Infected Zoom Apps for Android Target Work-From-Home Users

For more than two weeks, most of the world’s population has been placed under lockdown and forced to work from the safety of their own homes.

In an attempt to stay connected, many have turned to video-conferencing software to keep businesses open or to attend classes. It was just a matter of time until cyber-criminals started to trick users into installing tainted video-conferencing applications to capitalize on the increased pool of users. 

Malicious Zoom clones for the unaware

Zoom has been in the spotlight lately as one of the booming applications for video conferencing, despite its issues with end-to-end encryption and liberalized data sharing with Facebook. It did not take long for cyber-criminals to re-package it, disseminate it on third-party markets and wait for new victims to install it. The samples documented in this article spread outside of the Google Play Store and exclusively target users who sideload applications on their Droids. 

Analyzed sample: 30a1a22dcf7fa0b62809f510a43829b1
Packagename: us.zoom.videomeetings
Detection: Android.Trojan.Downloader.UJ
App label: Zoom

This piece of malware has components injected in the repackaged Zoom application, as shown in figure 1 below. 

While the user interface is identical with the original application, it comes with extra “functionality” that the user did not sign up for. The malware tries to download its main payload from a command-and-control infrastructure at tcp[:]//googleteamsupport[.]  

The choice of domains is likely not random, as this could indicate what the attackers might target next (the Google TeamSupport application is a business-to-business collaborative platform that is also spiking during the COVID-19 isolation). 

The sample has the same package name as the original Zoom application and have even taken extra measures as to keep even subtle differences as Certificate details as close as possible to the original Zoom app.  

Aggressive adware gangs can’t miss the show

Bitdefender researchers have also uncovered a tainted Zoom APK that specifically targets Chinese users. Once sideloaded, the application asks for phone, location and photos permissions on start

Analyzed sample: fb5243138a920129dd85bb0e1545c2be
Packagename: us.zoom.videomeetings
Detection: Android.Adware.Downloader.BC
App label: Zoom
Targets: China

Whenever the victim taps the app icon, the application either does nothing, or it briefly displays an ad before closing itself.

The piece of code below shows that the main activity is transparent:

As soon as the app is open, a native ad is loaded and displayed on the screen for just a second.

When the application finally starts, the victim is presented with ads as soon as they try to Join a Meeting and they will keep receiving these ads until they press the X button.

The APK we analyzed retrieves adware info from:
https[:]//sf3-ttcdn-tos.pstatp[.]com/obj/ad-pattern/renderer/package.json (the sf3 prefix part is different across various apps with the same SDK)

Hardcoded links:


More Zoom badware

This is another malicious sample that attempts to impersonate the Zoom application and lure victims into installing it.

Analyzed sample: 9930b683d4b31a3398da0fb75c27d056
Packagename: app.z1_android_421120320_app_original_file
Detection: Android.Trojan.HiddenAds.AJR
App label: ZOOM Cloud Meetings

When opened,the application initially hides itself from the menu. It then starts a repeating alarm that will randomly send an intent to an Ad Service. This service subsequently starts an AdActivity that opens an ad. The link can be found in the resources: adsforapp1[.]com

The malicious app proceeds with checking for another hard-coded string in assets, called ‘admin’. If the string is true it then asks for device admin rights. If the value is set to false (such as in our case) it then tries to download another file (the apk entry).

When opened the app will redirect to download the extra component. 

As of the moment of writing, this sample was seen in the wild in the United States.

The sample bundles functionality to ask for device admin permissions in English or Russian, based on the default language of the mobile phone. The malware also has the ability to start itself when the device is powered on.

Bitdefender Mobile Security for Android detects and blocks these applications as Android.Trojan.Downloader.UJ, Android.Adware.Downloader.BC and Android.Trojan.HiddenAds.AJR. In order to minimize risks of getting compromised, Android users are advised to install a security solution and to limit their downloads to vendor-recommended application stores.

*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Oana ASOLTANEI. Read the original post at: