An advertising dropper in Google Play

2019-08-27T13:30:21
ID SECURELIST:5CDFA4B2F373B8F9BC67975A866F2CEA
Type securelist
Reporter Igor Golovin
Modified 2019-08-27T13:30:21

Description

Recently, the popular CamScanner – Phone PDF creator app caught our attention. According to Google Play, it has been installed more than 100 million times. The developers position it as a solution for scanning and managing digitized documents, but negative user reviews left over the past month indicated the presence of unwanted features.


After analyzing the app, we found an advertising library in it that contains a malicious dropper component. A similar module was previously often found in preinstalled malware on Chinese-made smartphones. The likely reason the malware ended up in the app is a partnership between the app developers and an unscrupulous advertiser.

Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported our findings to Google, and the app was promptly removed from Google Play.

Technical details about Necro.n

When the app is run, the dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources.

Next, the configuration file named "comparison" is decrypted.

Decrypting it yields the following configuration, which contains the addresses of the attackers' servers:

{
  "hs": {
    "server": "https://abc.abcdserver[.]com:8888",
    "default": "https://bcd.abcdserver[.]com:9240",
    "dataevent": "http://cba.abcdserver[.]com:8888",
    "PluginServer": "https://bcd.abcdserver[.]com:9240"
  },
….
}

The dropper downloads an additional module from these URLs:

And then it executes its code:

The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers. As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.
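The following triage helper is an added example written for this write-up, not code from the analysis or from the malware: it flags the resource names named above (mutter.zip, comparison) inside an APK and extracts the unique, defanged C&C endpoints from a decrypted "comparison" configuration. The "assets/" path and the sample APK contents are assumptions; the decryption itself is not described in the article and is not reproduced here.

```python
import io
import json
import zipfile
from urllib.parse import urlsplit

# Constructed sample of the decrypted "comparison" config quoted in the
# write-up; the "…." there stands for further keys that are not shown.
SAMPLE_CONFIG = """
{
  "hs": {
    "server": "https://abc.abcdserver[.]com:8888",
    "default": "https://bcd.abcdserver[.]com:9240",
    "dataevent": "http://cba.abcdserver[.]com:8888",
    "PluginServer": "https://bcd.abcdserver[.]com:9240"
  }
}
"""

# File names from the analysis; the "assets/" prefix used below is an
# assumption, the write-up only says they sit in the app resources.
SUSPECT_RESOURCES = {"mutter.zip", "comparison"}

def extract_c2(config_text: str) -> list:
    """Return unique, defanged (scheme, host, port) triples from the "hs" block."""
    found = set()
    for url in json.loads(config_text).get("hs", {}).values():
        parts = urlsplit(url.replace("[.]", "."))  # refang so urlsplit parses the host
        port = parts.port or (443 if parts.scheme == "https" else 80)
        found.add((parts.scheme, parts.hostname.replace(".", "[.]"), port))
    return sorted(found)  # the duplicated bcd entry collapses to one item

def scan_apk(apk_bytes: bytes) -> list:
    """List zip entries whose base name matches a suspect resource name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.rsplit("/", 1)[-1] in SUSPECT_RESOURCES)

def build_sample_apk() -> bytes:
    """Construct a minimal fake APK (a plain zip) that carries the suspect entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/mutter.zip", b"encrypted payload placeholder")
        zf.writestr("assets/comparison", b"encrypted config placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()), extract_c2(SAMPLE_CONFIG))
```

On a real sample, pass the APK bytes to scan_apk and the decrypted configuration text to extract_c2; a match on the resource names alone is a lead for further analysis, not a verdict.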

IOCs

MD5


C&C

  • https://abc.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240
  • http://cba.abcdserver[.]com:8888