Overview
Recently, Proofpoint researchers analyzed a mobile malware sample that appeared to be a point-of-sale (POS) terminal management Android app for Chinese markets. However, closer inspection reveals that the app does not include any POS implementation, but is instead a robust information stealer. Malicious apps like these target a subset of users with specialized needs -- and potential access to POS systems and data -- since average users would have no use for a point-of-sale management app.
Analysis
At first glance, the app -- which was found on a public repository -- appears legitimate, featuring an icon showing a point-of-sale machine and Chinese characters that translate to "Mitsubishi POS Terminal Management" (Figure 1). The image and brand name are stolen to create a sense of legitimacy and leverage a widely used type of terminal.
Figure 1: Icon for fake POS management app
Once the app is installed and launched, the main screen shown in Figure 2 appears.
Figure 2: Main screen for fake POS management app
Like the icon, the main screen for the app is written in Chinese. The characters translate to "Mitsubishi POS terminal management system". This screen consists only of the text box with this label and a button, the label for which translates to "Close Program". When a user taps this button, the screen disappears but the app itself continues running. The main screen is the only portion of the app displayed to the user and it has no other visible functions. A closer look at the app's permissions, though, reveal risky and unnecessary capabilities.
Figure 3: Screen 1 of the permissions requested by the malicious app
Figure 4: Screen 2 of the permissions requested by the malicious app
Once installed, the app can start automatically after the device reboots. The code is written in Chinese using E4A programming tool for building Android apps. Figure 5 shows the classes included in the app with the underlying e4a runtime environment.
Figure 5: Classes included in the fake mobile POS app
The app accesses www.123cha[.]com, an IP check site in China, to obtain the external network IP for the device. Further investigation showed that this information, as well as a wide range of additional data, can be transmitted to malicious actors. In addition to network information, the app can exfiltrate text messages (SMS), contacts, device information, a list of installed apps, and location data via FTP when the app starts. The app creates a new directory on an FTP server in Hong Kong with the IP address 103.243.128[.]174 and uploads all data as TXT files. Code strings are written in Chinese but their functions are generally easy to infer. Snippets in Figure 6-9 show several of these functions:
Figure 6: SMS handling functions
Figure 7: Contact handling functions
Figure 8: Selected functions for formatting network information data for exfiltration via FTP
Figure 9: Selected functions for formatting additional data for exfiltration
The malware also has code to handle outgoing calls, answer calls, monitor the calls, and dial phone numbers. Code snippets highlighting several call-handling features are shown in Figures 10-12.
Figure 10: Code for dialing the phone
Figure 11: Code for answering the phone
Figure 12: Code for deleting call logs
The fake mobile POS app can also modify the audio settings and turn the speaker On or Off (Figure 8):
Figure 13: Code for turning on the phone speaker
As noted, the FTP address is located in Hong Kong and is actively collecting information from infected devices. The Android APK for this app also appears to have a valid certificate, making the malicious nature of this app difficult for end users to detect if they do not pay attention to the permissions requested upon installation.
Conclusion
This particular app caught our attention in part because of the complete information stealing capabilities that were built into the code. More importantly, though, the advertised function of the app - a point-of-sale system control app - automatically targeted a niche audience with potential access to a variety of sensitive data for retailers and their customers. While this example was aimed at the Chinese market, bogus apps like these are remarkably common, and as our findings with DarkSideLoader demonstrate, malicious apps and techniques for installing them can originate on Chinese-targeted app marketplaces before being exposed to a more global audience. Over one percent of worldwide app developers - almost 16,000 publishers - are distributing malicious apps through both mainstream and third-party app stores, most of which masquerade as legitimate apps but are in fact far different from what they claim to be.
Organizations, their employees, and average users all must take the time to verify that requested permissions are reasonable as they install new apps. Similarly, it is vital that users only install applications from sanctioned or corporate mobile app stores and remain vigilant to suspicious app behavior as threat actors seek new means of accessing sensitive corporate and personal data via mobile devices.
Indicators of Compromise (IOCs)
| IOC | IOC Type | Description |
|---|---|---|
| 7e1d581572af48205bc7345d8f62bbe1ef22cd2117f70272b711ebd8acebafc8 | SHA256 | Malware sample |
| 1fd5a328dca7d220178097eea4e7177a3abe2ef5d6f5443106ef1e6b8577b6cb | SHA256 | Malware sample |
| a31d3b91b49e68691c9b9d5dc69c0a588b2f92a92eae1a1dc6bc5eed514115e1 | SHA256 | Malware sample |
| 2f99f68de6aaa42c640a44d43725d4fc59ac9f0252c38b94f23929685a07c1b3 | SHA256 | Malware sample |
| 103.243.128[.]174 | IP | Exfiltration FTP server |
ET and ETPRO Suricata/Snort Coverage
2825094 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin via FTP (CWD) (mobile_malware.rules)
2825095 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin via FTP 2 (mobile_malware.rules)