The Zscaler research team recently came across one such fake amazon app which was masked as an Amazon.com Black Friday deals app, but actually intended to collect victim’s personal data. The URL from where this fake app is downloaded is as shown below:
- URL : http[:]//amazon[.]de[.]offer47263[.]cc/amazon[.]apk
From the URL it can be observed that the malware authors are using cyber squatting to fool the victim and portraying itself as a legitimate Amazon site.
Once the application gets installed it disguises itself as a legit Amazon app.
When the user starts this installed fake Amazon app, it loads another app named “com.android.engine” as seen below.
|Loading application dynamically|
This newly loaded child application asks for administrative privileges and other risky permissions like sending SMS and dialing phone numbers.
This newly loaded app will first register itself as a service. Even if we remove the fake Amazon app, the “com.android.engine” app will stay persistent and keep doing its activity in the background. Once this malicious app is installed on the victim’s phone, the fake Amazon application will start giving the error message: “Device not supported with App”. This forces the victim to delete the fake amazon app thinking that there were some errors while installing it. As the malicious child app does not have any icon, it is quite difficult for the common users to remove the app.
The presence of this app can be seen in Settings>Apps>Running Applications section of device as shown below.
|Silently working in backgroud|
This loaded malicious application has code for harvesting user’s personal data.
The following code routine present in the app is used to collect victim’s browser history and bookmarks.
It is also able to harvest the call logs, received inbox messages and segregate it into sender’s numbers, SMS body, received incoming call number and contact name etc as shown below.
The malicious app also gathers victims contact details.
This particular piece of malware was also found to be communicating with an IP address in Canada, “198[.]50[.]169[.]251” on port 4467 probably sending the harvest data through network socket.
|Hard coded IP|
The following packet capture shows the malware communication with its C&C(Command and Control Center).
|Data being sent|
Especially during this holiday season, consumers need to be aware of the applications they’re downloading and stay away from such fake apps. Always install applications from legitimate app stores and websites. Be aware of the permissions asked by the application during installation. Shopping apps should not be asking for access to your contacts or SMS. Keeping an eye on the permissions used by the app can save you from installing such fake apps.