Mobile Malware Masquerades as POS Management App

March 13, 2017
Proofpoint Staff

Overview

Recently, Proofpoint researchers analyzed a mobile malware sample that appeared to be a point-of-sale (POS) terminal management Android app for Chinese markets. However, closer inspection reveals that the app does not include any POS implementation, but is instead a robust information stealer. Malicious apps like these target a subset of users with specialized needs -- and potential access to POS systems and data -- since average users would have no use for a point-of-sale management app.

Analysis

At first glance, the app -- which was found on a public repository -- appears legitimate, featuring an icon showing a point-of-sale machine and Chinese characters that translate to "Mitsubishi POS Terminal Management" (Figure 1). The image and brand name are stolen to create a sense of legitimacy and leverage a widely used type of terminal.

Figure 1: Icon for fake POS management app

Once the app is installed and launched, the main screen shown in Figure 2 appears.

Figure 2: Main screen for fake POS management app

Like the icon, the main screen for the app is written in Chinese. The characters translate to "Mitsubishi POS terminal management system". This screen consists only of a text box with this label and a button whose label translates to "Close Program". When a user taps this button, the screen disappears but the app itself continues running. The main screen is the only portion of the app displayed to the user, and it has no other visible functions. A closer look at the app's permissions, though, reveals risky and unnecessary capabilities.

Figure 3: Screen 1 of the permissions requested by the malicious app

Figure 4: Screen 2 of the permissions requested by the malicious app

Once installed, the app can start automatically after the device reboots. The code is written in Chinese using the E4A programming tool for building Android apps. Figure 5 shows the classes included in the app along with the underlying E4A runtime environment.

Figure 5: Classes included in the fake mobile POS app
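The permission review described above is the check an end user or an app-vetting team can actually perform before install. The following is an added example, not Proofpoint's code, that parses an AndroidManifest.xml, lists every requested permission that falls outside what a single-screen terminal-management front end could justify, and checks for a BOOT_COMPLETED receiver, which is how an app arranges to run again after a reboot. The manifest fragment, the "expected" permission set and the risk descriptions are constructed for illustration; they mirror the capabilities the post describes but are not taken from the analyzed app.

```python
"""Permission triage for an Android manifest.

Added example, not Proofpoint's code. SAMPLE_MANIFEST is a constructed fragment
that declares the kinds of capabilities the post describes (SMS, contacts, call
handling, location, audio, boot start); it is not the manifest of the analyzed
app, and EXPECTED_FOR_POS_UI is an assumption about a legitimate POS utility.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that expose user data or device control and have no place in a
# single-screen terminal-management utility. Values describe the risk for the report.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.WRITE_CALL_LOG": "modify or delete call history",
    "android.permission.CALL_PHONE": "place calls without user interaction",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe outgoing calls",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.MODIFY_AUDIO_SETTINGS": "change audio routing such as speakerphone",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start automatically after reboot",
    "android.permission.READ_PHONE_STATE": "read device identifiers and call state",
}

# What a plain terminal-management front end could plausibly justify (assumption).
EXPECTED_FOR_POS_UI = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest fragment for illustration; not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.posmanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="POS">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (sorted permission names, set of intent-filter action names)."""
    root = ET.fromstring(xml_text)
    perms = sorted(el.get(NAME_ATTR) for el in root.iter("uses-permission"))
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}
    return perms, actions


def triage(xml_text, expected=EXPECTED_FOR_POS_UI):
    """Flag permissions outside the expected set and boot-time persistence."""
    perms, actions = parse_manifest(xml_text)
    unexpected = [p for p in perms if p not in expected]
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in unexpected if p in SENSITIVE_PERMISSIONS}
    return {
        "permissions": perms,
        "unexpected": unexpected,
        "flagged": flagged,
        # A BOOT_COMPLETED receiver is how the app runs again after a reboot.
        "boot_persistence": "android.intent.action.BOOT_COMPLETED" in actions,
        "verdict": "suspicious" if flagged else "consistent with stated purpose",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("verdict:", report["verdict"])
    for perm, why in report["flagged"].items():
        print("  %s: %s" % (perm, why))
    print("starts at boot:", report["boot_persistence"])
```

The manifest is decoded from a real APK with a tool such as apktool before it can be fed to `triage`; the point of the expected-set comparison is that the question is never "is this permission dangerous in general" but "does this permission make sense for what the app claims to do".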

The app accesses www.123cha[.]com, an IP check site in China, to obtain the external network IP for the device. Further investigation showed that this information, as well as a wide range of additional data, can be transmitted to malicious actors. In addition to network information, the app can exfiltrate text messages (SMS), contacts, device information, a list of installed apps, and location data via FTP when the app starts. The app creates a new directory on an FTP server in Hong Kong with the IP address 103.243.128[.]174 and uploads all data as TXT files. Code strings are written in Chinese but their functions are generally easy to infer. Snippets in Figures 6-9 show several of these functions:

Figure 6: SMS handling functions

Figure 7: Contact handling functions

Figure 8: Selected functions for formatting network information data for exfiltration via FTP

Figure 9: Selected functions for formatting additional data for exfiltration
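The exfiltration behaviour just described (a new directory created on the FTP server, then the collected data uploaded as TXT files) is the same FTP check-in that the ETPRO signatures at the end of this post key on via the CWD command. The following is an added example, not Proofpoint's code, that runs two detections over an FTP command log: a match against the exfiltration server IP from the post's IOC table, and a behavioural rule that fires when a directory creation or change is followed by a burst of .txt uploads in one session, so it also catches the same pattern against a server not yet on any list. The log format, every session in the sample, the file names and the three-uploads-in-60-seconds threshold are constructed assumptions.

```python
"""Detect the FTP check-in/upload pattern over an FTP command log.

Added example, not Proofpoint's code. The log format and every session in
SAMPLE_FTP_LOG are constructed for illustration; the only value taken from the
post is the exfiltration server IP in its IOC table. File names and the
MIN_TXT_UPLOADS / UPLOAD_WINDOW thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the post's IOC table (written 103.243.128[.]174 there).
IOC_FTP_SERVERS = {"103.243.128.174"}

# Constructed log: "<time> <src>:<port> -> <dst>:<port> <FTP command> [argument]".
SAMPLE_FTP_LOG = """\
2017-03-01T10:00:01 10.0.0.5:41022 -> 103.243.128.174:21 USER uploader
2017-03-01T10:00:02 10.0.0.5:41022 -> 103.243.128.174:21 PASS ********
2017-03-01T10:00:03 10.0.0.5:41022 -> 103.243.128.174:21 MKD 20170301100003
2017-03-01T10:00:03 10.0.0.5:41022 -> 103.243.128.174:21 CWD 20170301100003
2017-03-01T10:00:05 10.0.0.5:41022 -> 103.243.128.174:21 STOR sms.txt
2017-03-01T10:00:06 10.0.0.5:41022 -> 103.243.128.174:21 STOR contacts.txt
2017-03-01T10:00:07 10.0.0.5:41022 -> 103.243.128.174:21 STOR device.txt
2017-03-01T10:00:08 10.0.0.5:41022 -> 103.243.128.174:21 STOR apps.txt
2017-03-01T10:00:09 10.0.0.5:41022 -> 103.243.128.174:21 STOR location.txt
2017-03-01T11:00:00 10.0.0.7:50001 -> 192.0.2.10:21 USER backup
2017-03-01T11:00:01 10.0.0.7:50001 -> 192.0.2.10:21 CWD nightly
2017-03-01T11:00:02 10.0.0.7:50001 -> 192.0.2.10:21 STOR report.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+ "
    r"(?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)

MIN_TXT_UPLOADS = 3                  # assumption: a device dump lands as several TXT files
UPLOAD_WINDOW = timedelta(seconds=60)  # assumption: uploads follow the directory change closely


def parse_sessions(log_text):
    """Group commands by (src, dst) in log order as [(time, cmd, arg), ...]."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        sessions[(m["src"], m["dst"])].append(
            (datetime.fromisoformat(m["ts"]), m["cmd"], m["arg"] or "")
        )
    return sessions


def dump_pattern(commands):
    """True if a directory creation/change is followed by a burst of .txt uploads."""
    anchor = next((t for t, cmd, _ in commands if cmd in ("MKD", "CWD")), None)
    if anchor is None:
        return False
    uploads = sum(
        1 for t, cmd, arg in commands
        if cmd == "STOR" and arg.lower().endswith(".txt")
        and anchor <= t <= anchor + UPLOAD_WINDOW
    )
    return uploads >= MIN_TXT_UPLOADS


def detect(log_text):
    """Map each suspicious (src, dst) session to the sorted list of rules it tripped."""
    alerts = {}
    for key, commands in parse_sessions(log_text).items():
        hits = []
        if key[1] in IOC_FTP_SERVERS:
            hits.append("known_exfil_server")
        if dump_pattern(commands):
            hits.append("device_dump_pattern")
        if hits:
            alerts[key] = sorted(hits)
    return alerts


if __name__ == "__main__":
    for (src, dst), rules in detect(SAMPLE_FTP_LOG).items():
        print("%s -> %s: %s" % (src, dst, ", ".join(rules)))
```

Against the sample, the first session trips both rules and the nightly backup session trips neither. The behavioural rule is deliberately kept separate from the IOC match because the post itself notes the server is still actively collecting data; an infrastructure change would silence the IOC rule but not the upload pattern.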

The malware also has code to handle outgoing calls, answer calls, monitor the calls, and dial phone numbers. Code snippets highlighting several call-handling features are shown in Figures 10-12.

Figure 10: Code for dialing the phone

Figure 11: Code for answering the phone

Figure 12: Code for deleting call logs

The fake mobile POS app can also modify the audio settings and turn the speaker on or off (Figure 13):

Figure 13: Code for turning on the phone speaker

As noted, the FTP address is located in Hong Kong and is actively collecting information from infected devices. The Android APK for this app also appears to have a valid certificate, making the malicious nature of this app difficult for end users to detect if they do not pay attention to the permissions requested upon installation.

Conclusion

This particular app caught our attention in part because of the complete information stealing capabilities that were built into the code. More importantly, though, the advertised function of the app - a point-of-sale system control app - automatically targeted a niche audience with potential access to a variety of sensitive data for retailers and their customers. While this example was aimed at the Chinese market, bogus apps like these are remarkably common, and as our findings with DarkSideLoader demonstrate, malicious apps and techniques for installing them can originate on Chinese-targeted app marketplaces before being exposed to a more global audience. Over one percent of worldwide app developers - almost 16,000 publishers - are distributing malicious apps through both mainstream and third-party app stores, most of which masquerade as legitimate apps but are in fact far different from what they claim to be.

Organizations, their employees, and average users all must take the time to verify that requested permissions are reasonable as they install new apps. Similarly, it is vital that users only install applications from sanctioned or corporate mobile app stores and remain vigilant to suspicious app behavior as threat actors seek new means of accessing sensitive corporate and personal data via mobile devices.

Indicators of Compromise (IOCs)

IOC                                                               IOC Type  Description
7e1d581572af48205bc7345d8f62bbe1ef22cd2117f70272b711ebd8acebafc8  SHA256    Malware sample
1fd5a328dca7d220178097eea4e7177a3abe2ef5d6f5443106ef1e6b8577b6cb  SHA256    Malware sample
a31d3b91b49e68691c9b9d5dc69c0a588b2f92a92eae1a1dc6bc5eed514115e1  SHA256    Malware sample
2f99f68de6aaa42c640a44d43725d4fc59ac9f0252c38b94f23929685a07c1b3  SHA256    Malware sample
103.243.128[.]174                                                 IP        Exfiltration FTP server

ET and ETPRO Suricata/Snort Coverage

2825094          ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin via FTP (CWD) (mobile_malware.rules)

2825095          ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin via FTP 2 (mobile_malware.rules)