This Thanksgiving deals on your private data too

In a matter of years, we’ve seen Black Friday and Cyber Monday become two of the most anticipated days of the calendar year. While consumers eagerly await the chance to buy this season’s hottest gifts, what they don’t realize is that hackers are also anticipating a holiday treat: their personal data. This weekend, Zscaler uncovered a campaign where malware turning the holiday shopping season into an opportunity to scam large number of people by creating fake apps offering early access to Black Friday and Cyber Monday offers and deals.

The Zscaler research team recently came across one such fake amazon app which was masked as an Black Friday deals app, but actually intended to collect victim’s personal data. The URL from where this fake app is downloaded is as shown below:

  • URL :  http[:]//amazon[.]de[.]offer47263[.]cc/amazon[.]apk
From the URL it can be observed that the malware authors are using cyber squatting to fool the victim and portraying itself as a legitimate Amazon site.

Once the application gets installed it disguises itself as a legit Amazon app.


When the user starts this installed fake Amazon app, it loads another app named “” as seen below.

Loading application dynamically

This newly loaded child application asks for administrative privileges and other risky permissions like sending SMS and dialing phone numbers.


This newly loaded app will first register itself as a service. Even if we remove the fake Amazon app, the “” app will stay persistent and keep doing its activity in the background. Once this malicious app is installed on the victim’s phone, the fake Amazon application will start giving the error message: “Device not supported with App”. This forces the victim to delete the fake amazon app thinking that there were some errors while installing it. As the malicious child app does not have any icon, it is quite difficult for the common users to remove the app.
The presence of this app can be seen in Settings>Apps>Running Applications section of device as shown below.

Silently working in backgroud
Administrative access

This loaded malicious application has code for harvesting user’s personal data.

The following code routine present in the app is used to collect victim’s browser history and bookmarks.

Browser data

It is also able to harvest the call logs, received inbox messages and segregate it into sender’s numbers, SMS body, received incoming call number and contact name etc as shown below.

Call logs
Inbox messages
The malicious app also gathers victims contact details.
This particular piece of malware was also found to be communicating with an IP address in Canada, “198[.]50[.]169[.]251” on port 4467 probably sending the harvest data through network socket.
Hard coded IP

The following packet capture shows the malware communication with its C&C(Command and Control Center).


Packet Capture
Data being sent
Especially during this holiday season, consumers need to be aware of the applications they’re downloading and stay away from such fake apps. Always install applications from legitimate app stores and websites. Be aware of the permissions asked by the application during installation. Shopping apps should not be asking for access to your contacts or SMS. Keeping an eye on the permissions used by the app can save you from installing such fake apps.
+ posts

CIF Presents TWF – Ems Lord


Related articles

The Future of Marketing: Automation vs Innovation

Does AI Understand Your Brand Voice? AI is dropping jaws...

AI Act – New Rules, Same Task

The first law for AI was approved this month...

Time to Ditch Traditional Tools for Cloud Security

Reliance on cloud technologies has significantly expanded the attack...

AI Show – Episode 3 – Guy Murphy

In this third episode of The AI Show! Host...

6 Ways Businesses Can Boost Their Cloud Security Resilience

The rise in cloud-based cyberattacks continues to climb as...

Subscribe to our Newsletter