Android Installer Hijacking Bug Used as Lure for Malware

Mobile users became alarmed after the discovery of an Android bug that was dubbed as the “Android Installer Hijacking vulnerability.” This flaw can allow cybercriminals to replace or modify legitimate apps with malicious versions that can steal information. Given the high profile nature of this discovery, we decided to search for threats that might exploit this vulnerability.

A scanner app was released so that users can check if their mobile devices were affected by the Android Installer Hijacking vulnerability. We thought cybercriminals might take advantage of this news and create their own malicious version of the app. However, the malware we did encounter were of a different nature.

Visiting the Sites

Using relevant keywords, we came across three websites that advertise “scanners” for the Android vulnerability, with some even using the name of the actual, legitimate scanner.

First Website

The first site features two options to download the .APK scanner file. Clicking on any of the two options leads to a site before finally redirecting to the official Google Play page of the scanner app.

Figure 1. First site “offering” the scanner via two options

But what happens if someone clicks on other parts of the site? A new site is loaded on a new tab. These sites vary from surveys to so-called software updates. Furthermore, a file is automatically downloaded onto the mobile device. During our research, we were able to download three files:

  • popBird_yinhe_en.apk – detected as ANDROIDOS_SMSPAY.FCA, which is a premium SMS abuser
  • vShareMarket_1.5.9_yeahmobi.apk – detected as ANDROIDOS_JPUSH.A, which is adware
  • LazySwipe_400105_mobvista04_37504_1.63_1631_03201923.apk – a legitimate app

Second Website

“Persistent” would be the best word to describe the behavior of the second site. After being redirected to a different site, users will encounter a pop-up window that doesn’t go away, even after clicking the “OK” button. Closing the browser doesn’t solve the problem of the pop-up window, nor does clearing the memory. The same tab was still present after re-opening the browser. It should be noted that no file was downloaded to the mobile device.

Figure 2. Second site (L) and the persistent pop-up window (R)

Third Website

Like in the second site, no files were downloaded when we visited the third site.  We found that the Google Play button leads to a suspicious site. However, further attempts to check the redirections were prevented by “bad error requests.”

Figure 3. The Google Play button leads to this site

Erratic Status

We noticed that one of the sites was sometimes down during our investigation. While it’s hard to confirm the reason behind this, it’s highly possible that this was done to avoid monitoring and scrutiny. Security researchers or organizations might be dissuaded from looking into the site if they assume the site is dead or no longer being used.

Figure 3. Inactive site

Social Engineering in Action

Rather than finding threats that exploited the Android vulnerability, what we found were threats that exploited the fear over the bug. Taking advantage of a hot topic or current event is par for the course for social engineering. Cybercriminals will exploit any topic just to convince users to do their bidding.

When it comes to pressing matters, users should keep calm. They might be tempted to visit any and every site to get as much information as they can. However, these can lead to disreputable websites with questionable or even malicious content.

Users should always visit reputable sites to get their information. To download fixes for vulnerabilities and other threats, it’s always best to go to the developer or an official source. For this particular incident, the official scanner app is available on Google Play, with more details on the developer’s website. Other reputable news sources also included links to the legitimate app.

Defense against social engineering goes beyond websites and apps. We have often seen cybercriminals use emails and social networks as their medium for social engineering. In these instances, we advise users to think and assess before they click. They need to look for little red flags that can warn them of potential malicious activity.

Users should also take the time to invest in security software for all their devices. This includes mobile devices, which is covered by Trend Micro Mobile Security. Cybercriminals aren’t too picky when it comes to infecting devices. They will take any and every device, just to gain victims. It would be an advantage for users if their security solution is able to detect and block all forms of threats like malware, spam, and bad sites. Users can also use the Trend Micro Site Safety Center to check if websites are safe before they visit them.

Hashes of related files are as follows:

  • 2bcf15ae5fd2fda84d0b6bbb4143272d97f500be – ANDROIDOS_SMSPAY.FCA
  • 5ca7fb455f76f940768482410d4bb423edc3c633 – ANDROIDOS_JPUSH.A

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Android Installer Hijacking Bug Used as Lure for Malware

Read more: Android Installer Hijacking Bug Used as Lure for Malware

Story added 7. April 2015, content source with full text you can find at link above.