Posted by Evina on

A new Trojan family is targeting carrier billing and advertising. After Joker, Venus malware is spreading fast: since October, already 8 apps have been discovered infected with over 285,000 installs in total and only one has been removed from the Google Play Store.

Evina has been observing a new ads and subscription bot family on Google Play. After Joker, it is a new malware family targeting carrier billing and advertising. This type of fraud is becoming more and more widespread and is now able to bypass Google’s detection system.

The malware — going by the name Venus (the class name which executes the fraud) — simulates the interaction with ads and subscribes the user to premium services without him noticing it. The browser is fully invisible during the on-going fraud.
The Venus malware has been attacking since late October and has reached the following countries: Belgium, France, Germany, Guinea, Morocco, Netherlands, Poland, Portugal, Senegal, Spain, and Tunisia.

Some Venus malware applications

How did we detect it? 

Our security analysts noticed that the entire data was consumed by an application called “Quick Scanner” (com.chaos.chaoscompass). They analyzed the source code and quickly realized that it was protected by a library which encrypts and hides files. 

APK COntent of Venus Malware
APK content of Venus malware

The application uses the libjiagu library created by the Chinese company Qihoo. The library protects the application’s content and runs protections against reverse engineering. Unfortunately, fraudsters take advantage of the library to use it dishonestly.

Yet, we were able to recover the DEX file (compiled Android file) containing the fraudulent code. The file was imported and decrypted in memory, after the anti-reverse check, in order to bypass Google’s detection.

Fraudulent content of Venus malware
Fraudulent content of Venus malware

Venus is waiting for the right time to attack. The malware is able to register time after the application has been downloaded instead of being launched on the very first day.

Sample code of Venus malware

At the time of the attack, Venus interrogates a C&C (Command and Control) server whose domain is: glarecube.com. The sent request is encrypted by the application as much as the response.

Request to the C&C server
Response of the C&C server

If we decrypt – which we did – the server’s response, we can see two things: 
    1) All the instructions containing URLs that redirect to premium services or websites containing ads, all created by the fraudster
     2) The javascript commands making the fraudulent process

Decrypted response of the C&C server

So, what happens in actual facts? 

The URL is loaded into an invisible browser – or several – without the application even running. The user does not know what’s going on and is billed through its carrier afterward. Undetected, the fraudster can make its profit from advertisements clicks and premium services subscriptions.

Nothing suspicious at first sight... But Venus malware executed two browsers!

Today, out of the eight Venus malware discovered, only one application has been removed from the Play Store and this was after being downloaded more than 100,000 times. Last month, Evina also caught 304 Joker applications, some of which are still on the Play Store. All of our customers have been protected from and warned about those new trojan families and we recommend to all phone owners: 

  • To check the comments on the application page
  • To check the permissions (a wallpaper app doesn’t need to have phone permissions)
  • To avoid flashlight, scanner, wallpaper applications 
Venus malware list - 12/09/2019


Don’t miss any news about cybersecurity: subscribe to Evina Fraud Observer!

You should also read