Friday, August 25, 2017

More hiding Trojans on Google Play

For the last few weeks, the Google Play Store has been fighting dozens of fake apps, mostly impersonating video players or downloaders such as Tube Mate, Vid Mate, Snap Tube, or variations of their names. At the beginning of August, I informed users about this threat in a short video demonstrating one of these apps and showing how to uninstall it.



Today I reported more of these apps on Google Play, eleven in particular. These apps have functionality similar to the one I mentioned in the video above.




Functionality

After installing one of these apps from the Play Store, an app with a different name and icon, such as File Storage, Data Manage, Support Assist, Network Filter or Device Analysis, is installed on the device instead of the one the user intended to download. The installation is demonstrated in the following video:



Once launched, it asks the user to activate device administrator rights and hides itself from the user's view. In the background, the application can perform clicks and display full-screen advertisements outside of the app at particular intervals.

Figure 1. First versions with unencrypted URL

Figure 2. Latest version with encryption of contacted URL

Figure 3. Clicking functionality obtained from contacted server

Figure 4. After a couple of minutes, the investigated app created dozens of requests to porn websites

How to get rid of it

A victim can't uninstall these apps without first deactivating their administrator rights. This can be done by going to Settings -> Security -> Device administrators and deactivating the device administrator for the specific apps. Once this is done, the user can uninstall these apps from Settings -> Application/Application manager.
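
To find which apps need the deactivation step above, a device attached over adb can be checked for user-installed packages that hold device administrator rights. This is an added example, not code from the original post: it parses constructed samples of `adb shell dumpsys device_policy` and `adb shell pm list packages -3` output, and the package names and the exact output layout are assumptions.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output.
# Layout is assumed (modelled on Android 7-era devices); names are made up.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
      policies:
        wipe-data
    com.example.filestorage/.AdminReceiver:
      uid=10101
      policies:
        force-lock
  mPasswordOwner=-1
"""

# Constructed sample of `adb shell pm list packages -3` (user-installed apps).
SAMPLE_THIRD_PARTY = """\
package:com.example.filestorage
package:com.example.notes
"""

# An admin entry is an indented "package/receiver:" component line.
ADMIN_LINE = re.compile(r"^\s+([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+):\s*$")

def enabled_admins(dumpsys_text):
    """Return {package: receiver} for each enabled device admin component."""
    admins, in_section = {}, False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
        elif in_section and (m := ADMIN_LINE.match(line)):
            admins[m.group(1)] = m.group(2)
    return admins

def third_party_packages(pm_text):
    """Return the set of package names from `pm list packages -3` output."""
    return {l.split(":", 1)[1].strip()
            for l in pm_text.splitlines() if l.startswith("package:")}

def uninstall_blockers(dumpsys_text, pm_text):
    """User-installed packages holding admin rights, which block uninstall."""
    admins = enabled_admins(dumpsys_text)
    return sorted(p for p in third_party_packages(pm_text) if p in admins)

if __name__ == "__main__":
    for pkg in uninstall_blockers(SAMPLE_DEVICE_POLICY, SAMPLE_THIRD_PARTY):
        print(f"{pkg}: deactivate its device administrator, then uninstall")
```

System packages such as the preinstalled admin in the sample are excluded because they do not appear in the `-3` listing.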



IOC

[updated on September 7, 2017]



2 comments:

  1. Can I ask something... can I track the person bullying me and sending nude po that wasn't me.

  2. Tubemate users to download any kind of video from YouTube as this app provides best features to its users. It is widely loved by millions of users around the world.
