Reearchers Found 'Etinu', Which Are Some 'Clever Billing Fraud' Android Apps

Android evil, Get it on Google Play”

Android is likely the most flexible mobile operating system out there in the market. But that advantage comes with some huge issues.

One of which, is poorly vetted apps. Even inside the official Google Play Store, there have been many instances of malware-infected apps that managed to gain significant amounts of downloads and users. And this time, things are no different.

Security researchers from McAfee have found a batch of apps inside the Play Store that managed to steal users’ text messages, and also capable of making unauthorized purchases on users’ behalf.

The malware, which was hidden in a number of apps, had more than 700,000 downloads.

The researchers said they find this particular malware, after investigation an attacker-operated server that controlled infected devices.

Within it, they found that the server stored all kinds of date from users' phones, including their mobile carrier, phone number, SMS messages, IP address, country, and network status. The server also stored auto-renewing subscriptions.

In a blog post, the researchers at McAfee wrote that:

"A new wave of fraudulent apps has made its way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula [...] ."

"Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases. While apps go through a review process to ensure that they are legitimate, these fraudulent apps made their way into the store by submitting a clean version of the app for review and then introducing the malicious code via updates to the app later."

According to the researchers, this malware is similar to a prolific family of Android malware known as Joker, which also steals SMS messages and signs up users for expensive services.

"As always, the most malicious functions reveal themselves in the final stage. The malware hijacks the Notification Listener to steal incoming SMS messages like Android Joker malware does, without the SMS read permission. Like a chain system, the malware then passes the notification object to the final stage. When the notification has arisen from the default SMS package, the message is finally sent out using WebView JavaScript Interface."
Etinu-infected apps on Google Play Store
Etinu infected Android apps on Google Play Store. (Credit: McAfee)

But that is where the similarity ends.

While Etinu's and the Joker's payloads are similar, "in-depth, its processes for loading payloads, encryption, targeting geographies are different from Joker,” said McAfee’s Sang Ryol Ryu.

The Etinu payloads appear in an Android Assets folder with file names such as “cache.bin,” “settings.bin,” “data.droid,” or "image files."

“Interestingly, this malware uses key management servers,” the McAfee researchers wrote.

“It requests keys from the servers for the AES encrypted second payload, ‘2.png.’ And the server returns the key as the ‘s’ value of JSON. Also, this malware has self-update function. When the server responds ‘URL’ value, the content in the URL is used instead of ‘2.png’. However, servers do not always respond to the request or return the secret key.”

The team at McAfee said that they have reached to Google, resulting the company in removing the said apps from its Play Store.

Further reading: Google Play Store Is Android's Biggest Security Problem, Research Found

Published: 
19/04/2021