Efficient Android Remote Access Trojan Harvesting Credentials

SonicWall Capture Labs analyzed an Android Remote Access Trojan that lures users with well-known app icons, requests Accessibility and Device Admin permissions, and connects to a Command-and-Control server to execute commands and harvest credentials. The malware opens built-in browser pages (fraudulent HTML in an ‘assetwebsite’ folder) to collect credentials via JavaScript and exfiltrates device data such as SMS, call logs, contacts, and installed packages.

Keypoints

  • Malicious Android app masquerades with familiar app icons to trick victims into installation.
  • On install it requests Accessibility Service and Device Admin permissions to gain elevated control of the device.
  • The app connects to a Command-and-Control (C&C) server to receive commands including reading SMS, call logs, contacts, installed packages, changing wallpaper, toggling flashlight, and sending SMS.
  • It opens specific URLs in the device browser for phishing; fraudulent HTML pages stored in an ‘assetwebsite’ folder capture credentials via JavaScript and forward them to the malware.
  • The malware collects phone numbers and other local data, and can toggle the camera flashlight using the CameraManager API.
  • Multiple SHA-256 sample hashes were identified and at least one sample was found uploaded to VirusTotal.

MITRE Techniques

  • [T1548] Abuse Elevation Control Mechanism – The malware prompts the user to enable elevated permissions: “it prompts the victim to enable two permissions: Accessibility Service Device Admin Permission”.
  • [T1056] Input Capture – The malware harvests credentials via fraudulent web pages and JavaScript: “After taking credentials using JavaScript, it collects and shares all the user information to the ‘showTt’ function.”
  • [T1566.002] Phishing: Spearphishing Link – The app opens URLs in the browser to present phishing pages: “‘opweb’ … ‘Open URLs on web browser for phishing’”.
  • [T1071.001] Application Layer Protocol: Web Protocols – The malicious app “establishes a connection with the Command-and-Control server to receive instructions and execute specific tasks accordingly.”
  • [T1005] Data from Local System – The malware reads local data such as messages, call logs, contacts and installed packages, shown by commands like “‘dmpsms’ Read Messages” and “‘dmpcon’ Device Contact list”.
  • [T1041] Exfiltration Over Command and Control Channel – Collected credentials and device information are sent back via the C2 channel: “it collects and shares all the user information to the ‘showTt’ function.”

Indicators of Compromise

  • [File Hash – SHA256] Malware samples identified – 0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d, 37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509, and 8 more hashes.
  • [File/Folder] Embedded phishing assets – fraudulent HTML pages bundled in the app’s “assetwebsite” folder (used to present credential capture forms and JavaScript handlers).
  • [C2 URL] Command-and-Control reference – a C&C server URL is embedded in the resource file (not active during analysis; shown in Figure 5 of the report).
  • [Public Repository] Online sample uploads – at least one recent sample was observed uploaded to VirusTotal (Figure 17 reference).

The malicious app is packaged to appear legitimate (using well-known app icons) and, once installed, requests Accessibility Service and Device Admin privileges to gain persistent, elevated control. After acquiring permissions it establishes contact with a Command-and-Control server to receive commands such as reading SMS/call logs/contacts, enumerating installed packages, changing wallpaper, toggling the camera flashlight via CameraManager, and sending SMS messages. Commands are enumerated in the sample (e.g., dmpsms, dmpcall, dmpcon, getpackages, changewall, opweb, sendsms) and the app uses these to collect and act on device data.

For credential harvesting the malware either opens attacker-specified URLs in the device browser or serves bundled fraudulent HTML pages from an ‘assetwebsite’ folder. Those pages present login forms and use JavaScript to capture user IDs and passwords, then call an internal function (showTt) to collect and forward the harvested credentials. The app also collects phone numbers and other local data from the device and can exfiltrate that information back to the C2 channel; while the resource file embeds the C2 URL, it was inactive during the analysis.

Static and dynamic analysis produced multiple SHA-256 indicators (listed above) and at least one sample was observed on VirusTotal. Detection and prevention should focus on blocking known sample hashes and C2 infrastructure, monitoring for suspicious requests for Accessibility/Device Admin permissions, and detecting in-app behavior that opens external URLs or serves embedded HTML designed to collect credentials.
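As an added illustration of the triage this paragraph calls for (and of the command set and bundled phishing assets described in the two paragraphs above), the following Python script is example code written for this page, not SonicWall's tooling. It treats an APK as the zip it is, hashes it against the two SHA-256 values listed on this page, looks in the manifest for the permission strings an app must declare to host an accessibility service or device-admin receiver, scans HTML under the ‘assetwebsite’ folder for password forms and the showTt collector, and counts the report's command strings inside the dex. Assumptions not in the report: that the folder sits under assets/ inside the APK, the ‘Bridge’ object name in the constructed HTML, and the placeholder dex content; the sample APK is constructed test data, not a real sample.

```python
import hashlib
import io
import re
import zipfile

# SHA-256 values of the two samples listed on this page (the report lists further hashes not reproduced here).
KNOWN_SAMPLE_HASHES = {
    "0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d",
    "37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509",
}

# Permission strings an app must declare to host an accessibility service / device-admin receiver.
ACCESSIBILITY_PERMISSION = b"android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERMISSION = b"android.permission.BIND_DEVICE_ADMIN"

# Assumption: the 'assetwebsite' folder from the report is packaged under the APK's assets/ directory.
PHISHING_ASSET_DIR = "assets/assetwebsite/"
PASSWORD_INPUT_RE = re.compile(rb"<input[^>]*type\s*=\s*[\"']password[\"']", re.I)
JS_COLLECTOR_NAME = b"showTt"  # the collector function named in the report

# Command strings the report says the sample enumerates.
C2_COMMANDS = [b"dmpsms", b"dmpcall", b"dmpcon", b"getpackages", b"changewall", b"opweb", b"sendsms"]


def triage_apk(apk_bytes: bytes) -> dict:
    """Walk an APK (a zip) and report the static indicators described in the report."""
    findings = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "known_sample": False,
        "requests_accessibility": False,
        "requests_device_admin": False,
        "phishing_html": [],
        "calls_showTt": False,
        "c2_commands_seen": set(),
    }
    findings["known_sample"] = findings["sha256"] in KNOWN_SAMPLE_HASHES
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name == "AndroidManifest.xml":
                # Real APKs store the manifest as binary XML, but permission names survive in its
                # string pool, so a byte search works on both compiled and decoded manifests.
                findings["requests_accessibility"] = ACCESSIBILITY_PERMISSION in data
                findings["requests_device_admin"] = DEVICE_ADMIN_PERMISSION in data
            elif name.startswith(PHISHING_ASSET_DIR) and name.lower().endswith((".html", ".htm")):
                if PASSWORD_INPUT_RE.search(data):
                    findings["phishing_html"].append(name)
                if JS_COLLECTOR_NAME in data:
                    findings["calls_showTt"] = True
            elif name.endswith(".dex"):
                findings["c2_commands_seen"].update(c.decode() for c in C2_COMMANDS if c in data)
    findings["c2_commands_seen"] = sorted(findings["c2_commands_seen"])
    return findings


def is_suspicious(f: dict) -> bool:
    """A known hash is decisive; otherwise require the permission pair plus credential-capture or C2 evidence."""
    if f["known_sample"]:
        return True
    elevated = f["requests_accessibility"] and f["requests_device_admin"]
    return elevated and (bool(f["phishing_html"]) or f["calls_showTt"] or len(f["c2_commands_seen"]) >= 3)


def build_constructed_sample(malicious: bool = True) -> bytes:
    """Constructed test data: a tiny zip laid out like the APK the report describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if malicious:
            z.writestr("AndroidManifest.xml",
                       b'<manifest><application>'
                       b'<service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
                       b'<receiver android:permission="android.permission.BIND_DEVICE_ADMIN"/>'
                       b'</application></manifest>')
            # "Bridge" is a placeholder name for the WebView-to-app bridge; the report only names showTt.
            z.writestr("assets/assetwebsite/login.html",
                       b'<form><input name="uid"><input type="password" name="pw"></form>'
                       b'<script>function go(){Bridge.showTt(uid.value, pw.value)}</script>')
            # Placeholder dex content carrying a few of the command strings.
            z.writestr("classes.dex", b"dex\n035\x00 dmpsms dmpcall dmpcon getpackages opweb")
        else:
            z.writestr("AndroidManifest.xml", b"<manifest><application/></manifest>")
            z.writestr("classes.dex", b"dex\n035\x00 nothing of note")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_constructed_sample())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

The permission check alone is a weak signal, since legitimate accessibility tools and MDM agents declare the same strings; the verdict therefore requires it together with the bundled credential forms or several of the report's command verbs, while a hash match from the IoC list is accepted on its own.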

Read more: https://blog.sonicwall.com/en-us/2024/04/android-remote-access-trojan-equipped-to-harvest-credentials/