Friday, 22. January 2016

Operation Emmental Revisited: Malicious Apps Lock Users Out

Imagine getting a notification from your bank, asking for your cooperation in installing an updated version of their mobile app. After downloading the app, it asks for administrator privileges. The notification you received said it would indeed prompt the question and so you allowed it. You try the app out and it works fine. You were even able to do a transaction without a hitch.

The next day, you notice that your phone fails to recognize your password. You don’t know who changed it or how this happened since you haven’t lent your phone to anyone. You try a couple of password combinations but your phone doesn’t recognize them. You only have a few more attempts remaining to guess the right password, otherwise, the automatic phone wipe will be triggered. And while you spend the whole day trying to figure out how to unlock your phone, someone is already emptying your bank account.

In 2014, we uncovered “Operation Emmental”, a cybercriminal operation that uses malicious apps that can intercept SMS to hijack a user’s banking session.  Recently, our researchers came across malicious apps used in the said operation that are also capable of allowing remote attackers to issue commands in real time—including resetting the phone’s password—via SMS. This routine can temporarily lock the user out of the device’s home screen, perhaps as a delaying tactic while fraudulent transactions are taking place.

 Fake OTP Generators

Similar to previous apps used in Operation Emmental, recent versions pose as a banking app that supposedly generates one-time passwords (OTPs). The latest samples we have seen spoof local banks in Austria:



Figure 1. Screenshot of the fake OTP generator

In reality, the “password” is just randomly selected from a static list.

Once the malware is activated, it silently and periodically performs the following tasks:


•  Download and parse the configuration file
•  Check to make sure the pre-set URLs of C&C servers are usable
•  Create communication line between the affected phone and a remote user through Blowfish algorithm
•  Send out stored SMS


The malware communicates to specific URLs or phone numbers without the user’s awareness or consent. Depending on the attacker’s preference, the malicious app can send messages to these destinations in real-time via SMS, or at a later time via an internet connection. These URLs and numbers are stored in a shared preference file, “MainPref.xml”, which can be configured any time.



Figure 2. MainPref.xml

The following URLs named with the prefix “USE_” are used in run time:

“USE_URL_MAIN” Source for getting configuration “USE_URL_SMS” Destination of sending SMS via internet “USE_URL_LOG” Destination of sending log “PHONE_NUMBER” Destination phone number of sending SMS in real time  



Figure 3. Parse and set configuration

Apart from intercepting messages sent to the user, this malware is also capable of accepting commands via text message. When a text message received, it is intercepted and checked if it is a controlling command. The command “LOCK”, for instance, resets the users’ screen lock password, and a new password can be configured by remotely and in real time by the attacker. The Device Administration API currently only supports passwords that are alphanumeric. Keep in mind that if an app sets itself up as a device administrator, it should already arouse suspicion.

Once the attacker changes the password, the infected phone may be rendered unusable to an extent. The attacker may freely unlock the phone unit with the “UNLOCK” command, and relock the user’s phone anytime.

Attackers can lock a user’s phone to keep them preoccupied as they tamper with the user’s bank account or this may be done to prevent mobile communication between the user and the bank.



Figure 4. Command list of newer malwareParse and set configuration

The attacker made use of popular sites as shortcut commands. “GOOGL” sets an indicator to intercept SMS via sending messages. “GOOGLE” removes phone number and sets an indicator to stop intercepting SMS. “YAHOO” sets the C&C URL and starts to send intercepted SMS.

 

GOOGL 0 Sets indicator to intercept SMS via sending messages STARTB 1 Sets indicator to intercept by storing in DB GOOGLE 2 Removes phone number and sets indicator to stop intercepting SMS DEL 3 Sets delete indicator YAHOO 4 Sets C&C URL and starts sending intercepted SMS CLEARB 5 Clear C&C, like USE_URL_SMS SETP 6 Sets C&C phone number CLEARP 7 Removes C&C phone number DROPBOX 8 Removes C&C URL and C&C phone number LOCK 9 UNLOCK 10 HELLO 11 No action BYE 12 No action

Figure 5. Lock, unlock device, and change passwords by SMS commandParse and set configuration

With a possibility of remote users pulling the strings on mobile devices, we advise users to also backup for the files in their mobile. Users should have security in all devices, including desktop or laptops, as well as security apps programs like Trend Micro Mobile Security Personal Edition, which detects these malicious apps.

The SHA1 hashes and URLs related to this threat can be found in this appendix.

With additional insights by Rainer Link