1. Home > Virus prevention >

Google Play malware analysis

Multiple malicious applications (detected by Trend Micro as AndroidOS_BadBooster.HRX) were recently discovered on Google Play. They are able to access remote malicious ad configuration servers, perform ad fraud and download up to 3000 malware variants or Malicious payload. These malicious applications improve device performance by cleaning, organizing and deleting files, and have been downloaded more than 470,000 times. The attack has been active since 2017, and Google Play has removed the malicious application from the store.
According to the analysis, 3000 malware variants or malicious payloads will be downloaded to the device, pretending to be a device startup program or a system program without an icon on the program list. Attackers can use the affected devices to post false comments that are beneficial to malicious applications, and click on pop-up advertisements to commit ad fraud.


Technical analysis
The program named Speed ​​Clean in the attack has improved mobile The function of equipment performance. The application will pop up advertisements when used, which seems harmless to the mobile application.

Speed ​​Clean can also launch a transparent active background to hide malicious content.

After this, a malicious service named "com.adsmoving.MainService" under the Java package "com.adsmoving" will establish a connection with the remote ad configuration server , Register a new malicious installer. After registration, Speed ​​Clean will start to push malicious advertisements to users. Malicious advertisements and Trojan horse programs will be displayed under the "recommended page" of the application.



Figure 6 is malicious Software flow.
After installing "alps-14065.apk", no application icon will be displayed on the startup program or the program list of the device. It will add an application called "com.phone.sharedstorage", which can be found in "Downloaded Applications".

Same as ANDROIDS TOASTAMIGO, one of the Android malware families detected in 2017, the Speed ​​Clean application can download malware variants or payloads for execution Different advertising fraud. Some typical malicious advertisement frauds used in this attack are as follows:
1. Simulate users clicking on advertisements. Malicious applications are integrated in legitimate mobile advertising platforms, such as Google AdMob and Facebook.

2. Install the application from the mobile advertising platform into the virtual environment to prevent users from discovering it.

3. Persuade users to enable access rights and disable the security protection function of Google Play Protect. Ensure that malicious payloads can download and install more malicious applications without being discovered by users.

4. Use the affected device to post false comments.

5. Use accessibility to log in malware with Google and Facebook accounts.

Get information from the malware variants and the malicious payload associated with this attack as follows:

It is also noted that the most severely infected countries or regions are Japan, Taiwan, the United States, India and Thailand.

The geographic parameter value of the country/region code can be modified to any country/region code, even a random non-existent country/region code, remote advertising The configuration server always returns malicious content, but the activity excluded Chinese users.

Summary
Attackers are trying to deceive users through more real malicious applications, so users should be careful before downloading any applications. . The legitimacy of the application can be verified by user reviews in the store. However, malicious applications can download payloads and post fake comments. Although there are many positive reviews, there will be many different users who leave the same positive reviews.

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com/:http://www.internetweblist.com/Virus prevention/20296.html

Contact Us

Online consultation:click here to give a message