Research by: Aviran Hazum, Danil Golubenko, Ohad Mana
Check Point researchers recently encountered WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialer which subscribes its victims to premium services without their knowledge or consent.
The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialer module that subscribes the victims to premium services offered by legitimate sources; in this campaign, telecommunication providers in Thailand and Malaysia.
The infection chain is very simple. After the initial application is installed on the device via 3rd party markets, WAPDropper contacts the C&C (Command and Control) server and receives the payloads to execute. The payload is the premium dialer module, which opens a tiny web-view and contacts premium services offered by legitimate telecom companies. Once WAPDropper has successfully loaded the landing pages, it attempts to subscribe the user to those services. In some cases, a CAPTCHA step is required to finalize the subscription. WAPDropper passes this test by using the services of “Super Eagle”, a Chinese company that offers an ML solution for image recognition.
Figure 1 – Attack Chain flow illustration
Our story begins with this URL: http://l[.]facebook1mob[.]com/index.php?r=api/back
We noticed a large number of connections to this URL and discovered a malware framework which, viewed from a bird’s-eye perspective, traced back to these two IP addresses:
These IP addresses resolved to the domain ip.cooktracking[.]com, which itself has an interesting story.
In April this year, Kaspersky researchers published their findings regarding a malware that drops 2nd stage malware, which they metaphorically described as a “Trojan Matryoshka”.
According to Kaspersky’s publication, this malware began the infection chain by exfiltrating data to a C&C server located at ip.cooktracking[.]com/v1/ls/get.
Based on the network framework and the malware capabilities, we believe that these 2 campaigns are connected and may even involve the same threat actor.
As mentioned previously, the WAPDropper malware family contains 2 different modules. The first is a dropper module, which can download additional malware modules and has the potential to spread and initiate different attack vectors.
The second module is a premium dialer, a malware whose only purpose is to subscribe victims to premium services without their knowledge or consent.
On execution, the malware first hides its icon to prevent users from identifying and uninstalling it. In addition, the malware checks whether or not the device has a proxy or VPN configured. If none is configured, the malware initiates the dropper module to download and execute additional payloads.
Figure 1. The malware hides its icon on execution.
Figure 2. The malware initiates the dropper module.
WAPDropper begins with collecting data about the victim’s device and system, including:
It sends the information to a hardcoded C&C server, http://ks7br7.3q03on[.]com:12038, which is the main C&C server.
The main C&C server in turn, sends the malware a list of additional C&Cs from which to pick one random URL for each future request it makes.
Figure 3&4. The malware randomly picks a C&C server.
After it receives a response from the C&C server, WAPDropper parses the JSON configuration, which includes directions and specifications regarding the additional payloads that the dropper module downloads, including:
Figure 5. The payload’s JSON configurations.
As it finishes downloading each payload, WAPDropper decrypts the downloaded DEX files into .jar files and stores them locally on the infected device while it continues downloading pending payloads. Immediately after the payloads are decrypted, they are executed: WAPDropper loads the decrypted .jar files and deletes them from the device right away, to avoid leaving traces behind.
Each payload has an execution frequency that is configured in the JSON configuration. WAPDropper monitors this frequency for each different payload and continually sends a report on the payload’s current status to one of its C&C servers.
The main purpose of the premium dialer module is to manipulate money transactions addressed to Asian telecommunication companies and to subscribe victims to premium services without their knowledge or consent.
The first thing the dialer module does is decrypt a DEX file that is stored in its code and write it into a file called “data.jar”.
WAPDropper uses many reflection techniques and heavily obfuscates strings to hide its intentions. When the DEX file is saved, it loads and calls the real initialization method using reflection. The dropper also loads a native library file from memory and stores it on the device for later use.
Figure 6. Loading a native lib file from memory.
WAPDropper next starts a timer that periodically sends basic information about the infected device to this URL: http://api[.]biwbrd[.]com/un
Figure 7. The information that is sent to api[.]biwbrd[.]com.
WAPDropper then starts a request thread that asks the C&C server for an ad offer.
After it receives an ad offer, the malware constructs a 1×1 pixel dialog which appears almost invisible, but actually contains a tiny web view.
Figures 7&8. The malware constructs a 1×1 pixel dialog.
This tiny dialog allows the malware to load the previously unpacked native library which is responsible for removing all “X-Requested-With” HTTP headers from all HTTP requests.
“X-Requested-With” is an HTTP header which is used to verify that there is no CSRF (Cross-Site Request Forgery) attempt, i.e. that the user’s browser is not being exploited to deliver unauthorized commands from the user’s side to the target site.
WAPDropper replaces all of the occurrences of “X-Requested-With” string with “Accept-Encoding” string, which leads to immediately disabling the protection against CSRF attacks.
Figure 9. The malware replaces all of the occurrences of “X-Requested-With” string with “Accept-Encoding” string.
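A defender-side check for the header tampering described above, added here as an example and not part of Check Point’s analysis. It assumes (not stated on the page) that the native library rewrites only the header name, so the original value, which for an Android WebView is the requesting app’s package name, survives under the wrong name and produces a second “Accept-Encoding” header whose value is not an encoding token; the sample requests are constructed.

```python
from typing import List, Tuple

# Encoding tokens a legitimate Accept-Encoding value may contain.
ENCODING_TOKENS = {"gzip", "deflate", "br", "compress", "identity", "zstd", "*"}

# Constructed samples: a normal WebView request and one rewritten as described
# (X-Requested-With renamed to Accept-Encoding, value left intact).
CLEAN_REQUEST = (
    "GET /subscribe HTTP/1.1\r\nHost: billing.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 10; wv) AppleWebKit/537.36\r\n"
    "Accept-Encoding: gzip, deflate\r\nX-Requested-With: com.example.app\r\n\r\n"
)
TAMPERED_REQUEST = (
    "GET /subscribe HTTP/1.1\r\nHost: billing.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 10; wv) AppleWebKit/537.36\r\n"
    "Accept-Encoding: gzip, deflate\r\nAccept-Encoding: com.example.dropper\r\n\r\n"
)


def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Parse a raw HTTP/1.1 request head into ordered (lowercased name, value) pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def is_encoding_list(value: str) -> bool:
    """True if every comma-separated token (q-parameters ignored) is a known encoding."""
    for item in value.split(","):
        token = item.split(";", 1)[0].strip().lower()
        if token and token not in ENCODING_TOKENS:
            return False
    return True


def inspect_request(raw_request: str) -> List[str]:
    """Return findings suggesting X-Requested-With was stripped or renamed."""
    headers = parse_headers(raw_request)
    names = [n for n, _ in headers]
    user_agent = next((v for n, v in headers if n == "user-agent"), "")
    accept_enc = [v for n, v in headers if n == "accept-encoding"]
    findings = []
    if len(accept_enc) > 1:
        findings.append("duplicate Accept-Encoding header")
    bad = [v for v in accept_enc if not is_encoding_list(v)]
    if bad:
        findings.append(f"Accept-Encoding carries a non-encoding value: {bad[0]}")
    # Android WebView user agents carry a "wv" token, so a WebView request
    # without X-Requested-With is itself suspicious for a WAP-billing endpoint.
    if "wv" in user_agent and "x-requested-with" not in names:
        findings.append("WebView request is missing X-Requested-With")
    return findings
```

Run at the billing server or a reverse proxy, such a check lets the operator reject or log subscription attempts whose app identity has been removed rather than trusting the header’s absence.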
The next step is to inject a malicious JavaScript to the new vulnerable web-view.
This JavaScript is an interface that provides a remote website capable of the following actions:
Another interesting feature of the malware is its CAPTCHA recognition capability and the way it enters the result in the web-view.
WAPDropper chooses whether to download the picture and send it to the server, or to parse the DOM tree for the picture, extract it, encode it with Base64 and then send it to the server at http://upload[.]chaojiying[.]net/Upload/Processing.php
This server is a service provided by a Chinese company called “Super Eagle”, which provides an ML based solution to image verification code recognition and image classification.
When the malware submits the verification code image to the service, the platform returns the coordinates of the recognized result within the picture, and the malware then parses those coordinates to simulate the corresponding input in the web-view.
Figure 10. The malware’s CAPTCHA recognition capability.
In the next step, WAPDropper obtains a list of URLs to load into the web-view.
Looking at the package names and the corresponding functionalities, it is quite clear that the malware is targeting telecommunication companies to manipulate money transactions.
Figure 11. The malware’s main targets, redacted.
WAPDropper also contains code for parsing HTML and identifying specific elements in it, so it can imitate user behavior when filling in inputs.
Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
| Type | Value | Notes |
| --- | --- | --- |
| Network | ks7br7.3q03on.com | Main C&C Server |
| Network | Ip.cooktracking.com | Rotating C&C |
| Network | l.facebook1mob.com | Rotating C&C |
| Network | 34.233.155.78 | IP Infrastructure |
| Network | 52.54.1559.156 | IP Infrastructure |
| File | 2e5909411496a3b58b75fa55745138bfe2d73526b4ab00e7f06da2c5969c3661 | SHA256, WAPDropper |
| File | a7632c3fcbd93b7e4c275eabbf3ddf09adee1035b2917301d622433f61ef8e1d | SHA256, WAPDropper |