Key points
- Malicious apps posing as “Smartphone Anshin Security” were published on Google Play and via Google Drive; Google removed the known apps and files after notification.
- Attackers lured victims with SMS messages containing Google Play links and social-engineering text prompting a security-app update.
- The APK loads a Go-written native library (libmyapp.so) that establishes a persistent WebSocket to a C2 and uses WAMP to process RPC calls.
- Registered RPCs include connect_to (creates a reverse proxy), toggle_wifi (switch network), get_info/get_status (send device/network info), and show_battery_opt (prompt to disable battery optimization).
- The malware exfiltrates the mobile payment “Service password” entered by victims (the app deliberately shows incorrect-password prompts to collect precise entries).
- By creating a reverse proxy through the victim device, attackers can route purchase requests via the victim’s network, enabling fraudulent transactions.
- McAfee detects the threat as Android/ProxySpy; IoCs published include IPs, domain ruboq[.]com, multiple SHA256 hashes, and package names like com.z.cloud.px.app.
MITRE Techniques
- [T1204] User Execution – SMS lures with Google Play links are used to trick users into installing the app (‘the attacker sends SMS messages from overseas with a Google Play link to lure users to install the malware’).
- [T1071] Application Layer Protocol – The malware uses WebSocket and WAMP for command-and-control and RPC processing (‘tries to connect to the C2 server using a Web Socket… WAMP is used to communicate and process Remote Procedure Calls (RPC)’).
- [T1090] Proxy – The malware creates a reverse proxy allowing the attacker to use the victim’s network (‘connect_to — Create reverse proxy and connect to remote server’).
- [T1056] Input Capture – The app collects credentials via a fake UI that repeatedly prompts for a Service password to capture the correct value (‘it asks for the Service password… the malware shows incorrect password messages to collect the more precise passwords’).
Indicators of Compromise
- [IP] C2/network indicators – 193[.]239[.]154[.]23, 91[.]204[.]227[.]132
- [Domain] Hosting / related domain – ruboq[.]com
- [SHA256] Malicious APK hashes – 5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd, e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0, and 4 more hashes
- [Package name] Android package identifiers – com.z.cloud.px.app, com.z.px.appx
The malware is delivered mainly through social-engineered SMS messages linking to Google Play and via Google Drive-hosted APKs; the Google Drive method reduces visible installation traces and can install the APK with only a few taps if unknown-app installs are already allowed. Researchers observed multiple developer accounts publishing variants to Google Play; after disclosure Google removed the known apps and Drive files associated with the listed hashes.
At runtime the app loads a Go-based native library (libmyapp.so) that opens a persistent WebSocket to a C2 server and uses the WAMP protocol to register and execute RPC commands. On connection the binary sends device/network metadata and the phone number, then registers RPC handlers such as connect_to, disconnect, get_status, get_info, toggle_wifi, and show_battery_opt; when the user enters the mobile payment “Service password” the activity forwards that secret to the attacker over the socket.
Key malicious capabilities include connect_to, which establishes a reverse proxy allowing the attacker to route purchase requests through the victim’s network (bypassing NAT/firewall), and toggle_wifi, which switches the device between Wi‑Fi and cellular to control routing. The combination of credential-harvesting UI and reverse-proxy network access enables fraudulent transactions billed via the victim’s mobile account. McAfee detects this family as Android/ProxySpy and published IoCs and package names to aid detection; users should avoid installing untrusted apps and be cautious entering sensitive passwords into unfamiliar applications.
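Detection logic for the WAMP behaviour described above, as an added example that is not part of the original report or McAfee's tooling: it walks decoded WebSocket frames and flags a session whose client REGISTERs the RPC names attributed to Android/ProxySpy (or talks to a listed C2), then follows REGISTERED ids so that a later server-side INVOCATION of connect_to can be named. The frame format, JSON serialisation, ids and arguments are assumptions constructed for the demo; the RPC names and network indicators are the ones the report lists.

```python
import json

# RPC names the report says libmyapp.so registers with the C2 over WAMP.
PROXYSPY_RPCS = {"connect_to", "disconnect", "get_status", "get_info",
                 "toggle_wifi", "show_battery_opt"}
# Network IoCs from the report (defanged there; written plainly here for matching).
C2_INDICATORS = {"193.239.154.23", "91.204.227.132", "ruboq.com"}
REGISTER, REGISTERED, INVOCATION = 64, 65, 68  # WAMP basic-profile message codes

# Constructed frames "<peer> <dir> <json>": ">" device to server, "<" server to device.
# Ids and arguments are invented for the demo; only the RPC names come from the report.
FRAMES = [
    '91.204.227.132:443 > [64,1,{},"connect_to"]',
    '91.204.227.132:443 < [65,1,501]',
    '91.204.227.132:443 > [64,2,{},"toggle_wifi"]',
    '91.204.227.132:443 < [65,2,502]',
    '91.204.227.132:443 > [64,3,{},"get_info"]',
    '91.204.227.132:443 < [65,3,503]',
    '91.204.227.132:443 < [68,9,501,{},["198.51.100.7",8443]]',  # server invokes connect_to
    '192.0.2.20:8080 > [64,1,{},"com.example.ping"]',              # unrelated WAMP client
    '192.0.2.20:8080 < [65,1,77]',
]

def analyze(frames, min_rpcs=2):
    """Return {peer: finding} for sessions that register >= min_rpcs ProxySpy RPCs
    or talk to a listed C2, with the procedures the server later invoked."""
    procs_by_req, procs_by_reg, registered, invoked = {}, {}, {}, {}
    for line in frames:
        peer, direction, payload = line.split(" ", 2)
        msg = json.loads(payload)
        if direction == ">" and msg[0] == REGISTER:
            # [REGISTER, Request|id, Options, Procedure|uri]
            procs_by_req[(peer, msg[1])] = msg[3]
            registered.setdefault(peer, set()).add(msg[3])
        elif direction == "<" and msg[0] == REGISTERED:
            # [REGISTERED, REGISTER.Request|id, Registration|id]: ties request to registration
            if (peer, msg[1]) in procs_by_req:
                procs_by_reg[(peer, msg[2])] = procs_by_req[(peer, msg[1])]
        elif direction == "<" and msg[0] == INVOCATION:
            # [INVOCATION, Request|id, Registration|id, Details, Arguments...]
            invoked.setdefault(peer, []).append(
                procs_by_reg.get((peer, msg[2]), "<unknown registration>"))
    findings = {}
    for peer, procs in registered.items():
        hits = procs & PROXYSPY_RPCS
        ioc = peer.rsplit(":", 1)[0] in C2_INDICATORS
        if ioc or len(hits) >= min_rpcs:
            findings[peer] = {"ioc_match": ioc, "rpcs": sorted(hits),
                              "invoked": invoked.get(peer, [])}
    return findings
```

Because the device is the WAMP callee, the server never sends CALL to it; an INVOCATION carrying a Registration id is the event to watch, and resolving that id back to connect_to is what turns a generic WAMP session into a reverse-proxy indicator.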