First Android Malware Developed in Kotlin

While much of the InfoSec community is still reeling after the Meltdown and Spectre announcements, a new trend in malware developments may be occurring. Researchers at cybersecurity firm Trend Micro have released a report detailing what they believe to be the first malware discovered developed in the Kotlin programming language.

Kotlin was, for most of its early existence, a little-known programming language. That was until May 2017 when Google, at the Google I/O 2017 conference, that the programming language would become the first third-party supported programming language for Android apps, besides Java. This gave the language a surge in popularity and use. So much so that Kotlin is estimated to surpass Java as the primary programming language used for Android apps by December 2018. In hindsight, one could argue the surge in popularity would inevitably result in malware authors looking to use the language to achieve their nefarious ends. The question would be a matter of if rather when.

Researchers at Trend Micro have not given the malware an easy to remember name yet and refer to the malware merely as ANDROIDOS_BKOTKLIND.HRX. While it may lack the easy to remember name media houses love, the questions raised by this malware are interesting all the same. The malware was found inside an Android application available on the official Google Play Store posing as legitimate phone utility cleaner app named Swift Cleaner. Google has since removed the app from the Play Store. The malicious app can be detected on Android user’s devices using the following package names:

  • com.pho.nec.sg.app.cleanapplication
  • com.pho.nec.pcs
  • com.pho.nec.sg

In the report published by Trend Micro, the malware itself comes with many features. These include remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. The malware is also capable of signing up users for premium SMS subscription services without their permission. At the time of the firm publishing their findings, the app had been downloaded approximately 5,000 times. One of the more notable features the app possesses is the ability to bypass CAPTCHA solutions employed by some of these premium SMS services.

android malware developed using kotlin programming language

As to whether the using the Kotlin language provides any extra benefits to malware authors to little is known. Kotlin as a language is regarded as a concise and safe language. One of the main advantages to using the coding language is that it drastically reduces the amount of boilerplate code needed. This results in the language avoiding entire classes of errors such as null pointer exceptions. It is also capable of leveraging existing libraries for JVM, Android, and browsers. Its tooling support is also seen as an advantage as Android Studio 3.0 provides tools for helping users with Kotlin. In addition, it can convert all Java files or code snippets on the fly when pasting Java code into a Kotlin file. While the advantages of Kotlin are numerous and help explain its rapid adoption none of these advantages are known to benefit malware authors over and above Java for instance.

So far all malware targeting Android devices in the wild has been written in Java. Now that Kotlin has officially become the second programming language supported by the Android OS, and many expect it to become the primary language for writing Android apps in the following years, its use in malware can be expected to rise in conjunction with its legitimate use.

FakeBank

In another report released by researchers at Trend Micro, a new banking trojan has been discovered targeting Russian banks. Named FakeBank, it too is an Android malware targeting only Russian speaking banks currently. So far the researchers who discovered the new malware strain have collected thousands of samples. From the samples, they have ascertained that not only Sberbank but also other Russian banks like Letobank and the VTB24 bank have been targeted. In the samples collected it appears that the trojan poses mostly as SMS/MMS management software to lure users into downloading them. Rather the being the SMS/MMS service the malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems.

The fraudulent transfer of funds is done by controlling an infected user’s open and close network function and also silently connect to the internet. This means that it can send information to its command and control server (C&C) without the user’s knowledge. It also inspects the device for anti-virus software, and if detected, will exit without executing any malicious behavior. This is a tactic that helps it remain unreported and under the radar in an attempt to avoid detection. Yet another feature of FakeBank is the ability to steal information from the device and uploads it to the C&C server. The sensitive data collected includes users’ phone numbers, a list of installed banking apps, the balance on any linked bank card, and even location information. To further ensure data collection is a success the malware forbids the user from opening the device settings, likely to prevent uninstallation. Some samples detected also required admin privileges from the user, which gives the malware even more access to the device.

Researchers have linked the discovery of FakeBank with the old Fanta SDK Android banking trojan that was active in early 2016. Fanta SDK was famous because it used an innovative technique of changing the smartphone's PIN and locking the screen while it drained funds from the victim's bank account. In the case of the older cousin of FakeBank the malware only activates if the user has the original Sberbank app installed on their phone and not on multiple banking apps. Much like in the case of FakeBank, Fanta SDK allowed the cybercriminal can now steal money silently in the background.

While many hoped for a slow and gentle start to the year, malware authors and cybercriminals have been hard at work. Much of this work has appeared to go under the radar in the wake of critical vulnerabilities affecting several generations of processors. However, it appears malware authors intend to continue 2018 in much the same way as 2017, and years previously.