Security Researchers Uncover Android Malware

3d illustration of hacked smartphone A
The apps were removed from the store after being discovered.

Security researchers have found a series of Google Play Apps that steal text messages and make purchases using the victim’s financial details. 


The researchers said they investigated the attacker-operated server that controlled the infected devices. Their investigation showed that the server hosted all manner of data from phones, including mobile carrier names, phone numbers, IP addresses, SMS messages, network status, and country of origin. The server also stored data on auto-renewing subscriptions. 


The malware is similar to the Joker family of Android malware. Joker steals SMS messages and signs people up for expensive services. 


“The malware hijacks the Notification Listener to steal incoming SMS messages like Android Joker malware does, without the SMS read permission,” the researchers wrote in reference to Etinu. “Like a chain system, the malware then passes the notification object to the final stage. When the notification has arisen from the default SMS package, the message is finally sent out using WebView JavaScript Interface.”


While the researchers believe that Etinu is a different family from Joker, security companies use “Joker” in the detection names for some of the recently discovered malicious apps. The multi-stage payloads and decryption flow for Etinu are also similar to Joker. 


The virus hides malicious code in the main installation file for the app, which is downloaded from the Play store. The code opens the encrypted file “1.png” and decrypts it with a key that’s the same as the package name. This creates the “loader.dex” file. The new Loader file is executed to create an HTTP POST request to the C2 server for the malware. 


“Interestingly, this malware uses key management servers,” wrote McAfee researchers. “It requests keys from the servers for the AES encrypted second payload, ‘2.png.’ And the server returns the key as the ‘s’ value of JSON. Also, this malware has self-update function. When the server responds ‘URL’ value, the content in the URL is used instead of ‘2.png’. However, servers do not always respond to the request or return the secret key.”


The researchers informed Google of the apps, which have since been removed from the Play Store. 

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post
Bitcoin, riptide, and Ethereum cryptocurrency

Turkey Bans Cryptocurrency Payments

Next Post
Stafford / United Kingdom - November 15 2020: seen on the screen of smartphone, placed on dollar bills.

Nextdoor Launches Anti-Racism Alert Warning Users of Potentially Offensive Posts

Related Posts