Malicious Android App - Virus

McAfee security researchers reveal that a recently spotted Android banking Trojan targeting South Korean users via SMS phishing messages (smishing) was linked to an infection campaign from two years ago.

The mobile phishing messages attempt to lure users into executing malware by claiming to link to a leaked private picture or posing as a Chrome update. Once the user clicks on the shortened link in the message, the banking Trojan dubbed MoqHao is installed.

Once a device has been compromised, McAfee found, the malware can send phishing SMS messages to the user’s contacts, leak sensitive information including received SMS messages, install Android apps supplied by the command and control (C&C) server, execute remote commands and return the results, and harvest credentials through a locally served Google phishing page.

During installation, the malware requests the permissions it needs for its operations, such as placing phone calls, accessing contacts, and reading text messages. Next, the threat requests device administrator privileges to achieve persistence and redisplays the request window continuously, even after the user dismisses it.

MoqHao then dynamically registers a broadcast receiver for system events such as new package installs, screen state changes, incoming SMS messages, and more, which allows it to spy on user activity and report device status to the C&C. The malware also connects to a first-stage remote server and dynamically retrieves the IP address of the second-stage server from a user profile page on the Chinese search engine Baidu.
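A defender-side triage check for the capability set described in the two paragraphs above (call, contacts and SMS permissions plus a device-admin receiver), written as an added example that is not McAfee's code or part of the MoqHao analysis; the manifest it parses is constructed for illustration, and the score threshold is an assumption. Because MoqHao registers its broadcast receivers at runtime rather than in the manifest, the check keys on the permissions and the device-admin receiver, which must be declared statically.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map to the capabilities the article attributes to MoqHao.
SUSPECT_PERMISSIONS = {
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_CONTACTS": "read contacts (smishing target list)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS to contacts",
}
FLAG_THRESHOLD = 4  # assumed cut-off for the combined score below


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise MoqHao-style capabilities declared in a decoded AndroidManifest.xml.

    Dynamically registered receivers never appear in the manifest, so this is a
    pre-install triage signal on permissions plus device-admin, not proof of malice.
    """
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = {p: why for p, why in SUSPECT_PERMISSIONS.items() if p in declared}
    # A receiver guarded by BIND_DEVICE_ADMIN is the hook for the persistence
    # trick described in the article (repeated admin-rights prompts).
    device_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    score = len(hits) + (2 if device_admin else 0)
    return {"permissions": hits, "device_admin": device_admin,
            "score": score, "flag": score >= FLAG_THRESHOLD}


# Constructed sample manifest mirroring the permission set from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```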

After connecting to this server, the malware sends a message containing device information such as UUID, IMEI, Android version, device product name, build ID string, root status, SIM status, phone number, and registered accounts. Other details are sent to the server periodically, including network operator and type (LTE, GPRS), MAC address, battery level, Wi-Fi signal level, device admin rights, screen on/off state, ringer mode, and whether the current package is exempt from battery optimization.

The Trojan checks infected devices for major Korean bank apps and downloads relevant fake or Trojanized versions of these programs if it finds them. Next, it alerts the victim that an update is available for the targeted app. Once the victim approves the update, the malicious app replaces the legitimate one.

During analysis, however, the malware’s requests to download the malicious apps resulted in an error. According to McAfee, the functionality might not be implemented or not in use, given that infected users haven’t reported attempted installation of additional APK files.

The security researchers first observed Android/MoqHao in January, but that seemed like a test version. Updated malware variants were observed in February and March, but the first non-test iteration emerged only in May.

The banking Trojan, the researchers say, appears connected to a May 2015 attack targeting users in South Korea via a phishing message in the default web browser. Although that message was similar to those spreading Android/MoqHao, and the two malware variants share some behavior and functionality, the threats have entirely different code bases.

“The similarities between the 2015 and 2017 phishing campaigns suggest that the same cybercriminals have shifted from DNS redirection attacks to a smishing campaign. The attackers are still targeting Chrome and getting the control server from a dynamic webpage while changing the code base of the initial dropper component and the dynamically loaded payload,” McAfee says.