Instant messaging apps are battling it out and trying to become the next popular means of communication that people will use. For example, in Japan, both Line and KakaoTalk - two popular chat apps - both claim to have more than 100 million users in Japan. It shouldn't be a surprise that cybercriminals are using the names of these apps for their own attacks; in this post we'll show how KakaoTalk is being targeted by attackers. (However, let's be clear that KakaoTalk is not being the only brand targeted; other brands and apps are also targets as well.) Users need to understand the threats posed by these malicious apps. First example: Trojanized App One common way to create malicious apps is to take a legitimate version of the app and add malicious code to it. This creates a Trojanized app which, to the user, can appear to be normal. However, it actually contains malicious code. This particular Trojanized version of KakaoTalk is detected as ANDROIDOS_ANALITYFTP.A, and was distributed via email. If one examines the details of the app, one can see the differences between the legitimate app and the modified one:
Table 1: Differences between legitimate and Trojanized versionsIn addition, when we examine the permissions used by the app, it's worth noting that the Trojanized app asks for more permissions than the legitimate app.
Figure 1: Permissions of "ANDROIDOS_ANALITYFTP.A"ANDROIDOS_ANALITYFTP.A seems to be a Trojanized app that can be used by eavesdroppers. This app regularly sends out contact information, text messages, and some phone settings to a command-and-control server from where the attacker can retrieve it. This process of Trojanizing is made easier because most Android apps are written using the Java programming language. Unless steps are taken to obfuscate it, the source code of any Java app is relatively easy to obtain; the attacker can then add or modify the code to introduce malicious behavior into the app. Second example: Fake app Aside from Trojanized apps, fake apps have used KakaoTalk's name as well. About a month ago, KakaoTalk warned users via their official Twitter account of a “KakaoTalk Security Plugin”:
Figure 2: Twitter alert from KakaoTalkWe detect the fake security as ANDROIDOS_FAKEKKAO.A. Many users have fallen victim to this not just because it uses KakaoTalk's brand, but also because it uses “Security” in its name as well. What does this malicious app do when it's installed? It reads the user's contacts and uses the phone's text messaging feature to send messages to all contacts. Because of this, it is quite easy to notice that something has gone wrong with their device. What's most interesting about this fake app, however, was how it was distributed. The attackers used a hacked Google Play developer account to distribute a redirector app:
Figure 3: Redirector appThis redirector app contained ads that led to a variety of apps - including the fake security plugin. By doing it this way, the attacker was attempting to avoid scanners like Google's integrated Bouncer service. Best Practices The best way to protect against these threats is to avoid downloading apps from outside of Google Play - a tip we mentioned earlier when talking about the recent Android security vulnerability. Apps arriving from outside the somewhat curated Google Play store have frequently been a source of security problems for Android devices. Even then, users should check the developer of the app they're downloading, as well as any reviews, to verify that they are downloading legitimate apps. On-device security solutions (like Trend Micro Mobile Security) detect even threats which arrive outside of authorized app stores, providing an additional layer of protection. Developers, meanwhile, need to seriously consider the possibility that their apps can be Trojanized and used for malicious purposes. They need to consider putting in place the necessary defenses: obfuscation (to make analysis and Trojanizing of their apps harder) and code integrity monitoring (to ensure that alerts are raised if/when the app's code is modified and run). In addition, if the app can be built in such a way that sensitive information is handled online - so that stealing information becomes more difficult - it would also help make apps more secure and resistant to these attacks.