EVINA PROTECTS END-USERS, MOBOK: A MALWARE FAMILY IN CONSTANT EVOLUTION THAT PERPETRATES MOBILE FRAUD IN GERMANY

Posted by Evina on

Evina has detected the MobOk family of mobile malware in 49 Android applications. Several clues indicate that some of the malware is concentrated in Germany. Although it is unusual to see the victims of a whole malware family in the same country, fraudsters always look for accessible targets and keep working on a weakness for as long as it is lucrative, and Germany is unfortunately not exempt. As is typical for most malware, MobOk keeps evolving the way it hides its malicious code and its fraud methods. In the world of mobile malware, this makes MobOk a particularly challenging opponent.

All Evina customers (mobile operators, payment gateways and content editors) are protected from MobOk, and so in turn are their own customers.

How does it work? MobOk collects information useful for its fraudulent activity, such as the relevant operator details and the screen size of the mobile device. It then launches an invisible browser that aims to subscribe the user to premium-rate mobile services billed through the applicable operator.

Some MobOk malware applications

MobOk asks for permission to read notifications, and this is how the malware retrieves the content of SMS messages. Consumers have to accept the permission manually.

Phone Booster, a MobOk malware that looks very professional

There are several indications that the fraud was initially perpetrated in Germany. First, almost all of the comments are negative and written in German; furthermore, the application communicates with the ium2.de domain; and finally, we have observed attacks on German IPs. Other cases concern Asia, especially Thailand and Malaysia.

Google Play comments

DETECTION

Evina has created a honeypot that uses a network of 3G proxy SIM cards around the world to attract fraudulent activity. With SIMs in Germany, we have seen fraudulent subscriptions resulting from the MobOk application.


MOBOK GENERATIONS

The malware family has evolved the way it loads its fraudulent code in order to avoid detection by the Play Store.

First generation

In the beginning, the malicious code was located directly in the application, with only simple obfuscation.

The NService class contains the service that reads SMS messages from notifications

Second generation

In the second generation of MobOk, the malware carried an encrypted DEX file in the assets folder that contained all the malicious code. The decryption function was embedded directly in the application code.

Encrypted DEX file
After decryption, the file is renamed a22777.dex

Third generation

Finally, MobOk uses the Bangcle packer to hide all the files of the library, and it also carries significant anti-reverse-engineering protection.

Phone Booster's source is packed by Bangcle...
...and here it is after we unpacked it

FRAUD SCENARIO

During the attack, MobOk sends information from the affected phone to a C&C (Command and Control) server whose domain is ium2.de. The request is encrypted by the application.

Request to the command and control server ium2.de

In response, the server provides MobOk with the URLs and JavaScript to execute in order to carry out the fraud. The response is also encrypted.

Server response decrypted

Then MobOk turns off WiFi so that the device connects via the mobile network, where the premium service can be charged to the subscriber.

Disable WiFi network

Finally, the malware launches an invisible browser in which it loads the URLs it has received and executes the JavaScript commands.

Load URL and JavaScript in invisible WebView

SUMMARY

MobOk is a family of malware that is constantly evolving to remain undetected by the Google Play Store. In its latest generation, and according to our sources, none of the malware in the family has been detected. It is quite likely that MobOk will spread to many other countries and, given the code, that it will extend its fraudulent activities.


HOW TO PROTECT?

If you are an end-user, you need to be careful with the applications you download. To limit the risk, we advise you to:

  • check the comments on the application page
  • check the permissions (a wallpaper app does not need any specific phone permissions)
  • avoid flashlight, scanner, wallpaper and SMS applications

If you are a service provider, such as a mobile carrier, payment gateway or content editor, you must use an independent anti-fraud solution from an expert in payment and mobile cybersecurity.

Evina guarantees end-user safety and ensures the sustainable growth of the German mobile payment market, collaborating with vene OVERWATCH, a complementary anti-fraud platform, along with local carriers such as Mobilcom-Debitel and T-Mobile.

APPS

(02/04/2020)
