Published on December 20th, 2019

New ‘Fraud Arms Race’ Underway



A new report has warned of more than 100 Android apps hiding malware.


It’s a seriously compelling offer—of that there can be no doubt. The Best Fortune Explorer app on Google’s Play Store promises a test that will “help you to find out the answer” to a number of critical life questions. “Do you want to know when your true love will come? Do you want to know if you will be given a promotion and an increase in salary in the future?” Of course you do; who wouldn’t? Better still, the app is free—all of this wisdom is available without charge. Unfortunately, for the nearly 200,000 Android users who have taken the plunge, a new report claims the only thing that’s certain in their future is malware and a plague of fraudulent ads.

The app is just one of many disclosed by the research team at White Ops Threat Intelligence on December 19. The “100+ malicious apps, with more than 4.6 million downloads” all threaten the same fraudulent outcome, each using a common code module that the research team has named “Soraka.” Worse, though, this strain of adware actively hides, making itself harder to detect and delete. “Those hiding behaviors are significant,” White Ops’ John Laycock told me. “The fraudsters are getting smarter—they know this is now an arms race, they’re trying to slow down analysis with these tactics. We’re seeing these types of behaviours more and more.”

Many of the disclosed apps are relatively recent additions, leveraging these latest, more sophisticated tools and techniques. Despite report after report, the prevalence of Play Store adware seems to show no signs of abating—there have now been hundreds of apps removed and millions of downloads impacted. And while such malware is usually just a nuisance, we have seen subscription and call fraud masquerading in the same way, and—as ever—the real warning is that any malware on your device is very much a bad thing to be avoided. Adware can—and does—lead to worse outcomes.

Right at the heart of this issue are free, often nonsensical apps. As I’ve written many times, free is free for a reason. If you’re not paying for an app in an obvious way, then you’re paying for it in some other way. The ability to sneak countless ad-displaying machines onto your device makes millions for the fraudsters—there are often common code, developers and operators sitting behind numerous bad apps. The concept is simple: develop something flippant and catchy, offer it for nothing, wait.

The store reviews often give the issue away, despite the efforts of many operators to obfuscate by promoting their apps with fake reviews to pump their popularity. But the fortune-telling app has not gone to such lengths. “The main problem,” one reviewer warns, “is that you will get non stop ads—it’s like a virus.” Another complains that “this app doesn't work.” I’m assuming that’s a technical issue and not a complaint that it failed to accurately predict the future—but you never know.

The developers of this particular malicious code module have focused on avoiding detection from antivirus software and security researchers. The apps will only display ads if the install follows a promotional push, in essence a user responding to a click, an invite to install. The app seeks to avoid detection from organic installs—meaning automated systems that find and install the app and then check it for any unwanted threats. This is part of a framework that can flex the numbers of ads delivered over time windows, all based on the behaviours and status of the infected device.

The fraudsters had “several methods to maintain what we call persistence,” Laycock explained. “The other was obfuscation—we’ve seen that before, but it was interesting to us that they were using characters from the Udmurt language.” A Cyrillic character was used within the code execution “to make analysis more difficult.” Udmurt is a local dialect from the Volga region of Russia. Whether this was selected at random for its obscurity or because there are Russian origins to the code has not been disclosed.

Other apps disclosed by White Ops and found to be hiding the same malicious code are listed below. They include a bedtime reminder, a “cute” love test, a lie detector and even a days counter. They’re all free and, according to White Ops, they should all be removed immediately. As to why Android seems to be plagued by such issues—Laycock puts it down to scale, the use of open source code and side loading from third party stores. More simply, “it’s like the Willie Sutton quote,” he told me. “‘Why do you rob banks? Because that’s where the money is’.”

Both the developer behind the Best Fortune Explorer app and Google were asked for comments before this story was published. Nothing has been received as yet. Google was also given the full list of apps, many of which remain on the Play Store, available for download—including, at the time of publishing, the Best Fortune Explorer itself.

As always in such reports, the advice remains to take care over what you allow onto your phone. When it’s free, trivial and from an unknown developer, it’s best avoided. And if you do download such apps, be mindful of the permissions you are granting. Once you allow a malicious app access to your data, phone, camera, microphone and contacts, you are inviting much more serious trouble than adware.

The App Packages that White Ops says contain the Soraka module or derivatives are below. It is worth quickly checking your installed apps against the list.





