Google customers will be able to treat Google Play a bit like a locker for their digital purchases.
Internet giant Google raised eyebrows yesterday by announcing it was doing away with the Android Market. In its place is Google Play, a new unified digital storefront that will not only offer access to Android apps, but also to Google's e-book, movie, and music offerings. The idea behind Google Play is to bring together Google's primary digital content offerings in a single place, then make that online storefront accessible not just from Android devices, but to everyday Web browsers as well.

Authored by: Sang Ryol Ryu and Chanung Pak

The McAfee Mobile Research team has found another variant of MalBus in an education application developed by a South Korean developer. In the previous MalBus case, the author distributed the malware through Google Play, but the new variants are distributed via the ONE Store in much the same way. ONE Store is a joint venture of the country's three major telecom companies and comes preinstalled on most Android phones sold in South Korea. It has 35 million users (close to 70% of South Korea's population) and had already surpassed Apple's app store in sales by the end of 2018.

The application in question is distributed via Google Play and the ONE Store at the same time. The malicious application downloads and runs an encrypted payload with malicious functions. McAfee Mobile Security detects this threat as Android/Malbus and alerts mobile users if it is present, while protecting them from any data loss.

Figure 1. Screen capture from the application page on the ONE Store

The Campaign

We found malicious code injected by an attacker, via the developer's account, into versions 27 and 28 of the application distributed through the ONE Store. The app signing certificate for versions 26 through 29 distributed from the ONE Store is the same, which is consistent with the malicious builds having been signed with the developer's own key rather than repackaged by a third party. No other application by the same author was found on the ONE Store. The ONE Store now serves version 29, which does not contain malicious code. Google Play still offers version 26, which is also clear of infection.

Figure 2. Infected version history of the application

The overall flow of the application, focusing on the malicious function, is explained below.

After the malware is installed, the malicious code has a latent period of 10 hours to avoid being discovered by dynamic analysis. The check is keyed to the package's LastUpdateTime, so a sandbox that runs the sample for a few minutes never reaches the malicious path unless the system clock or the recorded update time is moved.

Figure 4. Using LastUpdateTime to check latent period

After the latent period, it starts two threads. The first loads the native library "libmovie.so" and calls one of its exported functions, "playMovie", with a phone number as an argument; the second creates a Java server socket for communication with another native library.

Figure 5. The malicious native library embedded in the APK

The first loaded library, libmovie.so, contains a curl binary and the URLs of the secondary payloads as XOR-encoded data that is decoded at runtime. The XOR key is the single byte 0x8E and is used throughout the library. All decoded URLs appear to point to hacked (compromised) web servers, and each of them drops an RC4-encrypted ELF file.

Simply put, libmovie.so is a downloader and executor. It downloads the next payload from a hacked web server using the dropped curl binary, decrypts it and loads it as a library. Once the library is loaded, the downloaded file is deleted to avoid detection. As for the RC4 cryptographic routine, encryption is the most common way to hide or protect important things, so it is reasonable to assume that this file holds something important. Lastly, the downloaded code starts from the exported function "Libfunc".

Table 2. Additional information of downloaded file

The file sizes and data for szServer_XX_1 and szServer_XX_2 are the same, as shown in Table 2. szServer_XX_3 has several functions that were added, removed or slightly modified; however, this does not affect the overall process.

"doMainProc" is the core function called by "Libfunc". The first job of doMainProc is selecting the C2 server at random. After selecting the C2 server, a randomly created TUID is sent to the server. Judging from its usage, the TUID is probably a target device ID used to manage infected targets. The application then works as a spy agent, waiting for actions from the selected server and ready to execute commands. We discovered the following available commands:

Among the malicious commands, an eye-catching feature is SMS and MMS capture. SMS and MMS messages are saved in the "/data/data//files/" directory as "sms.txt" and "mms.txt" respectively. This feature is activated by registering an Android broadcast receiver.

Figure 7.

The malicious app opens TCP port 1111 locally to communicate with the loaded native library. Note that a java.net.ServerSocket constructed with only a port number binds to the wildcard address, not just loopback, so without a firewall rule the port is reachable from the network as well. Decompiled excerpt from the socket thread (truncated in the original):

    ServerSocket = new ServerSocket(sock_port) // sock_port = 1111
    while ((!Thread.currentThread().
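To make the libmovie.so staging concrete, here is an added analysis helper written for this edit; it is not McAfee's code and not taken from the sample. It recovers XOR-encoded URLs with the reported 0x8E key, brute-forces the key when it is unknown, RC4-decrypts a downloaded stage and checks for the ELF magic before anything would be loaded. The URLs, the RC4 key and the payload bytes are constructed; the real RC4 key is not given in the article.

```python
"""Added analysis helper for the libmovie.so staging described above.
Not McAfee's code and not taken from the sample: the URLs, RC4 key and
payload bytes are constructed for the example; only the 0x8E XOR key is
from the write-up."""
import re

XOR_KEY = 0x8E          # single-byte key the article reports for libmovie.so
ELF_MAGIC = b"\x7fELF"  # every ELF file starts with this


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encode and decode are the same op)."""
    return bytes(b ^ key for b in data)


def guess_xor_key(blob: bytes) -> int:
    """Brute-force a single-byte XOR key: the key that exposes the most
    'http' substrings wins. Useful when the key is not already known."""
    best_key, best_hits = 0, -1
    for key in range(256):
        hits = xor_bytes(blob, key).count(b"http")
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key


def extract_urls(blob: bytes, key: int = XOR_KEY) -> list:
    """Decode the blob and return every URL found in it, in order.
    A NUL (or any non-printable byte) terminates a URL."""
    decoded = xor_bytes(blob, key)
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", decoded)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """RC4-decrypt a downloaded stage and refuse anything that is not an ELF,
    so a wrong key or a decoy response is caught before the file is touched."""
    plain = rc4(key, blob)
    if not plain.startswith(ELF_MAGIC):
        raise ValueError("decrypted data is not an ELF file (wrong key or unexpected stage)")
    return plain


# --- constructed sample data (stand-ins for the real, compromised hosts) ---
SAMPLE_URLS = [
    b"http://example.com/img/szServer_01_1",
    b"http://example.org/upload/szServer_01_2",
]
# NUL-terminated string table, XOR-encoded with the article's key
SAMPLE_BLOB = b"".join(xor_bytes(u + b"\x00", XOR_KEY) for u in SAMPLE_URLS)
SAMPLE_RC4_KEY = b"constructed-key"   # assumption: the real key is not in the article
SAMPLE_ELF = ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 8 + b"constructed payload body"
SAMPLE_ENCRYPTED = rc4(SAMPLE_RC4_KEY, SAMPLE_ELF)

if __name__ == "__main__":
    key = guess_xor_key(SAMPLE_BLOB)
    print(f"recovered XOR key: 0x{key:02X}")
    for url in extract_urls(SAMPLE_BLOB, key):
        print("payload URL:", url)
    stage = decrypt_payload(SAMPLE_ENCRYPTED, SAMPLE_RC4_KEY)
    print(f"stage decrypted: {len(stage)} bytes, starts with {stage[:4]!r}")
```

On a real sample, feed `extract_urls` the .rodata (or whatever section the strings live in) of libmovie.so and `decrypt_payload` the bytes fetched from one of the recovered URLs; the ELF check is the step that stops an analyst from dlopen-ing garbage when the server has already been cleaned up and returns an HTML error page instead of the stage.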
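For the local server socket on port 1111, here is an added triage check, not part of the article and not McAfee's code, that parses the /proc/net/tcp table as found on Android/Linux and flags LISTEN sockets on that port, reporting whether each one is bound to loopback only or to every interface. The table lines below are constructed; on a rooted device the uid column can be mapped back to the owning package through /data/system/packages.list.

```python
"""Added triage check for the local TCP listener described above (port 1111).
Not McAfee's code: it parses the /proc/net/tcp format used by Android/Linux,
and the sample lines below are constructed."""
import os
import socket
import struct

SUSPECT_PORT = 1111   # port the article reports for the Java ServerSocket
TCP_LISTEN = "0A"     # socket state code for LISTEN in /proc/net/tcp


def _hex_ipv4(field: str) -> str:
    """'0100007F' (host byte order, little-endian) -> '127.0.0.1'."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))


def parse_proc_net_tcp(text: str) -> list:
    """Parse /proc/net/tcp into dicts with the fields a triage needs."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":   # skip header / short lines
            continue
        local_ip, local_port = fields[1].split(":")
        rows.append({
            "ip": _hex_ipv4(local_ip),
            "port": int(local_port, 16),
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def suspicious_listeners(rows: list, port: int = SUSPECT_PORT) -> list:
    """Report every LISTEN socket on `port`, saying whether it is bound to
    loopback only or to every interface (0.0.0.0)."""
    hits = []
    for r in rows:
        if r["state"] == TCP_LISTEN and r["port"] == port:
            scope = "all interfaces" if r["ip"] == "0.0.0.0" else f"{r['ip']} only"
            hits.append(f"uid {r['uid']} listens on port {port} ({scope}), inode {r['inode']}")
    return hits


# Constructed sample: an app uid (10123) listening on 0.0.0.0:1111 (0x0457),
# plus an unrelated loopback listener on 8080 and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0457 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 45690 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:D3A2 01 00000000:00000000 00:00000000 00000000  1000        0 45702 1 0000000000000000 100 0 0 10 0
"""


def scan(path: str = "/proc/net/tcp", port: int = SUSPECT_PORT) -> list:
    """Scan the live table when it exists (e.g. in an adb shell), else the sample."""
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    return suspicious_listeners(parse_proc_net_tcp(text), port)


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

Run it from an adb shell on the device under test (or feed it a pulled copy of /proc/net/tcp); a hit bound to all interfaces is the case worth escalating, since a ServerSocket created with only a port number ends up exactly there.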