
Trojan Poses as Security App

Security firm TrendMicro has discovered that a new variant of the XLoader trojan is targeting Android devices by posing as a security app. Mac users are not out of the woods either, as the trojan also attempts to infect iPhones and iPads through a malicious iOS profile. Researchers have previously seen XLoader posing as both Facebook and Chrome. This latest variant includes a new deployment technique and modifications to the source code.

The malware is also hosted on fake websites that mimic legitimate domains. This is done in an attempt to trick users into downloading what they believe is a legitimate and necessary security product. Researchers also found that links to the malicious websites are sent to potential victims using SMiShing, short for SMS phishing.

These attacks involve the user being tricked into downloading a trojan via a link sent in an SMS. David Rayhawk, a senior researcher at McAfee Avert Labs, explains how SMiShing works:

“Some cell phone users have started receiving SMS messages along these lines: 'We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com.' (This is an example and was not a real URL at the time of writing.) This phenomenon, which we at McAfee Avert Labs are dubbing ‘SMiShing’ (phishing via SMS), is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses, and scams.”

If an Android user unwittingly downloads XLoader, the APK is installed only if the user has allowed the installation of apps from unknown sources. Mac users are served a phishing page, but only after they agree to install a malicious configuration profile that claims to resolve an issue preventing the site from loading, yet another way the malware authors attempt to trick users. Further, the malware leverages Twitter profiles to hide its real command and control (C&C) addresses, encoding them in the Twitter names.

This has piqued the researchers’ interest in the new variant; as they pointed out, this added operation could be very dangerous because threat actors can use it to perform targeted attacks. On Apple devices, the malicious iOS profile gathers the unique device identifier (UDID), International Mobile Equipment Identity (IMEI), Integrated Circuit Card ID (ICCID), mobile equipment identifier (MEID), version number, and product number.


According to TrendMicro,

“After the profile is installed, the user will then be redirected to another Apple phishing site. The phishing site uses the gathered information as its GET parameter, allowing the attacker to access the stolen information.”
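The exfiltration described above, device identifiers carried as GET parameters to a phishing host, leaves a recognisable trace in web proxy logs. The following is an added detection example written for this article (not TrendMicro's or PCrisk's code): it parses constructed proxy log lines, classifies every query-string value by identifier format (IMEI and ICCID via their Luhn check digit, UDID as 40 hex characters, MEID as 14 hex characters) without trusting the parameter names, and flags requests that carry two or more distinct identifier kinds. The log format and the hostnames are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines ("timestamp source method url"); every value below is made up.
SAMPLE_LOG = """\
2019-04-03T10:12:07Z 10.0.0.14 GET http://apple-verify.example/login.php?a=0123456789abcdef0123456789abcdef01234567&b=490154203237518&c=8944500000000000006
2019-04-03T10:12:09Z 10.0.0.14 GET http://cdn.example/css/main.css
2019-04-03T10:12:11Z 10.0.0.22 GET http://shop.example/item?id=490154203237518
2019-04-03T10:12:15Z 10.0.0.31 GET http://apple-verify.example/login.php?b=490154203237519&d=A10000009296F2
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the scheme IMEI and ICCID numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value: str):
    """Return the identifier kind a query value resembles, or None if it matches none."""
    v = value.strip()
    if re.fullmatch(r"\d{15}", v) and luhn_ok(v):
        return "imei"                       # 15 digits, Luhn-valid
    if re.fullmatch(r"\d{19,20}", v) and luhn_ok(v):
        return "iccid"                      # 19-20 digits, Luhn-valid
    if re.fullmatch(r"[0-9a-fA-F]{40}", v):
        return "udid"                       # classic 40-hex-character UDID
    if re.fullmatch(r"[0-9a-fA-F]{14}", v) and not v.isdigit():
        return "meid"                       # 14 hex chars; all-digit values skipped as a false-positive control
    return None

def scan_line(line: str):
    """Parse one log line and return (source, host, set of identifier kinds in its query)."""
    parts = line.split()
    if len(parts) < 4:
        return None
    src, url = parts[1], parts[3]
    u = urlsplit(url)
    kinds = set()
    for _, val in parse_qsl(u.query):
        kind = classify_value(val)
        if kind:
            kinds.add(kind)
    return src, u.hostname, kinds

def find_exfil(log: str, min_kinds: int = 2):
    """Flag requests whose query string carries at least min_kinds distinct device identifiers."""
    hits = []
    for line in log.splitlines():
        r = scan_line(line)
        if r and len(r[2]) >= min_kinds:
            hits.append((r[0], r[1], sorted(r[2])))
    return hits
```

With the default threshold only the first line is flagged; the lone 15-digit shop item id and the single MEID-shaped value on the last line are not, which keeps the rule from firing on ordinary numeric parameters.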

The authors of the latest variant are not content only to go after Apple and Android users wanting to improve their mobile security: XLoader has also been seen posing as an adult content app. In this instance, South Korean Android users are targeted. If downloaded, the malware connects to a malicious website that runs XLoader in the background and uses a different fixed Twitter account. The researchers also discovered a variant that abuses Instagram and Tumblr instead of Twitter to hide its command and control address.

XLoader and FakeSpy

According to TrendMicro, XLoader activity has been observed since 2018 but can be traced back to January 2015. Researchers further believe that XLoader and another piece of malware, FakeSpy, are intrinsically linked. This is based on the deployment technique, the cloning of legitimate Japanese websites to host malicious apps, the use of the same naming method, and the abuse of social networking sites to hide the command and control address. Even the fake iOS profile was found hosted on a site that had previously been linked to FakeSpy. Much of the investigation into the link between the two types of malware was completed towards the end of 2018.

Not only has a link between the malware types been established, but researchers also have a view on who might be behind the development and distribution of both XLoader and FakeSpy. They believe that both XLoader and FakeSpy belong to a cybercriminal collective known as the Yanbian Gang. Evidence for this attribution is closely tied to the links between the two types of malware. Another clue came when it appeared to researchers that XLoader and FakeSpy share some 126 separate domains used in the distribution of the malware. Both threats imitated legitimate apps of a Japanese home delivery firm to dupe users into installing the mobile malware on their devices, and the domains in question were registered with phone numbers from the same Chinese province where researchers believe the Yanbian Gang is based.

The group rose to prominence in 2015 when they managed to steal millions from South Korean mobile banking users. In this case, the gang used several Android malware families to infect mobile banking customers; none of the malware used by the gang was distributed through Google Play or third-party app stores. The Yanbian Gang infected victims by sending malicious text messages, or by having other malicious code already on the device download the malware component. The malware used by the Yanbian Gang consisted primarily of remote access tools (RATs) that attackers used to gain complete control of the victims’ mobile devices. It doesn’t take a security researcher to see the similarities in technique between the distribution of XLoader and the theft of millions from victims.

The gang is believed to be made up of four distinct subgroups, which have been described as:

  • The cowboys, which are responsible for collecting the proceeds from successful attacks and passing them on to the organizer.
  • The translators, which are responsible for localizing the threats.
  • The malware creators, which develop the malware.
  • The organizer, which synchronizes the operations.

They have been targeting South Korean and Japanese mobile users predominantly since 2013.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.