Fake WhatsApp (adware) in Google Play

Friday, 25 October 2013

Yesterday, and still today, an almost exact copy of WhatsApp appeared in Google Play that is, in fact, simple adware. Thousands of malicious programs are created for Google Play daily... but this case is a little special for several reasons.

There is a lot of malware in Google Play: adware and all kinds of surprises. That is not breaking news. The "open doors" policy, together with apps that do not need to be digitally approved or signed, makes it easy. A few days ago ElevenPaths discovered a copycat of AdBlock Plus, a fake that made some noise when Kaspersky published it, crediting us. The funny thing about that case is that AdBlock Plus had been "retired" from Google Play long ago, because ads are Google's business and Google does not like applications that block them. So an exact copycat of this application in its own market was very attractive for users... and for attackers.

The same goes for WhatsApp. It is one of the most used and downloaded apps in Spain and many other countries: more than 10 million people used it in Spain alone in 2011, and it has hundreds of millions of accumulated downloads.

We would like to clear up the different kinds of malware that can be hosted (permanently or ephemerally) in Google Play:
  • Malware and spy apps. Without copying any app, they are simple tracking and spying systems, for users who directly want to trojanize someone.
  • Apps that "look" like others but aren't really. They try to confuse the user.
  • Apps that look like others and really work like the originals, but additionally include adware. Attackers "repack" the original adding malware, just as the "classic" trojan programs did long ago.
  • Apps that are presented in Google Play as exact copies of others (except for the vendor name) but are just malware, with no real functionality at all. These are the "fake apps" we are talking about.
These last ones are the most interesting, because that is where the user may be fooled most easily. Only by knowing the real vendor name (which you don't always know), paying attention to the number of downloads and stars (which even the attackers try to inflate) and to the date of the program... and being very careful, can the user avoid falling victim to malware.

In this case, as we already stated, there are many fake apps in Google Play. But for a few months now, a certain team of attackers has been focusing on WhatsApp as a fake app. We have researched a bit and have some indications that these attackers are from the Chinese Shandong province and have been running the same attack model for a few months (we will keep investigating, since there is another group of attackers that uses WhatsApp as a decoy as well). Until today, they didn't "dare" to create an almost identical copy with the same name or icon. These are just some examples of what they have been doing over the last month. You can tell that sometimes they have used the old icon and sometimes they have added some element to the current one... and the name was always different in some way.

But the one used as a fake app today is:

And the original one:

The only difference between them is the background transparency (which we guess was the attacker's carelessness). The fake app is less than 300 kilobytes, and the original one is 11 megabytes. It is not detected by any antivirus engine (because it does not contain code recognized as adware, and does not abuse permissions), and its only functionality is to push intrusive ads to the user once installed; it has no useful functionality even remotely related to the app it is trying to fake. As a funny note, it needs fewer permissions than the original app:
  • complete access to network
  • see network connections
  • check identity and state of the telephone
  • modify or remove content from USB storage
  • install shortcuts
  • access to USB storage filesystem
  • try access to protected storage
Why do they sometimes resemble the original more and sometimes less? Because the more similar they look, the riskier it gets: Google Play will remove them sooner. When the name or icon are not exactly the same, the fake app can last longer in the market. It's a trade-off between effectiveness and "attack duration".
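The signals the post relies on to spot a fake (vendor name, download count and stars, listing age, package size, and the permission list compared with the original) can be turned into a repeatable triage check. The following is an added example and not code from the original post or from ElevenPaths: it compares a suspect listing's metadata against a known-good baseline and reports every discrepancy. The size figures and the seven permissions of the fake come from the post; the baseline vendor string, download count, listing age and the extra permissions of the genuine app are placeholders and constructed values, not data from the real listing.

```python
"""Listing-triage heuristics for an app that imitates a well-known one.

Added example, not code from the original post or from ElevenPaths. The
baseline values are assumptions: the vendor string, download count and
listing age are placeholders, the sizes mirror the figures quoted in the
post, and the genuine app's additional permissions are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    """Metadata a reviewer can read off a Google Play listing page."""
    name: str
    vendor: str
    size_bytes: int
    downloads: int
    rating: float            # star rating, 0.0 - 5.0
    days_listed: int         # age of the listing in the store
    permissions: frozenset   # permission labels as shown to the user


def assess_listing(candidate, baseline, *, size_ratio=0.1,
                   min_downloads=100_000, min_days=30, high_rating=4.5):
    """Return a list of human-readable findings; an empty list means
    nothing in the listing metadata distinguishes it from the baseline."""
    findings = []

    # A copy published under a different vendor is the strongest single signal.
    if candidate.vendor.strip().casefold() != baseline.vendor.strip().casefold():
        findings.append(f"vendor mismatch: {candidate.vendor!r} vs {baseline.vendor!r}")

    # A "full" app an order of magnitude smaller than the original cannot
    # carry the original's functionality (the post: <300 KB vs 11 MB).
    if candidate.size_bytes < baseline.size_bytes * size_ratio:
        findings.append(f"package is {candidate.size_bytes / baseline.size_bytes:.1%} "
                        "of the original's size")

    # Young listings with few downloads are how every fake starts out.
    if candidate.downloads < min_downloads:
        findings.append(f"only {candidate.downloads} downloads")
    if candidate.days_listed < min_days:
        findings.append(f"listed for only {candidate.days_listed} days")

    # Stars are easy to inflate, so a high rating on few downloads is itself odd.
    if candidate.rating >= high_rating and candidate.downloads < min_downloads:
        findings.append(f"rating {candidate.rating} looks inflated for the download count")

    # Permission diff in both directions: missing ones mean the app cannot do
    # what the original does; extra ones mean it does something the original doesn't.
    missing = baseline.permissions - candidate.permissions
    extra = candidate.permissions - baseline.permissions
    if missing:
        findings.append("permissions the original needs but this one lacks: "
                        + ", ".join(sorted(missing)))
    if extra:
        findings.append("permissions the original does not request: "
                        + ", ".join(sorted(extra)))
    return findings


def is_suspicious(findings, threshold=2):
    """Treat two or more independent findings as a probable fake."""
    return len(findings) >= threshold


# The seven permissions the post lists for the fake app (user-facing labels).
FAKE_PERMISSIONS = frozenset({
    "complete access to network", "see network connections",
    "check identity and state of the telephone",
    "modify or remove content from USB storage", "install shortcuts",
    "access to USB storage filesystem", "try access to protected storage",
})

# Assumed baseline for the genuine app: 11 MB as quoted in the post; vendor,
# download count, age and the extra permissions are constructed placeholders.
BASELINE = Listing(
    name="WhatsApp Messenger", vendor="GENUINE-VENDOR-PLACEHOLDER",
    size_bytes=11_000_000, downloads=100_000_000, rating=4.3, days_listed=1_000,
    permissions=FAKE_PERMISSIONS | {"read contacts", "record audio",
                                    "receive text messages"},
)

# Constructed fake listing: <300 KB and the seven permissions come from the
# post; vendor, downloads, rating and age are made-up sample values.
FAKE = Listing(
    name="WhatsApp Messenger", vendor="other-publisher-placeholder",
    size_bytes=290_000, downloads=5_000, rating=4.8, days_listed=1,
    permissions=FAKE_PERMISSIONS,
)

if __name__ == "__main__":
    report = assess_listing(FAKE, BASELINE)
    for finding in report:
        print("-", finding)
    print("suspicious:", is_suspicious(report))
```

Run stand-alone, the script lists six findings for the constructed fake (vendor, size, downloads, age, inflated rating, and the permissions it lacks) and none when the baseline is checked against itself. The permission diff is deliberately two-sided: the post's fake is flagged for requesting fewer permissions than the original, while a repacked copy carrying adware would typically be flagged for requesting more.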

Sergio de los Santos
