Android Fake AV Hosted in Google Code Targets South Koreans

During the last two years we have observed the accelerated discovery of Android malware by the security industry. Malware authors today often create and distribute fake “antimalware” apps that simulate the scan of files on a device. These fake apps report fake threats (and sometimes make the device unusable). The goal is to get victims to pay for the “full version” of the software to eliminate the nonexistent infections.

However, not all “fake AV” threats pursue monetary gain directly by scaring users with fake threats or denying access to the infected devices. Sometimes malware authors use the good reputation of legitimate security software to trick users into installing malware that executes commands sent by a remote control server to perform tasks in the background–such as stealing sensitive information from infected devices and sending SMS messages without the users’ consent.

Recently the McAfee Mobile Research team has received a new type of Android fake AV that targets South Korean users. The malware pretends to be the security software V3 Mobile Plus:


Icon used by the malware.

When the application executes for the first time, a fake system scan shows fake information such as the current file being scanned–basically a string in the code–the number of files scanned at that moment (13,887 in the following screenshot) and a simulated progress bar:


Fake system scan.

After a few seconds the fake scan finishes and the following summary is presented to the user: One malware found (already removed) and 19,266 files (always the same number) were analyzed.


Fake system scan summary.

After the user clicks the button “??,” the app closes itself and the icon that was present when the app was installed disappears from the main menu, making the user believe that the app was uninstalled. In fact, the icon is merely hidden and a service starts in the background. The service registers the infected device with the control server by sending encoded sensitive information about the device, such as the phone number and network operator:


Malware registering the infected device.

After that the malware constantly checks for new tasks to be executed remotely. These include sending SMS messages with parameters (number and content) from the remote server; this feature can be abused to send premium-rate messages. In addition to this functionality, the malware will silently intercept all incoming SMS messages to send the sender’s encoded phone number and content to a remote server:


SMS leaked.
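The behaviour described above (launcher icon hidden after first run, a background service that registers the device, and a receiver that sees every incoming SMS) leaves static footprints in a decoded APK that an analyst can triage before running the sample. The following script is an added example written for this post; it is not McAfee's detection logic and does not come from the sample. It assumes a decoded AndroidManifest.xml and a list of decompiled strings; the manifest and strings below are constructed to resemble such a sample, and the use of PackageManager.setComponentEnabledSetting to hide the icon is an assumption about how such apps commonly do it, not something the post states about this family.

```python
"""Static triage heuristics for Android samples that hide their icon, run a
background service and intercept SMS. Added example, not the vendor's detection."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest resembling what decoding such a sample might show.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="V3 Mobile Plus">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".RegisterService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed strings, as a decompiler might list them for such a sample.
SAMPLE_STRINGS = [
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "COMPONENT_ENABLED_STATE_DISABLED",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/TelephonyManager;->getLine1Number",
    "Landroid/telephony/TelephonyManager;->getNetworkOperatorName",
]

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ICON_HIDE_NEEDLES = ("setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED")


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Collect the manifest facts relevant to the fake-AV behaviour."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = _attr(filt, "priority")
                # A high priority lets the receiver see SMS before the default app.
                sms_receivers.append((_attr(recv, "name"), int(prio) if prio else 0))
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "phone_state": "android.permission.READ_PHONE_STATE" in perms,
        "sms_receivers": sms_receivers,
        "services": [_attr(s, "name") for s in root.iter("service")],
    }


def icon_hiding_indicators(strings):
    """Strings suggesting the launcher component is disabled at runtime."""
    return [s for s in strings if any(n in s for n in ICON_HIDE_NEEDLES)]


def risk_score(findings, strings):
    """Simple additive score; thresholds are illustrative, not calibrated."""
    score = 0
    if findings["sms_permissions"]:
        score += 2
    if findings["sms_receivers"]:
        score += 2
    if any(prio >= 100 for _, prio in findings["sms_receivers"]):
        score += 1
    if findings["phone_state"]:
        score += 1
    # Background service plus icon hiding is the "pretend uninstall" pattern.
    if findings["services"] and icon_hiding_indicators(strings):
        score += 3
    return score


if __name__ == "__main__":
    f = triage_manifest(SAMPLE_MANIFEST)
    print(f)
    print("icon hiding:", icon_hiding_indicators(SAMPLE_STRINGS))
    print("risk score:", risk_score(f, SAMPLE_STRINGS))
```

The score is only a triage aid: a legitimate SMS app also holds SMS permissions and registers an SMS_RECEIVED receiver, so the combination that matters here is SMS access together with a service that keeps running after the launcher entry has been disabled.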

This Android malware was found in a Google Code project, and it’s not the first time we’ve seen that. However, in this particular Google Code project (which has already been removed) the Android malware was accompanied by Windows malware:


Android and Windows malware in a Google Code project.

McAfee Mobile Security detects the Android threat as Android/FakeAhnAV.A and the Windows threats are detected by McAfee VirusScan/Total Protection as BackDoor-DKA, Generic BackDoor.u, Generic Dropper.i, and Generic BackDoor.abf.
