— Trustlook Research Team
Malware packages of this type are designed to download and execute files without the user's consent. To reduce the amount of data that has to be downloaded, the developer keeps the package minimal in size. Most such malware is built for constrained operating environments and can only download specific files. The sample discovered and detected by Trustlook has the following characteristics:
- MD5: 5229453ADF4EA45C3D8AED4CBE38563E
- SHA256: 809e5a2def3540e2fe204f39fc32600b2672b3de41d829432edc6f5a46f0ccd0
- Size: 57943 bytes
- App name: Flash Player Update
- Package name: com.googleservice.play.critical
The package icon is:
Unlike a normal app, this app accepts a variety of remote instructions from the attacker to download malicious apps or components.
On VirusTotal, only 3 of 57 antivirus vendors detected it when it was initially submitted.
The app is written to trick users into believing it is a legitimate app. After installation, it removes its icon to hide itself from the user.
The app communicates with a remote server and sends out some personal information:
The following code snippets demonstrate the above behaviors:
Furthermore, the malware creates a SQL database to keep track of the tasks received from the C&C server. Its methods include:
- getNext // get next task
- getTaskByPackage // get task by package id
- updateTryCount // update count
- insert // insert task
- remove // remove task
The malware checks whether the phone is rooted by searching for the “su” file, and downloads/installs the APK accordingly.
If an HTML file is received, the malware shows the web page instead of installing the file:
As seen in the HOST string in the captured traffic shown earlier, the malware most likely targets Russian smartphone users. The following code snippets also show the malware checking the country code:
The IP address of the C&C server “loaddik.ru” is located in Ukraine, and the domain was registered on 2016-05-10:
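As an added example (not Trustlook's code and not from the sample), the following Python triage script turns the behaviours described above into a static check over strings pulled from a decompiled APK: the task-database method names and the C&C host come from this write-up, while the Android API names assumed for the root check, country check and icon hiding are my assumptions about how such behaviour is usually implemented.

```python
"""Triage helper: match a file's hashes and its decompiled strings against the
behaviours described in the Trustlook write-up of the Flash Player Update sample."""
import hashlib
import re

# Hashes and C&C host quoted from the write-up.
KNOWN_MD5 = "5229453adf4ea45c3d8aed4cbe38563e"
KNOWN_SHA256 = "809e5a2def3540e2fe204f39fc32600b2672b3de41d829432edc6f5a46f0ccd0"
C2_HOST = "loaddik.ru"

# Behaviour -> regex over decompiled strings. The method names under "task_db"
# are listed in the write-up; the Android API names are an assumption about how
# the root check, country check and icon hiding are typically implemented.
BEHAVIOUR_PATTERNS = {
    "task_db": r"\b(getNext|getTaskByPackage|updateTryCount)\b",
    "root_check": r"(/system/(xbin|bin)/su\b|\"su\")",
    "country_check": r"\b(getSimCountryIso|getNetworkCountryIso)\b",
    "icon_hiding": r"\b(setComponentEnabledSetting|COMPONENT_ENABLED_STATE_DISABLED)\b",
    "c2_contact": re.escape(C2_HOST),
}


def hash_matches(apk_bytes: bytes) -> bool:
    """True only if the file is the exact sample described in the write-up."""
    return (hashlib.md5(apk_bytes).hexdigest() == KNOWN_MD5
            or hashlib.sha256(apk_bytes).hexdigest() == KNOWN_SHA256)


def scan_strings(strings):
    """Return {behaviour: [matching strings]} for every behaviour that fires."""
    hits = {}
    for name, pattern in BEHAVIOUR_PATTERNS.items():
        matched = [s for s in strings if re.search(pattern, s)]
        if matched:
            hits[name] = matched
    return hits


def triage(apk_bytes: bytes, strings):
    """Label the file: a hash match is definitive, otherwise 3+ behaviours is suspicious."""
    hits = scan_strings(strings)
    if hash_matches(apk_bytes):
        return "known_sample", hits
    return ("suspicious" if len(hits) >= 3 else "clean"), hits


# Constructed sample input standing in for strings from a decompiled APK.
SAMPLE_STRINGS = [
    "Lcom/googleservice/play/critical/TaskDb;->getNext()",
    "const-string v0, \"/system/xbin/su\"",
    "invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSimCountryIso()",
    "http://loaddik.ru/",
    "Flash Player Update",
]

if __name__ == "__main__":
    print(triage(b"constructed placeholder, not the real sample", SAMPLE_STRINGS))
```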