An advertising dropper in Google Play

Recently, the popular CamScanner – Phone PDF creator app caught our attention. According to Google Play, it has been installed more than 100 million times. The developers position it as a solution for scanning and managing digitized documents, but negative user reviews that have been left over the past month have indicated the presence of unwanted features.

After analyzing the app, we saw an advertising library in it that contains a malicious dropper component. Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser.
Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.
Technical details about Necro.n
When the app is run, dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources.

Spy Wrist Watch 32GB Mini Hidden Camera Record Video Audio DVR DV Camcorder US

$28.27
End Date: Friday Sep-27-2019 15:18:16 PDT
Buy It Now for only: $28.27
Buy It Now | Add to watch list

[2-Pack] iPhone X XS XR XS Max Privacy Anti-Spy Tempered Glass Screen Protector

$4.45
End Date: Saturday Sep-21-2019 3:29:19 PDT
Buy It Now for only: $4.45
Buy It Now | Add to watch list

Next, the configuration file with the name “comparison” is decrypted.

Once we decrypt it, we obtain the following configuration with the addresses of the attackers’ servers.
{
“hs”: {
“server”: “https://abc.abcdserver[.]com:8888”,
“default”: “https://bcd.abcdserver[.]com:9240”,
“dataevent”: “http://cba.abcdserver[.]com:8888”,
“PluginServer”: “https://bcd.abcdserver[.]com:9240”
},
….
}
Dropper downloads an additional module from these URLs:

And then it executes its code:

The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers. As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.
IOCs
MD5
7b7064d3876fc3cb1b3593e3c173a1a2
b6656bb8fdfb152f566723112b0fc7c8
d3ccb1b4feea5fee623fad5c5948b09b
7186f405f82632f45ad51226720a45b5
9d6439756af0686974ac9f920d56dd39
10573004477fb4a405d41d6ee4dbdd64
e8d361827438873ae27ac5200f3f91be
85c96e359dd48bb814e2ddf34bc964fa
cdf045f1d96fae53d3986b985d787b59
9fbc7c3c3326bfc710f9b079766cf85c
2087986583416f45ae411ebd8c5db8aa
a1b3551ec1dcdce7ac2655994697a02d
d0ae4282d629518458fb5ca765627a71
d28ec38edda65324299fc0dcddca9740
2e9eef8b88bf942e416ed244a427d20c
45fac5ad7be24f5110c5e77c2a7a42f6
5d52373b32cbcfdfb25dd20d267b5186
66db48ce2ff503a27cb9c1617e9a2583
bcbf463050a0706b008e21a846b3185e
19c6604f18d963f0320d8ddee98a9fd0
44196cbce4e57e60443a9c19281e532f
1807f8d8e711fd12a6127455afe98e85
3e3db74a1ee8da53f05b61dde65a95b3
170646ee90094db9516ca4a054bf2804
da953233a618570336e2e5ddd6464e67
c69a2d2b0bf67265590c9be65cd4286b
96db624fa2532d14dd43c7ad3124c385
d07846903cb78babac78f0dd789d262e
a02811248a0d316a1f99d07e60aa808e
74709014aa553b92fe079cf8941d64f6
f8b8fd44952ca199d292570ff6da5e8f
9eff49dc969eea829e984bad34b7225c
5bf2d280557e426e90c086fb89dc401f
e7705517e9e469921652ad33f87d7c22
dbb53ee8229cf4e8ae569a443bcd59d3
3d37fbbffc45b7ca11e20ed06cc2f0f6
ec11fb61eababc7586e1874c92f7629e
b5c7b67e9650bf819b70d2c0a5ca7c63
7b7064d3876fc3cb1b3593e3c173a1a2
b6656bb8fdfb152f566723112b0fc7c8
d3ccb1b4feea5fee623fad5c5948b09b
7186f405f82632f45ad51226720a45b5
9d6439756af0686974ac9f920d56dd39
10573004477fb4a405d41d6ee4dbdd64
e8d361827438873ae27ac5200f3f91be
85c96e359dd48bb814e2ddf34bc964fa
cdf045f1d96fae53d3986b985d787b59
9fbc7c3c3326bfc710f9b079766cf85c
2087986583416f45ae411ebd8c5db8aa
a1b3551ec1dcdce7ac2655994697a02d
d0ae4282d629518458fb5ca765627a71
d28ec38edda65324299fc0dcddca9740
2e9eef8b88bf942e416ed244a427d20c
45fac5ad7be24f5110c5e77c2a7a42f6
5d52373b32cbcfdfb25dd20d267b5186
66db48ce2ff503a27cb9c1617e9a2583
bcbf463050a0706b008e21a846b3185e
19c6604f18d963f0320d8ddee98a9fd0
44196cbce4e57e60443a9c19281e532f
1807f8d8e711fd12a6127455afe98e85
3e3db74a1ee8da53f05b61dde65a95b3
170646ee90094db9516ca4a054bf2804
da953233a618570336e2e5ddd6464e67
c69a2d2b0bf67265590c9be65cd4286b
C&C
https://abc.abcdserver[.]com:8888
https://bcd.abcdserver[.]com:9240
http://cba.abcdserver[.]com:8888
https://bcd.abcdserver[.]com:9240






Click here for best antivirus and antispyware software

Powered by WPeMatico