A new wave of malicious Android Package (APK) files is weaving together two of cybercrime's most reliable revenue streams, click-fraud advertising and credential theft, into a single, adaptable threat that has begun circulating across Southeast Asia, Latin America, and parts of Europe.
Disguised as casual games, task-reward utilities, and even clones of legitimate Chrome or Facebook apps, the malware lures users away from Google Play to sideload rogue installers, a tactic that neatly sidesteps Google's built-in vetting controls and capitalizes on social-engineering hooks such as "Get Free $5" or "Create Your Ad Campaign".
Once the APK lands on a victim's handset, the app immediately requests an excessive bouquet of permissions (camera, contacts, account management, and the ability to run foreground services), well beyond what any lightweight game or coupon app should need.
Trustwave SpiderLabs analysts identified the campaign while tracing a Facebook-ads themed lure that automatically dropped a payload named fb20-11-en.apk from a spoofed domain.
Their telemetry shows that the same infrastructure fans out dozens of variant apps, each region-tuned to impersonate banks, telecoms, or betting platforms but compiled from a common code base.
Victims are hit twice. In the foreground, the app silently loads parked domains and affiliate funnels, simulating taps and scrolls to inflate ad-impression counts, a maneuver clearly visible in the redirection chain.
Redirection chain (Source – Trustwave)
In the background, convincing login forms siphon usernames, passwords, and occasionally one-time PINs, forwarding them to an encrypted command-and-control (C2) back end.
This dual-purpose architecture, analysts warn, lets operators monetize each infected device immediately while quietly harvesting data for resale or later account takeover.
Under the hood, the cluster relies on a modular configuration system that ships its C2 map as a Base64 string encrypted with AES in Electronic Codebook (ECB) mode.
A hard-coded key, 123456789mangofb, is embedded directly in the APK, enabling the malware to decode fresh API routes on the fly and rotate infrastructure when domains are blocked.
The relevant routine, decompiled by Trustwave, is reproduced below for clarity:
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import android.util.Base64;

// "AES" alone resolves to AES/ECB/PKCS5Padding, which is the ECB mode noted above
Cipher cipher = Cipher.getInstance("AES");
byte[] keyBytes = new byte[16];
System.arraycopy("123456789mangofb".getBytes(), 0, keyBytes, 0, 16);
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
cipher.init(Cipher.DECRYPT_MODE, keySpec);
byte[] decrypted = cipher.doFinal(Base64.decode(encryptedData, 0));
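As an added illustration, not Trustwave's code and not taken from the sample, the following stand-alone Java program shows how an analyst can recover the C2 map from such a Base64/AES-ECB blob with the key quoted above, so the recovered routes can be blocked and fed into detection. The sample config and its field names are constructed assumptions, not the malware's real schema.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class MangoConfigDecoder {
    // Hard-coded key quoted in the write-up (16 ASCII bytes = AES-128).
    private static final byte[] KEY = "123456789mangofb".getBytes(StandardCharsets.US_ASCII);

    // Cipher.getInstance("AES") defaults to ECB with PKCS#5 padding on both the JVM
    // and Android; spelling the transformation out keeps the mode explicit.
    private static final String TRANSFORM = "AES/ECB/PKCS5Padding";

    // Analyst-side equivalent of the decompiled routine. The MIME decoder tolerates
    // the line breaks that android.util.Base64's DEFAULT encoder inserts.
    public static String decodeConfig(String base64Blob) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        byte[] plain = cipher.doFinal(Base64.getMimeDecoder().decode(base64Blob));
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Builds a blob from a constructed config so the decoder can be exercised offline;
    // a real blob would be carved from the APK or captured from the C2 response.
    public static String encodeConfig(String json) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return Base64.getEncoder().encodeToString(cipher.doFinal(json.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample config (assumed field names, reserved .invalid domains).
        String sample = "{\"entry\":\"https://c2.example.invalid/#/entry\","
                      + "\"ads\":\"https://ads.example.invalid/funnel\"}";
        String blob = args.length > 0 ? args[0] : encodeConfig(sample);
        System.out.println("blob:   " + blob);
        System.out.println("config: " + decodeConfig(blob));
    }
}
```

Pass a blob extracted from a sample as the first argument to decode it; with no argument the program round-trips the constructed config. A BadPaddingException on a real blob usually means a variant shipped with a different key, which is itself worth recording for the sample's indicators.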
Infection Mechanism: From Sideload to Silent Control
Installation begins with a social-media message or QR-code poster that pushes users to a look-alike landing page.
Tapping the "Start Now" button launches an immediate APK download and, crucially, suppresses Android's normal install-source warning by blending the file path with legitimate-looking sub-domains such as apk.kodownapp.top.
Once executed, the app leverages the open-source ApkSignatureKillerEx framework to graft a secondary payload (origin.apk) into its own directory without invalidating the original signature, ensuring the OS treats it as a legitimate update.
AES-wrapped config (Source – Trustwave)
On first run, it issues a beacon to 38.54.1.79:9086/#/entry, retrieves the AES-wrapped config, and only then activates the ad-click automation or credential-harvesting modules, significantly reducing the behavioral noise most sandboxes rely on for detection.
By the time the user notices anomalous battery drain or data spikes, both ad revenue and fresh credential sets have long since been exfiltrated through a fallback "crash-log" channel masquerading behind a seemingly innocuous sub-domain.