Figure 1. Flappy Birr Dog download pageInformation stealing MobSTSPY is capable of stealing information like user location, SMS conversations, call logs and clipboard items. It uses Firebase Cloud Messaging to send information to its server. Once the malicious application is launched, the malware will first check the device's network availability. It then reads and parses an XML configure file from its C&C server.
Figure 2. Example of configure file being taken from a C&C serverThe malware will then collect certain device information such as the language used, its registered country, package name, device manufacturer etc. Examples of all the information it steals can be seen in Figure 3.
Figure 3. Example of stolen informationIt sends the gathered information to its C&C server, thus registering the device. Once done, the malware will wait for and perform commands sent from its C&C server through FCM.
Figure 4. Parse command from the C&CDepending on the command the malware receives, it can steal SMS conversations, contact lists, files, and call logs, as seen from commands in the subsequent figures below.
Figure 5. Steal SMS conversations
Figure 6. Steal contact list
Figure 7. Steal call logsThe malware is even capable of stealing and uploading files found on the device, and will do so as long as it receives the commands as seen in Figures 8 and 9 respectively.
Figure 8. Steal files from target folds
Figure 9. Upload filesPhishing capabilities In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It's capable of displaying fake Facebook and Google pop-ups to phish for the user’s account details.
Figure 10. Phishing behaviorIf the user inputs his/her credentials, the fake pop-up will only state that the log-in was unsuccessful. At which point the malware would already have stolen the user’s credentials.
Figure 11. Fake Facebook login pop-upUser distribution Part of what makes this case interesting is how widely its applications have been distributed. Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries.
Figure 12. Top countries with the most number of affected usersOther countries affected include Mozambique, Poland, Iran, Vietnam, Algeria, Thailand, Romania, Italy, Morocco, Mexico, Malaysia, Germany, Iraq, South Africa, Sri Lanka, Saudi Arabia, Philippines, Argentina, Cambodia, Belarus, Kazakhstan, Tanzania, United Republic of Hungary, etc. As can be surmised, these applications were widely distributed around the globe. Trend Micro Solutions This case demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices. The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks. In addition, users can install a comprehensive cybersecurity solution to defend their mobile devices against mobile malware. Trend Micro Mobile Security detects such attacks, while Trend Micro Mobile Security Personal Edition defends devices from all related threats. Trend Micro™ Mobile Security for Android™ (available on Google Play) blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability. Indicators of Compromise
|SHA256||Package Name||Label||Download Count|
|12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3||ma[.]coderoute[.]hzpermispro||HZPermis Pro Arabe||50 to 100|
|4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838||com[.]mobistartapp[.]windows7launcher||Win7Launcher||1,000 to 5,000|
|38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24||com[.]mobistartapp[.]win7imulator||Win7imulator||100,000 to 500,000|
|0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617||com[.]mobistartapp[.]flashlight||FlashLight||50 to 100|
|a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945||com[.]tassaly[.]flappybirrdog||Flappy Birr Dog||10|