Fakecalls Android Malware Abuses Legitimate Signing Key

Read Time:4 Minute, 45 Second

Authored by Dexter Shin

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key.

Android malware using a legitimate signing key

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a well–known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps.

Figure 1. Malware and legitimate app on Google Play

Distribution method and latest status

Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site.

Figure 2. A phishing page disguised as a Korean banking site

We also found that they updated the domain information of this web page a few days before our investigation.

So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices.

Figure 3. Fakecalls Command and control(C2) admin pages

How does it work

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below.

Figure 4. Tencent’s Legu Packer libraries

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension.

Figure 5. Questionable code in the decrypted DEX file

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser.

Figure 6. APK file disguised as an HTML file

When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the “assets” directory as “introduction.html”. The “introduction.html” is an APK file and real malicious behavior happens here.

Figure 7. Dropper asks you to install the main payload

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information.

Figure 8. Permissions required by the main malicious application

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server.

Figure 9. Services and receivers registered by the main payload

By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose.

Command name
Purpose

note
sms message upload

incoming_transfer
caller number upload

del_phone_record
delete call log

zhuanyi
set call forwarding with parameter

clear_note
delete sms message

assign_zhuanyi
set call forwarding

file
file upload

lanjie
block sms message from specified numbers

allfiles
find all possible files and upload them

email_send
send email

record_telephone
call recording on

inout
re-mapping on C2 server

blacklist
register as blacklist

listener_num
no function

no_listener_num
disable monitoring a specific number

rebuild
reset and reconnect with C2

deleteFile
delete file

num_address_list
contacts upload

addContact
add contacts

all_address_list
call record upload

deleteContact
delete contacts

note_intercept
intercept sms message from specified numbers

intercept_all_phone
intercept sms message from all

clear_date
delete all file

clear_phone_contact
delete all contacts

clear_phone_record
delete all call log

per_note
quick sms message upload

soft_name
app name upload

Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate singing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores.

McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key.

Indicators of Compromise

SHA256
Name
Type

7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8
신한신청서
Dropper

9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda
신한신청서
Dropper

21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc
신한신청서
Dropper

9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579
신한신청서
Dropper

60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2
보안인증서
Banker

756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6
보안인증서
Banker

6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6
보안인증서
Banker

52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b
보안인증서
Banker

125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12
보안인증서
Banker

a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3
보안인증서
Banker

c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f
보안인증서
Banker

dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92
보안인증서
Banker

e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24
보안인증서
Banker

Domains:

http[://]o20-app.dark-app.net
http[://]o20.orange-app.today
http[://]orange20.orange-app.today

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

CISA’s 2024 Review Highlights Major Efforts in Cybersecurity Industry Collaboration

Casino Players Using Hidden Cameras for Cheating

Friday Squid Blogging: Squid on Pizza

Scams Based on Fake Google Emails

Infostealers Dominate as Lumma Stealer Detections Soar by Almost 400%

The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)

US and Japan Blame North Korea for $308m Crypto Heist

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

Spyware Maker NSO Group Liable for WhatsApp User Hacks