Cyble-FluBot-Malware-FakeApp-Via-Voicemail

FluBot Variant Masquerading As The Default Android Voicemail App

Share on linkedin
Share on twitter
Share on whatsapp
Share on facebook
Share on telegram
Share on email

During our routine threat hunting exercise, Cyble Research Labs came across a sample of the FluBot malware from our OSINT research. This variant calls itself “Voicemail” to trick users into thinking that it’s the default Voicemail app.

FluBot is a type of malware that operates by taking over devices, collecting sensitive information from them, and even sending messages to the victim’s contacts.

The application uses Smishing (a combination of SMS+Phishing) attacks to spread the malware. In the case of phishing, attackers send fraudulent emails that trick recipients into opening an attachment which includes malware, or by clicking on a malicious link. In the case of Smishing, emails are replaced by text messages.

Cyble Research Labs downloaded the malware sample and performed a detailed analysis. Through our analysis, we determined that the malware performs suspicious activities such as reading Contact data, SMS data, and device notifications.

The malware explicitly requests users for complete control of their devices. After gaining full access and permissions, the malware further enhances its functionalities.

The image below shows the statistical view of FluBot samples distributed by the attackers observed through our open-source analysis from one of our Threat hunting sources. Refer to Figure 1.

Figure 1: Statistical View

Technical Analysis

APK Metadata Information

Figure 2 shows the metadata information of the application.

Figure 2: Metadata Information

We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 3.

  • The application asks the users to turn on the accessibility service.
  • The application asks for complete control of the device.
  • The application asks the users to allow access to notifications.
  • The application asks the users to allow it to replace the default SMS app. Once it gets this permission, the application can handle SMS data.
Figure 3: Application Start Flow

Upon simulating the application, it requests that users enable the Accessibility service. Attackers can abuse this service to carry out malicious activities such as clicking buttons remotely to gain admin privileges and trick users into clicking on overlay content over the screen. Refer to Figure 4.

Figure 4: Requests Accessibility Service

Figure 5 shows the malware asking users to give them complete access to the device. Once the malware gains complete control over the device, it can perform the following activities:

  • View and control screen.
  • Control device data, including contacts, SMSs, and pictures.
  • Delete or manipulate the device’s data.
Figure 5: Asks for Full Control

Figure 6 shows that the malware asks the users to enable Notification access for the application. Once the application gets notification access, it can read all notifications on the device, including the SMS data of the device.

Figure 6: Asks for Notification Access

Upon receiving notification access, the application requests users to make the application their default SMS app. Upon becoming the default SMS app, the app proceeds with its malicious activities. Refer to Figure 7.

Figure 7: Asks for Default SMS App Permission

Manifest Description

Voicemail requests sixteen different permissions, of which the attackers could abuse seven. In this case, the malware can:

  • Reads SMS and Contacts data.
  • Make calls without user intervention
  • Delete SMS data
  • Can kill background process of other apps
  • Receive and send SMSs

We have listed the dangerous permissions below.

PermissionsDescription
READ_SMSAccess phone messages.
READ_CONTACTSAccess phone contacts.
WRITE_SMSAllows applications to write SMS messages. Malicious apps may manipulate SMS data.
KILL_BACKGROUND_PROCESSESAllows applications to kill the background processes of other apps.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface to confirm the call.
RECEIVE_SMSAllows an application to receive SMS messages.
SEND_SMSAllows an application to send SMS messages.
Table 1: Permissions’ Description

Upon reviewing the code of the application, we identified the launcher activity of the malicious app as shown in Figure 8.

Figure 8: Launcher Activity

We were able to identify that the permissions and services defined in the manifest file can replace the default Messages app. After getting default app permissions, this app will be able to handle sending and receiving SMSs and MMSs. Refer to Figure 9.

Figure 9: Handles SMS and MMS

Figure 10 demonstrates that the malware has defined customized services that leverage the BROADCAST_WAP_PUSH service. Using this service, an application can broadcast a notification stating that a WAP Push message has been received.

Figure 10: Using Broadcast WAP Push Permission

Threat Actors (TAs) can abuse this service to generate false MMS message receipts or replace the original content with malicious content. As per Google, this service is not for use by third-party applications.

Figure 11 demonstrates that the malware has defined customized services that leverage the permission SEND_RESPOND_VIA_MESSAGE, permitting the application to send a request to other messaging apps to handle Respond-via-Message action for incoming calls.

Figure 11: Using Send Respond VIA Message

Source Code Description

The code given in Figure 12 shows that the malware is capable of reading Contact data.

Figure 12: Reads Contact Data

The code shown in Figure 13 demonstrates that the malware is capable of sending text messages as well.

Figure 13: Sending SMS

The code in Figure 14 shows that the malware is capable of reading notification data and removing the notifications altogether.

Figure 14: Reads Notification Data

The code shown in Figure 15 demonstrates the encryption technique used by the malware to encrypt the data.

Figure 15: Encryption Technique Used by the Malware

The below code shows encrypted strings. After decrypting some strings, we determined that they also contain the FluBot malware variant version information. Refer to Figure 16.

Figure 16: Encrypted Strings

The malware obfuscates certain data such as strings, Command and Control (C&C) Commands, malicious APIs using custom encryption techniques.

Upon analyzing the sample, we found that the malware uses a simple XOR algorithm. The input to the algorithm has been stored in the form of integers. Refer to Figure 17.

Figure 17: Decryption Code

Traffic Analysis Description

During our traffic analysis, we observed the malware communicating with various IP addresses. Refer to Figure 18.

Figure 18: Communicates with the Server

Figure 19 shows that the malware has hardcoded data, i.e., the malicious URL, based out of Russia.

Figure 19: Hardcoded Data

Conclusion

Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.

Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid exposure to such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  • Download and install software only from official app stores like Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Users should be careful while enabling any permissions on their devices.
  • If you find any suspicious applications on your device, uninstall, or delete them immediately. 
  • Use the shared IOCs to monitor and block the malware infection. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Keep your Android device, OS, and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204.002User Execution: Malicious File
Defense EvasionT1418 Application Discovery
Credential AccessT1412
T1432
Capture SMS Messages
Access Contacts List
ImpactT1565Manipulation

Indicators of Compromise (IOCs)  

IndicatorsIndicator typeDescription
9624131c01da6d5b61225a465a83efd32291fa3f2352445c3c052d9d8cfb2daaSHA256Malicious APK
hxxp://85.214.228[].]140/p.phpIPCommunicating URL
asfnfpfibhtrafy[].]ruURLC2 Domain
hxxp://87.106.18[].]146/p.phpIPCommunicating URL
kkwpifwkkxilltk[.]ruURLC2 Domain  
hxxp://181.129.180[].]251/p.phpIPCommunicating URL
poceeubeciuqyto[].]ruURLC2 Domain  

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.

Scroll to Top