Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, these fraudulent apps carry malware that hijacks SMS message notifications and then makes unauthorized purchases.
According to the report, the apps made their way onto the Google Play Store by submitting a clean version of the app for review and then introducing the malicious code later via updates.
McAfee Mobile Security detects this threat as Android/Etinu and alerts mobile users if it is present.
The malware in these apps takes advantage of dynamic code loading. Encrypted malware payloads appear in the app's assets folder under names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files.
The report mentions, “Firstly, the hidden malicious code in the main .apk opens “1.png” file in the assets folder, decrypts it to “loader.dex,” and then loads the dropped .dex. The “1.png” is encrypted using RC4 with the package name as the key. The first payload creates an HTTP POST request to the C2 server.”
The report further adds that the malware uses key management servers and requests keys from them for the AES-encrypted second payload, “2.png”. The malware also has a self-update function: if the server response contains a “URL” value, the content fetched from that URL is used instead of “2.png”.
As mentioned above, the new malware hijacks the Notification Listener and then steals incoming SMS messages, in the same way as the Android Joker malware.
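The first-stage unpacking step described above can be turned into a simple triage check for analysts: RC4-decrypt each asset with the app's package name as the key and flag any result that starts with the DEX file magic. This is an added example, not code from the McAfee report; the package name, asset names and payload bytes are constructed.

```python
from typing import Dict, List, Optional

DEX_MAGIC = b"dex\n"  # every .dex file starts with "dex\n" followed by the version


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_unpack_asset(asset: bytes, package_name: str) -> Optional[bytes]:
    """Return the decrypted DEX if RC4 under the package name yields one, else None."""
    plain = rc4(package_name.encode(), asset)
    return plain if plain.startswith(DEX_MAGIC) else None


def scan_assets(assets: Dict[str, bytes], package_name: str) -> List[str]:
    """Names of assets that decrypt to a DEX file under the package-name key."""
    return [name for name, data in assets.items()
            if try_unpack_asset(data, package_name) is not None]


# Constructed sample: a fake "1.png" that is really an RC4-wrapped DEX,
# plus a genuine-looking PNG that must not be flagged.
SAMPLE_PACKAGE = "com.example.constructed.photoeditor"   # constructed package name
FAKE_DEX = b"dex\n035\0" + b"\x00" * 24                    # DEX magic + padding
SAMPLE_ASSETS = {
    "1.png": rc4(SAMPLE_PACKAGE.encode(), FAKE_DEX),       # hidden loader.dex
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,       # real PNG signature
}

if __name__ == "__main__":
    print(scan_assets(SAMPLE_ASSETS, SAMPLE_PACKAGE))      # ['1.png']
```

An asset that decrypts to a DEX under a key derived from the package name is a strong indicator of this packing scheme, and the recovered blob can then be passed to a normal DEX disassembler.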
The eight apps that need to be uninstalled if found on your Android device include:
The McAfee Mobile Research team continues to monitor these threats and protect customers by analyzing potential malware and working with app stores to remove it.