Monday, May 11, 2015

"Armor for Android" - Rogue Marketing but Real Business - Who Cares for Ethics!

Malvertisements and Fake AVs Outline: Since Android is an open-source mobile platform, it is targeted by attackers for malicious purposes. Malicious Android applications are served through malicious advertisements. One widely used technique is to raise fake anti-virus alerts in the form of advertisements and then offer a fake solution in the form of an anti-virus application, which is nothing but a malicious application designed to steal information, demand a ransom, or ask for money to activate the license of the fake anti-virus. One way or the other, information or money is extracted from end-users by selling "risk or threat" through malicious advertisements. All of this is fake, but end-users who are not knowledgeable fall for the trap and end up handing over either money or information.

Interestingly, businesses are also using these nefarious tactics to scare users into installing applications through dubious means. Read this for the reality of "Armor for Android": http://www.androidauthority.com/armor-for-android-342192/. Several outlets call the "Armor for Android" application rogue. Interestingly, "Armor for Android" built its business on information provided by VirusTotal.com, as highlighted in this Naked Security blog post: https://nakedsecurity.sophos.com/2013/01/10/a-chink-in-android-armour/. Even VirusTotal now flags this application as malicious: https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/

We have been watching this trend for a couple of months and decided to do a brief analysis of the complete process. We still treat this application as fake or rogue based on the methods used to install it on end-users' phones.

Let's take a look at the recent malicious advertisement campaign for installing "Armor for Android", a so-called authentic application advertised as providing effective anti-virus services. Amazingly, "Armor for Android" is still rolling in the market despite such bad business practices, and the latest campaign is discussed in this post. The questions that need critical thinking are:
  1. Is there any value in ethical business models in online advertisements?
  2. How can we obtain users' trust if rogue business tactics are used?
Let's walk through the installation (via malvertisement) process of the "Armor for Android" application step by step:

Step 1: The landing website generates an error notification as shown below and claims that the user's Galaxy Nexus phone is infected.



Step 2: After accepting the notification, the page claims that the underlying system is infected with "Hornyworm.apk".



Step 3: After a few seconds, a fake message appears showing that the user's Android phone is being scanned, and it offers a solution: downloading an anti-virus application.



Step 4: After a few seconds, an Android application is served as follows:



Step 5: The website also shows exactly how the application needs to be installed.


The complete HTTP network flow is presented below to show the various websites the end-user's Android phone is hopped through. Columns: time, elapsed seconds, bytes sent, bytes received, method, status, content type (or the redirect target for 302/303 responses), and the requested URL.

 02:02:34.141     2.050     734     1383     GET     200     text/html     http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U  
 02:02:36.216     0.056     749     (1965)     GET     (Cache)     application/x-javascript     http://www.cellphoneupdated.com/fatalvirus/us/106/backfix.min.js  
 02:03:39.010     0.020     805     (82)     GET     (Cache)     text/html     http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html  
 02:03:39.772     0.060     897     (214)     GET     304     text/html     http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html?HistoryLoad  
 02:03:43.045     2.351     947     222     GET     200     text/html     http://track.cellphoneupdated.com/click  
 02:03:45.492     2.083     657     625     GET     200     text/html     http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff%3Faffid%3D10027%26v_campaign%3Dyd447a9ysnrwv44b2m8p97au545hqbpnqrqv%26subid%3DdQ31FAIBI19DCGGI0DIHGN46&ts=1425257252676&hash=zuiF0czwgopTMlbFFybUElFtRrEzh08G4HY3fKQ%2FH%2FQ%3D&rm=DJ  
 02:03:47.618     2.253     749     846     GET     302     Redirect to: http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812     http://hop.armorforandroid.net/go/aa.aff?affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46  
 02:03:49.959     0.148     1028     215     GET     303     Redirect to: /k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812     http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812  
 02:03:50.154     0.113     1090     3072     GET     200     text/html     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812  
 02:03:50.293     0.145     864     1025     GET     200     text/css     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/a.css  
 02:03:50.312     0.046     877     (0)     GET     (Cache)     application/javascript     http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js  
 02:03:50.330     0.232     879     891     GET     200     image/png     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/z.png  
 02:03:50.473     0.144     837     455     GET     200     application/x-javascript     http://antivirus.trafficmanager.net/threatCount?range=7&callback=jsonp1&_=1425257258028  
 02:03:50.498     0.252     799     226     GET     200     application/javascript     http://api.handsetdetection.com/sites/js/32266.js  
 02:03:50.525     0.285     877     167     GET     204     text/plain     http://pixel.sitescout.com/iap/14b1248479c050b7  
 02:03:50.563     0.165     506     824     GET     200     image/png     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/p.png  
 02:03:50.583     0.370     539     35219     GET     200     application/x-font-ttf     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/font.ttf  
 02:03:54.517     0.178     1278     2382     GET     200     text/html     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/i.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812  
 02:03:54.738     0.151     861     1085     GET     200     text/css     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/aa.css  
 02:03:54.757     0.031     873     (0)     GET     (Cache)     application/javascript     http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js  
 02:03:54.924     0.056     787     (1560)     GET     (Cache)     application/x-javascript     http://connect.facebook.net/en_US/fbds.js  
 02:03:54.950     0.240     873     167     GET     204     text/plain     http://pixel.sitescout.com/iap/0770a2fc94ca2cbc  
 02:03:55.018     2.176     2106     334     POST     200     image/gif     https://www.facebook.com/tr/  
 02:03:57.279     2.584     1205     3.2M     GET     200     application/vnd.android.package-archive     http://dlhub1.com/download/full?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812  
 02:04:05.722     0.165     507     14521     GET     200     image/png     http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/x.png  

The application looks as shown below. It asks for the user's credit or debit card information in order to complete a transaction so that the fake anti-virus application can be activated with a license. The whole process is fake.


Assets Information:

parameters.json {
  "bugsense_key": "f75779a2",
  "analytics_key": "01c0994d555ea19e1ef7e0e5b69c9dab",
  "security_key": "ca9u",
  "quick_scan": "true",
  "device_threats": "false"
}

version.json {
  "configuration": "1983",
  "pop": "1",
  "version": "release-search",
  "strat": "2",
  "page": "aa.matt.5svp.0830",
  "split": "c9c82b85.control",
  "ccrule": "fcc98f53",
  "offer": "aa.gi.default",
  "product": "anti-virus",
  "partner": "afacom",
  "country": "xx",
  "language": "en",
  "pool": "9d05eb72",
  "affid": "10027",
  "v_campaign": "yd447a9ysnrwv44b2m8p97au545hqbpnqrqv",
  "subid": "dAF08D9FUE813PVJ0PNAMH6O",
  "shortcut": "aa.aff",
  "ipcc": "us",
  "iprc": "ca",
  "xsid": "FyY0MUJgP0-AitmpO62mVw",
  "ccconfigid": "a29869e5.140812"
}
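The network flow above and the version.json pulled from the APK's assets carry the same affiliate tracking keys (affid, v_campaign, partner, ccconfigid), which is how the download is attributed to the malvertising affiliate. The following Python script is an added example, not code from the original post: it parses a few of the proxy-log lines shown above (copied with their query strings trimmed), reconstructs the chain of hosts the browser is bounced through, picks out the response that delivered an Android package, and compares the query string of that download URL with a copy of the version.json shown above. The column layout of the log and the key names are taken from the post; nothing else is assumed.

```python
"""Added example (not from the original post): reconstruct the hop chain from
proxy-log lines like the ones above and cross-check the affiliate parameters
carried in the APK's version.json against the APK download URL."""
import json
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: a subset of the proxy-log lines from the post, with the
# long query strings trimmed to the parameters this example needs.
LOG_LINES = [
    "02:02:34.141     2.050     734     1383     GET     200     text/html     http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus",
    "02:03:43.045     2.351     947     222     GET     200     text/html     http://track.cellphoneupdated.com/click",
    "02:03:45.492     2.083     657     625     GET     200     text/html     http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff%3Faffid%3D10027",
    "02:03:47.618     2.253     749     846     GET     302     Redirect to: http://www.fastermobile.org/v3e/index.html?pop=1&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv     http://hop.armorforandroid.net/go/aa.aff?affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46",
    "02:03:57.279     2.584     1205     3.2M     GET     200     application/vnd.android.package-archive     http://dlhub1.com/download/full?pop=1&version=release-search&partner=afacom&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&ccconfigid=a29869e5.140812",
]

# Constructed copy of the APK asset version.json from the post (subset of keys).
VERSION_JSON = json.dumps({
    "version": "release-search", "partner": "afacom", "affid": "10027",
    "v_campaign": "yd447a9ysnrwv44b2m8p97au545hqbpnqrqv",
    "subid": "dAF08D9FUE813PVJ0PNAMH6O", "ccconfigid": "a29869e5.140812",
})

APK_MIME = "application/vnd.android.package-archive"


def parse_line(line):
    """Split one proxy-log line on runs of 3+ spaces into its columns."""
    cols = re.split(r" {3,}", line.strip())
    is_redirect = cols[6].startswith("Redirect to:")
    return {
        "time": cols[0], "method": cols[4], "status": cols[5], "url": cols[-1],
        "type": None if is_redirect else cols[6],
        # Redirect rows carry the Location target instead of a content type.
        "redirect": cols[6][len("Redirect to: "):] if is_redirect else None,
    }


def hop_chain(lines):
    """Ordered list of distinct hosts the browser is sent through, including
    hosts named only in a 'target=' parameter or a redirect target."""
    hosts = []
    for line in lines:
        e = parse_line(line)
        candidates = [e["url"]]
        if e["redirect"]:
            candidates.append(e["redirect"])
        target = parse_qs(urlparse(e["url"]).query).get("target")
        if target:
            candidates.append(target[0])
        for u in candidates:
            host = urlparse(u).netloc
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def apk_downloads(lines):
    """Log entries whose response delivered an Android package."""
    return [e for e in map(parse_line, lines) if e["type"] == APK_MIME]


def campaign_match(download_url, version_json):
    """Compare keys shared by the download URL's query string and version.json.
    Returns (keys with equal values, keys with differing values)."""
    qs = {k: v[0] for k, v in parse_qs(urlparse(download_url).query).items()}
    cfg = json.loads(version_json)
    shared = sorted(set(qs) & set(cfg))
    matching = [k for k in shared if qs[k] == cfg[k]]
    differing = [k for k in shared if qs[k] != cfg[k]]
    return matching, differing


if __name__ == "__main__":
    print("Hop chain:", " -> ".join(hop_chain(LOG_LINES)))
    for e in apk_downloads(LOG_LINES):
        print("APK served at", e["time"], "from", urlparse(e["url"]).netloc)
        print("campaign keys matching / differing:", campaign_match(e["url"], VERSION_JSON))
```

Run against the post's data, every shared key matches except subid, which differs between the capture (dQ31FAIBI19DCGGI0DIHGN46) and the APK's version.json (dAF08D9FUE813PVJ0PNAMH6O), consistent with a per-download identifier; the stable affid and v_campaign values are the ones worth keying detections on.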

Read/write operations observed are shown below:

write  /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
read   /data/data/com.android.music/shared_prefs/Music.xml
write  /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
write  /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
read   /data/data/com.android.browser/shared_prefs/com.android.browser_preferences.xml
read   /data/data/com.android.mms/shared_prefs/_has_set_default_values.xml
read   /data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml

Device ID submitted as follows:

POST /api/submit?deviceId=d3rqs2c37m&version=349 HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.4; generic Build/GRJ22)
Host: url.armorforandroid.net
Connection: Keep-Alive
Content-Length: 641
Accept-Encoding: gzip

Data Exfiltration:

POST /innilytics/upload/01c0994d555ea19e1ef7e0e5b69c9dab HTTP/1.1
Content-Type: application/x-gzip
Content-Length: 1558
Host: innilytics.cloudapp.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

[1558-byte gzip-compressed request body; the raw bytes are not readable without decompression and are omitted here]


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 04 May 2015 01:36:51 GMT
Content-Length: 0
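Note that the upload path in the exfiltration request ends with 01c0994d555ea19e1ef7e0e5b69c9dab, the analytics_key value from the APK's parameters.json shown earlier, so the two artifacts can be tied together without decoding the body. The following Python script is an added example, not code from the original post: it rebuilds a raw POST with the headers shown above, splits it into headers and body, gunzips an application/x-gzip body for inspection, and reports which parameters.json value is reused in the request path. The body is constructed (the post shows only the compressed bytes, so the real content is unknown); the host, path, headers and parameters.json values are taken from the post.

```python
"""Added example (not from the original post): split a captured HTTP request
into headers and body, gunzip an application/x-gzip body, and check whether
the upload path reuses a key from the APK's parameters.json."""
import gzip
import json

# Constructed copy of the APK asset parameters.json from the post.
PARAMETERS_JSON = {
    "bugsense_key": "f75779a2",
    "analytics_key": "01c0994d555ea19e1ef7e0e5b69c9dab",
    "security_key": "ca9u",
    "quick_scan": "true",
    "device_threats": "false",
}

# Constructed payload standing in for the real (unknown) upload content.
SAMPLE_PAYLOAD = {"deviceId": "EXAMPLE-DEVICE-ID", "installed": ["com.android.mms"]}

# Host and path as captured in the post.
UPLOAD_HOST = "innilytics.cloudapp.net"
UPLOAD_PATH = "/innilytics/upload/01c0994d555ea19e1ef7e0e5b69c9dab"


def build_request(payload, host=UPLOAD_HOST, path=UPLOAD_PATH):
    """Assemble a raw POST shaped like the captured one, with a gzip body."""
    body = gzip.compress(json.dumps(payload).encode())
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        "Content-Type: application/x-gzip\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Host: {host}\r\n"
        "Connection: Keep-Alive\r\n"
        "User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n\r\n"
    )
    return headers.encode() + body


def parse_request(raw):
    """Split raw request bytes into (request line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_upload(raw, params):
    """Decode the body if it is gzip (magic bytes 1f 8b) and report which
    parameters.json values, if any, appear in the request path."""
    request_line, headers, body = parse_request(raw)
    method, path, _ = request_line.split(" ", 2)
    if headers.get("content-type") == "application/x-gzip" and body[:2] == b"\x1f\x8b":
        decoded = json.loads(gzip.decompress(body))
    else:
        decoded = None
    reused = [k for k, v in params.items() if v in path]
    return {
        "method": method,
        "host": headers.get("host"),
        "path": path,
        "content_length_ok": int(headers.get("content-length", -1)) == len(body),
        "payload": decoded,
        "reused_keys": reused,
    }


if __name__ == "__main__":
    report = inspect_upload(build_request(SAMPLE_PAYLOAD), PARAMETERS_JSON)
    print(json.dumps(report, indent=2))
```

The same split-and-gunzip step applies to a body pulled from a pcap or proxy capture; the magic-byte check avoids feeding a truncated or non-gzip body to the decompressor, and the Content-Length comparison flags captures that were cut short.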

VirusTotal report: https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/

At the time of this post, the link is still active: hxxp://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U

Beware of these kinds of applications!