Recently, an application was detected on Google Play that included code to display phishing web pages to steal the credentials of users who install it.
During the analysis, a phishing attack targeting a Spanish bank was detected, whose logo bears a certain resemblance to the app's icon, and which the attackers have probably used to reduce the suspicions of users when the phishing page is displayed.
App on Google Play
The fraudulent application is a modified version of the open source QKSMS application, which offers the functionality required to manage and send SMS messages on Android devices, with the idea of replacing the default application that comes with the operating system.
While the original QKSMS application has been installed a litemtle over 500,000 times on Google Play, the modified app has only reached just over 100 downloads, which, although it may not seem like a lot compared to the original, is still a significant number of users who could potentially have entered their credentials into the phishing page.
The way this malicious application works is simple and has almost nothing to do with how bank trojans for Android usually work. In the case of bank trojans, it's common for them to use multiple banking entities among those that are affected to increase the likelihood of success.
In this case, it appears that the attackers are only interested in one entity, since the WebView that displays the phishing only displays it for one entity.
At the time of our analysis, no other phishing websites were found on the control server, except for the website for the affected entity. However, the attackers could modify it and include other entities if they want, since the phishing is done through a WebView that loads a URL from the control server. The fraudulent website loads when the application is opened.
Web with a phishing page requesting the user's telephone number
The data is only requested from the user once, and after the user has entered it for the first time, the application will instead load a website with a message notifying the user that the device has been registered and will be given access in 12 hours after validating it.
Message displayed after displaying the phishing page
Both the sending of the data stolen on the phishing website and the content of the received text messages are transferred to a Firebase database, instead of the server itself where the fraudulent website is hosted.
Sending of the received SMS messages to Firebase
Well, as usually happens in these cases in which malware sneaks into Google Play, what the attackers do is disable the malicious functionality until the application is approved and, in many cases, they wait even longer, thus trying to maximize the number of users who download an apparently non-malicious application, but which then starts working overnight.
In this case, as in many others, the malware contacts the control server to determine whether or not it should show the phishing page. It makes a POST request and waits to receive a JSON response with the "check" field equal to "1". In that case, it will display the phishing page and the malicious activity begins. On the contrary, it will start executing the code of the legitimate SMS management application.
Code that makes the request and shows the phishing page when applicable
This way, the attacker only has to wait for the app to be approved and to be installed enough times to then activate the malware and start collecting private data from its users.
This strategy of hiding the malicious functionality during the app's approval period is one of the most commonly used, although a date included in the application's code is also often also used as the start date of the malicious activity.
A new malicious application has been discovered on Google Play, and in this case it's a bank trojan that uses a phishing web page to steal user data, in addition to received text messages, probably with the intention of obtaining the one-time codes of the two-factor authentication.
In order to sneak into the Google store, its developers have modified a legitimate open source application and added in the malicious code, which will run only if the control server tells it to.
During the review period before being accepted into the store, the attackers configure the server so that the malicious code doesn't run and appears to be the legitimate application. However, upon approval, the control server will respond to requests correctly to activate the malicious code.
This strategy for activating the malicious functionality, along with adding a specific date in the app's code, are the most frequently used by attackers to sneak their creations into the official Google store, which increases the number of downloads due to a greater sense of security when installing applications that come from Google Play.