Analysing Third-Party App Stores for Modded APKs Through Signature Verification

 

Even after the ban of major Chinese apps like PUBG, they remained available for download on third-party app stores. Similarly, modified versions of apps such as Spotify and Hotstar, which offer access to premium services for free and without intrusive advertisements, are also popular on third-party app stores. Although such apps may look quite similar to their original versions, they are not developed by the same manufacturer. Users resort to third-party app stores when certain apps are not available on official stores like the Google Play Store and the Apple App Store, when they are too expensive, or simply because they contain too many ads. Third-party app stores are also popular among users for the following features:

  • Provide access to the older versions of the app
  • Free games and applications as opposed to their expensive equivalent
  • Apps available in multiple languages
  • Downloads incentivized with perks such as virtual currency and other rewards
  • Access to beta versions of apps
  • Free-trial period for apps

 

High-Risk Modded APKs

Modded APKs are basically modified versions of genuine Android packages (APKs) that contain additional features, unlimited in-game currency, keys, or passes, etc. Such APKs may even contain backdoors that potentially compromise the device and its users. 

 

  • Hidden dangers in Spotify ad-free apps

The third-party iOS app store TutuApp offers pirated versions of games/apps, unauthorized games, as well as ad-free versions of applications like Spotify. In the particular case of Spotify, independent developers repackaged the original iOS app with a built-in ad blocker. Such applications request permissions of their own that allow threat actors to access different parts of the phone.

TutuApp leverages Apple’s enterprise certificate program that allows other organizations to build and deploy in-house, proprietary apps for their employees. This is also another way to evade Apple’s screening process.

 

 

  • Suspicious Pokemon Go apps

Several applications associated with Pokemon Go have been repackaged and released into the wild, targeting both Android and iOS users. Here are the various categories these apps belong to:

  1. Repackaged versions of Pokemon Go infected with a Trojan (Android). For instance, a Pokemon Go app injected with a RAT dubbed SandroRat.
  2. Repackaged versions of Pokemon Go infected with adware (Android).
  3. Malicious apps that masquerade as the Pokemon Go app to carry out odd, unexpected activities such as enrolling themselves as the device admin (Android).
  4. Repackaged, modded versions of Pokemon Go that bypass in-app billing, spoof locations, etc. or disable jailbreak detection (Android and iOS).

Some of these apps are inherently malicious and made to target their users, while others have been tampered with to give users an advantage.

 

CloudSEK’s Analysis of Over 50 Third-Party Stores

As part of ongoing research, CloudSEK conducted an analysis of more than 50 third-party app stores. The main purpose of this study was to check the credibility of these stores and to detect whether the apps available on them contained any modded code that differed from the official APK. To achieve this, APKs of the same apps, belonging to the same version, were downloaded from the official app store as well as from the third-party app store. Then, we conducted signature verification on all third-party apps.

 

The Process of Signature Verification 

By default, the Android OS requires all applications to be signed before they can be installed. This signature lets you identify the author of an application (which can be used to verify its legitimacy) and establish trust relationships between applications that share the same signature. Even though there are multiple versions of the APK Signature Scheme (V1 – V4), every application currently includes signature version V1 (dubbed JAR signature) to maintain backward compatibility.

 

Signature Verification Scheme V1

  1. Each APK contains its signature files in the META-INF/ folder.
  2. META-INF/<signer>.(RSA|DSA|EC) is the signature block that covers every file in the APK.
  3. The RSA|DSA|EC variants correspond to different signature algorithms; a META-INF folder typically contains only one of them.
  4. META-INF/MANIFEST.MF contains a digest for each file in the APK.

 

How does the verification process work?

  1. The process starts by searching for the signature file within the META-INF folder of the APK ZIP file.
  2. OpenSSL is then used to extract the signature.
  3. Finally, the signature is compared with that of the official APK and the result is returned.
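The three steps above, written out as an added example (this is not CloudSEK's tooling, and it does not shell out to OpenSSL): it opens each APK as a ZIP, finds the META-INF/<signer>.RSA|DSA|EC block, walks the PKCS#7 DER structure with a minimal ASN.1 reader to pull out the signer certificate(s), and compares SHA-256 fingerprints of those certificates between the official and the third-party APK. It only compares who signed the two packages; it does not cryptographically validate the signature over the APK contents. The DER reader assumes single-byte tags and definite lengths, which is what these signature blocks use. The APKs and the "certificate" in the fixture at the bottom are constructed placeholders, not real packages.

```python
import hashlib
import io
import zipfile

# Minimal DER (ASN.1) walker: just enough to pull the signer certificate(s)
# out of the PKCS#7 SignedData block stored as META-INF/<signer>.RSA|DSA|EC.

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve

def extract_certificates(pkcs7_der):
    """Return the DER bytes of every certificate in a PKCS#7 SignedData blob."""
    tag, vs, ve = _read_tlv(pkcs7_der, 0)           # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signature block is not a DER SEQUENCE")
    signed_data = None
    for ctag, _, cvs, cve in _children(pkcs7_der, vs, ve):
        if ctag == 0xA0:                             # content [0] EXPLICIT SignedData
            signed_data = _read_tlv(pkcs7_der, cvs)
    if signed_data is None:
        raise ValueError("no SignedData content found")
    _, svs, sve = signed_data
    certs = []
    for ctag, _, cvs, cve in _children(pkcs7_der, svs, sve):
        if ctag == 0xA0:                             # certificates [0] IMPLICIT SET OF Certificate
            for ktag, kstart, _, kve in _children(pkcs7_der, cvs, cve):
                if ktag == 0x30:
                    certs.append(pkcs7_der[kstart:kve])
    return certs

def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of the certificates in the APK's v1 signature block(s)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in extract_certificates(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def signers_match(official_apk, candidate_apk):
    """True only if both APKs carry a signature block with the same signer certificate set."""
    official = signer_fingerprints(official_apk)
    candidate = signer_fingerprints(candidate_apk)
    return bool(official) and official == candidate

# --- constructed fixtures (not real APKs or certificates) -------------------

def _der(tag, body):
    """Encode one DER element with definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_fake_apk(signer_name, signed=True):
    """Build an in-memory zip shaped like an APK, with a stand-in PKCS#7 block."""
    # Placeholder "certificate": a SEQUENCE holding only the signer name.
    # A genuine APK carries a real X.509 certificate in this position.
    cert = _der(0x30, _der(0x13, signer_name.encode()))
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                            # version
        + _der(0x31, b"")                                              # digestAlgorithms
        + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010701")))  # pkcs7-data
        + _der(0xA0, cert)                                             # certificates [0]
        + _der(0x31, b""))                                             # signerInfos
    pkcs7 = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010702")) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()

if __name__ == "__main__":
    official = build_fake_apk("CN=official vendor")
    print(signers_match(official, build_fake_apk("CN=official vendor")))      # same signer
    print(signers_match(official, build_fake_apk("CN=resigned by modder")))   # re-signed
```

A re-signed APK always fails this check, because a modder who changes the code cannot produce the original developer's signature and must sign with their own key. An unsigned candidate also fails rather than matching by accident, since `signers_match` requires a non-empty fingerprint set on the official side. On real packages, `signer_fingerprints` returns the same SHA-256 values that `apksigner verify --print-certs` reports as the certificate digest.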

 

Results of the Analysis

We verified around 990 third-party apps using the signature verification process. Some of the third-party app stores that were analysed were allfreeapk, apkpure, apksfull and apktada.

We detected a total of 10 third-party apps that were modified, i.e. apps whose signatures did not match and whose code differed from the original APK. These are some of the apps that contained modded APKs:

 

App Store Name   Package Name          App Name
Oceanofapk       com.picsart.studio    Picsart Photo Editor
Oceanofapk       com.spotify.music     Spotify
Oceanofapk       com.gaana             Gaana
Aptoide          com.truecaller        Truecaller
Apk20            com.pinterest         Pinterest

 

Analysis of the Modded APK

  • Picsart Photo Editor

Package name: com.picsart.studio
Store name: Oceanofapk
Version: PicsArt_v15.1.5

Vulnerabilities found

  1. Android Fleeceware (PUA)

Fleeceware apps cajole users into signing up for a free trial of their services and charge them exorbitant subscription fees once the trial period ends. Such apps do not function unless provided with the users’ payment details. If users fall for this trick and supply their details, the app uses them to debit the subscription fees after the trial period is over, without the consent of the user.

  2. Heur/HTML RefreshScript

Heur/HTML.Malware is malware that is detected using a heuristic detection routine designed to find common malware scripts in HTML files.

 

  • Spotify

Package name: com.spotify.music
Store name: Oceanofapk
Version: spotify-premium-8.5.80.1037

Vulnerabilities found

  1. Ewind Trojan

The Ewind Trojan is essentially adware that monetizes applications by displaying unwanted advertisements on the victim’s device. The adware also gathers device data and is capable of forwarding messages to the attacker. The adware Trojan could in fact even allow full remote access to the infected device.

  2. Riskware/Jiagu!Android

Riskware constitutes apps that are not inherently classified as malware. However, they may utilize system resources in an unexpected or annoying manner, and/or may pose a security risk to the victim device.

 

Users will notice screens similar to this one on their affected device

 

How do attackers modify official apps?

Apart from the prominent examples that we have shared above, there are quite a large number of modified apps lurking in third-party stores, and it is only a matter of time before the next victim falls prey to one of these thousands of malicious apps. Let’s have a look at some of the methods by which attackers manage to modify official applications.

  • Add a Debugging Flag in a Configuration File

The attacker manually adds “debug=true” to a .properties file in a local copy of the app. The application then emits quite descriptive log files upon launch. These log files give attackers insight into the backend systems, which in turn enables them to search for vulnerabilities within those systems and exploit them.

  • Code Manipulation

The attacker adds conditional jumps within the code which allows them to bypass the process of detecting a successful in-app purchase. This helps them obtain as many game artifacts and abilities as possible, without having to pay for them. The attacker may also inject spyware into the app to steal the identity of their victims. 

  • Unauthorized Access to Administrative Endpoint

An attacker could gain access to an administrative endpoint that the developers left exposed during endpoint testing. The attacker could perform string analysis of the binary to find the hardcoded URL of the administrative REST endpoint, and could then use cURL to execute back-end administrative functions.

  • Usability Requirements

Usability requirements specify that the mobile app’s passwords can only be 4 digits long. The server code stores a hashed version of the password. As the password is very short, an attacker will be able to deduce the original password using rainbow tables. If the attacker manages to compromise the password file on the server, it could expose the users’ passwords.

  • Certificate inspection 

A secure channel is established when the app and the endpoint connect through a TLS handshake. If the app accepts the certificate offered by the server without inspecting it, it undermines the mutual authentication between the endpoint and the app, allowing man-in-the-middle (MiTM) attacks.

Third-party applications may thus seem innocent, but could in fact be nefarious and have grave implications for their users. However, malicious third-party apps can be identified with processes like signature verification. Users should avoid, or at least exercise caution before, installing apps that do not come from the official app stores.


Malware Analysis and Reverse Engineering: Analysing Magecart Skimmer

 

Attacks that involve malware are one of the most prevalent threats on the internet. Malware is a malicious piece of code that infiltrates a computer and disrupts operations. Attackers develop malicious software and tailor it to serve specific purposes such as key logging, hijacking, phishing, etc., while targeting businesses or individuals across various sectors. Gathering insights into the properties and traits of such malware can help organizations mitigate security threats and improve their security posture.

 

MA&RE : The Race Horse of Threat Intelligence

Malware Analysis and Reverse Engineering (MA&RE) allows incident responders to extract threat intelligence from malware samples, in order to obtain information about the malware and the threat group responsible. MA&RE helps us uncover the logic behind a malware, hidden under the layers of obfuscation that actors create to throw researchers off their track, by analysing the actual working code written by the threat actors themselves.

The following threat intelligence can be obtained with the help of MA&RE:

  • Indicators of Compromise (IoCs): URLs/domains/C2 IPs
  • Evasion techniques
  • Infecting mechanisms
  • Use of zero-day exploits/ vulnerabilities
  • Lateral movement and compromise

In this post, we explore the process of Malware Analysis and Reverse Engineering (MA&RE) by analysing Magecart’s skimming malware.

 

The Rise of Magecart 

Magecart is a hacking group that targets shopping cart tools and systems to steal payment information from customers. Shopping carts are easy targets for skimming attacks, as it is quite convenient for threat actors to compromise these payment pages and siphon off payment (card) details and other sensitive information from users.

A web skimmer is a malware written in JavaScript that attackers leverage by injecting them onto targeted websites to: 

  • Compromise the website or the web-server itself through:
    • Brute force login attempts 
    • Phishing attacks
    • Social engineering
    • Exploiting known software vulnerabilities
  • Carry out supply chain attacks and compromise third-party tools that the website uses: Since third-party tools have several clients, compromising one such tool would mean that all the websites using this tool can be compromised. For instance, if a threat actor compromises a third-party eCommerce platform like Magento, the thousands of retailers that engage in business with them are also exposed to an attack. 

 

Magecart’s Modus Operandi

Client-side web skimming attacks are launched by the unsuspecting victims themselves. Once the attacker gains access to the website and places Magecart’s skimming code in it, the code searches for a checkout page and adds listeners to the submit button of the payment form. Then, when the customer clicks the submit button to send their card details and other information to initiate the payment, the malcode skims the entered data and sends it directly to the attacker’s server. 

Magecart attackers use different ways and methods to spread the infection and to prevent detection. These techniques include encoding the contents of the code, such as strings, using Base64, and obfuscating the malicious code before publishing it.

Once the attackers bypass security systems and successfully skim the payment page:

  • They sell the stolen cards on dark web marketplaces, or
  • Use the compromised cards to carry out other fraudulent schemes.

 

Dissecting a Skimmer 

In this section we explore how to analyse skimmer malware, with a Magecart sample as our specimen.

Firstly, the malicious code is injected into a legitimate payment form; once the page is loaded and the client initiates interaction, the code is activated on the client’s side. The code is usually obfuscated to avoid detection.

1. The first layer of the Magecart pattern holds a set of dataTokens which contains all the strings related to the code implementation. In some cases the data will be encoded using the Base64 algorithm.

Image1 – Encoded dataTokens

Magecart uses heavy obfuscation techniques to hide the skimmer malware. To accomplish this, the items in the array are shifted 5 times, rotating the elements to the right. This shifting step is also what enables the malicious code to run.

Image2 – Shifting function for the dataToken array

2. Once the array is shifted, the dataTokens are decoded to get the original data. The code uses the dtoa() function to turn the Base64-decoded data into plain text.

Image3 – Decoding function

 

Image4 – Decoded dataTokens

In Image4 we can see the decoded dataToken.
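The two unpacking steps above (undo the 5-position right rotation of the dataToken array, then Base64-decode each token) reproduced in Python as an analyst's helper. This is an added example, not code from the sample or from CloudSEK; the token strings below are constructed to mirror what the analysed sample targets (button listeners, card fields) rather than copied from the malware. `pack_tokens` is the inverse operation, included only so the helper can be exercised without a live sample.

```python
import base64

def rotate_right(items, n):
    """Rotate a list n positions to the right, as the skimmer's shifting function does.
    A negative n rotates to the left (used by the packing side below)."""
    if not items:
        return []
    n %= len(items)
    return items[-n:] + items[:-n] if n else list(items)

def decode_data_tokens(encoded_tokens, shift=5):
    """Recover plaintext strings from a rotated, Base64-encoded dataToken array."""
    rotated = rotate_right(encoded_tokens, shift)
    decoded = []
    for tok in rotated:
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            # Not every entry is necessarily Base64; keep such tokens unchanged
            # so the index positions used by the lookup function stay intact.
            decoded.append(tok)
    return decoded

def make_resolver(decoded_tokens):
    """Map a token index to its string, the way the skimmer's lookup function
    resolves an obfuscated call such as _0xabc(idx) at run time."""
    return lambda idx: decoded_tokens[idx]

# Watchlist for triage once tokens are readable: names that point at form
# capture and card data. Constructed for this example, not from the sample.
WATCHLIST = {"addEventListener", "click", "cardNumber", "cvv", "firstName", "lastName", "localStorage"}

def triage(decoded_tokens):
    """Return the decoded tokens that match the watchlist, sorted for stable output."""
    return sorted(set(decoded_tokens) & WATCHLIST)

# Constructed plaintext for exercising the helper.
PLAINTEXT_TOKENS = ["addEventListener", "click", "button", "cardNumber", "cvv",
                    "firstName", "lastName", "localStorage", "JSEncrypt"]

def pack_tokens(plaintext_tokens, shift=5):
    """Inverse of decode_data_tokens: Base64-encode, then rotate left by shift."""
    encoded = [base64.b64encode(t.encode()).decode("ascii") for t in plaintext_tokens]
    return rotate_right(encoded, -shift)

if __name__ == "__main__":
    packed = pack_tokens(PLAINTEXT_TOKENS)
    tokens = decode_data_tokens(packed)
    lookup = make_resolver(tokens)
    print(tokens)
    print(lookup(3))            # the string an obfuscated _0xabc(3) would resolve to
    print(triage(tokens))
```

The rotation count is the one seen in this sample; other Magecart variants change the shift, the encoding, or both, so the first thing to pin down when reading a new sample is the shifting function's loop count before attempting any decoding.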

 

3. The final layer of Magecart’s malicious code serves two functions. Its first function is to search for HTML tags that hold specific ID or class values, in which the data is entered. One of the targeted tags is ‘buttons’, to which the malicious code adds an event listener. Once the customer clicks on the button, the listener captures all the card details entered on the page. Image5 depicts this function.

Image5 – Ready function

The second function is responsible for dumping credit card details, which usually include the card number, CVV, and the card holder’s first and last name. Image6 shows the list of information that the malicious code extracts or skims.

Image6 – The list of data to be skimmed

After extracting the data, the code saves it in local storage, converts it to a JSON string and sends it to the attacker.

Image7 – Encrypting the data section

However, before sending the data, it is encrypted using an asymmetric encryption algorithm with a hardcoded public key using the JSEncrypt() function. The encrypted data is then sent to the threat actor.

Image8 – The public key that encrypts the data


In this Magecart sample, the code is executed once the page is loaded. It activates the targeted button at first, followed by the data dump function.

Image9 – Sending data section


Conclusion

Threat actors have different ways to conceal their existence and obfuscate the malicious code they use in their campaigns, rendering its detection almost impossible. This could allow supply chain attacks to skyrocket, targeting thousands of eCommerce platforms that subscribe to the same third-party. In the field of threat intelligence research, Malware Analysis and Reverse Engineering (MA&RE) enables researchers to analyse and record various sophisticated tactics employed by a malware, to form actionable intelligence which can be then used to fortify businesses and individuals from such offensives.


How Browser Extensions can Exploit User Activities for Malicious Operations

 

What are browser extensions?

Browser extensions are mini-applications that add more features and functionalities to the browser. Some of the most common extensions are ad blockers, password managers, grammar check extensions, screenshot creators, and translators. They allow users to integrate their browsers with their preferred services. 

Upon installation, extensions request permissions such as access to read, edit, and alter data on the websites that the user visits. Permissions that allow an extension to read the user’s browsing history or modify the data that the user copies and pastes are a surefire way to enable the extension to monitor all your activities. However, to keep extensions working well, users usually grant such permissions or overlook the extension’s default settings.

Browser extensions Permissions

Most browser extensions offer features that interact with the current web page, such as password managers that fill in passwords for different websites, or dictionary extensions that provide instant definitions for words. For the same reason, users do not concern themselves with permissions.

Some extensions require broader permissions. For example, the Web Developer extension for Chrome requires the permission to read and change users’ data on the websites they visit and their browsing history, modify the data that users copy and paste, and change user settings that control the website’s access to features such as cookies, Javascript, plugins, geolocation, microphone, camera, etc.

Browser Extensions Web Developer

If an extension is allowed to access all the web pages that the user visits, the user could be opening the door to malicious attacks. It could function as a keylogger and capture sensitive information, insert advertisements, redirect the search traffic to malicious sites, etc. This doesn’t mean that every extension is malicious, but they can surely be dangerous.

Browser extensions that work statically and don’t connect to external servers are generally safe. Extensions that require a connection to the server to retrieve data are more sensitive because cybercriminals may capitalize on this feature; they can hijack the server or the domain name to further their malicious scheme.

A few extensions may display ads:

Browser Extensions Ads
Such extensions are part of a long-running ad-fraud and malvertising network. When Chrome’s add-ons were first announced in 2009, most extensions focused on certain narrow areas, and primarily they were used to block ads. Today, however, those same extensions display advertisements.


Is it safe to let your browser manage passwords?

Internet usage has skyrocketed over the last decade, and today an average user spends 6.5 hours online every day. Online services such as email, social media, online stores, and streaming services are the most popular platforms users spend their time on. For convenience, most users save their passwords in the browser so that the password for a site is entered automatically upon login. Trying to memorize multiple passwords can be tricky, so more and more browsers ask users whether they would like the browser to save their credentials. If users enable this option, their passwords are saved locally and synchronised to the other devices the user has logged in from.


Your secure extensions can transform into malware  

In some cases, popular browser extensions that are trusted to be secure are sold to shady organizations or even hijacked. Malicious groups who take charge of such extensions set up updates that can turn seemingly harmless extensions into malware. The compromised extensions connect the browser to a command and control architecture, to exfiltrate sensitive data of unaware users, and expose them to further risks.

 

Underground marketplaces that sell fingerprints

The unauthorized data collected may include sensitive information like login credentials for the user’s online payment portal accounts, e-banking services, file-sharing or social networking websites. Such an extension may also steal the cookies associated with these accounts, browser user-agent details, and other browser and PC details.

Cybercriminals have recently realized the value of users’ unique browser fingerprints, and these digital identities are now sold on underground marketplaces such as the Genesis Store and Russian Market.

Genesis Store operators have developed a .crx plugin for Chromium-based browsers to make it easier to use stolen identities in any way they want. The plugin installs stolen digital profiles into the cybercriminal’s browser, allowing the actor to activate a doppelgänger of the victim. Then, the attacker only needs to connect to a proxy server with an IP address from the victim’s location to bypass the anti-fraud system’s verification mechanisms, pretending to be a legitimate user.

A snapshot of available Genesis bots:

Genesis Bots


Conclusion

  • The fewer the extensions on your browser, the better. Do not install extensions that raise even the slightest suspicion in your mind. Fewer extensions also help your browser run faster. Extensions not only affect your computer’s performance but can also be a potential attack vector.
  • Install extensions only from official web stores. The extensions available in such stores undergo security tests, with security specialists filtering out those that are malicious from head to toe. Even though this does not guarantee a safe browsing experience, they are better than extensions from external sources.
  • Observe the permissions that extensions require. If an extension that is already installed on your computer requests a new permission, it could be a red flag. There is always the possibility that the extension has been hijacked or sold.
  • Before installing any extension, it is always a good idea to go through the permissions it requires and make sure that they are appropriate for the functionality the extension offers. If the permissions requested do not seem logical in relation to the extension’s functions, it is probably better not to install that extension at all.