Following the Trail of South Korean Mobile Malware

There have been previous reports of attacks targeting third-party app sites in South Korea, which resulted in more than 20,000 smartphones being infected with malicious apps. Note that none of these apps were found on the official Google Play store.

Checking our database confirmed that this malware family has already been detected as ANDROIDOS_KrBot.HRX. We decided to look further into this slew of infections.

Res Sou, the Cybercriminal

The cybercriminals behind these attacks are active members of underground forums dealing in pirated apps, often cracked versions of top gaming apps. We found that these criminals collect the cracked apps, repackage them with malicious bot code, and redistribute them on the forums.

Based on our investigation, users may encounter these apps when installing them from torrent websites, forums, and unofficial third-party app sites.

Figure 1.Malicious app posts in underground forums

Figure 2. Malicious app in Google Drive

Figure 3. Malicious app found in torrent websites

Once the malware is executed, it runs as a background service which first connects to predefined mail servers.

Figure 4. Hidden bot service

Our investigation revealed that some of the email accounts were deserted, suggesting that the bot was inactive.

Figure 5. Deserted email accounts

However, we noticed that we were still seeing variants from this malware family. We soon found variants that had been updated with new, valid email accounts. These email accounts contain encrypted codes from a cybercriminal dubbed “Res Sou.”

Figure 6. Encrypted control code in mail inbox

The code in the mail decrypts to two endpoints: a socket server, http://{BLOCKED}dapp[.]ocry[.]com:50080/php/download.php:55555, and an HTTP server, http://{BLOCKED}dapp[.]ocry[.]com:50080/php/download.php. The bot uses the socket server to receive remote commands.

The commands are as follows:

“register” – Register with the remote server
“request_call_log” – Request the call log
“request_contact” – Request the contacts list
“request_file_list” – Request a listing of files in device storage
“request_create_new_dir” – Request creation of a new directory in device storage
“request_file_upload” – Request upload of files from device storage
“request_file_download” – Request download of files into device storage
“request_item_delete” – Request deletion of files in device storage
“request_calendar_event” – Request upload of calendar events
“request_del_message” – Request deletion of an SMS message
“request_send_message” – Request upload of an SMS message
“request_send_all_message” – Request upload of all SMS messages
“request_endcontrol” – End remote control
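The command names above are distinctive enough to serve as a quick triage signature for a suspicious APK. The following script is an added example, not code from the original post or from the malware: it opens an APK as a zip archive and looks for the request_* strings in the code, native library and asset entries. Which entries are scanned, the minimum-hit threshold and the sample archive it builds are assumptions of the example.

```python
"""Scan an APK (a zip archive) for the KrBot command strings listed in the post.

Added example. The command names are from the post; the scanned entry types,
the threshold and the constructed sample archive are assumptions.
"""
from __future__ import annotations

import io
import zipfile

# Command strings the post attributes to the bot's socket protocol.
KRBOT_COMMANDS = (
    b"register",
    b"request_call_log",
    b"request_contact",
    b"request_file_list",
    b"request_create_new_dir",
    b"request_file_upload",
    b"request_file_download",
    b"request_item_delete",
    b"request_calendar_event",
    b"request_del_message",
    b"request_send_message",
    b"request_send_all_message",
    b"request_endcontrol",
)

# "register" on its own is far too generic to count as evidence; only the
# request_* names are specific enough to score (assumption of this example).
SPECIFIC_COMMANDS = tuple(c for c in KRBOT_COMMANDS if c.startswith(b"request_"))


def scan_apk(data: bytes) -> dict[str, set[str]]:
    """Return, per archive entry, the set of command strings found in it.

    Only entries that can carry code or embedded payloads are scanned
    (classes*.dex, native .so libraries, assets/); the manifest and the
    signature block under META-INF/ are skipped.
    """
    hits: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.endswith(".dex") or name.endswith(".so") or name.startswith("assets/")):
                continue
            blob = zf.read(info)
            found = {c.decode() for c in SPECIFIC_COMMANDS if c in blob}
            if found:
                hits[name] = found
    return hits


def classify(data: bytes, min_hits: int = 4) -> tuple[bool, int]:
    """Flag the archive when at least min_hits distinct request_* strings appear.

    Returns (is_suspicious, number_of_distinct_command_strings_seen).
    """
    distinct: set[str] = set()
    for found in scan_apk(data).values():
        distinct |= found
    return len(distinct) >= min_hits, len(distinct)


def build_sample_apk(strings: list[bytes]) -> bytes:
    """Constructed test input: a minimal zip with a fake classes.dex holding the given strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Fake dex header followed by NUL-separated strings, as a real string table would be.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(strings) + b"\x00")
        # Deliberately placed under META-INF/ to show that the signature block is not scanned.
        zf.writestr("META-INF/CERT.RSA", b"request_file_upload")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk([b"request_call_log", b"request_contact",
                               b"request_send_all_message", b"request_endcontrol", b"register"])
    print(scan_apk(sample))
    print(classify(sample))
```

A string match like this is a triage aid, not a verdict: repackaged variants that obfuscate strings will be missed, and the threshold only guards against a single incidental hit. Confirm any match by looking at the mail-server and C&C behaviour described in this post.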

Collected data is stored in /data/data/[package name]/sent_data.db. Files are uploaded to and downloaded from the HTTP server.
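The post does not document the schema of sent_data.db, so a responder who pulls it from an infected device has to triage an unknown SQLite file. The following added example (not code from the post or the malware) does that schema-agnostically: it opens the file read-only, enumerates every table from sqlite_master, and returns the columns, row count and first rows of each. The sample table layout it builds for demonstration is constructed and is not the real database's.

```python
"""Triage an unknown SQLite artifact such as sent_data.db pulled from /data/data/<package>/.

Added example. The dumper is schema-agnostic because the post does not give
the schema; the sample tables built below are constructed stand-ins.
"""
from __future__ import annotations

import os
import sqlite3
import tempfile
from pathlib import Path


def triage_sqlite(path: str, sample_rows: int = 3) -> dict[str, dict]:
    """Return {table: {"columns": [...], "rows": int, "sample": [...]}} for a SQLite file.

    The file is opened read-only through a file: URI so that triage cannot
    modify the evidence (no journal or WAL writes).
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        report: dict[str, dict] = {}
        for t in tables:
            # Table names come from the file, not from us: quote them as identifiers.
            q = '"' + t.replace('"', '""') + '"'
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({q})")]
            count = con.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
            sample = con.execute(f"SELECT * FROM {q} LIMIT ?", (sample_rows,)).fetchall()
            report[t] = {"columns": cols, "rows": count, "sample": sample}
        return report
    finally:
        con.close()


def build_sample_db(path: str) -> None:
    """Constructed stand-in for sent_data.db; the layout is an assumption, not the malware's."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, addr TEXT, body TEXT, sent INTEGER)")
        con.executemany("INSERT INTO sms(addr, body, sent) VALUES (?, ?, ?)",
                        [("+821012345678", "hello", 1), ("+821087654321", "meeting", 0)])
        con.execute("CREATE TABLE contacts (name TEXT, number TEXT)")
        con.execute("INSERT INTO contacts VALUES ('Kim', '+821011112222')")
    con.close()


def make_sample_db_in_tempdir() -> str:
    """Create the constructed sample database in a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sent_data.db")
    build_sample_db(path)
    return path


if __name__ == "__main__":
    db = make_sample_db_in_tempdir()
    for table, info in triage_sqlite(db).items():
        print(f"{table}: {info['rows']} rows, columns={info['columns']}")
        for row in info["sample"]:
            print("   ", row)
```

Run it against a copy of the pulled file, never the original: even in read-only mode, work from a hashed copy so the evidence chain is intact. The "sent" style column in the sample is only there to illustrate how a table that tracks what has already been exfiltrated would look; the real file's columns must be read from the triage output.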

Tracking the Activity

From the recent activity of the email accounts, we learned that the mail account was created from a Japanese IP address and then signed into from several different regions. It’s likely that the cybercriminal used proxies to hide his tracks.

Figure 7. Recent activities of the malicious mail account

Meanwhile, the remote command server is set up on a dynamic DNS service, with the real server located in Kuala Lumpur, Malaysia. We found another website hosted on this server. A further look revealed that its normal web service is down, and there has been no response from the company owning the site. This suggests that this particular server may have been compromised by the cybercriminal to host the remote C&C service.

The victims’ information was then sent to the following IP addresses:

  • 101[.]99[.]65[.]100
  • 85[.]214[.]211[.]47
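To turn the indicators in this post into a detection, here is an added example (not code from the original post) that refangs the IOCs and matches them against firewall or proxy log lines. The two IPs, the ports 50080 and 55555, and the ocry.com dynamic DNS suffix are taken from the post; the C&C hostname itself is masked in the post and is deliberately not reproduced. The log format, the sample lines and the ocry.com hostname in them are constructed for the example.

```python
"""Match the network indicators from the post against firewall/proxy log lines.

Added example. IPs, ports and the dynamic DNS suffix are from the post; the
log layout and sample lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re


def refang(ioc: str) -> str:
    """Turn the defanged notation used in the post ('[.]', 'hxxp') into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(x)) for x in ("101[.]99[.]65[.]100", "85[.]214[.]211[.]47")}
IOC_DOMAIN_SUFFIX = refang("ocry[.]com")   # dynamic DNS provider; only the suffix is known
IOC_PORTS = {50080, 55555}                 # HTTP and socket ports from the decrypted config

# Assumed log layout: "<timestamp> <src-ip> <dst-ip>:<port> <host-or-SNI-or-'-'>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<host>\S+)")


def match_line(line: str) -> list[str]:
    """Return the indicator types a single log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return []
    reasons: list[str] = []
    if dst in IOC_IPS:
        reasons.append("ioc-ip")
    host = m["host"].lower().rstrip(".")
    if host == IOC_DOMAIN_SUFFIX or host.endswith("." + IOC_DOMAIN_SUFFIX):
        reasons.append("ioc-domain")
    if int(m["port"]) in IOC_PORTS:
        reasons.append("ioc-port")
    # A high port on its own is far too common to alert on; it only corroborates
    # an IP or domain hit.
    if reasons == ["ioc-port"]:
        return []
    return reasons


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Scan a whole log; return (1-based line number, reasons) for every matching line."""
    hits: list[tuple[int, list[str]]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        reasons = match_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log. The ocry.com hostname here is made up; it is not the
# masked C&C hostname from the post.
SAMPLE_LOG = """\
2014-11-03T10:01:02Z 10.0.0.5 93.184.216.34:443 example.com
2014-11-03T10:01:09Z 10.0.0.7 101.99.65.100:55555 -
2014-11-03T10:02:15Z 10.0.0.7 101.99.65.100:50080 made-up-host.ocry.com
2014-11-03T10:05:00Z 10.0.0.9 85.214.211.47:80 -
2014-11-03T10:06:00Z 10.0.0.9 8.8.8.8:55555 -
"""

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Two caveats when using this in production. The ocry.com suffix belongs to a dynamic DNS provider shared by many unrelated users, so a domain-only hit is a lead to pivot on, not a confirmed infection; and because the post suggests the Malaysian server was a compromised host, an IP hit should be re-checked against the date of the traffic, since such infrastructure is usually cleaned up or reassigned.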

Reviving the Bot

So is this bot targeting South Koreans once again? Yes, we did find activity in South Korean forums. But after analysis of the latest variant samples, we located several users in one of the biggest Chinese app forums posting links to a specific URL, which hosts the malware. This means that the attacks are no longer limited to South Korean users.

Figures 8-9. Variants targeting Chinese users

While the number of downloads may still be low, the fact that the malware was seen in Chinese forums means that the cybercriminal is expanding his net of potential victims. We advise users to avoid downloading apps from third-party app sites and to rely only on official app sites and stores.

We detect variants of this malware family as ANDROIDOS_KrBot.HRX. Trend Micro Mobile Security products use the Smart Protection Network to block all related threats. We advise users to install security software on their mobile devices to protect them from malicious apps and other threats.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 12 November 2014; the full text is available from the content source named above.