Social Network Account Stealers Hidden in Android Gaming Hacking Tool | McAfee Blog

McAfee researchers found Android account-stealing malware hidden in a re-packaged PUBG game assistant derived from the open-source DesiEsp tool; the dropper requests root, installs a disguised secondary payload, abuses the Accessibility Service, and harvests Google, Facebook, Twitter, Telegram and PUBG account data. The malware exfiltrates stolen credentials over HTTP and uses packing and obfuscation to evade detection. #DesiEsp #AndroidStealer

Keypoints

  • Malware is a re-packaged DesiEsp PUBG assistant distributed via Telegram channels, not found on Google Play.
  • Initial dropper requests superuser (root) access and, if granted, performs two main actions: reads system account databases and installs a secondary payload via “pm install”.
  • Secondary payload disguises itself (package name like com.android.google.gsf.policy_sidecar_aps or com.google.android.gsf), runs as an Accessibility Service, and hides its icon to run in background.
  • Credential harvesting combines two methods: an AccessibilityService that monitors the login windows of the targeted apps, and direct reads of the system account database, app databases and user config files (which requires the root access the dropper obtained, or an equivalent privilege).
  • Malware attempts to activate device-admin to hinder removal and exfiltrates collected account data to a command-and-control domain over HTTP (example: hosting-b5476[.]gq).
  • Samples exhibit evasive techniques such as packing, code obfuscation, and string encryption; McAfee detects it as Android/Stealer.
  • Targeted apps and packages include Facebook, Twitter, Google services, and PUBG Mobile (com.facebook.katana, com.twitter.android, com.google.android.gms, com.tencent.ig).

MITRE Techniques

  • [T1548] Abuse Elevation Control Mechanism – The dropper requests superuser (root) permission to gain elevated access. (‘it will ask the user to allow superuser permission’)
  • [T1059.003] Command and Scripting Interpreter: Unix Shell – Uses the “pm install” command to install the payload package from the assets folder. (‘it will install an additional payload … using the “pm install” command’)
  • [T1056.001] Input Capture: Keylogging – Uses Android AccessibilityService to monitor login windows and capture account input fields from targeted apps. (‘monitor the login window and account input box text of the stolen app through the AccessibilityService interface to steal account information’)
  • [T1555] Credentials from Password Stores – Accesses the Android system account database, app databases, and user config files to extract account numbers, passwords, keys, and tokens. (‘steal account information … by accessing the account database of the system, the user config file, and the database of the monitored app’)
  • [T1036] Masquerading – Disguises payload package and app name (e.g., com.google.android.gsf, com.android.google.gsf.policy_sidecar_aps) and hides icons to appear as system services. (‘it usually disguises the package name as something like “com.google.android.gsf” to make users think it is a system service of Google’)
  • [T1543] Create or Modify System Process (Persistence) – Attempts to enable device-admin privileges to make removal more difficult. (‘it also will try to activate the device-admin to difficult its removal’)
  • [T1027] Obfuscated Files or Information – Uses packing, code obfuscation, and string encryption to evade detection. (‘use several ways to counter the detection of anti-virus software including packing, code obfuscation, and strings encryption’)
  • [T1041] Exfiltration Over C2 Channel – Sends stolen account information to the attacker server via HTTP. (‘the malware will report the stolen account information to the hacker’s server via HTTP’)

Indicators of Compromise

  • [File Hash – Dropper] dropper sample examples – 36d9e580c02a196e017410a6763f342eea745463cefd6f4f82317aeff2b7e1a5, fac1048fc80e88ff576ee829c2b05ff3420d6435280e0d6839f4e957c3fa3679 (and 9 more hashes)
  • [File Hash – Payload] payload sample examples – 8ef54eb7e1e81b7c5d1844f9e4c1ba8baf697c9f17f50bfa5bcc608382d43778, 4e08e407c69ee472e9733bf908c438dbdaebc22895b70d33d55c4062fc018e26 (and 6 more hashes)
  • [Domain] command-and-control / hosting domain – hosting-b5476[.]gq
  • [Package / App Names] disguised payload and target app packages – com.android.google.gsf.policy_sidecar_aps (payload), com.google.android.gsf (disguise); targeted app packages include com.facebook.katana, com.twitter.android, com.google.android.gms, com.tencent.ig
  • [Filenames] payload disguise examples – assets files disguised with extensions like *.crt or *.mph (used to hide APK payload in assets)

McAfee’s analysis shows the malware is a re-packaged version of the open-source DesiEsp PUBG assistant distributed via Telegram channels rather than Google Play. The initial dropper prompts the user for superuser (root) access and, once it is granted, performs two primary actions: it reads accounts from the Android system account database and application databases, and it installs a secondary payload from its assets folder with the “pm install” command. The payload file is stored under a misleading extension (.crt or .mph) so that it does not look like an APK, and it is installed under a system-like package name (for example com.android.google.gsf.policy_sidecar_aps) with its launcher icon hidden, so that it passes for a legitimate Google system service.
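A static check for the asset trick described above, added here as an example and not code from the McAfee write-up: the script treats every file under assets/ as a potential APK regardless of its extension, using the zip magic plus the presence of AndroidManifest.xml and a .dex entry as the test. The APK it scans is constructed in memory for the example (the inner archive only carries stub manifest and dex bytes) and is not one of the hashed samples.

```python
import io
import zipfile

# Every APK is a zip archive, so an asset that begins with a zip local-file
# header deserves a second look no matter what its extension says.
ZIP_MAGIC = b"PK\x03\x04"


def looks_like_apk(data: bytes) -> bool:
    """True if `data` is a zip archive carrying an Android manifest and dex code."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def find_hidden_apks(apk_bytes: bytes) -> list:
    """Return one record per assets/ entry that is a valid APK; the record notes
    whether the entry's extension hides that fact (e.g. *.crt or *.mph)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            if not name.startswith("assets/") or info.is_dir():
                continue
            data = outer.read(name)
            if looks_like_apk(data):
                findings.append({
                    "entry": name,
                    "size": len(data),
                    "extension_mismatch": not name.lower().endswith(".apk"),
                })
    return findings


def _make_zip(entries: dict) -> bytes:
    """Build a zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed test input (not a real sample): an outer APK whose assets/
    folder holds a second APK twice, once as *.crt and once as *.mph, next to a
    genuine PEM certificate and a font that must not be flagged."""
    stub_manifest = b"\x03\x00\x08\x00"   # first bytes of a binary AXML file
    stub_dex = b"dex\n035\x00"            # dex file magic
    inner_apk = _make_zip({"AndroidManifest.xml": stub_manifest, "classes.dex": stub_dex})
    return _make_zip({
        "AndroidManifest.xml": stub_manifest,
        "classes.dex": stub_dex,
        "assets/cert.crt": inner_apk,     # disguised payload
        "assets/data.mph": inner_apk,     # disguised payload
        "assets/ca.pem": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
        "assets/font.ttf": b"\x00\x01\x00\x00",
    })


if __name__ == "__main__":
    for hit in find_hidden_apks(build_sample_apk()):
        print(hit)
```

Run it against a real dropper by replacing `build_sample_apk()` with the bytes of the APK under analysis; the magic-byte test is what matters, because renaming the asset to .crt defeats a check that only looks at extensions.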

The installed payload registers an Accessibility Service. Accessibility services, once enabled, receive accessibility events for windows belonging to other apps and can walk the foreground window's node tree, which lets the payload recognise the login screens of the targeted apps (Facebook, Twitter, Google services, PUBG Mobile) and read the text entered into their account and password fields. In addition to this Accessibility-based input capture, the malware reads the system account database, application databases and user configuration files directly, which relies on the root access obtained by the dropper; it also gathers device identifiers such as the IMEI. To resist removal it attempts to activate device-admin privileges, and it exfiltrates the harvested account data to attacker-controlled servers over HTTP (example domain: hosting-b5476[.]gq).

Samples exhibit anti-detection measures including packing, code obfuscation, and string encryption. Static and dynamic indicators include the dropper and payload hashes (examples listed above), the disguised package names and asset filenames, the use of “pm install” to install the payload, an enabled AccessibilityService used for credential capture, direct database access once root is available, and HTTP-based exfiltration to the noted domain.
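A device-side triage helper matching the indicators above, added here as an example and not part of the McAfee analysis. It parses the output of three adb commands (`pm list packages -f`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy`) and flags the IoC package name, a lookalike com.google.android.gsf installed outside the system partitions, an enabled accessibility service and an active device admin. The three inputs embedded below are constructed to resemble real adb output; the paths, uid and the com.example.screenreader package are invented for the example.

```python
import re

# Package names from the IoC list. com.google.android.gsf is a genuine Google
# package, so on its own it proves nothing; an install path outside the system
# partitions is what makes an entry by that name worth a look.
IOC_PACKAGES = {"com.android.google.gsf.policy_sidecar_aps"}
LOOKALIKE_PACKAGES = {"com.google.android.gsf"}
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")


def parse_pm_list(text: str) -> dict:
    """`adb shell pm list packages -f` -> {package: apk_path}. The path itself can
    contain '=' (e.g. /data/app/~~Ab3d==/...), so split on the last '=' only."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            pkgs[pkg] = path
    return pkgs


def parse_a11y(text: str) -> set:
    """`adb shell settings get secure enabled_accessibility_services` gives
    'pkg/cls:pkg2/cls2' (or 'null'); return the packages owning a service."""
    text = text.strip()
    if text in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if "/" in entry}


ADMIN_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+):\s*$")


def parse_device_admins(text: str) -> set:
    """Packages listed under 'Enabled Device Admins' in `adb shell dumpsys device_policy`."""
    admins, in_section = set(), False
    for line in text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section and not line.strip():
            in_section = False            # a blank line ends the section
            continue
        if in_section:
            m = ADMIN_RE.match(line)
            if m:
                admins.add(m.group(1))
    return admins


def triage(pm_text: str, a11y_text: str, dpm_text: str) -> list:
    """Correlate the three outputs; return (kind, package, severity) findings."""
    pkgs = parse_pm_list(pm_text)
    watched = IOC_PACKAGES | LOOKALIKE_PACKAGES
    findings = []

    def user_installed(pkg):
        return pkg in pkgs and not pkgs[pkg].startswith(SYSTEM_PREFIXES)

    for pkg in pkgs:
        if pkg in IOC_PACKAGES:
            findings.append(("ioc_package", pkg, "high"))
        elif pkg in LOOKALIKE_PACKAGES and user_installed(pkg):
            findings.append(("lookalike_outside_system", pkg, "review"))
    for pkg in sorted(parse_a11y(a11y_text)):
        if pkg in watched:
            findings.append(("accessibility_enabled", pkg, "high"))
        elif user_installed(pkg):          # any user-installed a11y service deserves a look
            findings.append(("accessibility_enabled", pkg, "review"))
    for pkg in sorted(parse_device_admins(dpm_text)):
        findings.append(("device_admin", pkg, "high" if pkg in watched else "review"))
    return findings


# Constructed inputs shaped like real adb output; paths, the uid and
# com.example.screenreader are invented for this example.
SAMPLE_PM = """\
package:/system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk=com.google.android.gsf
package:/data/app/~~Q1w2E3r4==/com.android.google.gsf.policy_sidecar_aps-Ab12==/base.apk=com.android.google.gsf.policy_sidecar_aps
package:/data/app/~~T5y6U7i8==/com.tencent.ig-Cd34==/base.apk=com.tencent.ig
package:/data/app/~~O9p0A1s2==/com.example.screenreader-Ef56==/base.apk=com.example.screenreader
"""
SAMPLE_A11Y = ("com.android.google.gsf.policy_sidecar_aps/.GsfService:"
               "com.example.screenreader/.ReaderService")
SAMPLE_DPM = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.google.gsf.policy_sidecar_aps/.AdminReceiver:
      uid=10245

  Password quality: 0
"""

if __name__ == "__main__":
    for kind, pkg, sev in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DPM):
        print(f"[{sev:6}] {kind:24} {pkg}")
```

On a live device, feed the script the output of the three commands run over `adb shell`; the "review" findings are not verdicts but the places (user-installed accessibility services, device admins, a Google-looking package outside /system or /product) where this family's footprint shows up.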

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/social-networks-account-stealer-hidden-in-android-gaming-hacking-tool/