Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window of over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely control the design, release and distribution of software updates, but it also has full control over what versions of the system a given device is allowed to install. Unlike Android devices, which can install a signed OTA package (or, in some cases, flash a full image) of any version of the software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad, the package must get approval from an Apple server by receiving a cryptographic signature. That signature is issued in real time and is only valid for a particular device.

As a rule, Apple always signs the latest stable version of iOS as well as the current beta version, if one is available. In addition, the company leaves a short window of about two weeks, during which Apple signs the current iOS build as well as the previous build, in order to allow users to roll back if they don’t like the update (rolling back wipes data).

Note: while users may save blobs from the previous version of iOS and then use them to go back at any time, this approach only works for the particular device from which the blobs were captured.

There could be exceptions. For example, on January 11, 2018, Apple accidentally allowed downgrades all the way back to iOS 6. This was a server-side glitch that didn’t last long.

From the user’s perspective, installing an iOS update requires a passcode, meaning that updating from a less vulnerable version of iOS to a more vulnerable one (e.g. updating to iOS 11 for resetting the iTunes backup password) will require the passcode.

This update policy has the following forensic consequences:

  1. Most Apple devices will be running an up to date version of iOS (which may not have a jailbreak available).
  2. If updating a device is needed during the investigation, you can only update to the allowable version of iOS, which is the latest version (sometimes updating to the build before the last version is possible).
  3. If the device is passcode-protected, the passcode will be required to update from iOS 10 to iOS 11 (for the purpose of resetting the iTunes backup password).

Android: a Bizarre Mess

While Apple is in charge of designing and manufacturing its devices as well as the operating system, things are different on the other side of the pond. Smartphones and tablets powered by Android have a wild range of chipsets, models, and carrier variants, all requiring different versions of software.

Updates are a sore point of most Android smartphones and tablets, with the only exception being unlocked Google Pixel devices and the few phones participating in the Android One program.

It is also interesting to mention that Android OEMs may distribute updates through different channels depending on carrier branding, geographical designation of the model and the user’s current location. As an example, a Chinese or Brazilian Moto Z could be running Android 8.0 Oreo with December 2017 security patch, while Moto Z’s for the rest of the world would still be running Android 7.1.1 with the same December 2017 security patch, except for Verizon (USA) models that would receive the Oreo update. Weird? It’s just the beginning.

In Android land, the same phone may have several different models designed for different markets and carriers. Even if using identical hardware, those models may differ in supported radio bands. Manufacturers may have different policies regarding bootloader unlock for the different versions. No wonder the different versions of the same model will also have differences in software, making physical acquisition a gamble.

For a typical Android smartphone (or tablet), the following parties are involved in making a software update happen.

  1. Google releases the Android sources for everyone to use. By this time, Google’s own Pixel smartphones will already be running the latest version of Android.
  2. Chipset manufacturer. The chipset manufacturer (Qualcomm, MediaTek, NVIDIA, Rockchip etc.) must make chipset drivers for the new version of Android and distribute them among its customers (OEMs). The chipset manufacturer may refuse to make drivers for the new version of Android, meaning that all devices powered by that particular chipset will not be updated. This can happen to flagship chipsets, too, as in Qualcomm refusing to make Snapdragon 800/801 drivers for Android 7.
  3. Once the OEM receives the drivers from the chipset manufacturer, it may start adapting Android for its devices. This is further slowed down by the fact that many manufacturers use their own “skins” on top of pure Android that must be adapted to the new version of the OS. Obviously, this takes time.
  4. After the OEM makes a working build of Android for a particular model, the update must be certified by one of Google-approved labs. This takes more time. For unlocked smartphones, this is it: the update could be distributed by the OEM. For carrier-locked devices, one
  5. For carrier-branded smartphones, the update must be reviewed and certified by the carrier, who may then push the update to its customers. Needless to say, this extra step may not only introduce additional delays (sometimes as long as 6-9 months), but may prevent the update entirely if the carrier does not feel it sold enough of those phones.

Android’s scattered update policy may have the following forensic implications:

  1. Many users will run outdated versions of Android, which makes them vulnerable to exploits leading to root access, making physical acquisition trivial. In addition, they may run versions of Android that do not force full-disk encryption, making chip-off acquisition possible.
  2. Due to the sheer number of models and software versions, including carrier versions, a certain model (e.g. Moto G5) is never guaranteed to run a given version of software. Even worse: even if you have a certain model (say, Moto G5) that runs a certain build of Android (e.g. Android 7.0, September 2017 security patch level), there will still be differences if the two Moto G5’s are branded by different carriers. For the expert, this means different offsets for bootloader-level exploits, making physical acquisition via bootloader-level exploits work on one phone and fail on its sibling. This is never the case with the iPhone: all iPhone devices (of the same model) running the same version of iOS are susceptible to the same exploits.
  3. Since full-disk encryption was introduced in Android 5 and enforced since Android 6 (but only on devices shipped with Android 6 out of the box), low-level acquisition is a hit or miss. However, some versions of Android are vulnerable to exploits. Since most manufacturers ignore or severely delay Google’s monthly security patches, the chance of successfully exploiting a vulnerability on a given device is much higher compared to iOS or Windows 10 Mobile.

Microsoft Windows 10 Mobile: It’s Interesting

We have already covered two different approaches: Apple’s (who distributes updates directly and simultaneously for all models) and Android OEMs’ (who are all over the place). While those policies are very different by all accounts, there is one thing in common between Apple and Android OEMs. iOS 11.2.2 is always newer than iOS 11.2.1, and once there is an Android 8 update for a given smartphone, ROMs based on Android 7.x are no longer maintained.

Microsoft, on the other hand, has a complex (and complicated) update structure for Microsoft-branded and third-party smartphones running Windows 10 Mobile.

For W10M devices, there are different branches of Windows. There are the first Windows 10 Mobile, the November Update, the Anniversary Update, the Creators Update, and the Fall Creators Update. According to Microsoft, each branch is set to receive extended support updates and security patches for a minimum of 24 months after the lifecycle start date.

Interestingly, Microsoft delivers security patches and minor updates directly to handset users, while major updates may still have to go through the carrier for approval. However, users can bypass carriers completely by opting into the Windows Insider program, in which case Microsoft will deliver all updates directly to users.

What does it mean in practical terms? Even if the phone (e.g. Lumia 930) is not officially receiving the Fall Creators Update and is still running the previous Windows branch, it will still see bug fixes and security patches for two years from the initial release of the Windows 10 branch that was last available to that device. However, users may opt in to the Windows Insider program and receive insider builds of Windows 10 Fall Creators Update on their device, even if it is not “officially” supported. The insider branch will also receive bug fixes and security patches in parallel with the older branch (Creators Update).

This update policy means that two identical phones may be both running the latest version of Windows 10 Mobile, yet one will be the Creators Update with up to date security patches, while the other could be Fall Creators Update (again, with up to date security patches).

Forensic consequences:

  1. You may never know for sure which Windows branch the phone is running. However, in most cases, the phone will have the latest security patches installed regardless of the Windows branch.
  2. Microsoft has a solid track record supporting and updating its phones. Even if Windows 10 Mobile is discontinued, existing devices will receive updates for at least two more years (yes, even the Lumia 950/950 XL released back in 2015).


The three mobile operating systems have vast differences in how they are updated and maintained. Ranging from Apple’s tight grip over iOS and the company’s full control over its updates to Android’s bizarre mess, software updates affect mobile forensics. While in most cases the newer builds are more secure compared to the older ones, iOS 11 proved to be a major exception, so updating iPhones to the latest version of iOS may be worth it.


from Advanced Password Cracking – Insight


Malware Displaying Porn Ads Discovered in Game Apps on Google Play

In the past, cyber-criminals have targeted businesses, hospitals, and governments; today, we’ve seen them begin to focus on games and apps intended for children.


Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside roughly 60 game apps, several of which are intended for use by children. According to Google Play’s data, the apps have been downloaded between 3 million and 7 million times.


Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:

  1. Displaying ads from the web that are often highly inappropriate and pornographic.
  2. Attempting to trick users into installing fake ‘security apps’.
  3. Inducing users to register to premium services at the user’s expense.


In addition, the malicious code can be used to open the door for other attacks such as user credential theft.


How It Works

Once the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock their screen in order to initiate the attack. The attacker then selects which of the above three actions to take and then displays it on the device owner’s screen.

Figure 1: ‘AdultSwine’ Operation Flow


Inappropriate and Pornographic Ads

The most shocking element of this malicious app is its ability to cause pornographic ads (from the attacker’s 3rd party library) to pop up without warning on the screen over the legitimate game app being displayed.

Children exposed to inappropriate malware.

Figure 2: A mild example of the ads presented and a comment from a parent of a four-year old victim.


Scareware – Deceptive App Install Tactics

Another course of action the malicious app pursues is scaring users into installing unnecessary and possibly harmful “security” apps.

First, the malicious app displays a misleading ad claiming a virus has infected the user’s device.

Upon selecting the ‘Remove Virus Now’ call to action, the user is directed to another app in the Google Play Store posing as a virus removal solution.

The “virus removal solution” is anything but – it’s another fake app.

Google Play store displaying fake virus scanner.

Figure 3: Notifications shown to redirect users to download fake anti-virus apps.


Registering To Premium Services

Another technique used by the malicious app is registering to premium services and charging the victim’s account for fraudulent premium services they did not request. In a similar way to the scareware tactic presented above, the malicious app initially displays a pop-up ad, which attempts to persuade the user to register for this service.

This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the page informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the ad itself then uses this number to register to premium services.


Decisive Corrective Action

Upon being advised of our findings, Google collaborated with Check Point Research, took prompt action to remove affected apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to any users that still have the apps installed.

The scareware “virus removal solution” was suspended from Google Play for using inappropriate marketing tactics to drive installs.



Apps infected with the nasty ‘AdultSwine’ malicious code are able to cause emotional and financial distress.

Due to the pervasive use of mobile apps, ‘AdultSwine’ and other similar malicious apps will likely be continually repeated and imitated by hackers.  Users should be extra vigilant when installing apps, particularly those intended for use by children. We advise parents to verify that apps used by their children are categorized as “Designed for Families” on Google Play.

Effective protection from attack by these malicious apps requires users to install advanced mobile threat defense solutions such as Check Point ZoneAlarm on all mobile devices.

For more full details of the research, please visit our Research Blog.

The post Malware Displaying Porn Ads Discovered in Game Apps on Google Play appeared first on Check Point Blog.

from Check Point Blog

LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play

Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google. The suspicious script overrides the user’s decision to disable ads showing outside of a legitimate context, and then, in many of the apps, hides its icon to hinder efforts to remove it. This is a purely malicious activity, as it has no possible purpose other than eluding the user.


Dubbed ‘LightsOut’, the code hid itself in 22 different flashlight and utility apps, and reached a spread of between 1.5 million and 7.5 million downloads. Its purpose? To generate illegal ad revenue for its perpetrators at the expense of unsuspecting users.


The deception was far reaching in its disruption to the user. Some users noted that they were forced to press on ads to answer calls and perform other activities on their device. Indeed, another user reported that the malicious ad activity continued even after he purchased the ad-free version of the app, taking the abuse to a whole new level.


Check Point notified Google about all these apps, who soon removed them from the Google Play store.


How It Works

As shown in our video, the malicious app offers the user a checkbox, as well as a control panel, in which they can enable or disable additional services, including the displaying of ads. The events that will trigger ads are any Wi-Fi connection, the ending of a call, a plugged in charger or the screen being locked.


However, if the user chooses to disable these functions, ‘LightsOut’ can override the user’s decision and continue to display ads out of context. Since the ads are not directly connected to LightsOut’s activity, the user is unlikely to understand what caused them, and even if he does he won’t be able to find the app’s icon and remove it from his device.
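Both posts above describe the same pattern: the ad code stays dormant until a device event fires (boot or screen unlock for AdultSwine; a Wi-Fi connection, the end of a call, a plugged-in charger or the screen being locked for LightsOut). The triage script below is an added example, not Check Point’s code or anything taken from the analysed apps; it assumes such triggers are wired up as broadcast receivers declared in AndroidManifest.xml, and the flashlight manifest it scans is a constructed sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions corresponding to the trigger events the two posts describe.
# The mapping is this example's assumption about how such triggers are wired up.
# android.intent.action.SCREEN_OFF (screen lock) is only delivered to receivers
# registered at runtime, never to manifest-declared ones, so a manifest scan
# cannot see that trigger; treat this as a first pass, not a verdict.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "device boot (AdultSwine)",
    "android.intent.action.USER_PRESENT": "screen unlock (AdultSwine)",
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi state change (LightsOut)",
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity change (LightsOut)",
    "android.intent.action.PHONE_STATE": "call state change, e.g. call ended (LightsOut)",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger plugged in (LightsOut)",
}

# Constructed sample manifest for a hypothetical flashlight app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".TorchWidget">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdTrigger" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _android_attr(element, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return {receiver_name: [(action, description), ...]} for every receiver
    that listens on at least one of the trigger actions; benign receivers
    (such as the widget updater in the sample) are left out."""
    root = ET.fromstring(xml_text)
    findings = {}
    for receiver in root.iter("receiver"):
        hits = []
        for action in receiver.iter("action"):
            name = _android_attr(action, "name")
            if name in TRIGGER_ACTIONS:
                hits.append((name, TRIGGER_ACTIONS[name]))
        if hits:
            findings[_android_attr(receiver, "name")] = hits
    return findings


def trigger_count(findings):
    """Number of distinct trigger actions across all flagged receivers."""
    return len({action for hits in findings.values() for action, _ in hits})


def verdict(findings, threshold=2):
    """Send the app to manual review when it listens on more device events
    than a flashlight or a simple game plausibly needs (threshold is arbitrary)."""
    return "review" if trigger_count(findings) >= threshold else "ok"


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    for receiver, hits in found.items():
        print(receiver)
        for action, why in hits:
            print("  %-48s %s" % (action, why))
    print("verdict:", verdict(found))
```

Receivers registered at runtime with registerReceiver() are invisible to this scan, so a clean result from the manifest alone does not clear an app.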


Main Takeaways:

Despite the vast investment Google has recently made in the security of their App Store, ‘LightsOut’ reminds us once again that users need to be wary of downloading from App Stores and are advised to have a ‘Plan B’ in the form of an advanced mobile threat defense solution that goes beyond anti-virus.


Many users are still unaware of the dangers lurking for them, and continue to install apps such as fishy flashlights, putting them at risk of making their winter months even darker.


Learn more:

For more details on how this malicious mobile app malware works, visit our Research Blog.

For more details on how to secure your phone, take a look at SandBlast Mobile, our mobile security solution, boasting the industry’s highest threat catch rate on iOS and Android.

The post LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play appeared first on Check Point Blog.

from Check Point Blog

First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services

By Lorin Wu

We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications. The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.

Figure 1

Figure 1. Swift Cleaner, the malicious app posing as an Android cleaning app

Using Kotlin to develop malware

Google announced Kotlin as a first-class language for writing Android apps in May 2017. Since Kotlin’s release, 17 percent of Android Studio projects started to use the programming language. Twitter, Pinterest, and Netflix are among the top apps that use Kotlin.

Kotlin is described as concise, drastically reducing the amount of boilerplate code; safe, because it avoids entire classes of errors such as null pointer exceptions; interoperable for leveraging existing libraries for JVM, Android, and the browser; and tool-friendly because of its capability to choose any Java IDE or build from the command line.

Its tooling support is also quite handy: Android Studio 3.0 provides tools for helping users with Kotlin. In addition, it can convert all Java files or code snippets on the fly when pasting Java code into a Kotlin file.

However, it’s still unknown if the abovementioned features of Kotlin can make a difference when creating malware.

Figure 2

Figure 2. Package structure of the malicious app developed using Kotlin

Technical analysis

Upon launching Swift Cleaner, the malware sends the victim’s device information to its remote server and starts the background service to get tasks from its remote C&C server. When the device gets infected the first time, the malware will send an SMS to a specified number provided by its C&C server.

Figure 3

Figure 3. Malicious app collects and sends victim’s device information via SMS

After the malware receives the SMS command, the remote server will execute URL forwarding and click ad fraud.

Figure 4

Figure 4. Left: C&C server sends task via network. Right: code snippet of the malware in process.

In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, the malicious JavaScript code is injected, followed by the replacement of regular expressions (a series of characters that define a search pattern). This allows the malicious actor to parse the ads’ HTML code for a specific search string. Subsequently, it silently enables the device’s mobile data, parses the base64-encoded image, cracks the CAPTCHA, and sends the finished task to the remote server.

Figure 5

Figure 5. Malicious app uploading the finished task to the C&C Server

The malware can also upload the information of the user’s service provider, along with the login information and CAPTCHA images, to the C&C server. Once uploaded, the C&C server automatically processes the user’s premium SMS service subscription, which can cost the victim money.

Figure 6

Figure 6. The malicious app uploads the token that will be used to subscribe to a premium SMS service

Figure 7

Figure 7. The malicious app uploads the CAPTCHA image used to subscribe to a premium SMS service


Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed. Enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. This features device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

We have disclosed this security issue to Google, who verified that Google Play Protect has protections in place to protect users from this malware family.

Indicators of Compromise (IoCs):



C&C servers:

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

from TrendLabs Security Intelligence Blog

New Open Source Mobile OS Puts Privacy Front and Center

A renowned Linux innovator has developed a new mobile operating system, called “Project eelo,” in an effort to provide a level of data privacy that traditional Android and iOS devices fail to offer.

The new eelo system will allow mobile phone users to regain control over their personal information at a price they can afford, said Gael Duval, who created Mandrake Linux back in 1998.

Apple has become too expensive, too boring and is “going crazy with its products,” he said, while Google has “become too big” and is capturing too much information about what we do.

“They want to know us as much as possible to sell advertising,” Duval wrote in a post introducing eelo’s Kickstarter campaign, which has more than doubled its goal with 14 days remaining.

“People are free to do what they want,” Duval wrote. “They can choose to be voluntary slaves. But I do not want this situation for me anymore.”

After deciding to leave Google and Apple for eelo, Duval received more than 6,000 reads from a couple of articles he posted detailing his plans, he told LinuxInsider.

The eelo project on Kickstarter reached more than 200 percent of goal after only 15 days.

More than 2,000 people have registered at since December 20 in response to his posted updates, Duval added.

eelo’s Lineage

The new eelo project is a fork of the LineageOS, which is an open source system that runs mainstream Android applications. Open source modules are layered on top of that, which help create a consistent mobile and Web system, Duval said.

The project, which calls for the developers to sell preloaded eelo smartphones and provide some premium services, will run as a nonprofit. As a community project, it will welcome contributors.

The developers will release privacy-enabled smartphone ROMs, as well as smartphones for ordinary users, with associated Web services.

They have been testing custom builds of LineageOS/eelo on the LeEco Le 2 — a 5.5-inch smartphone with a 1080 x 1920 pixel screen, 3 GB RAM, 32 GB storage, a fingerprint sensor on the back and a 4K camera — for about £130, and on a Xiaomi Mi5S.

The developers plan to have downloadable ROMs for a range of devices by 2018, Duval said, as well as a limited number of post-market flashed devices. He also plans to discuss partnerships with Fairphone, Essential Phone or similar devices, and plans to industrialize the phone by 2019.

Privacy Tradeoffs

Many consumers have expressed a desire for greater control over their experience with mobile devices, but there has to be a balance between the value proposition and customers’ willingness to share on a personal level.

“Information is currency, and people are going to want more control over who has information on their behaviors and habits on a mobile device,” said Ryan Spanier, director of research at Kudelski Security.

“Eelo is focused on maintaining privacy,” he told LinuxInsider, “preventing tracking and monetization of your actions without your consent.”

There is growing consumer interest in a potentially less-intrusive operating system for mobile devices, but the task of establishing one in the market is daunting, said independent analyst Jeff Kagan.

Though there have been some prior efforts, no alternative mobile OS has been able to compete with iOS and Android, he told LinuxInsider.

Even if privacy is a concern, the majority of consumers don’t understand the relationship between privacy and the mechanics of their personal technology well enough to persuade them to make the shift to eelo, suggested Paul Teich, principal analyst at Tirias Research.

“Success will be made on social media stickiness and whether enough consumers or organizations think they can get ‘more privacy’ — whatever that means to them — than stock Google Android or Apple iOS products,” he told LinuxInsider.

Developing leading products like the iPhone and other devices involves the willingness to make tradeoffs, noted Gartner analyst Tuong Nguyen.

Companies must invest substantial resources to make their products appeal to the specific needs of their customers, he told LinuxInsider.

“Google spends a lot of time and effort to make [products] easy to use,” Nguyen said, “to keep you within their ecosystem.”

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain’s New York Business and The New York Times.

from LinuxInsider

New GnatSpy Mobile Malware Family Discovered

Earlier this year researchers first disclosed a targeted attack campaign against various sectors in the Middle East. This threat actor was called Two-tailed Scorpion/APT-C-23. Later on, a mobile component called VAMP was found, with a new variant (dubbed FrozenCell) discovered in October. (We detect these malicious apps as ANDROIDOS_STEALERC32.)

VAMP targeted various types of data from the phones of victims: images, text messages, contacts, and call history, among others. Dozens of command-and-control (C&C) domains and samples were found, which were soon disabled or detected.

Recently, Trend Micro researchers came across a new mobile malware family which we have called GnatSpy. We believe that this is a new variant of VAMP, indicating that the threat actors behind APT-C-23 are still active and continuously improving their product. Some C&C domains from VAMP were reused in newer GnatSpy variants, indicating that these attacks are connected. We detect this new family as ANDROIDOS_GNATSPY.

We do not know for sure how these files were distributed to users. It is possible that threat actors sent them directly for users to download and install on their devices. They had names like “Android Setting” or “Facebook Update” to make users believe they were legitimate. We have not detected significant numbers of these apps in the wild, indicating their use is probably limited to specific targeted groups or individuals.

New capabilities of GnatSpy

The capabilities of GnatSpy are similar to early versions of VAMP. However, there have been some changes in its behavior that highlight the increasing sophistication of this particular threat actor.

App structure organization – expanded and improved

The structure of the new GnatSpy variants is very different from previous variants. More receivers and services have been added, making this malware more capable and modular. We believe this indicates that GnatSpy was designed by someone with more knowledge in good software design practices compared to previous authors.

Figures 1 and 2. Old and new receivers and services

The new code also makes much more use of Java annotations and reflection methods. We believe that this was done to evade attempts to detect these apps as malicious.

Figures 3 and 4. Java annotations and reflection methods

C&C servers

Earlier versions of VAMP contained the C&C server used in simple plain text, making detection by static analysis tools an almost trivial affair.

Figure 5. C&C server in plaintext

GnatSpy has changed this. The server is still hardcoded in the malicious app’s code, but is now encoded to evade easy detection:

Figures 6 and 7. Obfuscated C&C server

A function call is in the code to obtain the actual C&C URL:

Figures 8 and 9. Function call to obtain C&C server URL

The URL hardcoded in the malware is not the final C&C server, however. Accessing the above URL merely sends back the location of the actual C&C server:

Figures 10 and 11. Request and response pair for C&C server
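The two points above (reflection use and the move from a plaintext C&C address to an encoded one that only points at a redirector) are the kind of signals an analyst looks for in a strings dump of a suspicious APK. The following is an added triage example, not code from the Trend Micro post or from GnatSpy itself. It assumes base64 as the encoding (the post does not say which encoding GnatSpy uses), uses placeholder URLs on the reserved .invalid TLD, and takes a constructed list of strings in place of a real decompiler output:

```python
import base64
import re

# Constructed strings dump, as if pulled from a decompiled Android app. None of this is
# GnatSpy's real code: the URLs are placeholders on the reserved .invalid TLD, and base64
# is an ASSUMED stand-in for whatever encoding GnatSpy uses (the post does not say).
ENCODED_C2 = base64.b64encode(b"http://example-redirector.invalid/get").decode()
SAMPLE_STRINGS = [
    "Ljava/lang/reflect/Method;->invoke",   # reflection: invoke a method by name
    "Ljava/lang/Class;->forName",           # reflection: load a class by name
    "http://example-old-c2.invalid/api/",   # plaintext URL, VAMP style
    ENCODED_C2,                             # encoded URL, GnatSpy style (assumed base64)
    "Lcom/example/app/MainActivity;",
    "SGVsbG8=",                             # valid base64, but not a URL once decoded
]

URL_RE = re.compile(r"^https?://[\w.\-]+(?::\d+)?(?:/\S*)?$")
# Candidate base64 tokens: long enough to hold a URL and built only from the base64 alphabet.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
REFLECTION_MARKERS = ("Ljava/lang/reflect/", "Ljava/lang/Class;->forName")


def find_plain_urls(strings):
    """URLs stored as-is, the pattern the post describes for early VAMP."""
    return [s for s in strings if URL_RE.match(s)]


def find_encoded_urls(strings):
    """Strings that decode (as base64, an assumption) to a URL, as (token, decoded) pairs."""
    found = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip it
        if URL_RE.match(decoded):
            found.append((s, decoded))
    return found


def find_reflection_markers(strings):
    """Dalvik descriptors of reflection APIs; heavy reflection use is a triage signal, not proof."""
    return sorted({s for s in strings if any(m in s for m in REFLECTION_MARKERS)})


def triage(strings):
    """Summarise the three signals for one strings dump."""
    return {
        "plain_urls": find_plain_urls(strings),
        "encoded_urls": find_encoded_urls(strings),
        "reflection": find_reflection_markers(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(key, value)
```

Any URL recovered this way should be recorded as a first-stage address only: as the post notes, the hardcoded URL answers with the location of the real C&C server, so the decoded value is a redirector, not the endpoint that matters for blocking.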

The WHOIS records of the C&C domains now use domain privacy to conceal the registrant’s contact information.

Figure 12. WHOIS information

It’s also worth noting that some of these C&C domains are newly registered, highlighting that these attackers are still active even though their activities have been reported:

Figure 13. Newly registered C&C domain

The domain names themselves are curious: they are the names of persons, but while some appear to be those of real people (or plausibly real names), others appear to have been taken directly from various television shows. The rationale for using these names remains unclear.

The version of Apache used has also been updated, from 2.4.7 to 2.4.18. All domains now forbid directory indexing; in at least one earlier C&C domain this was left enabled.

Figure 14. Directory indexing disabled
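Server banner and directory-indexing state are two cheap attributes for comparing C&C infrastructure across reports, and the same check tells you whether one of your own web servers leaks a file listing. The example below is added here and is not code from the Trend Micro post; both HTTP responses are constructed to mirror the before/after state the post describes (Apache 2.4.7 with indexing on, Apache 2.4.18 with indexing off) and are not captures from the real servers:

```python
import re

# Constructed responses, not captures from the GnatSpy servers.
OLD_SERVER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Index of /</title></head>"
    "<body><h1>Index of /</h1><a href=\"uploads/\">uploads/</a></body></html>"
)
NEW_SERVER_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Content-Type: text/html;charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>403 Forbidden</title></head>"
    "<body><h1>Forbidden</h1><p>You don't have permission to access / on this server.</p></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_version(headers):
    """Apache version string from the Server header, or None if the banner is absent/foreign."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", headers.get("server", ""))
    return m.group(1) if m else None


def directory_listing_exposed(status, body):
    """True when the root responds 200 with Apache's autoindex page (title 'Index of /')."""
    return status == 200 and bool(re.search(r"<title>\s*Index of\s+/", body, re.I))


def fingerprint(raw):
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "apache_version": server_version(headers),
        "directory_indexing": directory_listing_exposed(status, body),
    }


if __name__ == "__main__":
    print(fingerprint(OLD_SERVER_RESPONSE))
    print(fingerprint(NEW_SERVER_RESPONSE))
```

The title check is deliberately narrow: a 200 on `/` alone is not evidence of indexing, and a 403 (as in the second sample) is what Apache returns for a directory with `Options -Indexes` and no index file.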

We note here that two of the C&C domains we encountered – specifically, cecilia-gilbert[.]com and lagertha-lothbrok[.]info – were also reported to be connected to VAMP and FrozenCell, respectively. This indicates that the threat actors behind GnatSpy are likely to be connected to these previous attacks, as well.

Increased compatibility and stolen information

Earlier samples called the System Manager on Huawei devices to grant permissions to themselves:

Figure 15. Code calling app on Huawei devices

A similar line was added for Xiaomi devices:

Figure 16. Code calling app on Xiaomi devices

GnatSpy also includes several function calls targeting newer Android versions (Marshmallow and Nougat):

Figures 17 and 18. Code for Marshmallow and Nougat Android versions

More information about the device is stolen as well, including information about the battery, memory and storage usage, and SIM card status. Curiously, while previous samples collected information about the user’s location via OpenCellID, this is no longer done by GnatSpy.


Threat actors can be remarkably persistent even if their activities have been exposed and documented by researchers. This appears to be the case here. The threat actors behind GnatSpy are not only continuing their illicit activities, but they are also improving the technical capabilities of their malware.

Trend Micro™ Mobile Security for Android™ (also available on Google Play) detects these malicious apps. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Indicators of Compromise

Apps/files with the following hashes are connected to GnatSpy:

| SHA256 | Package Name | Label |
| --- | --- | --- |
| 14c846939641eb575f78fc8f1ecb2dc76979a5e08366e1809be24fad240f6ad6 | | Voice |
| 1b1bff4127c9f868f14bc8f2526358cfc9ff1259b7069ab116e7c52e43f2c669 | com.messenger.hike | Android Setting |
| 1c0e3895f264ac51e185045aa2bf38102da5b340eb3c3c3f6aacb7476c294d62 | | Messenger Update |
| 22078e0d00d6a0f0441b3777e6a418170e3a9e4cce8141f0da8af044fdc1e266 | com.myapps.update | Facebook Update |
| 232807513c2d3e97bfcc64372d360bd9f7b6b782bd4083e91f09f2882818c0c5 | com.myapps.update | WhatsApp Update |
| 313ae27ec66e533f7224d99c1a0c254272818d031456359d3dc85f02f21fd992 | | Android Setting |
| 377716c6a2b73c94d3307e9f2ea1a5b3774fa42df452c0867e7384eb45422e4f | com.apps.voice | Android Setting |
| 3c604f5150ea1af994e7411e2816c277ff4f8a02b94d50b6cf4cc951430414bf | com.appdev.update | Android System |
| 4842cff6fc7a7a413ceed132f735eee3121ffb03f98453dae966f900e341dd52 | com.updates.voice | VoiceChat |
| 4e681d242bebf64bbba3f0da91ad109dd14f26e97cd62f306e9fca1603a0009e | | Android Setting |
| 544a1c303ef021f0d54e62a6147c7ae9cd0c84265e302f6da5ed08b616e45b78 | com.myapps.update | Facebook Update |
| 566385bff532d1eb26b49363b8d91ed6881f860ffa4b5ddb2bb5fe068bb6c87e | | Android Setting |
| 58ddd057ec7f2420ce94cf3fc52794d0f62603ca7eaf8c5911f55b8b100ac493 | | Chat Me |
| 5de5b948aeca6e0811f9625dec48601133913c24e419ce99f75596cb04503141 | com.fakebook | App System Installer |
| 6b0325b7020f203d38664be732145c5f9f95fda875c81d136b031618900210a4 | com.myapps.update | Messenger Update |
| 6befd9dac5286f72516bba531371dc7769d9efecf56c8a44ce0c8de164662c6b | | Android Setting |
| 76962d334b894349a512d8e533c8373b71389f1d20fd814cd8e7ecc89ed8530a | com.messenger.hike | Android Setting |
| 8da31d3102524d6a2906d1ffa1118edf39cf54d72456937bfbae5546e09a3c32 | | Android Setting |
| 91b3eeb8ba6853cab5f2669267cf9bccdba389149cc8b2c32656af62bd016b04 | com.facebookupdate | Facebook Update |
| 93da08ced346b9958e34bda4fe41062572253472c762a3a837e0dd368fffec8b | com.fakebook | Android Settings |
| a841b71431e19df7e925d10a6e43a965fc68ccbb6523b447de82c516cfba93a8 | | Android Setting |
| af65aac4f3cf13c88422675b5261acc6c7b5d0af75323a516989a75b0374eddd | | Chat |
| b6326e17ec8307edf63e731c635fbfa8469d9264cb414592e2d2a5c71093d809 | com.apps.voice | Android Setting |
| b7007d2039abaf8b8b0db77241d400a8c4d3b48c6fece5d80dc69905d4d272c3 | com.apps.voice | Android Setting |
| c20438ba8c9e008c1e2eb4343f177757fc260437aeac52df61b156671b07ac14 | com.myapps.update | Facebook Update |
| ca8d892a616feaf240bd9e05a250db8ed4d56b7db6348bbaa415dec1e0c626f3 | | VoiceChat |
| ce4190030372465eceec60ec1687023c99f95a11b9a558f5431074de20747b81 | | WhatsApp Update |
| d17308fb06760de1b06d03448a01f3762f2712c1a66b50c8d5f4ac061d6deb27 | com.apps.lets | Android Setting |
| e2cb9140c47492e7931e0b6629caf5c03cbc4e7a28c7976a28e3158b5d1c67fb | | Android Setting |
| ebc338f3988e96e9fab53854428ea91dbabd3ee9875464008eafd52c687c3625 | | Best Chat |
| ec1ed9b064ffbd237e1808d4e156d011b8b77402042b7a6fee92923b69ba65d4 | | Android Setting |
| efc4a2014f73996fb5d90406a55aa14ac89407fd03cfc89d18ee3251d9fd1af8 | | Best Chat |
| f890ba41f6d7d2f2fb4da477adc975be7a3b8068686ff5e863d1a53e56acdfac | com.facebook.update | Facebook Update |

The following domains were used by various C&C servers:

  • aryastark[.]info
  • cecilia-gilbert[.]com
  • cerseilannister[.]info
  • claire-browne[.]info
  • daario-naharis[.]info
  • harvey-ross[.]info
  • jorah-mormont[.]info
  • kaniel-outis[.]info
  • kristy-milligan[.]website
  • lagertha-lothbrok[.]info
  • max-eleanor[.]info
  • olivia-hartman[.]info
  • ragnar-lothbrok[.]info
  • rose-sturat[.]info
  • saratancredi[.]info
  • useraccount[.]website
  • victor-stewart[.]info
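Indicator lists like the two above are only useful once they are machine-readable and matched against something. The following is an added example, not part of the Trend Micro post: it parses rows in the post's own table layout (SHA256, an optional package name, then a label), refangs the bracketed domains, and matches both against a constructed DNS query log and a constructed list of file hashes. The three table rows and three domains are copied from the lists above; the log lines, the client addresses and the all-zero hash are made up for the example, and the log format is an assumed one.

```python
import re

# Rows copied from the post's IoC table (same layout: hash, optional package, label).
IOC_TABLE = """\
SHA256 Package Name Label
14c846939641eb575f78fc8f1ecb2dc76979a5e08366e1809be24fad240f6ad6 Voice
1b1bff4127c9f868f14bc8f2526358cfc9ff1259b7069ab116e7c52e43f2c669 com.messenger.hike Android Setting
5de5b948aeca6e0811f9625dec48601133913c24e419ce99f75596cb04503141 com.fakebook App System Installer
"""
# Defanged domains copied from the post's list.
IOC_DOMAINS = ["aryastark[.]info", "cecilia-gilbert[.]com", "lagertha-lothbrok[.]info"]

# Constructed DNS resolver log in an assumed "timestamp client=... qtype=... name=..." format.
SAMPLE_DNS_LOG = [
    "2017-12-01T10:22:03Z client=10.0.0.5 qtype=A name=cecilia-gilbert.com",
    "2017-12-01T10:22:09Z client=10.0.0.7 qtype=A name=updates.example.com",
    "2017-12-01T10:23:41Z client=10.0.0.5 qtype=A name=LAGERTHA-LOTHBROK.INFO",
]
# Constructed hash list: one hash from the table above plus one that matches nothing.
SAMPLE_HASHES = [
    "5de5b948aeca6e0811f9625dec48601133913c24e419ce99f75596cb04503141",
    "0" * 64,
]

# 64 hex chars, then an optional token containing a dot (the package name), then the label.
ROW_RE = re.compile(r"^([0-9a-f]{64})\s+(?:(\S+\.\S+)\s+)?(.+?)\s*$")


def parse_ioc_table(text):
    """Turn the post's flattened table into dicts; the header line is skipped by the regex."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"sha256": m.group(1), "package": m.group(2), "label": m.group(3)})
    return rows


def refang(domain):
    """Undo the [.] defanging so the value can be compared with live log data."""
    return domain.replace("[.]", ".")


def match_hashes(rows, observed):
    """Rows whose SHA256 appears in the observed list (case-insensitive)."""
    by_hash = {r["sha256"]: r for r in rows}
    return [by_hash[h.lower()] for h in observed if h.lower() in by_hash]


def match_dns(domains, log_lines):
    """(timestamp, queried name) for every log line whose name is an IoC domain."""
    wanted = {refang(d).lower() for d in domains}
    hits = []
    for line in log_lines:
        m = re.search(r"\bname=(\S+)", line)
        if m and m.group(1).lower().rstrip(".") in wanted:
            hits.append((line.split()[0], m.group(1).lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    rows = parse_ioc_table(IOC_TABLE)
    print("hash hits:", [r["label"] for r in match_hashes(rows, SAMPLE_HASHES)])
    print("dns hits:", match_dns(IOC_DOMAINS, SAMPLE_DNS_LOG))
```

The DNS match normalises case and a trailing dot before comparing, since resolver logs vary in both; an exact-string compare against the refanged list would miss the third sample line.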


Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New GnatSpy Mobile Malware Family Discovered

Mobile Menace Monday: upping the ante on Adups

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went about our collective ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which, unfortunately, FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices. Thus, by default it has system-level privileges. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these system apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.
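A quick way to confirm whether a device carries the component described above, and whether it sits in a system partition (which is what gives it its privileges), is to list installed packages with their APK paths over adb and look for the Adups package names. The following is an added example and is not Malwarebytes code: it parses the output of `adb shell pm list packages -f`, which prints `package:<apk path>=<package name>` per line. The package names come from the post; the sample output, its paths and the unrelated packages in it are constructed for the example.

```python
# Package names named in the post (com.adups.fota from the 2016 case, the two sysoper ones now).
ADUPS_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper", "com.fw.upgrade.sysoper"}
# Partitions whose apps run with system privileges and cannot be uninstalled without root.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")

# Constructed output of `adb shell pm list packages -f` on a hypothetical device; the
# FWUpgradeProvider.apk filename is from the post, the directory it sits in is assumed.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/FWUpgradeProvider/FWUpgradeProvider.apk=com.adups.fota.sysoper
package:/system/app/Adups/Adups.apk=com.adups.fota
package:/data/app/com.example.chat-1/base.apk=com.example.chat
package:/system/app/Settings/Settings.apk=com.android.settings
"""


def parse_pm_list(output):
    """Parse `pm list packages -f` lines into {package, apk, system} dicts."""
    entries = []
    for line in output.splitlines():
        if not line.startswith("package:"):
            continue  # ignore adb noise or blank lines
        path, _, pkg = line[len("package:"):].rpartition("=")
        entries.append({
            "package": pkg,
            "apk": path,
            "system": path.startswith(SYSTEM_PREFIXES),
        })
    return entries


def find_adups(entries):
    """Entries that are known Adups packages or anything else under the com.adups. namespace."""
    return [
        e for e in entries
        if e["package"] in ADUPS_PACKAGES or e["package"].startswith("com.adups.")
    ]


def report(output):
    """Human-readable summary; system=True is the case the post is worried about."""
    lines = []
    for e in find_adups(parse_pm_list(output)):
        where = "system partition" if e["system"] else "user-installed"
        lines.append(f"{e['package']} at {e['apk']} ({where})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PM_OUTPUT):
        print(line)
```

Run it against real output by piping `adb shell pm list packages -f` into `parse_pm_list`; a hit with `system` set to True is the situation the post describes, where a scanner can flag the package but not remove it.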

Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution—it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

The post Mobile Menace Monday: upping the ante on Adups appeared first on Malwarebytes Labs.