HelloTeacher: New Android Malware Targeting Banking Users In Vietnam

Cyble analyzes a new malware, "HelloTeacher", that masquerades as a popular messaging app to target banking users in Vietnam and steal sensitive data.

Android Spyware Masquerading As Popular Messaging Applications For Stealing Sensitive Data

Cyble Research & Intelligence Labs (CRIL) discovered a new variant of Android spyware that has set its sights on unsuspecting users in Vietnam. As the malware variant is new in the wild, we are referring to it as “HelloTeacher”, after the test service present in its source code.

HelloTeacher malware disguises itself as a popular messaging application such as Viber or Kik Messenger, luring its targets into installing the malicious application. The malware is armed with sophisticated capabilities such as exfiltrating contact details, SMS data, photos, and the list of installed applications, and even capturing pictures and recording the infected device’s screen.

But that’s not all: the TA behind HelloTeacher attempted to combine this spyware with the capabilities of a banking trojan by abusing the Accessibility Service. Their primary focus was on the three prominent Vietnamese banks listed in the table below:

  Package name             Banking application name
  com.tpb.mb.gprsandroid   TPBank Mobile
  com.mbmobile             MB Bank
  com.vietinbank.ipay      VietinBank iPay

Within this malware, the TA implemented code specifically designed to fetch account balances from “TPBank Mobile.” The TA also tried to implement on-device fraud targeting MB Bank, attempting to insert values into the text fields of the MB Bank mobile application. While this particular module remains unfinished, it indicates that the TA behind the HelloTeacher malware may come up with new features.

The following analysis focuses on the latest variant, identified by the hash value “00c614ce1a21b1339133240403617e9edc9f2afc9df45bfa7de9def31be0930e”. This sample uses the name and icon of the legitimate Viber application, aiming to deceive users into believing it is a legitimate version and enticing them to install it on their devices. A comprehensive examination of this variant is provided in the subsequent section.

Technical Analysis

APK Metadata Information

  • App Name: Viber
  • Package Name: com.zcq.mjb_08
  • SHA256 Hash: 00c614ce1a21b1339133240403617e9edc9f2afc9df45bfa7de9def31be0930e

The figure below shows the metadata information of the application.

Figure 1 – Application metadata information

Upon installation, HelloTeacher malware prompts the victim to enable the Accessibility service. Once it is granted, the malware abuses the Accessibility service to automatically grant itself permissions and execute its banking trojan functionalities.

Figure 2 – Prompting to enable the Accessibility Service

Figure 3 – Auto granting permissions
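A device-side check a defender can run for the behaviour described above (an added example, not code from the Cyble report): Android records every enabled accessibility service in the secure setting "enabled_accessibility_services", readable with "adb shell settings get secure enabled_accessibility_services", and the function below parses that value and flags any package not on an allowlist. The sample setting value, the malware's service class name ".AccessService" and the allowlist are constructed assumptions; only the package name com.zcq.mjb_08 comes from the report.

```python
# Value of `settings get secure enabled_accessibility_services` as captured
# over adb. Entries are colon-separated "package/ServiceClass" pairs; a class
# written as ".Name" is shorthand for "<package>.Name". This sample is
# constructed: the ".AccessService" class name for com.zcq.mjb_08 is assumed.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.zcq.mjb_08/.AccessService"
)

# Packages an organisation has reviewed and accepts as accessibility providers
# (assumed allowlist for this example).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting):
    """Split the setting value into (package, service) tuples, expanding '.Class' shorthand."""
    services = []
    # `settings get` prints "null" when the setting has never been written.
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        services.append((pkg, svc))
    return services


def audit_accessibility(setting, allowlist=ALLOWLIST):
    """Return enabled accessibility services whose package is not allowlisted."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, svc in audit_accessibility(SAMPLE_SETTING):
        print(f"review: {pkg} ({svc}) holds accessibility access")
```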

Meanwhile, in the background, the malware communicates with its Command and Control (C&C) server hxxp://api.sixmiss[.]com/abb-api/client/ to send stolen information. HelloTeacher appends the following paths to this URL to send different data from an infected device to the C&C server:

  • /status – Malware sends basic device information to check the status of the socket connection
  • /log – Malware sends error logs
  • /data – Malware sends stolen information such as contact, SMS, and other details

The malware abuses the Accessibility service to monitor events related to the targeted banking applications. Upon detecting user interaction with the TPBank mobile app, the malware looks for the component ID associated with the genuine banking app’s account balance field (“com.tpb.mb.gprsandroid:id/accBalance”). It then retrieves the account balance and stores it in a file named applog.txt, which is later sent to the C&C server.

Figure 4 – Malware fetching balance from TPBank mobile application

Similarly, the TA also implemented code to steal the device’s lock pattern or password using the Accessibility service and store it in the same file, “applog.txt”.

Figure 5 – Malware stealing screen lock password

Moreover, HelloTeacher malware also monitors the victim’s actions in the MB Bank mobile application. By examining the node information of the legitimate banking app, the malware inserts text received from the C&C server into a text field. However, it is currently unknown what value the malware inserts, as the C&C server is offline and the relevant code for the mobile banking application’s text field elements is absent.

Figure 6 – Malware targeting MB Bank

In addition, the malware examines elements associated with the password and username fields of the MB Bank mobile application. It checks for the presence of keywords related to “password” and “username” in both English and Vietnamese. The TA has included this code, but on analysis no further use of this method was found. The incomplete code suggests that the malware is still in development and that the TA is working towards enhancing the banking trojan functionalities.

Figure 7 – Incomplete code for fetching username and password of MB Bank application

The malware has the ability to receive commands from the C&C server and execute malicious operations on the compromised device. These operations include performing automated gestures, manipulating the display by opening and closing a black screen, and preventing uninstallation, among others.

Figure 8 – Malware receives commands from the C&C server

HelloTeacher malware employs MediaProjection to record the screen of the targeted device and send it to the C&C server, using the type named “screen,” as shown in Figure 6. During the transfer of stolen information, the malware uses the variable “type” as a label to classify the data. For instance, it uses “contact” as the type when sending contacts, “photo” as the type for transmitting photos, and so forth.

Figure 9 – Malware starts screen recording
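The following script, added here as an example and not taken from the report, applies the C&C URL paths listed earlier (/status, /log, /data) and the “type” labels described above to proxy log lines, summarising which endpoints an infected device contacted and which categories of data were exfiltrated. The host and paths come from the analysis; the log line format, the JSON body layout and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Host and path pattern come from the analysis; the log format and the
# JSON body shape are assumptions made for this example.
C2_HOST = "api.sixmiss.com"
C2_PATH = re.compile(r"^/abb-api/client/(status|log|data)(?:\?.*)?$")
TYPE_RE = re.compile(r'"type"\s*:\s*"([a-z]+)"')
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed proxy log lines: timestamp, method, host, path, body snippet.
SAMPLE_LOGS = [
    '2023-06-01T10:00:01 POST api.sixmiss.com /abb-api/client/status {"device":"sdk_gphone"}',
    '2023-06-01T10:00:05 POST api.sixmiss.com /abb-api/client/data {"type":"contact","data":"..."}',
    '2023-06-01T10:00:09 POST api.sixmiss.com /abb-api/client/data {"type":"screen","data":"..."}',
    '2023-06-01T10:00:12 POST api.sixmiss.com /abb-api/client/log {"msg":"err"}',
    '2023-06-01T10:00:20 GET cdn.example.org /static/app.js -',
    '2023-06-01T10:00:25 POST api.sixmiss.com /abb-api/client/data {"type":"photo","data":"..."}',
]


def classify_line(line):
    """Return (endpoint, exfil_type) for a C&C hit, or None for unrelated traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, _method, host, path, body = m.groups()
    if host.lower() != C2_HOST:
        return None
    pm = C2_PATH.match(path)
    if not pm:
        return None
    endpoint = pm.group(1)
    if endpoint != "data":          # only /data carries the "type" label
        return endpoint, None
    tm = TYPE_RE.search(body)
    return endpoint, (tm.group(1) if tm else "unknown")


def summarize(lines):
    """Count C&C endpoint hits and which categories of data were exfiltrated."""
    endpoints, types = Counter(), Counter()
    for endpoint, exfil_type in filter(None, map(classify_line, lines)):
        endpoints[endpoint] += 1
        if exfil_type:
            types[exfil_type] += 1
    return {"endpoints": dict(endpoints), "exfil_types": dict(types)}
```

Run summarize(SAMPLE_LOGS) to see the per-endpoint and per-type counts; a non-empty result on real proxy logs is the signal to isolate the device.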

The malware also captures pictures using the infected device’s camera and sends them to the C&C server using the type “camera”, as shown in the figure below.

Figure 10 – Malware capturing photos using the infected device’s camera

In addition to recording the screen and capturing photos, the HelloTeacher malware also gathers various sensitive data from a compromised device. This includes stealing text messages, contact information, photos, and a list of installed applications. The stolen information is then transmitted to the C&C server with their respective types.

Figure 11 – Malware stealing contact details

Figure 12 – Malware stealing SMS data

Figure 13 – Malware stealing photos from external storage

Figure 14 – Malware stealing installed application package list

Furthermore, the malware includes a test service named “HelloTeacherService”, which is triggered by the AlarmReceiver. The exact purpose of this service remains unclear, as its name implies that it is a testing service; however, we suspect that the TA may add new functionality to it.

Figure 15 – HelloTeacher test service

The TA has incorporated several Chinese-language strings in the code. These strings are used for logging purposes and, in certain instances, in C&C communication. The presence of these Chinese strings raises the possibility that the TA behind HelloTeacher malware originates from China.

Conclusion

The discovery of HelloTeacher Android malware, specifically aimed at users in Vietnam, highlights the evolving sophistication and deceptive tactics employed by malicious actors. The TA behind this spyware demonstrated their intent to incorporate banking trojan functionalities by leveraging an Accessibility Service, with a particular emphasis on prominent Vietnamese banks. The existence of unfinished banking trojan features suggests ongoing development and refinement of the malware, indicating the possibility of encountering a new variant in the near future.

To safeguard against such advanced malware, it is crucial for users to exercise vigilance and refrain from downloading popular messaging apps from third-party stores or suspicious websites. By adopting this cautious approach, individuals can significantly reduce the risk of falling victim to these sophisticated threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

  Tactic          Technique ID   Technique Name
  Initial Access  T1476          Deliver Malicious App via Other Means
  Initial Access  T1444          Masquerade as a Legitimate Application
  Collection      T1432          Access Contact List
  Collection      T1412          Capture SMS Messages
  Collection      T1512          Capture Camera
  Collection      T1513          Screen Capture
  Collection      T1533          Data from Local System
  Discovery       T1418          Application Discovery

Indicators of Compromise (IOCs)

