Evina has detected the MobOk family of mobile malware in 49 Android applications. Several clues indicate a concentration of some of the malware in Germany. Even though, it is unusual to see a whole family of malware victims in the same country, fraudsters always look for accessible targets and work on the weaknesses as long as it is lucrative. Germany is unfortunately not exempted. As typical for most malware, MobOk continues to evolve the way it hides its malicious code and fraud methods. In the world of mobile malware, this makes MobOk a particularly challenging opponent.
All Evina customers: mobile operators, payment gateways and content editors are protected from MobOk and in doing so all their customers.
How does it work? MobOk collects information that is useful for its fraudulent activities such as the relevant operator details and mobile device screen size. It then launches an invisible browser that aims to subscribe the user to premium-rated mobile services using the applicable billing operator.
MobOk will ask for permission to read notifications and this is how the malware is able to retrieve the content of SMS messages. Consumers have to accept the permission manually.
There are several indications that the fraud initially perpetrated in Germany. First of all, there are almost only negative comments in German, furthermore the application communicates with the ium2.de domain and finally we have received attacks on German IPs. Other cases concern Asia, especially Thailand and Malaysia.
Evina has created a honeypot that uses a network of 3G proxy SIM cards around the world to attract fraudulent activity. When we use SIMs in Germany, we have seen fraudulent subscriptions as a result of the MobOk application.
The malware family has evolved a way to load its fraudulent code to avoid detection by the Play Store.
In the beginning, the malicious code was located directly in the application with only a simple obfuscation.
In the second generation of MobOk, the malware had an encrypted DEX file in the Assets folder thatcontained all the malicious code. The decrypted function was directly in the code.
Finally, MobOk uses the Bangcle packer, to hide all the files from the library and also has a significant anti-reverse engineering protection.
During the attack, MobOk sends information from the affected phone to a C&C (Command and Control) server whose domain is: ium2.de. The send request is encrypted by the application.
Then, MobOk turns off the WiFi to connect to the mobile network where it will be able to charge for the premium service.
MobOk is a family of malware that is constantly evolving to remain undetected by the Google Play Store. In its latest generation, and according to our sources, none of the malware in the family has been detected. It isquite likely that MobOk will spread to many other countries and, given the code, that it will extend its fraudulent activities.
HOW TO PROTECT?
If you are an end-user, it is necessary to be careful with the applications you download. To limit the risk, we advise you:
- To check the comments on the application page
- To check the permissions (a wallpaper app does not need to have any specific phone permissions)
- Avoid flashlight, scanner, wallpaper, SMS applications
If you are a service provider, such as a mobile carrier, payment gateway or content editor, you must use an independent anti-fraud solution expert in payment and mobile cybersecurity.
Evina guarantees end-users safety and ensures a sustainable growth of the German mobile payment market, collaborating with vene OVERWATCH, a complementary anti-fraud platform, along with local carriers such as Mobilcom-Debitel and T-Mobile.