FluBot
FluBot spreads through the native SMS service, using smishing messages designed to trick the user into installing an application that supposedly lets them “listen to a voicemail” message. The Android Accessibility Service is then leveraged to disable Play Protect, the Google service that blocks certain applications from being installed on Android devices.
Attackers use overlay attacks (HTML pages that mimic the user’s legitimate banking or payment apps) to trick users into supplying sensitive details such as usernames and passwords. This sensitive data is then exfiltrated to the newly established C2. While the exact attacker is unknown, the campaign has been loosely attributed to a Russian attack group based on analysis of the C2. [1]
Additional Examples:
RANA Family
The malware family known as RANA, attributed to the threat actor APT-39, has continuously evolved to exploit the devices of Android users. The attack begins by infecting the device with Optimizer.apk, which, upon establishing C2 communications, sends AES-encrypted sensitive system and device data back to the server. Capabilities include recording audio and taking pictures, as well as forcing the device to answer incoming calls from certain pre-defined telephone numbers. [2]
They have since expanded their capabilities by targeting messaging data from popular communication applications such as Instagram, Skype, Telegram, Viber, and WhatsApp, abusing Android’s Accessibility Service to retrieve sensitive information for exfiltration from the device. [3]
RedDrop
RedDrop malware was discovered in March 2018 by security research firm Wandera’s machine intelligence engine “MI:RIAM.” It is a zero-day threat that was unknown within the mobile security community prior to its discovery. RedDrop is embedded in at least 53 applications and is distributed by a network of 4,000+ domains registered to the same underground group.
When the app is opened, seven additional APK files are silently downloaded, unlocking new malicious functionality. Each user interaction with an affected application triggers the sending of an SMS to a premium service; the message is then deleted before it can be detected.
The additional APKs include spyware-like components. They are capable of harvesting sensitive user data and can passively record the device’s audio and exfiltrate photos, contacts, user files, and other data. RedDrop then uploads the data straight into remote file storage systems, such as Dropbox, for extortion purposes. [4]
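The three families above share a recognisable capability mix from an examiner's point of view: an enabled Accessibility Service (FluBot, RANA), the overlay permission used for credential-phishing screens (FluBot), the ability to send SMS (FluBot's smishing spread, RedDrop's premium SMS), and audio/camera capture (RANA, RedDrop). The script below is an added triage example, not code from the page or from any of the referenced write-ups: it scores packages in a constructed device inventory against that mix. The package names, permission sets and installer values are constructed; the `enabled_accessibility_services` string imitates the format of the real Android `Settings.Secure` key of that name (colon-separated `package/service` entries), and the weights and threshold are an illustrative choice.

```python
"""Triage heuristic for an Android package inventory.

Flags packages whose observed capabilities match the mix seen in the malware
families discussed above: an enabled Accessibility Service (FluBot, RANA),
overlay permission (FluBot), SMS sending (FluBot, RedDrop), audio/camera
capture (RANA, RedDrop), with sideloading as a supporting indicator.

All inputs below are CONSTRUCTED for this example; the package names are
hypothetical and do not correspond to real apps or samples.
"""

# Constructed value in the format of the Settings.Secure key
# `enabled_accessibility_services` (colon-separated "package/service" entries).
ENABLED_A11Y = (
    "com.example.voicemail/com.example.voicemail.HelperService:"
    "com.example.optimizer/.MonitorService"
)

# Constructed per-package inventory: requested permissions and installer.
INVENTORY = {
    "com.example.notes": {
        "installer": "com.android.vending",
        "permissions": {"android.permission.INTERNET",
                        "android.permission.READ_EXTERNAL_STORAGE"},
    },
    "com.example.voicemail": {
        "installer": None,  # sideloaded, e.g. from a link in an SMS
        "permissions": {"android.permission.INTERNET",
                        "android.permission.SYSTEM_ALERT_WINDOW",
                        "android.permission.SEND_SMS",
                        "android.permission.READ_SMS",
                        "android.permission.RECEIVE_SMS",
                        "android.permission.READ_CONTACTS"},
    },
    "com.example.optimizer": {
        "installer": None,
        "permissions": {"android.permission.INTERNET",
                        "android.permission.RECORD_AUDIO",
                        "android.permission.CAMERA",
                        "android.permission.ANSWER_PHONE_CALLS"},
    },
}

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_SEND = "android.permission.SEND_SMS"
CAPTURE = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}
PLAY_STORE = "com.android.vending"
THRESHOLD = 3  # illustrative; tune against a known-good device baseline


def parse_enabled_services(value):
    """Return the set of packages that have an enabled Accessibility Service."""
    pkgs = set()
    for entry in value.split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def score_package(name, info, a11y_pkgs):
    """Return (score, reasons) for one package; weights are illustrative."""
    reasons = []
    perms = info["permissions"]
    if name in a11y_pkgs:
        reasons.append(("accessibility service enabled", 2))
    if OVERLAY in perms:
        reasons.append(("overlay permission (credential-phishing overlays)", 1))
    if SMS_SEND in perms:
        reasons.append(("can send SMS (smishing spread / premium SMS)", 1))
    if perms & CAPTURE:
        reasons.append(("audio/camera capture", 1))
    if info["installer"] != PLAY_STORE:
        reasons.append(("not installed from Play Store", 1))
    return sum(w for _, w in reasons), reasons


def triage(inventory, enabled_a11y, threshold=THRESHOLD):
    """Return {package: {"score", "reasons"}} for packages at or above threshold."""
    a11y_pkgs = parse_enabled_services(enabled_a11y)
    flagged = {}
    for name, info in inventory.items():
        score, reasons = score_package(name, info, a11y_pkgs)
        if score >= threshold:
            flagged[name] = {"score": score, "reasons": [r for r, _ in reasons]}
    return flagged


if __name__ == "__main__":
    for pkg, hit in triage(INVENTORY, ENABLED_A11Y).items():
        print(f"{pkg}: score {hit['score']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

On a real extraction the two inputs would come from the device's `settings_secure` table (or `settings get secure enabled_accessibility_services`) and from the package inventory; the scoring is only a prioritisation aid, since legitimate apps (screen readers, password managers) also hold accessibility access, which is why the enabled-service indicator is weighted rather than treated as conclusive.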
References:
[1] https://for585.com/flubot
[2] https://for585.com/ranamalware
[3] https://for585.com/ranamalware2
[4] https://for585.com/nul-o (Wandera’s write-up on RedDrop malware for Android)