Hidden malware behind apps that look perfectly legitimate

Modified versions of mobile apps are very common in the mobile world. These apps may offer additional features and settings, reduced prices, or availability in a wider range of markets than the original app. Their offering can be attractive enough to entice unsuspecting users to install them through unofficial third-party app stores.

The risk of installing modified versions comes from the fact that it is impossible for the user to know what changes were made to the application's code. To be more precise – it is unknown what code was added and whether it has malicious intent.

Check Point's mobile research team recently discovered a modified version of the popular Telegram Messenger app for Android. The malicious app was detected and blocked by Harmony Mobile. Although it looks innocent, this modified version is embedded with malicious code linked to the Triada Trojan. First detected in 2016, Triada is a modular backdoor for Android that obtains administrator privileges in order to download other malware.

Telegram 9.2.1 – Amended by Triada Trojan

The perfect disguise

The malware disguises itself as Telegram Messenger version 9.2.1. It has the same package name (org.telegram.messenger) and the same icon as the original Telegram app. On startup, the user is presented with the Telegram authentication screen and asked to enter the device's phone number and grant the app phone permissions.

This process is similar to the actual authentication process of the original Telegram Messenger app. The user has no reason to suspect that anything unusual is happening with the device.

Figure 1: Malware masquerading as the Telegram Messenger application

In the background

Static analysis of the application shows that when it is launched, malicious code runs in the background, masquerading as an internal application update service.

Figure 2: Malicious code masquerading as an update service

The malware collects information about the device, establishes a communication channel, downloads a configuration file, and waits to receive the payload from the remote server.

Figure 3: The malware downloads the payload

Figure 4: The malware loads the payload

Once the payload is decrypted and launched, Triada gains system privileges, which allow it to infiltrate other processes and perform many malicious actions.

Previous research conducted on Triada payloads demonstrated Triada's diverse malicious capabilities. These include enrolling the user in various paid subscriptions, making in-app purchases using the user's SMS and phone number, displaying ads (including invisible ads running in the background), and stealing login credentials and other user and device information.

How to Protect Your Device from Trojan Malware

  • Always download your apps from trusted sources, be it official websites or official app stores and repositories.
  • Check who the author and developer of the app is before downloading. You can read comments and reactions from previous users before downloading.
  • Be careful with the permissions requested by the installed app and check whether they are actually necessary for the app to function.
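The package name and icon described above are trivially copied by a repackaged app; what a mod cannot copy is the original developer's signing key. The following Python script is an added example, not code from the Check Point write-up, the iGuRu post, or the Telegram project: it compares an installed app's signing-certificate fingerprint against a publisher allowlist and flags permissions beyond a per-app baseline, covering both the disguise in the "perfect disguise" section and the permissions item in the list above. Every certificate, fingerprint, app record and permission set is constructed sample data; the `org.telegram.messenger` allowlist entry is derived from a constructed stand-in, not from the real publisher certificate.

```python
"""Publisher check for installed apps (added example; constructed sample data).

A repackaged app can copy the package name and the icon, but not the original
developer's signing key, so the signing-certificate fingerprint is the value a
defender compares. Every certificate, fingerprint, app record and permission set
below is constructed; on a real device the fingerprint would come from
PackageManager or from `apksigner verify --print-certs`.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class InstalledApp:
    package: str
    label: str
    signer_cert: bytes                       # DER bytes of the signing certificate
    permissions: set = field(default_factory=set)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, colon-separated as apksigner prints it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for DER certificates; not real certificates or keys.
GENUINE_TELEGRAM_CERT = b"constructed-der: org.telegram.messenger publisher key"
REPACKAGED_CERT = b"constructed-der: unknown third-party key"

# Allowlist: package name -> fingerprint of the publisher's signing certificate.
# A real allowlist is filled from a known-good install, never from the device under test.
SIGNER_ALLOWLIST = {
    "org.telegram.messenger": cert_fingerprint(GENUINE_TELEGRAM_CERT),
}

# Constructed baseline of permissions a messenger plausibly needs; anything beyond is flagged.
EXPECTED_PERMISSIONS = {
    "org.telegram.messenger": {"INTERNET", "READ_CONTACTS", "CAMERA", "RECORD_AUDIO", "READ_PHONE_STATE"},
}


def audit_app(app: InstalledApp) -> list:
    """Return findings for one app; an empty list means signer and permissions match expectations."""
    expected_fp = SIGNER_ALLOWLIST.get(app.package)
    if expected_fp is None:
        return [f"{app.package}: no allowlist entry, publisher cannot be verified"]
    findings = []
    actual_fp = cert_fingerprint(app.signer_cert)
    if actual_fp != expected_fp:
        findings.append(
            f"{app.package}: signer mismatch, expected {expected_fp[:23]}... got {actual_fp[:23]}..."
        )
    extra = app.permissions - EXPECTED_PERMISSIONS.get(app.package, set())
    if extra:
        findings.append(f"{app.package}: unexpected permissions {sorted(extra)}")
    return findings


def audit(apps) -> dict:
    """Map each app label to its findings; apps with an empty list pass."""
    return {app.label: audit_app(app) for app in apps}


# Constructed sample inventory: the genuine client and a repackaged copy that
# keeps the package name and icon but is signed with a different key.
GENUINE_TELEGRAM = InstalledApp(
    "org.telegram.messenger", "Telegram (genuine)", GENUINE_TELEGRAM_CERT,
    {"INTERNET", "READ_CONTACTS", "CAMERA", "READ_PHONE_STATE"},
)
REPACKAGED_TELEGRAM = InstalledApp(
    "org.telegram.messenger", "Telegram (mod 9.2.1)", REPACKAGED_CERT,
    {"INTERNET", "READ_CONTACTS", "READ_PHONE_STATE", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"},
)
UNKNOWN_APP = InstalledApp("com.example.notes", "Notes", b"constructed-der: notes key", {"INTERNET"})

if __name__ == "__main__":
    for label, findings in audit([GENUINE_TELEGRAM, REPACKAGED_TELEGRAM, UNKNOWN_APP]).items():
        print(label, "->", findings or "OK")
```

In a real deployment the allowlist is populated from a known-good install (for example the fingerprint that `apksigner verify --print-certs` prints for the official store APK) and the device-side fingerprint is read from PackageManager's signing info; the sample entry here is a placeholder and must not be used as a reference value.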

Check Point Harmony Mobile™ had already successfully detected and alerted on the new Triada variant since early November last year – before any other vendor on VirusTotal.

We also assembled an IOC collection of Triada specimens on VirusTotal:

https://www.virustotal.com/gui/collection/03ca78b275634b0311acdd552353e0c05936a73b516f80f9f3777ab16f0a8e4d

References:

https://blog.checkpoint.com/research/in-the-wild-mobile-malware-implements-new-features/

https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/

https://security.googleblog.com/2019/06/pha-family-highlights-triada.html

https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

iGuRu.gr – The Best Technology Site in Greece

Written by newsbot
