SBN

RuMMS malware is back…with enhancements

Recently, the Zscaler ThreatLabZ team came across a nasty piece of malware hosted on a fake MMS website called mmsprivate[.]site. The site lures victims with what seem to be private photos, inviting them to take a closer look. Upon accepting the offer, victims fall prey to a malicious Android Package (APK) that downloads onto their phones. The malware disguises itself as Сooбщениe, which translated to english means Messages, and performs its malicious functionality by exploiting Android AccessibilityService, which assists those with disabilities in using Android devices and apps. It then hides itself in order to spy on its victims. The variant we are analyzing shows some similar traits, with a few modifications, to malware named RuMMS, which was initially reported by FireEye researchers back in 2016. This new version includes various enhancements, so we have dubbed it RuMMS v2.0.   App Details  App name:  Сooбщениe Hash: c1f80e88a0470711cac720a66747665e Package Name: ru.row.glass   Detailed Description  Download and installation  The malware is spreading through the site url:mmsprivate[.]site/feel/, and was most likely shared via SMS or email. As soon as the link is clicked, the spyware lures the victim to click a button that leads to the dropping of the malicious APK. The content hosted on the URL is in Russian. You can view the translation in the screenshot below:    Fig 1: Initial URL leading to the APK download   The APK is from an unknown source and, since Android systems do not allow direct-install, leads the victim via simple clicks to enabling the “Unknown Sources” option to install the malicious app. Each step is shown below starting from left to right.    Fig 2: Install from Unknown Sources   Enabling AccessibilityService Once installation is complete, the app masks itself as a messaging app (see the icon below). Upon first use, the app redirects the victim to enable Android AccessibilityService. Once enabled, the app disappears from the home screen.      Fig 3: Enabling AccessibilityService   If the victim does not enable AccessibilityService, the spyware will continuously appear on the screen (see the second screen in the above snapshot) to encourage the victim to enable the service. Once AccessibilityService is enabled, the spyware goes into action to make the SMS app the default messaging app. It does this by using the functionality of AccessibilityService to automatically choose “Yes” when asked to confirm the app as the default messaging choice, as shown in the below screenshot.  Users will not be able to see this message box because the choice is made for them.    Fig 4: Accessibility Service in action   Communication Our investigation showed that once the initial setup is done, the malware starts sending details to a command-and-control (C&C) server. The C&C details were hardcoded. Requests and responses from the C&C were encoded using Base64. The screenshot below shows the decode values being sent and received:   Fig 5: First request   The above screenshot shows details of a victim’s device being sent to a C&C. The C&C replied with command “40” and the names of apps. We noticed that command “40” was used for disabling the apps.    Fig 6: Initial response   In this instance, the list of apps to be disabled contained well-known antivirus (AV) apps, including:  Trend Micro  Dr. Web AhnLab Avira Sophos McAfee F-Secure The malware makes sure that all of these AVs, if present, remain inoperable. As soon as a victim tries to open one of these apps, the malware abruptly closes it. It behaved similarly with an app from a well-known Russian bank, Sber Bank. The malware did not allow any Sber Bank apps to open.  SMS: Sending and stealing The spyware waits for commands from the C&C server and accordingly exhibits its functionality. As in the case below, we found that command number “11” was used for sending SMS messages to any desired number with the body of the SMS instructed by C&C   Fig 7: Response containing SMS command   Upon further analysis, we also found the spyware to be stealing SMS messages from the victim’s device. This functionality could also be used to steal bank-related one-time-password codes and other relevant information. The screenshot below shows this functionality in action: Fig 8: Stealing SMS messages   Stealing Contacts The malware is also able to steal contacts from the victim’s device. We believe this functionality is used to further spread the malware with a well-known technique called SMS-Phishing (or SMiShing).   Fig 9: The app stealing contacts   Calling  The malware also has calling functionality. In the example below, the number to be called was sent from the C&C server in the encoded manner seen here.  Fig 10: Calling functionality   One of the more interesting things we noticed was the way the malware was being distributed. Every time we visited the link, we were presented with a new malicious app exhibiting the same behavior explained above but with different app name, different package name, and even signed with a different Android certificate. We also found that apps had different C&C servers with the pattern http://.com//index.php. We noticed the below mentioned domain names in association with the C&C servers:    Sr # Domain Name # of apps contacted 1 sisirplus[.]com 172 2 vietusprotus[.]com  50 3 glowbobget[.]com 45 4 hellowopung[.]com 102 5 quostpeopls[.]com 24 6 bannerincbest[.]com 102 7 campuphome[.]com 9 8 wewelowertick[.]com 3 9 bigslogous[.]com 25 10 zavannerweb[.]com 55   Conclusion A new and improved RuMMS is back in full force as RuMMS v2.0 with enhancements and updated features. In the last 10 days of May 2018, the Zscaler ThreatlabZ team uncovered 580+ similar apps making the rounds in the wild. It is always advisable to stay clear of unknown links. Do not trust any suspicious-looking URLs received either in SMS messages or emails, and only download apps from official app stores.  Zscaler customers are protected from such types of attacks at multiple security levels. Below is the sha256 hash list of recent samples found in last week. The complete list of 580+ apps can be found here.   2cc08d98b2bc11047791e722c2f0e7639f4c5772cda0fb5ecabec1b55914a3c2 6ec7fba253b76d3b8090a98c6e87c662af8bcda1694a617cce7db59feb08e6f1 96a8393e583ff1a12df458534790dfd2551861a4fd600f741e36023682d9d9be 1092d809488da433c5d5433a4a1efdc2e32445637e44b6dc77b7fa0e4d536c43 762c5d1b1b95c46aa6727a49ae27e2b19863d406da2091e50ffe13c79211ffac af6773b1dcec3c3a1d05964ed9d245c2271e96835ffbe3fc543912dc602a64f9 cfc50b2e3da760a2369dbb5bf45fc8d3cdc37a2ad020084aafe2acb53d8603d6 707456abf552e13ba4ece378d0a7a672bd8fbc22185a478478c81fc7e5c96ce9 a8352f93f7c23953a6deeace67205216c1d37d7f8f6207147d7b93cf272fca9c 751f1ed896639b62e433fcbce5d87b1baeb7a5a82c3a855d30fa4c4c8dddfd81 a1ff7ca12de6cbf36a67aa10ee95202f0c37b8b953f916e9f1780a10042e36af 4a429aae275be2e06ce751537deae327ba377e2e96fc040611f910957b64fcf5 83728b3d17974df0ac424845668496a2bbf6eaa166e899ef2bf842dae2359bf6 be4ceb20c9ddf2ddba90988a41ee68f43f205860d9a66d5ac8da500f55fb9d21 09aefb181d949be189a580e5415b74f372d61a13edd86930e6aa0046231813fe b5a7683172d38220c4d179c525b9dd8ffaa28b6b5cb9c1b45bac7a72327b7da6 383ddecdcdbe2e43035e34307a026e66f79e0b5556f231684db876b3104f0e10 d6f172b04d2e4d1eb7d5e58b16d9768cfe59c32d987ca9b4534e9cf859cce8f4 f18f523d581acb3136e85cb7b2a056f88e48f2d1dfe21f003ef3f12269e470e1 47e105ef7874e30903d6edadeaa5c2731280663f48c7fb5004cc7668a3ac2a81 d3ca7e61067f527f7cefdddabb0b770ae8ad6d38a89b0f0bccbed995893cea19 1c66a552c0090f81f7b2ce11c8974bbd2aea75afc1092ad5e8d6f8a1ccf416f3 21569d8d302180098231efa76482c5a673f344cba8b4654130fada58aad7e62f f2c1b8bd0777cd69329fe22fec8519d810e41b000b92ee13de5629dcd3e875ad 98ab7f612c7a1dc3fd44fbd045a6cf21d8c9240dbad08f847423df5f22d7b460 758fbbd8a142933f9c5a9866ea7b7c26789da293c93ec3223f5661f62939325c 0b246a1ba24761fb4d6f105d210af9e9c2507b475f13084780a7f9e8145a91a6 eb607863d2e6a56a53893d4c6253896f3e7ab229a75ad29b32762f27bbd398e5 642be174b9ad9d14b4079472d0a641b9c73f6eb3d8a40152025d438619e22ad5 bd800b6cc3ea900aa111c88adcffca2b31f8c47e00928df985d62bf4cc0daf2d 6858491a04ba906f912d0baf86b37e8ef42c63c505e0db3ffffdf5b543e0c829 2518d9deb54ed0fa373b0b22a16da5b7a8f02502470987aeeba34398e083c15c f0dabdc7f4364e810e1870afccfd6af14f844f494cd9026879dc2b3becdba8a7 5e4f663d867ab14c7a2ad6e5f35aa315e34ea0e01c50dbb8d63667c405437e1c 389393e8642e61e8f884ae288be53b71aa9ff5846c5760d013e57c6843e14440 2dfa3d51b031976f8418d8f7d05f8fa803b937cfc6711f9d4ffeca45ca3db0a5 b4dd995909b8f99d2b519d347c27386b0bfa434332eb7b0c7483a10f0d1d864c f260bb6965405aac4a79de75650f184911185c34e27cc43d27c88efca86ab712 bf170d05c2ae2738ae298b851390eca2bed6fb6db729e3150d3809179c02bec7 e191bc75a21a613232cf5cff2f4874106f3cd64f867b5096b193a7fcf9dc74c4 88b1fc39c3e89e790fa7fdba78516ac52b489209e9fb38c39aac416f53fdde90 64647593a8cdfba26a39441cdf49216fbb687652f490cbed230ebc2061aa6b17 027c3f91df5b5f413c4ce117d4e1a4eb33c050a4be96a0385e8a4cc1c445c027 ee996791fcabcc88d1bc082060a9989fdb1b7079c2e66583002443ac43da87ec a97e2e39a29ebd7ace2895621a6cf2f4a53990d55752816957034b916a149a31 c170ee01c009f4d1a960f6dca3edd2d96fd4e31fad29b7bac248314947d09d1d b0d4b92653518def16f6b08739cf47ba463a6a18f6c7c85ace7be9d6f4145084 7cffccf41385f1c82c5383a68d79999a1ff506b403cbb00879351bb247a09371 59746db01df4c33edebf4b4b6cfb44d297cde45f23ec6678ef0f2ca15b40d6e9 b2a940600d50d862f539eead80d636b556d32aabc462156fe8b29d44c3337ab8 8e839d560f08ae14d5ca457ace9735419e8d5e06f8c30febb48d2997145ff1b6 5bbecc8c2eaea918ce06e37fa8fda338861662d682cfa43e26ebca6c1075114d d186eaaf72c80289e755ab20a604e4ff20dc98349dfb56206848a4ec79d9388f cc978d00329bbb2c2bf60055d5762dd7b407f44b8df2a31f0d1e54a0958271d8 d507332483bb124158b2b02bf0f3d7b07977bf7fa1c34df5a1b001979a2e2a66 65d34b945cccd91ce48eb77458768aba34be86be9372f36162e6d42198416775 bce3428913c048d7f8114d07fffacecb7273d65a41e0c7b8bff3f63abb1913b1 a801e38fb832b7f4f9713fb4fbb35f4c5de156c5787718d7fdbe636499e99cf0 048e3bc98ae1d8ac57eb5e55c5b2cbc6661a77992650a10e35a5d0fbbc1227cf cbb5b11f0e934e8e13c1590c5868dce72f1a364ab32e7ba408f2ad9fa8d5145b d1259c1461d71e238ac9984baf96b94c2c145a820ea44d487b6f2fc4e196ef70 09ead1fcde087a14da07d58b8db8bed1b18e08701ee4ee300d2af3dbe1a6bd55 a36e780153fb6c26e28ab5cb4c51ebfeb6dd1e04ec6f4489d9ea67c710015b74 71567ed7c3c0b14a09b5cbd712fcdc777a6bb5d0685c24cccc82e1d1ac3d5d3f 319246f91aff8b444037474ce845cc51785b160a2b650a54cfbe402621598de5 c14c22ddb3d492ef6b40afb3918a97a4b9a8def4dfb6dc944bcdb476e347f1a5 790654bcb118cf14a6ffcb82a73d18620ab1a993f570d6186f3a1571b6d2b2e8 04ae5d0126670a8a1eab95373e39db662c921ee468ea7d842d9f894e3d1270c6 f7cb9474374badcc8881bd5c48ff9d0ac3149de053d93abc9a1cad45c319ad04 bb58e7eb3aa7f212c4d8a4bab1dbd086b8d5621441f50b774d6550b811978897 2202684f0ff5b627baa8473f2068ee3b1d976d7d860f9c188a9178253d356cb3 d130b94a85a8ded1f52469b68977f601617bd536df34c279d37674b03119eb9c 359f8c5ced61249c52655de6ff263c76878c15be12577a920d667f4dcf52e033 b51a6a66778db92878578f3e45cba90fcdb64ca8ece738053b399430bde9e94c 0da9e58ce9b435726f691e869e3efa8f331a8fc2c877c0cee48430837685ec0e f2176c17ee41cb242db184db275d782293e1a71b7d19fd160d56872b17c75096 c9bfea7a58aa8a3b60198832d891622da61d48ace0d97d42aa5616c76382b828 8d7bfebd2a5255b4caeff9b0f4e76c62336cf15bd6a860fc77cdd9f36d01c340 d717066af883382082fe4672fbc38cc87b52046207f7570f523225f64abe4a25 d14542d7d725a7854433d53fc21447931f54d28858f2847c8db6f19de43d2b81 edb2edbed8bedb3ef25e131e5ea6ed415bae66799323761f113a8a86c2b935fa 41df2e51a18c37acf0564f54ccd2e06ea62122c29a1d705cf1e2a4c31338a2f1 6e3b96097a635992b10bc51ff5cd72d0cf5b09aaceeeafd3b3ca84d744706ce0 565c9f86c8c4692a1ca018dd0b0b9cf91c54bdb320172214efa4abac2954e075 2f9137c1c1e31a7e58a6ad469bd7c268e3a5cd5582e6f930944580a8b1ff827a d1df4dbc7333e4ec1948a0ea180227ed9439aabb78e49bd30d41c86ed901bda1 c28ce42efe922a393eedd3b398dd8a6465d08e40c9dddcf170e6eae7d349c196 1945682074a418ca389dbc5e69660c7bc0a236fcf90bb8f90c7aa5e03a029d03 3d344839de28dcbd9101059d2c1dd66aa14e1aceb68f528177f9fe6cd1051419 79ac737775f6e568bfc62b4e1bde90c615e1e9d41604a4f68d889a7352b5a359 51ee98b8e02cf3a81a85fd98c8ff9dded3e1b22abee12b308abd2f3aedfda6d7 b0bd2ce89516c6e83a0cffd10db0bb371e84de902c7e91be342353bcae147e90 94536a9c413b0577f7a81bd6a782e308d40d2f3563f3b6b25f295ae256c074f0 600b931a3106c63dc29324aa40dbc75c17ccac0ddbbf44c4c657682dadf9c3d5 0c38da53878c2cbf18edbbd080d8f4b3f9973c16244a2f80c3c74c415fcb5694 af9d21489a18c551a2eaf4f4b7917539bab44547b38f2f0a7348e2b645fcca8e 85f4189eb0f0b6ce91e4d7f93e1e6bec98c4b27950c2b86a5e8f8e05b0e69aac 9ff6093319e604690b114f853df4c708e214e65407962ac37299490d5202023e 4dfc360fdb55e74f7108daefb7e5becc6790510854bba92e83e1eddc2f16e86b 8089f7ea0c96dc24457d9643097a9632c94f9a26bdf8fc6523a5aad555cc4513 60231f05a17ca19d8a51c5450cebf7bb1a1bc2464cb88a2530bd933c88f1420c 614fcccaf4f988743897200cf0e4330f8878f64ecb395f322b7174f89c08522e a6649912c00dc0f501aeabad050620101ab31ce9088201fe6cf065988b269fe3 d5600a87602f0b268dd04436676229ba146dd01571c19678fb6214826101ce11 998b7c089ac7441697284bc09024acfcc3e0ea835549e2d9d926f24595ee2f42 1661346435dbd53231d06ff769bfe58020bdb124208dc7b67b5fae1f3059342a 3ae5dc40e3d4a575762da2d053f38ac82fb2e90fe3beb5292267f85d07b3044b 01e1d9835d4447987c9758c18a02b3348b7feb5fef6be284081d71760786e217 e41636b8f0972afd36d4f3764775d7f5c861147d770ea9a6ea5d723033ba4ad3 51b97227a6c0866af7a01a7dde873626506f724dad2d555cfba0d5c79b8c9d00 ed2007c3b031391c1ff9117e3f166ebf2b34a4dd3045ca1f4de4251bad88e5a2 e2f6a49245ce98bad73877cc9b5ba71c141c6cd6f16d2147b800744d485d513f 72d1b44ca07b64f608cf5ea4ae28a0b501ad646e071cfea0782186458efe9326  

*** This is a Security Bloggers Network syndicated blog from Research Blog authored by [email protected]. Read the original post at: http://www.zscaler.com/blogs/research/rumms-malware-back-enhancements