This post is the result of a collaboration between 11paths (Telefónica's Cybersecurity Global Unit) and Kaspersky Lab. Both companies have used their own expertise, researchers and tools, such as 11paths' Tacyt (Android app monitoring) and GReAT's internal tools and resources.
Big Brother and Google Play

Fraudulent apps that try to send premium SMS messages or call high-rate phone numbers are nothing new. In fact, it is easy to find them, especially in Spain, Russia and some other European countries. It is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years.

Some years ago it was pretty easy to upload a dialer (or a similar fraudulent app) to Google Play [1] [2], but new detection mechanisms forced attackers to focus on alternative markets, at least for a period of time. Recently, we found a Spanish group that successfully uploaded a non-official Big Brother (Gran Hermano) TV show app. Big Brother is one of the most popular TV shows in Spain, having been on the air for 16 years now.
Analysis: cdd254ee6310331a82e96f32901c67c74ae12425
This was not a very sophisticated app, but its authors were able to get it into Google Play using an old trick. First, they uploaded a clean and innocuous version that, of course, passed the Google Play security controls. Then, some days later, a new version was uploaded as a "major features update", including subscription to paid services. The trick is extremely simple but it worked: the app stayed in Google Play for around two months (from mid September to mid November 2015).
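The update trick described above is easiest to catch by diffing what each version of a package declares, rather than judging each upload in isolation. The following is an added example (not code from 11paths, Kaspersky or the app's authors) that compares the permissions declared in two AndroidManifest.xml files of the same package and flags an update that newly asks for billing-capable permissions; both manifests are constructed for illustration and the package name is made up.

```python
"""Flag risky capabilities that first appear in an app update.

Added example for this post, not code from 11paths, Kaspersky or the app's
authors. The two manifests below are constructed for illustration; the real
app's manifests are not reproduced here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
VERSION_ATTR = f"{{{ANDROID_NS}}}versionCode"

# Permissions that let an app bill the user directly (premium SMS, calls)
# without any further dialogue once granted.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}

# Constructed manifest of a harmless first upload: network access only.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tvshowfan" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="TV Show Fan"/>
</manifest>"""

# Constructed manifest of the "major features update": SMS handling appears.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tvshowfan" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="TV Show Fan"/>
</manifest>"""


def permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def version_code(manifest_xml):
    """Return the integer android:versionCode of the manifest."""
    root = ET.fromstring(manifest_xml)
    return int(root.get(VERSION_ATTR))


def review_update(old_xml, new_xml):
    """Compare two versions of one package and report what the update added."""
    old_root = ET.fromstring(old_xml)
    new_root = ET.fromstring(new_xml)
    if old_root.get("package") != new_root.get("package"):
        raise ValueError("manifests belong to different packages")
    added = permissions(new_xml) - permissions(old_xml)
    risky = added & RISKY_PERMISSIONS
    return {
        "package": new_root.get("package"),
        "from_version": version_code(old_xml),
        "to_version": version_code(new_xml),
        "added_permissions": sorted(added),
        "risky_added": sorted(risky),
        # An update that newly asks for billing-capable permissions deserves
        # the same scrutiny the first upload got.
        "needs_rereview": bool(risky),
    }


if __name__ == "__main__":
    for key, value in review_update(MANIFEST_V1, MANIFEST_V2).items():
        print(f"{key}: {value}")
```

The same comparison can be run on the manifests extracted from two APKs of the same package (for example with apktool or aapt); the point is that the second upload is reviewed against the first rather than on its own.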
It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least four other similar applications that, based on some particular logging messages we found in the code, could have the same origin:
com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22;
com.granhermano162; from 2015-09-29 to 2015-11-14;
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11;
com.granh.gh16_3; from 2015-10-05 to 2015-10-15;
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed).
As we said before, this group was found to be using the specific string "caca" as a logging tag, which is unusual:
The word "caca" is a colloquial Spanish word for excrement (very similar to the word "poo" in English). It can be found in certain testing code, marking lines that should be removed later, but it is unusual to find it in such similar applications and used in the same way. Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code lead us to conclude that those applications could have been developed by native Spanish speakers.
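Linking samples through unusual shared strings, as done above with the "caca" tag, can be turned into a small clustering step over the string tables pulled from each APK. The following is an added example (not Tacyt's logic and not code from the post's authors): the per-sample string tables are constructed, the baseline of strings too common to mean anything is constructed, and only the "caca" tag and the two method names from the app's configuration are taken from the post.

```python
"""Link samples through rare strings they share (a logging tag, a method name).

Added example, not the Tacyt logic or code from the post's authors. The string
tables are constructed stand-ins for what a strings/decompile pass yields per
APK; only "caca", "crearSubscripcion" and "getPinCode" come from the post.
"""
from collections import defaultdict
from itertools import combinations

# Constructed per-sample string tables (a subset of what each APK would yield).
STRINGS_BY_SAMPLE = {
    "sample_1": {"caca", "crearSubscripcion", "getPinCode", "onCreate", "TAG", "MainActivity"},
    "sample_2": {"caca", "crearSubscripcion", "enviarSms", "onCreate", "TAG"},
    "sample_3": {"caca", "getPinCode", "enviarSms", "onCreate", "MainActivity"},
    "sample_4": {"onCreate", "TAG", "MainActivity", "fetchWeather"},
    "sample_5": {"onCreate", "MainActivity", "fetchWeather", "showAd"},
}

# Strings so common across unrelated apps that sharing them means nothing.
# In practice this baseline is built from a large corpus of benign apps.
BASELINE = {"onCreate", "TAG", "MainActivity", "showAd"}


def rare_shared_strings(tables, baseline, min_samples=2):
    """Map each non-baseline string to the samples containing it, keeping
    only strings seen in at least min_samples samples."""
    owners = defaultdict(set)
    for sample, strings in tables.items():
        for s in strings - baseline:
            owners[s].add(sample)
    return {s: owners[s] for s in owners if len(owners[s]) >= min_samples}


def pair_scores(tables, baseline):
    """Count, per pair of samples, how many rare strings they have in common."""
    scores = defaultdict(int)
    for samples in rare_shared_strings(tables, baseline).values():
        for a, b in combinations(sorted(samples), 2):
            scores[(a, b)] += 1
    return dict(scores)


def clusters(tables, baseline, min_shared=2):
    """Group samples transitively: two samples are joined when they share at
    least min_shared rare strings (union-find over the pair scores)."""
    parent = {s: s for s in tables}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), n in pair_scores(tables, baseline).items():
        if n >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for s in tables:
        groups[find(s)].add(s)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for s, owners in sorted(rare_shared_strings(STRINGS_BY_SAMPLE, BASELINE).items()):
        print(f"{s!r} shared by {sorted(owners)}")
    print("clusters:", clusters(STRINGS_BY_SAMPLE, BASELINE))
```

A single shared string is weak evidence (sample_4 and sample_5 share one constructed string and stay apart at the default threshold); several unusual strings used the same way, as with the tag, method names and topic in this case, is what justifies attributing samples to one origin.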
This app uses several commercial third-party services, such as Parse.com for its first network communication. This first API call is used to get all the information necessary to run further actions (URLs, authentication, etc.):
{
  "results": [
    {
      "Funcionamiento": " Ahora la única pestaña importante es la de VOT.",
      "action1": "http://tempuri.org/getPinCode",
      "action2": "http://tempuri.org/crearSubscripcion",
      "activa": "si",
      "createdAt": "2015-09-08T16:17:24.550Z",
      "estado": true,
      "id_categoria": "2608",
      "id_subscripcion": "400",
      "metodo1": "getPinCode",
      "metodo2": "crearSubscripcion",
      "namespace": "http://tempuri.org/",
      "nombreApp": "GH16 España",
      "numero_corto": "795059",
      "numero_sms": "+34911067088",
      "objectId": "tNREzkEocZ",
      "password": "15xw7v7u",
      "updatedAt": "2015-11-27T10:28:00.406Z",
      "url": "http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL",
      "urlcode": "http://spamea.me/getcode.php?code=",
      "usuario": "yourmob",
      "vot": true
    }
  ]
}

As we can see above, it references different URLs:
spamea.me is a service that no longer existed at the time of writing, but that used to be hosted on 107.6.184.212, which seems to be a hosting server shared with many other websites.
ws.alertas.aplicacionesmonsan.net is a legitimate service focused on mobile monetization, including premium SMS and direct carrier billing. The app uses it to subscribe the user to a service called "yourmob.com".
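A configuration reply like the one above is where an analyst gets the indicators worth blocking or watching, and it pays to parse it rather than read it by eye. The following is an added example (not code from 11paths, Kaspersky or the app's authors) that parses a Parse.com-style reply and separates network endpoints from SOAP metadata, premium numbers and service credentials. The sample reply is constructed: it keeps the field names, URLs, numbers and username quoted above, while the password value is a placeholder rather than the captured one; the observation that tempuri.org is the default placeholder namespace of ASP.NET (.asmx) web services is general knowledge, not a finding of the post.

```python
"""Pull defender-relevant indicators out of a Parse.com-style config reply.

Added example, not code from the post's authors. SAMPLE_REPLY is a constructed
reply that keeps the field names and the URLs, numbers and username quoted in
the post; the password value is a placeholder, not the captured one.
"""
import json
from urllib.parse import urlparse

SAMPLE_REPLY = """{"results":[{
  "Funcionamiento": " Ahora la única pestaña importante es la de VOT.",
  "action1": "http://tempuri.org/getPinCode",
  "action2": "http://tempuri.org/crearSubscripcion",
  "activa": "si",
  "estado": true,
  "id_categoria": "2608",
  "id_subscripcion": "400",
  "metodo1": "getPinCode",
  "metodo2": "crearSubscripcion",
  "namespace": "http://tempuri.org/",
  "nombreApp": "GH16 España",
  "numero_corto": "795059",
  "numero_sms": "+34911067088",
  "password": "PLACEHOLDER-NOT-THE-CAPTURED-VALUE",
  "url": "http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL",
  "urlcode": "http://spamea.me/getcode.php?code=",
  "usuario": "yourmob",
  "vot": true
}]}"""

# SOAP metadata fields. tempuri.org is the default placeholder namespace that
# ASP.NET (.asmx) web services ship with; it is not a host the app contacts.
SOAP_FIELDS = {"action1", "action2", "namespace"}


def parse_reply(raw):
    """Return the first result object of a Parse.com query reply."""
    data = json.loads(raw)
    results = data.get("results") or []
    if not results:
        raise ValueError("reply carries no results")
    return results[0]


def extract_indicators(cfg):
    """Split the config into what a defender wants to block, watch or report."""
    endpoints, soap_actions = [], []
    for key, value in cfg.items():
        if not isinstance(value, str) or not value.startswith(("http://", "https://")):
            continue
        if key in SOAP_FIELDS:
            soap_actions.append(value)
        else:
            endpoints.append(value)
    return {
        # Hosts actually contacted: candidates for DNS/proxy blocking
        "hosts": sorted({urlparse(u).hostname for u in endpoints}),
        "endpoints": sorted(endpoints),
        "soap_actions": sorted(soap_actions),
        "soap_methods": sorted(v for k, v in cfg.items() if k.startswith("metodo")),
        # Short code and long number the subscription flow uses
        "premium_numbers": {k: v for k, v in cfg.items() if k.startswith("numero_")},
        # Server-side kill switch: billing only runs when both flags are on
        "billing_enabled": cfg.get("activa") == "si" and bool(cfg.get("estado")),
        "has_service_credentials": bool(cfg.get("usuario")) and bool(cfg.get("password")),
        "service_account": cfg.get("usuario"),
    }


if __name__ == "__main__":
    report = extract_indicators(parse_reply(SAMPLE_REPLY))
    print(json.dumps(report, indent=2, ensure_ascii=False))
```

Because the billing behaviour is switched on by server-side flags ("activa", "estado"), a static review of the APK alone never shows the final behaviour; the reply has to be captured and parsed, which is also why the hosts it names are the useful blocking indicators.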
Of course, using paid services is not malicious in itself, since it is legitimate for companies to bill for their services, but users should be clearly notified about the service cost and conditions beforehand.
Although we found a reference to "Terms and Conditions" (in Spanish) pointing to the website servimob.com, we could not verify that this information is shown to users and, in any case, users have no opportunity to reject the agreement and avoid being subscribed.
Presence outside Google Play

It makes sense that a group that managed to get this kind of app into Google Play would try something similar using other app sources (thanks to Facundo J. Sánchez, who spotted this).
Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4
This app works slightly differently. It uses other third-party services and sends premium SMS messages for monetization. It gets from the server which number to use, for how many seconds, and whether the screen should be on or off.
We found that it uses very similar words for comments and method names (most of them in Spanish, including "caca"), the same topic (Big Brother), references to "yourmob" and much more, so we can definitely link it to the Spanish group mentioned before.
One of the web services used by this application (http://104.238.188.38/806/) exposed a control panel showing information about the people using this app:
As you probably know, groups developing this kind of app usually reuse their servers and supporting infrastructure for multiple apps, for example this one:
https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/
It was using this VPS as well: http://vps237553.ovh.net. Some of the panels and services provided by the VPS were located here:
http://vps237553.ovh.net/nexmo/getcode.php?code=
http://vps237553.ovh.net/poloni