The malware embedded in these rogue apps, which masquerade as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, hijacks SMS message notifications and then makes unauthorized purchases.
According to the report, the apps made their way to Google Play Store by submitting a clean version of the app for review and later introducing malicious code through updates.
McAfee Mobile Security detects this threat as Android/Etinu and notifies mobile users if it is present.
The malware present in these apps makes use of dynamic code loading. Its encrypted payloads are stored in the app's assets folder under names such as “cache.bin”, “settings.bin”, “data.droid”, or seemingly harmless “.png” files.
The report mentions the following: “First, the hidden malicious code in the main APK opens the ‘1.png’ file in the ‘assets’ folder, decrypts it in ‘loader.dex’ and then loads the stored .dex file. The file ‘1.png’ is encrypted with RC4 with the package name as the key. The first payload creates an HTTP POST request to the C2 server.”
The report adds that the malware uses key management servers, requesting from them the key for the AES-encrypted second payload, “2.png”. The malware also has a self-updating function and reacts to a “URL” value returned by the server: when it is present, the content fetched from that URL is used instead of “2.png”.
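The first-stage trick described above (a file in `assets` that is really a DEX, RC4-encrypted with the app's own package name as the key) is easy to check for during triage, because RC4 is a stream cipher and decrypting only the first few bytes is enough to test for the `dex\n035\0` magic. The script below is an added example written for this article, not code from the McAfee report or from the malware; the package name, asset names and asset contents are all constructed here so it runs offline.

```python
"""Triage helper (added example, not from the McAfee report): look through an
app's asset files for one that was RC4-encrypted with the package name as the
key, as the report describes for "1.png", and flag any that decrypt to a DEX.
All inputs below are constructed; no real APK is read."""

from typing import Dict, List

DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n0NN\0", e.g. "dex\n035\0"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob: bytes) -> bool:
    """True if blob starts with a DEX header magic ("dex\\n" + 3-digit version + NUL)."""
    return len(blob) >= 8 and blob[:4] == DEX_MAGIC and blob[7:8] == b"\0"


def find_hidden_dex(package_name: str, assets: Dict[str, bytes]) -> List[str]:
    """Return the names of assets that are a DEX either in the clear or after
    RC4 decryption with the package name as key.

    Because RC4 is a stream cipher, decrypting just the first 8 bytes yields the
    first 8 bytes of the plaintext, so large assets need not be fully decrypted
    to be tested."""
    key = package_name.encode()
    hits = []
    for name, blob in assets.items():
        if looks_like_dex(blob):
            hits.append(name)  # a plaintext DEX under assets/ is itself suspicious
        elif looks_like_dex(rc4(key, blob[:8])):
            hits.append(name)
    return hits


# --- constructed sample input (hypothetical package name and assets) ---
SAMPLE_PACKAGE = "com.example.photoeditor"

# A fake minimal DEX: real header magic followed by filler bytes.
FAKE_DEX = b"dex\n035\0" + bytes(range(64))

SAMPLE_ASSETS = {
    # genuine PNG signature: should not be flagged
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,
    # the "1.png" pattern from the report: DEX encrypted with RC4(package name)
    "1.png": rc4(SAMPLE_PACKAGE.encode(), FAKE_DEX),
    # an opaque blob that decrypts to nothing meaningful
    "settings.bin": b"\0" * 32,
}

if __name__ == "__main__":
    for asset in find_hidden_dex(SAMPLE_PACKAGE, SAMPLE_ASSETS):
        print(f"suspicious asset: {asset} (decrypts to DEX under RC4({SAMPLE_PACKAGE}))")
```

Running it against a real sample means pointing the same function at the contents of the APK's `assets/` directory and the package name from its manifest; a hit on a file with an image extension is the signal the report describes. The second stage is AES with a server-supplied key, so this check deliberately stops at stage one.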
As mentioned above, the new malware hijacks the notification listener and then steals incoming SMS messages, much like the Android Joker malware.
The eight apps that need to be uninstalled if found on your Android device include:
The McAfee Mobile Research team continues to monitor these threats and protect customers by analyzing potential malware and working with app stores to remove them.