XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. Trend Micro detects these as ANDROIDOS_XLOADER.HRX.
Save to Folio
We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects these as ANDROIDOS_XLOADER.HRX.
These malware pose as legitimate Facebook or Chrome applications. They are distributed from polluted DNS domains that send a notification to an unknowing victim’s device. The malicious apps can steal personally identifiable and financial data and install additional apps. XLoader can also hijack the infected device (i.e., send SMSs) and sports self-protection/persistence mechanisms through device administrator privileges.
As with our earlier reports in late March, the attack chain involves diverting internet traffic to attacker-specified domains by compromising and overwriting the router’s DNS settings. A fake alert will notify and urge the user to access the malicious domain and download XLoader.
XLoader first loads the encrypted payload from Assets/db as test.dex to drop the necessary modules then requests for device administrator privileges. Once granted permission, it hides its icon from the launcher application list then starts a service that it keeps running in the background. The background service uses the reflection technique (a feature that allows the inspection and modification of Java-based programs’ internal properties) to invoke the method com.Loader.start in the payload.
Monitoring Broadcast Events
XLoader registers many broadcast receivers in the payload dynamically (to monitor broadcast events sent between system and applications). Registering broadcast receivers enable XLoader to trigger its malicious routines. Here is a list of broadcast actions:
Creating a Web Server to Phish
XLoader creates a provisional web server to receive the broadcast events. It can also create a simple HTTP server on the infected device to deceive victims. It shows a web phishing page whenever the affected device receives a broadcast event (i.e., if a new package is installed or if the device’s screen is on) to steal personal data, such as those keyed in for banking apps. The phishing page is translated in Korean, Japanese, Chinese, and English, which are hardcoded in the payload. It will appear differently to users depending on the language set on the device.
XLoader as Spyware and Banking Trojan
XLoader can also collect information related to usage of apps installed in the device. Its data-stealing capabilities include collecting SMSs after receiving an SMS-related broadcast event and covertly recording phone calls. XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device.
XLoader can also start other attacker-specified packages. A possible attack scenario involves replacing legitimate apps with repackaged or malicious versions. By monitoring the package installation broadcast event, XLoader can start their packages. This enables it to launch malicious apps without the user’s awareness and explicit consent.
We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies. XLoader also prevents victims from accessing the device’s settings or using a known antivirus (AV) app in the country.
XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control (C&C) server, as shown below:
Figure 7. Screenshot showing XLoader’s malicious modules
Here’s a list of the modules and their functions:
- sendSms — send SMS/MMS to a specified address
- setWifi — enable or disable Wi-Fi connection
- gcont — collect all the device’s contacts
- lock — currently just an input lock status in the settings (pref) file, but may be used as a screenlocking ransomware
- bc — collect all contacts from the Android device and SIM card
- setForward — currently not implemented, but can be used to hijack the infected device
- getForward — currently not implemented, but can be used to hijack the infected device
- hasPkg — check the device whether a specified app is installed or not
- setRingerMode — set the device’s ringer mode
- setRecEnable — set the device’s ringer mode as silent
- reqState — get a detailed phone connection status, which includes activated network and Wi-Fi (with or without password)
- showHome — force the device’s back to the home screen
- getnpki: get files/content from the folder named NPKI (contains certificates related to financial transactions)
- http — access a specified network using HttpURLConnection
- onRecordAction — simulate a number-dialed tone
- call — call a specified number
- get_apps — get all the apps installed on the device
- show_fs_float_window — show a full-screen window for phishing
Of note is XLoader’s abuse of the WebSocket protocol (supported in many browsers and web applications) via ws(WebSockets) or wss(WebSockets over SSL/TLS) to communicate with its C&C servers. The URLs — abused as part of XLoader’s C&C — are hidden in three webpages, and the C&C server that XLoader connects to differ per region.
The abuse of the WebSocket protocol provides XLoader with a persistent connection between clients and servers where data can be transported any time. XLoader abuses the MessagePack (a data interchange format) to package the stolen data and exfiltrate it via the WebSocket protocol for faster and more efficient transmission.
XLoader will not download malicious apps if the Android device uses a mobile data connection. Nevertheless, users should practice proper security hygiene to mitigate threats that may take advantage of a home or business router’s security gaps. Employ stronger credentials, for instance, to make them less susceptible to unauthorized access. Regularly update and patch the router’s software and firmware to prevent exploits, and enable its built-in firewall.
For system administrators and information security professionals, configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats. Everyday users can do the same by checking the router’s DNS settings if they’ve been modified. Even threats like DNS cache poisoning employ social engineering, so users should also be more prudent against suspicious or unknown messages that have telltale signs of malware.
We have worked with Google and they ensure that Google Play Protect proactively catches apps of this nature. No instances of these apps were found in Google Play.
Trend Micro Solutions
Trend Micro™ Mobile Security blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and access to fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise
Hashes detected as ANDROIDOS_XLOADER.HRX (SHA-256):
|0F49416B6BCB6E755D 999255FABB4C77C5EA 7DEDEB7E6CDB0925C 4F23C1FB00E||fddf.tre.hjgdsgkh||Chrome|
|958135E163E0518F24F BD1AF6EF18C30E30C1 A4DFB383FF47D111930 55D4CDCE||fghdf.rtghj.hjkh||Chrome|
|C65318AA58C9091B938 948B62C4B5D6E472376 97D8D2F96863F99EF17 7B6818D||ghd.et.hds||Chrome|
|62312475CF0EC1ED66F A29938C30D029BA2F02 BCD6B6ED5AC6C0E5DB E3626BF6||gfhd.rewq.cvxbdf||Chrome|
|17D1415176121AFF8C0020 C3A094B3D72F9802F5145 C80EBCA47DCFE10CC21F6||gfdg.qwe.gsdg|
|1849E8DFD9D1C03DBE6C 1464F9B05492012A6C14A0 A5B63FEB938F1C8B70309B||jfgh.rtw.ghm|
|AC0C7F59859B5DC3ACBC3 BACA6A6B0FD6ECD05375 D06995D7E28D3F6CB36322A||gwer.dfdf.cxv|
|B623DA28673A1934BD61DE A94A88C37E5FBE9999ED3 D6BA311176D65F64C4A4D||ertt.fgh.nfg|
|4232B36C2B306A47B6C67D 5D949349024F57CDBC4516 3A2CA7B7DEE304229C2B||gfdg.qwe.gsdg|
|B8FB1857881F20E8E3223E 390E13E6DD97D47CABB81 870D51421C04631D63FC1||ertt.fgh.nfg|
|AA183FDA57FDE0137AB931 F3729215956E6F9EE158D90 ED82151948F70DB841B||dfg67.as44f.cvx87df|
|B125EA78FB390950893D14 6A51F513440314BE7648207 B59E5D0A1752740F273||jfgh.rtw.ghm|
|6690FBA689E5AE957E0D01 565BA8F849E0F6AA214F2F 93535D1A7C9C75030BD3||ertt.fgh.nfg|
|E690C05F2AB668A661CD21 9E324291819D5F5646775C2 A17F3B3A03E79332A04||tryrt.sdf.bfd|
|4E32493E6C87B0E2EF3E6A E32F5C32D75AE36C92524A 185EABC88FEA3C7938C8||fddf.tre.hjgdsgkh|
|82D7A496091BD8B0435359 BAFC9E7C923CF09BE58D3 ECC9C477E29E541811582||trghj.asdf.cvxebdf|
|E1FB10B714420F23F1BB09B 6C4C55B674B6EFD93685EE 7D1D4574C7FA8B39A94||trghj.asdf.cvxebdf|
|CC2617D7D904986B83BAF7 843DB6969151363000678E8 DA599EDBF6CF23CB827||jfgh.rtw.ghm|
|3698DF22E8A4656FC53BD2 BDE2DA74DD9DA90083481 29347D5D3E6F976FABA6C||trghj.asdf.cvxebdf|
|065E266016A15BB639C31D 49511DBCD0ADC83261D03 C6652DFBFCAB611B9DB53||trghj.asdf.cvxebdf|
|6F20F227F79DEBFDAE322 33B59F4DC15C7FAF05036B 21E8CD46B24EBC52F0BF8||gfdg.qwe.gsdg|
|A4031768A9F1AEB227389E DD99140303420F3A45F0C1 36D3863C703C685CDEF1||tryrt.sdf.bfd|
|7E49B7C6ED359B4E910E8D 4D2C9436D99CDDEB7F9AF 2E2F1082D0CA45D469566||jfgh.rtw.ghm|