasive to automated analysis systems.

BRATA in Google Play

During 2020, the threat actors behind BRATA managed to publish several apps in Google Play, most of them reaching between one thousand and five thousand installs. However, a few variants reached 10,000 installs, including the latest one, DefenseScreen, which McAfee reported to Google in October and which was later removed from Google Play.

Figure 1. DefenseScreen app in Google Play.

From all BRATA apps that were in Google Play in 2020, five of them caught our attention as they have notable improvements compared with previous ones. We refer to them by the name of the developer accounts:

Figure 2. Timeline of identified apps in Google Play from May to October 2020

Social engineering tricks

BRATA poses as a security app scanner that pretends to scan all the installed apps, while in the background it checks if any of the target apps provided by a remote server are installed in the user’s device. If that is the case, it will urge the user to install a fake update of a specific app selected depending on the device language. In the case of English-language apps, BRATA suggests the update of Chrome while also constantly showing a notification at the top of the screen asking the user to activate accessibility services:

Figure 3. Fake app scanning functionality

Once the user clicks on “UPDATE NOW!”, BRATA proceeds to open the main Accessibility tab in Android settings and asks the user to manually find the malicious service and grant it permission to use accessibility services. When the user attempts this dangerous action, Android warns of the potential risks of granting accessibility access to a specific app, including that the app can observe your actions, retrieve window content, and perform gestures like tap, swipe, and pinch.

As soon as the user clicks on OK the persistent notification goes away, the main icon of the app is hidden and a full black screen with the word “Updating” appears, which could be used to hide automated actions that now can be performed with the abuse of accessibility services:

Figure 4. BRATA asking access to accessibility services and showing a black screen to potentially hide automated actions

At this point, the app is completely hidden from the user, running in the background in constant communication with a command and control server run by the threat actors. The only user interface that we saw when we analyzed BRATA after access to accessibility services was granted was the following screen, created by the malware to steal the device PIN and use it to unlock the device when the phone is unattended. The screen asks the user to confirm the PIN and validates it against the real one: when an incorrect PIN is entered, an error message is shown and the screen will not disappear until the correct PIN is entered:

Figure 5. BRATA attempting to steal device PIN and confirming if the correct one is provided

BRATA capabilities

Once the malicious app is executed and accessibility permissions have been granted, BRATA can perform almost any action in the compromised device. Here’s the list of commands that we found in all the payloads that we have analyzed so far:

  • Steal lock screen (PIN/Password/Pattern)
  • Screen Capture: Records the device’s screen and sends screenshots to the remote server
  • Execute Action: Interact with user’s interface by abusing accessibility services
  • Unlock Device: Use stolen PIN/Password/Pattern to unlock the device
  • Start/Schedule activity launch: Opens a specific activity provided by the remote server
  • Start/Stop Keylogger: Captures user’s input on editable fields and leaks that to a remote server
  • UI text injection: Injects a string provided by the remote server in an editable field
  • Hide/Unhide Incoming Calls: Sets the ring volume to 0 and creates a full black screen to hide an incoming call
  • Clipboard manipulation: Injects a string provided by the remote server in the clipboard

In addition to the commands above, BRATA also performs automated actions by abusing accessibility services to hide itself from the user or automatically grant privileges to itself:

  • Hides the media projection warning message that explicitly warns the user that the app will start capturing everything displayed on the screen.
  • Grants itself any permission by clicking the “Allow” button when the permission dialog appears on the screen.
  • Disables the Google Play Store and therefore Google Play Protect.
  • Uninstalls itself if its own Settings screen, with the “Uninstall” and “Force Stop” buttons, appears on the screen.

Geographical expansion and Banking Trojan Functionality

Earlier BRATA versions like OutProtect and PrivacyTitan were designed to target Brazilian users only, by limiting their execution to devices set to the Portuguese (Brazil) language. However, in June we noticed that the threat actors behind BRATA started to add support for other languages, such as Spanish and English. Depending on the language configured on the device, the malware suggested that one of the following three apps needed an urgent update: WhatsApp (Spanish), a non-existent PDF Reader (Portuguese) or Chrome (English):

Figure 6. Apps falsely asked to be updated depending on the device language

In addition to localizing the user-interface strings, we also noticed that the threat actors updated the list of targeted financial apps to add some from Spain and the USA. In September, the target list had around 52 apps, but only 32 had phishing URLs. Also, of the 20 US banking apps present in the last target list, only 5 had phishing URLs. Here’s an example of the phishing websites that will be displayed to the user if specific US banking apps are present on the compromised device:

Figure 7. Examples of phishing websites pretending to be from US banks

Multiple Obfuscation Layers and Stages

Throughout 2020, BRATA constantly evolved, adding different obfuscation layers to impede its analysis and detection. One of the first major changes was moving its core functionality to a remote server so it can be easily updated without changing the original malicious application. The same server is used as a first point of contact to register the infected device, provide an updated list of targeted financial apps, and then deliver the IP address and port of the server that will be used by the attackers to execute commands remotely on the compromised device:


Figure 8. BRATA high level network communication

Additional protection layers include string obfuscation, a country and language check, encryption of certain key strings in the assets folder and, in the latest variants, the use of a commercial packer that further hinders static and dynamic analysis of the malicious apps. The illustration below summarizes the different protection layers and execution stages present in the latest BRATA variants:

Figure 9. BRATA protection layers and execution stages

Prevention and defense

To get infected with BRATA, users must install the malicious application from Google Play, so below are some recommendations to avoid being tricked by this or any other Android threat that uses social engineering to convince users to install malware that looks legitimate:

  • Don’t trust an Android application just because it’s available in the official store. In this case, victims are mainly lured into installing an app that promises a more secure device by offering a fake update. Keep in mind that on Android, updates are installed automatically via Google Play, so users shouldn’t need to install a third-party app to keep the device up to date.
  • McAfee Mobile Security will alert users if they are attempting to install or execute malware, even if it was downloaded from Google Play. We recommend that users have a reliable and updated antivirus installed on their mobile devices to detect this and other malicious applications.
  • Do not click on suspicious links received via text messages or social media, particularly from unknown sources. Always double check by other means whether a link sent by a contact without context was really sent by that person, because it could lead to the download of a malicious application.
  • Before installing an app, check the developer information, the requested permissions, the number of installations, and the content of the reviews. Sometimes applications have a very good rating but most of the reviews are fake, as we uncovered in Android/LeifAccess. Be aware that ranking manipulation happens and that reviews are not always trustworthy.

The activation of accessibility services is very sensitive in Android and key to the successful execution of this banking trojan because, once the access to those services is granted, BRATA can perform all the malicious activities and take control of the device. For this reason, Android users must be very careful when granting this access to any app.

Accessibility services are so powerful that, in the hands of a malicious app, they could be used to fully compromise your device data, your online banking and finances, and your digital life overall.

BRATA Android malware continues to evolve—another good reason for protecting mobile devices

When BRATA was initially discovered in 2019 and named “Brazilian Android RAT” by Kaspersky, it was said that, theoretically, the malware can be used to target other users if the cybercriminals behind this threat wanted to do it. Based on the newest variants found in 2020, the theory has become reality, showing that this threat is currently very active, constantly adding new targets, new languages and new protection layers to make its detection and analysis more difficult.

In terms of functionality, BRATA is just another example of how powerful the (ab)use of accessibility services is and how, with just a little bit of social engineering and persistence, cybercriminals can trick users into granting this access to a malicious app and basically getting total control of the infected device. By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.

Judging by our findings, the number of apps found in Google Play in 2020 and the increasing number of targeted financial apps, it looks like BRATA will continue to evolve, adding new functionality, new targets, and new obfuscation techniques to target as many users as possible, while also attempting to reduce the risk of being detected and removed from the Play store.

McAfee Mobile Security detects this threat as Android/Brata. To protect yourself from this and similar threats, employ security software on your mobile devices and think twice before granting access to accessibility services to suspicious apps, even if they were downloaded from trusted sources like Google Play.

Appendix

Tactics, Techniques and Procedures (TTPs)

Figure 10. MITRE ATT&CK Mobile for BRATA

Indicators of compromise

Apps:

SHA256 Package Name Installs
4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be com.outprotect.android 1,000+
d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b com.privacytitan.android 1,000+
f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992 com.greatvault.mobile 10,000+
e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e com.pw.secureshield 5,000+
2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7 com.defensescreen.application 10,000+


URLs:

  • bialub[.]com
  • brorne[.]com
  • jachof[.]com


Technical Analysis of BRATA Apps

This paper will analyze five different “Brazilian Remote Access Tool Android” (BRATA) apps found in Google Play during 2020.


The post BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain appeared first on McAfee Blog.

Android/LeifAccess.A is the Silent Fake Reviewer Trojan

4 March 2020 at 05:01

The McAfee Mobile Research team has identified an Android malware family dubbed Android/LeifAccess.A that has been active since May 2019. This trojan was discovered globally with localized versions, but has a much higher prevalence in the USA and Brazil. As part of the payload, this trojan can abuse OAuth by leveraging accessibility services to automatically create accounts in the name of a victim’s legitimate email in multiple third-party apps. Using the same approach, it can create fake reviews on the Google Play store to manipulate app rankings, perform ad fraud (clicker functionality), update itself and execute arbitrary remote code, among other functionalities.

Meanwhile, many of the apps targeted by the fake reviews are on Google Play.

This malware has not been identified in the official Android store, so the potential distribution methods that we identified are related to social media, gaming platforms, malvertising and the direct download of the APK files from the Command and Control (C&C) server.

Social Engineering to get Accessibility Services

Once installed, Android/LeifAccess.A does not show any icon or shortcut. It runs in the background and may ask victims to activate accessibility services to perform most of its malicious activities by displaying a toast notification, simulating a system warning as shown below:

Accessibility services were designed to assist users with disabilities, or while they were otherwise unable to fully interact with the device. However, as we have observed in banking trojans and other mobile threats, the accessibility services could also be abused by malware authors to perform malicious activities without user interaction. In recent versions of Android, Google limited the number of apps with accessibility services permission on Google Play and moved some functionality to other newly created APIs to minimize the abuse, but cyber criminals are still trying to exploit it, convincing users to activate this critical permission.

If accessibility permissions are granted, the trojan can fully perform its malicious activities; if it is not granted, it will still perform part of the possible commands such as ad-fraud, install short-cuts and update itself, opening the door to new payloads.

Fake Reviews

Based on the static analysis of the de-obfuscated second stage dex file (fields.css) it is possible to conclude that Android/LeifAccess can post fake reviews on Google Play by abusing the accessibility services:

Figure 3. De-obfuscated list of strings used as fully qualified resource names of the view IDs accessed to perform fake reviews by abusing accessibility services

Android/LeifAccess will try to download and install the target app, because a user account can only write reviews for apps that have previously been installed. It tries to download through Google Play, but there is also an implementation to download apps from an alternative app store (APKPure), as well as from direct links.

Real World Example

As a real-world example of this malicious behavior it is possible to find reviews on Google Play that match with the parameters received from the C&C and stored in the de-obfuscated SharedPreferences XML files. For instance, the app ‘Super Clean-Phone Booster, Junk Cleaner & CPU Cooler’ is ranked with 4.5 stars average and more than 7k reviews, many of which are fake as they feature duplicated phrases copied from the Trojan’s command parameters.


Some of the fake comments have multiple likes, which could be associated with other commands performed by this malware: it is able to find the review text and give it a like:

Figure 6. Command “rate_words” that are used to vote for fraudulent reviews

Commands and Parameters Decryption

Android/LeifAccess.A stores a Hashtable map, in a SharedPreferences XML format, where the key is the function name and the value is the parameter used by the commands. To avoid detection, the real function names (plain text) and parameters are obfuscated, encrypted, salted and/or one-way hashed (md5 or sha-1).

  • Values are stored as obfuscated strings, using data compression with zip.deflater and base64.encode as defense evasion techniques. Some strings are obfuscated more than once with the same algorithm.
  • Each key is calculated as the MD5 digest of the byte array produced by a custom base64 encoding of the string that results from a custom operation over the ‘function name’ and the ‘package name’ of the sample. There are hundreds of different variants of this family, each one with a different package name, so the malware authors take advantage of the uniqueness of the package name string, using it as a salt when hashing the key values.

In figure 5 the xml <String> element contains the reviews sent by the C&C while the attribute “name” represents the hash table key. In this example the key “FF69BA5F448E26DDBE8DAE70F55738F6” is associated to the command “rate_p_words”:

MD5 is a one-way function, so the key cannot be decrypted; however, based on the static analysis it is possible to recalculate the hash for all the decoded strings found in the second-stage DEX file and then associate each result with its hash-table entry.

Recalculation of this particular hash was possible by invoking the hash function with rate_p_words and com.services.ibgpe.hflbsqqjrmlfej as arguments.
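The two analysis steps above, recomputing salted keys over candidate command names and peeling layered deflate+base64 values, as an added example that is not McAfee's code and not the sample's own logic. The sample's real "custom operation" and custom base64 alphabet are not described here, so plain concatenation and standard base64 stand in for them (the keys produced will therefore not match the sample's); the SharedPreferences file is constructed inline, and only the package name and the command names rate_words and rate_p_words come from the report.

```python
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET

# Package name quoted in the report; everything else below is constructed.
PACKAGE = "com.services.ibgpe.hflbsqqjrmlfej"
# Candidate command names as they would be recovered from the second-stage DEX.
# rate_words and rate_p_words are named in the report; the rest are assumed.
CANDIDATES = ["rate_words", "rate_p_words", "notifi_inter", "dialog", "update_url"]


def derive_key(command: str, package: str) -> str:
    """Hash-table key for a command, salted with the package name.

    ASSUMPTION: the real 'custom operation' and custom base64 are unknown, so
    concatenation and standard base64 stand in. The shape is what matters:
    md5(base64(f(command, package))) gives a different key per repackaged
    variant, so keys cannot be matched across samples without recomputing.
    """
    material = base64.b64encode((command + package).encode()).decode()
    return hashlib.md5(material.encode()).hexdigest().upper()


def obfuscate_value(plain: str, rounds: int = 1) -> str:
    """Value obfuscation as described: deflate then base64, optionally applied
    again over the previous output. Used here only to build the sample."""
    data = plain.encode()
    for _ in range(rounds):
        data = base64.b64encode(zlib.compress(data))
    return data.decode()


def deobfuscate_value(value: str, max_rounds: int = 8):
    """Peel base64 + inflate layers until the content stops decoding.

    Returns (plaintext, layers_removed). A layer that is not valid base64 or
    not a valid zlib stream is taken as the plaintext command parameter.
    """
    data = value.encode()
    rounds = 0
    while rounds < max_rounds:
        try:
            inner = zlib.decompress(base64.b64decode(data, validate=True))
        except (ValueError, zlib.error):  # binascii.Error is a ValueError
            break
        data = inner
        rounds += 1
    return data.decode("utf-8", errors="replace"), rounds


def recover_commands(xml_text: str, package: str, candidates):
    """Map each hashed key in a SharedPreferences XML back to a command name
    by recomputing the hash for every candidate, and decode its value.

    Result: {key: (command_name_or_None, plaintext_value, layers_removed)}.
    """
    rainbow = {derive_key(c, package): c for c in candidates}
    root = ET.fromstring(xml_text)
    recovered = {}
    for el in root.findall("string"):
        key = el.get("name")
        plaintext, layers = deobfuscate_value(el.text or "")
        recovered[key] = (rainbow.get(key), plaintext, layers)
    return recovered


def build_sample_prefs() -> str:
    """Constructed SharedPreferences file in the shape figure 5 describes."""
    rows = [
        ("rate_p_words", "Great app, cleans my phone fast!|Best cleaner ever", 2),
        ("notifi_inter", "28800000", 1),
        ("not_in_dex", "unknown", 1),  # key whose command name was not found
    ]
    body = "".join(
        f'\n    <string name="{derive_key(cmd, PACKAGE)}">{obfuscate_value(val, n)}</string>'
        for cmd, val, n in rows
    )
    return f"<map>{body}\n</map>\n"


if __name__ == "__main__":
    table = recover_commands(build_sample_prefs(), PACKAGE, CANDIDATES)
    for key, (cmd, val, layers) in table.items():
        print(f"{key}  {(cmd or '<unresolved>'):<14} layers={layers}  {val}")
```

Against a real sample, replace derive_key's stand-in with the transformation recovered from the DEX and feed the decoded strings as candidates; unresolved keys then point to commands still missing from the candidate list.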

In the same hash table other parameters are stored, such as the self-update server URL using the same encryption/obfuscation technique:

Figure 7. Obfuscated HashMap

This key F09EA69449BA00AA9A240518E501B745 and the embedded value can be interpreted as follows:

Figure 8. HashMap as plain text

Other commands are detailed in the table of commands in the appendix which includes shortcut creation and frequency of updates.

Furthermore, received commands may also be stored locally in an SQLite DB that logs part of the actions performed by the malware.

Abuse of Accessibility

Deactivating Google Play Protect:

LeifAccess tries to navigate through the target app using AccessibilityNodeInfo by view-id resource name. For example, for Google Play Protect, the package is embedded on the Google Play app with package name ‘com.android.vending’ and it will try to access the view id ‘play_protect_settings:’ as defined on string g. The full qualified resource id is “com.android.vending:id/play_protect_settings” as shown in the deobfuscated code below. Then it will locate the ‘android:id/switch_widget’ to try to deactivate the scan device option.

Figure 9. List of view-id resources strings abused by LeifAccess

Fake Account Creation Abusing Single Sign On:

Another monetization technique used by this family is the creation of accounts in the name of real user identities and accounts registered on the infected device. This is achieved by abusing the accessibility services to perform an account creation and login with the Google Sign-In OAuth 2.0 that many legitimate services integrate in their apps.

Android/LeifAccess can download and install the target app to later set up an account without user interaction.

The deobfuscated code below shows how Android/LeifAccess uses AccessibilityEvent to navigate a dating app and create an account using the Google login option.

Figure 10. AccessibilityEvent used to create fake accounts

Below are some examples of other application package names that are targeted by this malware to perform fake account creation, mostly related to categories such as shopping, dating and social.

  • zalora.android
  • tiket.gits
  • b2w.submarino
  • zzkko
  • phrendly
  • newchic.client
  • com.netshoes.app
  • makemytrip
  • like
  • lazada.android
  • joom
  • jabong.android
  • startv.hotstar
  • banggood.client
  • alibaba.intl.android.apps.poseidon
  • alibaba.aliexpresshd
  • airyrooms.android

Other Malicious Payloads

Ad Fraud:

Clicker functionality is also implemented so advertisement traffic is requested by the infected device without showing a single ad in the interface.

Specific user-agent headers are sent from C&C to perform ad-fraud.

Figure 11. Specific User-Agent

The ID for the ad network is updated via the C&C Server:

Figure 12. ID used to monetize the ads

Normally, apps that run ads integrate one or more ad network SDKs (usually distributed as JAR libraries) to properly request the ad content, gathering location, device type or even some user data. However, this malware does not integrate any SDK packages into its source code to access the ads. Android/LeifAccess can load ads in the proper ad-network format via direct links for ad clicks or ad impressions (IMPR) that the C&C server pre-builds and sends to it in JSON format. This means that the infected device can request a URL with the full parameters required to simulate a legitimate click coming from a user tapping a banner in the context of a legitimate application, avoiding SDK integration, which also helps keep the file size relatively small.

The adware JSON structure includes:


Furthermore, this malware can show real ads in full screen out of the context of any app after unlocking the device if it receives the proper commands, or based on a certain frequency defined by the C&C. Also, it can show an overlay icon redirecting to ads as a floating overlay.

Arbitrary shortcuts can be created in the home screen based on the parameters received:


Fake Notifications

To gain accessibility services or to request the deactivation of an OS security option that has not been granted yet, the malware is able to launch toast messages to try to convince victims to perform certain actions.

Below is a list of fake notifications, including title and content, in the JSON format used by the malware inside the “dialog” attribute; they are shown as toast notifications at the interval given by the parameter “notifi_inter” (28800000 milliseconds, which equals 8 hours).

Figure 13. List of dialogs used as fake notifications

The ‘deactivate’ and ‘activate’ string is internationalized to match with the OS language:


Unpacking and Execution

To avoid detection, as a ‘defense evasion’ technique, the original installed application is just a wrapper that, once executed, decrypts a JAR from the asset file at path ‘assets/fields.css’, which is dynamically loaded into the main application using reflection. System API call strings are also obfuscated using a custom base64 implementation.

Figure 14. Overview of the malware unpacking

Reversing the decrypted jar file requires deobfuscation of the strings used by Android/LeifAccess.A which are all custom encoded:

Figure 15. Deobfuscated strings using function et.a

Command and Control Server:

The command and control servers are also used for malware distribution and payload updates. The domain names contain words that can make people think they belong to a legitimate advertisement network or a Content Delivery Network (CDN):

hxxp://api.adsnativeXXX.com

hxxp://cdn.leadcdnbXXX.com/

Distribution and Telemetry

Distribution

The samples are available on the C&C as direct APK links, but may also be distributed via social media or a malvertising campaign that tries to convince users to install a critical security update. This variant is labelled SystemSecurityUpdates and its package name starts with ‘com.services.xxxx’, pretending to be a system update.

Variants of Android/LeifAccess.A were found hosted and distributed through the Discord game chat platform. Some malicious APK variants were available in the following URL scheme:

  • hxxps://cdn.discordapp.com/attachments/XXXXXXXXX/XXXXXX

Infection requires the user to download and install the malicious APK; this means that a social engineering component is used for initial access. Scaring people about potential threats using ads, or luring gamers who want to add a “hidden feature”, makes them more willing to follow the untrusted installation flows described by attackers in posts or videos, even if they must dismiss security notifications or deactivate security measures to allow aggressive permissions or activate accessibility services.

Conclusion

The ability to install apps and then post fake reviews on Google Play in the name of a victim, create fake accounts on third party services plus the self-update mechanism, in conjunction with multiple obfuscation and encryption techniques used as self-defense, makes this piece of malware unique and allowed it to stay under the radar for victims without AV protection.

The main functions of this Trojan can be described as:

  • Download Apps from Google Play or APK Pure
  • Deactivate Google Play Protect
  • Create Fake Accounts with OAuth abusing accessibility
  • Post fake reviews on Google Play
  • Create short cuts on the main screen
  • Display Ads in the background and in full screen
  • Self-Update

Android/LeifAccess implements multiple techniques for self-defense to encrypt and obfuscate the malicious behavior and to try to avoid AV detection.

Due to the high volume of unique samples, we can infer that a considerable amount of resources is devoted to infrastructure and automation for sample generation in a server-side polymorphic way.

New variants are constantly deployed to keep this mobile botnet of fake reviewers alive.

This kind of malware not only damages users; it also affects app market credibility and the advertisers/ad networks that paid for banners that nobody views.

It also suggests that a market exists for the fraudulent improvement of app reputation, and that services such as this are performed with a monetization objective, very similar to what happens on social media, where services exist to buy followers or likes.

These publications violate the guidelines of the Google Play Store mainly because reviews and rankings are key to helping users to select appropriate and safe apps – fake ones can ruin users’ trust.

However, this ranking manipulation is a challenge to identify and remove as these kinds of fake review are not produced by fake accounts and most anti-spam methods are designed to find content created by untrusted or unverified accounts rather than legitimate users. This same technique could be used for social media or any other platform distribution of arbitrary messages.

If you think you could be affected by this family then you can view or edit the reviews that you have written on your Google account at https://aboutme.google.com/.

Newer implementations of this malware are also identified and detected by McAfee Mobile Security as Android/LeifAccess.A and Android/LeifAccess.B.

Technical Data and IOCs

Table of Commands

Mitre ATT&CK Matrix

IoCs

SHA256 Package Name
6032c1a8b54f3daf9697a49fdd398d3ebe35f3fec3d945d6d8e9588043332969 com.services.ibgpe.hflbsqqjrmlfej
032184204b50f0634ad360a2090ea9904c012cb839b5a0364a53bf261ce8414e com.services.kxyiqc.zzwkzckzfiojjzpw
0a95e9cce637a6eb71e4c663e207146fe9cde0573265d4d93433e1242189a35c com.services.jifat.qaxtitmumdd
533a395ed16143bbe6f258f3146ea0ea3c56f71e889ace81039800803d0b1e18 com.services.xvpyv.tteawsribdsvi
6755f708d75a6b8b034eae9bcb6176679d23f2dc6eb00b8656d00f8ee0ec26c1 com.services.myzmuexri.nrphcanr

URLS

adsnative123[.]com

Myapkcdn[.]in

adsv123[.]com



The post Android/LeifAccess.A is the Silent Fake Reviewer Trojan appeared first on McAfee Blog.
