MA-973.092023: MyCERT Advisory - APT36 (Transparent Tribe) Exploiting Android Devices via YouTube App Clones

  • 24 Sep 2023
  • Advisory
  • android, rat, trojan, youtube, mobile, malware

1.0 Introduction

Recently, MyCERT has become aware of a new campaign launched by the APT36 hacking group, also known as 'Transparent Tribe', targeting Android users in India and Pakistan with cloned YouTube applications.

The cloned YouTube app is used to infect devices with the group's signature remote access trojan (RAT), 'CapraRAT'. Once the malware is installed on a victim's device, it can harvest data, record audio and video, and access sensitive communications, essentially operating as a spyware tool.

The malicious APKs are distributed outside Google Play, Android's official app store, so the victims are most likely socially engineered to download and install them.

The APKs were uploaded to VirusTotal in April, July, and August 2023, with two of them being called 'YouTube' and one 'Piya Sharma' associated with the channel of a persona likely used in romance-based tactics.

Figure 1: The interface of the malicious apps attempts to imitate Google's real YouTube app, but it resembles a web browser rather than the native app, because the trojanized app loads the service in a WebView. It also lacks several features available on the actual platform.

2.0 Impact
Once the CapraRAT is up and running on the device, it performs the following actions:

  • Recording with the microphone, front & rear cameras
  • Collecting SMS and multimedia message contents, call logs
  • Sending SMS messages, blocking incoming SMS
  • Initiating phone calls
  • Taking screen captures
  • Overriding system settings such as GPS & Network
  • Modifying files on the phone's filesystem

Figure 2: Screenshot taken during installation: the malicious apps request numerous risky permissions, some of which a victim might not find suspicious for a media streaming app like YouTube.

3.0 Affected Products
Android mobile devices

4.0 Recommendations
To protect your personal data and privacy, it is imperative that you take the following actions immediately:

  • Avoid Third-party App Stores: Download apps only from trusted sources, such as Google Play, to minimize the risk of downloading malicious applications.
  • Verify App Permissions: Review the permissions requested by an app during installation. Be cautious if an app requests unnecessary permissions.
  • Keep Software Updated: Ensure your Android device's operating system and apps are up-to-date with the latest security patches.
  • Security Software: Install reputable antivirus or anti-malware software to detect and remove threats on your Android device.
  • Regular Backups: Regularly back up your data to prevent data loss in case of an attack.
  • Exercise Caution: Be vigilant when downloading apps, especially if they are outside of official app stores. Avoid clicking on suspicious links or downloading attachments from unknown sources.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References
https://www.bleepingcomputer.com/news/security/apt36-state-hackers-infect-android-devices-using-youtube-app-clones/

https://www.techworm.net/2023/09/hacker-fake-youtube-apps-android.html

https://www.linkedin.com/pulse/transparent-tribe-utilizes-counterfeit-android-youtube?trk=article-ssr-frontend-pulse_more-articles_related-content-card

https://www.securityweek.com/pakistani-apt-uses-youtube-mimicking-rat-to-spy-on-android-devices/


MA-951.062023: MyCERT Alert - WhatsappPink Malicious Fake Update Message

  • 13 Jul 2023
  • Alert
  • whatsapp, pink, malware, sms, android

1.0 Introduction

Recently, MyCERT has become aware of a malware campaign targeting Android users through messages circulated on WhatsApp and other major messaging platforms that promise a new color theme for WhatsApp.

Disguised as an official update for the chat app, the “WhatsApp Pink” theme is in reality a variant of a wormable malware that spreads through WhatsApp and lures the prospective victims into downloading an app from a website masquerading as Google Play.

WhatsApp Pink is an updated version of the WhatsApp auto-reply worm that surfaced in January 2021. It seems to have been first spotted in India, where it was shared in various massive chat groups on popular instant messaging services. The Trojan’s updated version doesn’t auto-reply just to WhatsApp messages, but also to messages received on other instant messaging apps, which could be the reason for its apparent wider spread.

Figure 1: Screenshot from WhatsApp message stating “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp”. Upon clicking the link, WhatsappPink.apk is downloaded.

2.0 Impact
The Trojan, identified by ESET products as Android/Spams.V, automatically replies to messages received in apps such as WhatsApp, WhatsApp Business, Signal, Skype, Viber, Telegram, and one of the various unofficial, third-party versions of WhatsApp, with a link to a website from which the Trojan itself can be downloaded.

In general, below are some possible impacts of installing unofficial applications on your devices:

  • Misuse of contact numbers and pictures saved on the phone
  • Financial loss
  • Misuse of your credentials
  • Loss of control over your mobile
  • Spam messages

3.0 Affected System and Devices
Android mobile devices.

4.0 Technical Details
Installing the downloaded APK did not show any visible suspicious behaviour, but static analysis showed that the app looks for notifications from a predefined list of applications, including Viber, Telegram, WhatsApp and Skype, and auto-responds to the sender with the reply “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp” so that they download the app, spreading like a worm. The link in the message was down at the time of writing this alert.

The predefined list of chat apps is as shown in Figure 2. 

Figure 2: Apps list hardcoded in the fake app

Chat apps in the list are: 

  • com.viber.voip
  • com.skype.raider
  • com.skype.insiders
  • org.thoughtcrime.securesms
  • com.whatsapp.w4b
  • com.whatsapp
  • org.telegram.messenger
  • com.gbwhatsapp
  • com.whatsapp.plus
  • com.og.whatsapp
  • com.yowhatsapp
  • com.retro.whatsweb
  • com.FmWhatsApp

The app also checks whether it has permission to listen to notifications, either by verifying that it is listed under “enabled_notification_listeners” or by requesting the permission, as shown in Figure 3 and Figure 4.

Figure 3: Verification of notification listener permission

Figure 4: Request for notification listener permission

Once the service is listed under notification listeners, it starts and keeps monitoring for any posted notification. When a notification is posted, the app checks whether it belongs to one of the apps in the predefined list and, if so, collects the phone number, as shown in Figure 5.

Figure 5: Collecting the phone number from notifications

It then auto-responds to that phone number using sendReply, as shown in Figure 6.

Figure 6: Sending auto reply to the notifications

Random_Message is the string variable that carries the message and the link to download the malicious WhatsApp app.

We also noted that the malware author has not suppressed notifications or messages from those chat apps; the spam message auto-sent via notifications remains visible to the user in the chat screen of the sender. This suggests that the app could still be under development or at the start of an attack, as it only auto-replies to notifications and no other malicious activity had been identified at the time of writing this alert.
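The behaviour described above (a notification listener service plus a hardcoded list of chat-app package names) gives defenders two cheap checks. As an added example, not MyCERT's or K7's code, the Python below triages a decoded APK against that pattern and audits a device's enabled notification listeners; the manifest fragment, the package name com.example.fakepink, the class .NotifService, the sample strings and the min_hits threshold are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Chat-app package names hardcoded in the fake app (the Figure 2 list in the alert).
TARGETED_CHAT_APPS = {
    "com.viber.voip", "com.skype.raider", "com.skype.insiders",
    "org.thoughtcrime.securesms", "com.whatsapp.w4b", "com.whatsapp",
    "org.telegram.messenger", "com.gbwhatsapp", "com.whatsapp.plus",
    "com.og.whatsapp", "com.yowhatsapp", "com.retro.whatsweb", "com.FmWhatsApp",
}

def notification_listener_services(manifest_xml):
    """Names of <service> entries bound with the notification-listener permission."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == LISTENER_PERMISSION]

def targeted_apps_in_strings(dex_strings):
    """Known chat-app package names that appear among the strings of classes.dex."""
    return sorted(TARGETED_CHAT_APPS & set(dex_strings))

def triage(manifest_xml, dex_strings, min_hits=3):
    """Flag a sample that registers a listener AND names several chat apps.
    min_hits is an assumed threshold, not a value from the alert."""
    services = notification_listener_services(manifest_xml)
    hits = targeted_apps_in_strings(dex_strings)
    return {"listener_services": services, "targeted_apps": hits,
            "suspicious": bool(services) and len(hits) >= min_hits}

def unexpected_listeners(settings_value, allowlist):
    """Parse the output of `adb shell settings get secure enabled_notification_listeners`
    (colon-separated package/class pairs, or 'null') and return non-allowlisted packages."""
    if settings_value.strip() in ("", "null"):
        return []
    packages = {e.split("/", 1)[0] for e in settings_value.strip().split(":") if e}
    return sorted(packages - set(allowlist))

# Constructed manifest fragment; the package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fakepink"><application>
  <service android:name=".NotifService"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
    <intent-filter><action
      android:name="android.service.notification.NotificationListenerService"/>
    </intent-filter></service></application></manifest>"""
# Constructed strings, as a `strings` pass over classes.dex might list them.
SAMPLE_STRINGS = ["com.whatsapp", "com.whatsapp.w4b", "org.telegram.messenger",
                  "com.viber.voip", "Random_Message", "android.intent.action.MAIN"]
```

In practice, feed triage() the AndroidManifest.xml decoded with apktool plus the strings extracted from classes.dex, and feed unexpected_listeners() the raw adb output together with the listener packages you expect on that device.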

This attack may not sound new; however, users keep falling prey to such schemes out of curiosity and an eagerness to try the latest trend first.

5.0 Indicators Of Compromise (IOCs)

File Name          Hash                                K7 Detection Name
WhatsappPInk.apk   9a902d186c948e72af6b269862c27055    Trojan ( 0057b1c11 )
WhatsappPInk.apk   e1870d613d54239e8fb5f09b6a4e880d    Trojan ( 0057b20e1 )
WhatsappPInk.apk   90cfcde60b6cd57a2e9b2047cff51fb7    Trojan ( 0057b20e1 )

URLs

  • hxxp[://lookpink.xyz/?whatsapp
  • hxxp[://whatsapp.profileviewz.com/?whatsapp
  • hxxp[://whatsapp.wwwy.xyz/?pinklook

6.0 Recommendations
If you downloaded “WhatsApp Pink” you can either remove it through Settings and the App Manager submenu or install a full-featured Android security solution that will scan your device and remove it automatically.

By way of prevention, there are several steps you can take to mitigate the chances of falling victim to similar schemes in the future:

  • Never click on links or attachments that you received via an unsolicited message or from someone you don’t know
  • Only download apps from official app stores, since they have rigorous approval processes in place
  • Always use a reputable mobile security solution
  • Be wary of what kinds of permissions you grant to applications

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

7.0 References

MA-940.052023: MyCERT Advisory - Snake Malware Threat From Russian Cyber Actors

  • 25 May 2023
  • Advisory
  • snake, malware, espionage

1.0 Introduction

Recently, the US Cybersecurity & Infrastructure Security Agency (CISA) and its partners released a joint advisory on a sophisticated cyber espionage tool used by Russian cyber actors. The advisory, titled Hunting Russian Intelligence “Snake” Malware, provides technical descriptions of the malware’s host architecture and network communications, together with mitigations to help detect and defend against this threat.

2.0 Impact
Snake can be considered the most sophisticated cyber espionage tool designed and used for long-term intelligence collection on sensitive targets. Its sophistication stems from three principal areas.

First, Snake employs means to achieve a rare level of stealth in its host components and network communications. 

Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. 

Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.

3.0 Affected Products
Windows, MacOS, and Linux operating systems.

4.0 Recommendations
MyCERT urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance.

Kindly refer to https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a for more information on Snake malware.

Generally, MyCERT advises the users of these systems to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

MA-931.042023: MyCERT Alert - RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads

  • 20 Apr 2023
  • Alert
  • redline, malware, stealer, credential

1.0 Introduction

The popularity of generative AI platforms like Google Bard and OpenAI’s ChatGPT has captured audiences worldwide. Google Bard is an artificial intelligence (AI) language model developed by Google that uses deep learning techniques to generate poetry and lyrical verses. It leverages large amounts of text data to compose original and creative poems in various styles and forms, such as sonnets, haikus, and free verse; its output is known for its coherence, rhythm, and imagery, making it a valuable tool for writers, poets, and artists seeking inspiration or looking to enhance their creative work with evocative language. ChatGPT is a large language model developed by OpenAI based on the GPT-3.5 architecture: an advanced AI chatbot trained to understand and generate human-like text. ChatGPT can interact with users on a wide range of topics, providing information, answering questions, and generating text-based responses. It is designed to understand context, respond to user queries accordingly, and provide detailed and coherent responses. Trained on a vast amount of text data, it generates fluent and coherent text, making it a powerful tool for applications including customer service, content creation, and virtual assistance.

Security experts uncovered a new campaign spreading the RedLine Stealer malware strain by taking advantage of the popularity of these AI platforms. First spotted in March 2020, RedLine Stealer is a piece of malware that specifically targets end users and is distributed through compromised software downloads, phishing, and drive-by downloads. RedLine Stealer is sold as ‘malware-as-a-service’ (MaaS) and can be purchased on underground forums. It is designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software. The malware can upload and download files, execute commands, and regularly send information about the infected computer to the perpetrators.

2.0 Impact
Successful execution of the malware on a victim’s computer allows sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data, to be stolen. In addition, the malware can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software.

3.0 Technical Details
The MaaS ecosystem is supported by online discussion boards that serve as marketplaces where hackers sell their malware and stolen information. Access to viruses, stolen data, and even hacking tools is just one of the services these forums offer. Sometimes, forum moderators act as middlemen between buyers and sellers and receive a cut of the revenue.