CATEGORIES

Does Your Mobile Anti-Virus App Protect or Infect You? The Truth Behind DU Antivirus Security

September 18, 2017

 

With mobile attacks representing nearly 20% of all cyberattacks in the Americas during the first half of 2017, users are constantly warned to be aware of security risks affecting their data and privacy, and install security software to protect their device. But what happens when antivirus solutions can’t be trusted, and actually compromise users’ privacy?

Figure 1: The DU Antivirus security app on Google Play

Check Point mobile threat researchers recently discovered a free mobile anti-virus app developed by the DU group, a developer of Android apps, which collects user data without the device owners’ consent. The app, called DU Antivirus Security, was distributed over Google Play, Google’s official app store, and downloaded between 10 and 50 million times, according to Google Play data.

According to Check Point’s research, when the app runs for the first time, the DU Antivirus Security app collects information from the device, such as unique identifiers, contact list, call logs, and potentially the location of the device. This information is then encrypted and sent to a remote server. The customer information is later used by another app offered by the DU group, called “Caller ID & Call Block – DU Caller,” which provides users with information about incoming phone calls.

While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes. Information about your personal calls, who you’re speaking with and for how long, was logged and later used.

Check Point reported the illegal use of the users’ private information to Google on August 21, 2017, and the app was removed from Google Play on August 24, 2017. A new version that doesn’t include the harmful code was uploaded to the Play store on August 28, 2017. Version number 3.1.5 of DU Antivirus Security is the latest version number found to include this privacy-leaking code, but older versions might still include it.

In addition to DU Antivirus Security, Check Point researchers detected the same code in 30 other apps, 12 of which were found on Google Play, and subsequently removed. These apps probably implemented the code as an external library, and transmitted the stolen data to the same remote server used by DU Caller. All in all, the illicit code affected between 24 and 89 million users who installed these apps, according to Google Play data.

Users who installed the DU Antivirus Security or any of the other apps should verify they are upgrading to the latest version that does not include this code.

Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them.

Technical Details:

DU Antivirus Security steals the information from the user’s device when the app is first run. The stolen information is then sent to the server caller.work, which is not registered to DU apps. However, this domain has two subdomains which indicate it is indeed connected to the DU caller app. First, the subdomain http://reg.caller.work/ is a PHP webpage, which specifies its hostname: us02-Du_caller02.usaws02, and contains the name of the DU caller app.

In addition, the sub domain vfun.caller.work is hosted on IP 47.88.174.218, a private server which also hosts the domain dailypush.news. This domain is registered to [email protected], a Baidu employee, who used the same email address to post about parsing phone numbers (http://zliu.org/post/python-libphonenumber/). Since the DU apps are part of the Baidu group, and the post deals with a functionality related to the caller app, this indicates a connection between the stolen information and the caller app.

Figure 2: Connections between DU AV app and Caller app

The DU caller app already came under fire for an ambiguous privacy policy, which displays different terms on separate pages, and of executing its activity regardless of whether it received the user’s consent. Last year, Cheetah Mobile’s Anti-Virus faced similar accusations after providing a service which may violate privacy regulations.

Appendix 1: list of apps containing the harmful code on Google Play

 

Appendix 2: SHA256 Hash of the abusive app

24b1d9bb36e0015a56fadb59051b410181b0f05bbdbcd66 4f2b6cb234b7beccc

 

Appendix 3: additional apps containing the harmful code outside Google Play

 

com.power.core.setting
com.friendivity.biohazard.mobo
com.energyprotector.tool
com.power.core.message
batterysaver.cleaner.speedbooster.taskkiller.phonecooler
com.rammanager.pro
com.memoryanalysis.speedbooster
com.whosthat.callerid
speedbooster.memorycleaner.phonecleaner.phonecooler
com.example.demos
com.android.fb
antivirus.mobilesecurity.antivirusfree.antivirusandroid
speedtest.networksecurity.internetbooster
com.ramreleaser.speedbooster
com.dianxinos.optimizer.duplay
com.coolkeeper.instacooler
com.memoryreleaser.booster
com.freepopularhotvideo.hotube

 

 

POPULAR POSTS

BLOGS AND PUBLICATIONS

  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks