Innovative Malware Survived 6 Months on Google Play

Authors: Tianfang Guo, Jinjian Zhai

Days ago, Lukas Stefanko from ESET discovered a new Remote Access Tool (RAT), which was disguised as a music app, and uploaded to Google Play.


Once a victim installed it, the RAT could be activated by a remote attacker’s command at any time, and complete a series of malicious behaviors, including:

  • Retrieving call log/contacts/SMS/location
  • Uploading/downloading/removing arbitrary files
  • Sending SMS to subscribe fee-based services
  • Turning your phone to a spy camera

What makes this RAT special is, it used Baidu’s push notification service for the command & control, instead of using a command & control server and HTTP traffics.

The notification service on Android is implemented by a 3rd party service provider, Google Cloud Messenger(GCM) is the the most commonly used one, which is free, and used by millions of apps. While Baidu’s Cloud Push service is the Chinese version of GCM (as the latter one is not accessible in mainland China). Apparently, the hacker has bet on Baidu won’t interfere with his business.

Using the notification service for command & control is quite a new way for a RAT, for those advantages:

  • No need for server side – Baidu’s server will take care of everything, from command console to push service.
  • Hard to be detected – Network traffic has no difference from normal push notifications

The developer console of Baidu cloud, which allows pushing a notification to any registered devices without writing a single line of code.
Screen Shot 2015-04-07 at 4.29.47 PM

The control procedure is as follows:
Untitled drawing

The RAT handling the commands sent via notification:
Screen Shot 2015-04-07 at 4.21.16 PM

Also we found the developer has leaked his Baidu Secret Key, bad practice!
Screen Shot 2015-04-07 at 4.21.58 PM

Despite the Elven Path Blog, this app has been on Google Play for nearly 6 months, and still be able to download from some 3rd party app markets. The submission record on VirusTotal in Oct 2014 is highly possible to be submitted by the malware writer as a pre-release experiment of the malware detection by AV products. And no Antivirus could detect it at that time due to the lack of behavioral based mobile threat protection solutions.
Screen Shot 2015-04-07 at 4.24.04 PM

A successful disguise and innovative communication channel, that’s how a malware could survive for an impressively long time. We’ll keep watching for this kind of threats, and update via our blog.

Special Thanks to Steven Chen for providing us the sample.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s