Security researchers at McAfee have found a series of Google Play apps that steal text messages and make purchases using the victim's financial details.
The researchers said they investigated the attacker-operated server that controlled the infected devices. It stored a wide range of data harvested from the phones, including mobile carrier names, phone numbers, IP addresses, SMS messages, network status, and country of origin, along with records of the auto-renewing subscriptions the victims had been signed up for.
The malware, which McAfee tracks as Etinu, resembles the Joker family of Android malware: Joker likewise steals SMS messages and signs victims up for expensive premium services.
Although the researchers consider Etinu a distinct family, some security vendors use "Joker" in their detection names for several of the recently discovered apps, and Etinu's multi-stage payloads and decryption flow closely resemble Joker's.
The malware hides its malicious code inside the app's main installation file, the APK that is downloaded from the Play Store. That code opens an encrypted file named "1.png" and decrypts it using the app's package name as the key, producing a "loader.dex" file. The loader is then executed and sends an HTTP POST request to the malware's command-and-control (C2) server.
“Interestingly, this malware uses key management servers,” wrote McAfee researchers. “It requests keys from the servers for the AES encrypted second payload, ‘2.png.’ And the server returns the key as the ‘s’ value of JSON. Also, this malware has a self-update function. When the server responds with a ‘URL’ value, the content in the URL is used instead of ‘2.png’. However, servers do not always respond to the request or return the secret key.”
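The two details above that matter most to an analyst are that the payloads are stored inside the APK under image file names, and that the second-stage key comes back in a JSON reply. The following Python script is an added example, not McAfee's tooling and not code from the malware or the report: it scans an APK (a zip file) for assets whose image extension does not match the file's magic bytes, which is how a "1.png" that is really an encrypted blob stands out, and it applies the key-server logic the researchers describe to a C2 JSON reply. The APK and the replies are constructed inline so it runs offline; the asset path "assets/2.png", the function names, and the treatment of a "URL" reply as still needing the same key are assumptions, not details from the page.

```python
"""Triage helper for the Etinu pattern: payloads disguised as images plus a
key-server reply. Added example, not McAfee's or the malware's code."""
import io
import json
import zipfile

# File signatures an asset with these extensions should begin with.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def find_disguised_assets(apk_bytes):
    """Return the names of zip members that carry an image extension but
    do not start with that format's magic bytes (e.g. an encrypted '1.png')."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            for ext, magics in IMAGE_MAGIC.items():
                if name.endswith(ext):
                    with zf.open(info) as fh:
                        head = fh.read(8)
                    if not any(head.startswith(m) for m in magics):
                        suspicious.append(info.filename)
                    break
    return suspicious


def select_stage2_source(c2_response, local_asset="assets/2.png"):
    """Apply the key-server logic from the report to one C2 JSON reply.

    The AES key is the 's' value; if a 'URL' value is present, its content
    replaces the local '2.png' (assumed here to be decrypted with the same
    key). A reply with no 's' means the second stage cannot be recovered,
    which matches the note that servers do not always return the key.
    Returns (source, key); the asset path is an assumed name.
    """
    reply = json.loads(c2_response)
    key = reply.get("s")
    if key is None:
        raise ValueError("C2 reply carried no 's' key; stage 2 stays encrypted")
    return reply.get("URL", local_asset), key


def build_sample_apk():
    """Constructed sample APK-like zip: one real PNG header, one 'PNG' that is
    an opaque blob (standing in for the encrypted loader), and a dex stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("assets/1.png", b"\x3a\x7f\x91\x02" + b"\xaa" * 32)  # no PNG magic
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    print("disguised assets:", find_disguised_assets(build_sample_apk()))
    # Constructed replies: key only, key plus self-update URL, and no key.
    print(select_stage2_source('{"s": "0123456789abcdef"}'))
    print(select_stage2_source('{"s": "0123456789abcdef", "URL": "http://example.invalid/update"}'))
    try:
        select_stage2_source('{}')
    except ValueError as exc:
        print("no key:", exc)
```

The magic-byte check is deliberately simple: it flags any asset that pretends to be an image but is not, which also catches obfuscated payloads that use other image names, and it never needs the cipher or key. The key-server function only models the decision the report describes; it does not perform the AES decryption, since the page does not state the mode or key format.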
The researchers informed Google of the apps, which have since been removed from the Play Store.