Interestingly, businesses are also using nefarious tactics to scare users into installing applications through dubious means. Read this for the reality of "Armor for Android": http://www.androidauthority.com/armor-for-android-342192/. Several outlets describe the "Armor for Android" application as rogue. Interestingly, "Armor for Android" built its business on information provided by VirusTotal.com, as highlighted in this Naked Security blog post: https://nakedsecurity.sophos.com/2013/01/10/a-chink-in-android-armour/. Even VirusTotal now considers this application malicious: https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/
We have been watching this trend for a couple of months and decided to do a brief analysis of the complete process. We still treat this application as fake or rogue, based on the methods used to get the Android application installed on end-users' phones.
Let's take a look at the recent malicious advertising campaign for installing "Armor for Android", a so-called authentic application that is advertised as providing effective anti-virus services. Amazingly, "Armor for Android" is still active in the market despite such bad business practices; the latest campaign is discussed in this post. The questions that need critical thinking are:
- Is there any value in ethical business models in online advertisements?
- How can we obtain users' trust if rogue business tactics are used?
Step 1: The landing website generates an error notification as shown below and claims that the user's Galaxy Nexus phone is infected.
Step 2: After accepting the notification, it is claimed that the underlying system is infected with "Hornyworm.apk".
Step 3: After an interval of a few seconds, a fake message appears showing that the user's Android phone is being scanned, and it offers a solution: download an anti-virus application.
Step 4: After a few seconds, an Android application is served as follows:
Step 5: The website also shows exactly how the application needs to be installed.
The complete HTTP network flow is presented below to show the various websites the end-user's Android phone is hopped through.
02:02:34.141 2.050 734 1383 GET 200 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U
02:02:36.216 0.056 749 (1965) GET (Cache) application/x-javascript http://www.cellphoneupdated.com/fatalvirus/us/106/backfix.min.js
02:03:39.010 0.020 805 (82) GET (Cache) text/html http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html
02:03:39.772 0.060 897 (214) GET 304 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html?HistoryLoad
02:03:43.045 2.351 947 222 GET 200 text/html http://track.cellphoneupdated.com/click
02:03:45.492 2.083 657 625 GET 200 text/html http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff%3Faffid%3D10027%26v_campaign%3Dyd447a9ysnrwv44b2m8p97au545hqbpnqrqv%26subid%3DdQ31FAIBI19DCGGI0DIHGN46&ts=1425257252676&hash=zuiF0czwgopTMlbFFybUElFtRrEzh08G4HY3fKQ%2FH%2FQ%3D&rm=DJ
02:03:47.618 2.253 749 846 GET 302 Redirect to: http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812 http://hop.armorforandroid.net/go/aa.aff?affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46
02:03:49.959 0.148 1028 215 GET 303 Redirect to: /k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812 http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:50.154 0.113 1090 3072 GET 200 text/html http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:50.293 0.145 864 1025 GET 200 text/css http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/a.css
02:03:50.312 0.046 877 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js
02:03:50.330 0.232 879 891 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/z.png
02:03:50.473 0.144 837 455 GET 200 application/x-javascript http://antivirus.trafficmanager.net/threatCount?range=7&callback=jsonp1&_=1425257258028
02:03:50.498 0.252 799 226 GET 200 application/javascript http://api.handsetdetection.com/sites/js/32266.js
02:03:50.525 0.285 877 167 GET 204 text/plain http://pixel.sitescout.com/iap/14b1248479c050b7
02:03:50.563 0.165 506 824 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/p.png
02:03:50.583 0.370 539 35219 GET 200 application/x-font-ttf http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/font.ttf
02:03:54.517 0.178 1278 2382 GET 200 text/html http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/i.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:54.738 0.151 861 1085 GET 200 text/css http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/aa.css
02:03:54.757 0.031 873 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js
02:03:54.924 0.056 787 (1560) GET (Cache) application/x-javascript http://connect.facebook.net/en_US/fbds.js
02:03:54.950 0.240 873 167 GET 204 text/plain http://pixel.sitescout.com/iap/0770a2fc94ca2cbc
02:03:55.018 2.176 2106 334 POST 200 image/gif https://www.facebook.com/tr/
02:03:57.279 2.584 1205 3.2M GET 200 application/vnd.android.package-archive http://dlhub1.com/download/full?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:04:05.722 0.165 507 14521 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/x.png
The application looks as shown below, and it asks for the user's credit or debit card information in order to conduct a transaction, so that the fake anti-virus application can be installed after a license is obtained. It is all basically a fake process.
Assets Information:
parameters.json {
"bugsense_key": "f75779a2",
"analytics_key": "01c0994d555ea19e1ef7e0e5b69c9dab",
"security_key": "ca9u",
"quick_scan": "true",
"device_threats": "false"
}
version.json {
"configuration": "1983",
"pop": "1",
"version": "release-search",
"strat": "2",
"page": "aa.matt.5svp.0830",
"split": "c9c82b85.control",
"ccrule": "fcc98f53",
"offer": "aa.gi.default",
"product": "anti-virus",
"partner": "afacom",
"country": "xx",
"language": "en",
"pool": "9d05eb72",
"affid": "10027",
"v_campaign": "yd447a9ysnrwv44b2m8p97au545hqbpnqrqv",
"subid": "dAF08D9FUE813PVJ0PNAMH6O",
"shortcut": "aa.aff",
"ipcc": "us",
"iprc": "ca",
"xsid": "FyY0MUJgP0-AitmpO62mVw",
"ccconfigid": "a29869e5.140812"
}
Read/Write Operations are shown below:
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
read /data/data/com.android.music/shared_prefs/Music.xml
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
read /data/data/com.android.browser/shared_prefs/com.android.browser_preferences.xml
read /data/data/com.android.mms/shared_prefs/_has_set_default_values.xml
read /data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml
Device ID submitted as follows:
POST /api/submit?deviceId=d3rqs2c37m&version=349 HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.4; generic Build/GRJ22)
Host: url.armorforandroid.net
Connection: Keep-Alive
Content-Length: 641
Accept-Encoding: gzip
Data Exfiltration:
POST /innilytics/upload/01c0994d555ea19e1ef7e0e5b69c9dab HTTP/1.1
Content-Type: application/x-gzip
Content-Length: 1558
Host: innilytics.cloudapp.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 04 May 2015 01:36:51 GMT
Content-Length: 0
Virus Total - https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/
At the time of this post, the link is still active: hxxp://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U
Beware of these kinds of applications!