Intezer - Malicious APKs share code during Covid-19 pandemic

Malicious APKs share code during Covid-19 pandemic

Written by Intezer
Join our free communityGet started
Share Article
FacebookTwitterLinkedIn

Threat actors are exploiting fear and uncertainty to spread Covid-19 themed malicious Android package kits (APKs) onto users’ mobile devices. APKs pose a significant risk to end users because of the sensitive personal information and credentials stored on mobile devices.

We analyzed a popular APK to see if it shares binary code with other Android malware. This particular sample copies significant portions of code from previous Cerberus, Anubis and Ginp variants. Code reuse appears to be an ongoing trend among malicious Android applications.

Update as of April 20
We have been monitoring a high number of malicious APK samples reported on Twitter. For instance, this tweet from MalwareHunterTeam indicating a fake APK alleging to be sponsored by the Turkish Ministry of Health:

Or this example of “Covid.apk” –

https://twitter.com/malwrhunterteam/status/1249027065048899584

Here is another example –

Many of these samples had low detections upon initial upload to VirusTotal, including this fake media player application which had only four detections –

Four Detections

We analyzed the APK using Intezer Analyze which classified the threat to Cerberus:

We analyzed the APK using our genetic analysis platform, Intezer Analyze, which immediately classified the threat to Cerberus

This application is clearly malicious, as seen under the Dalvik Code Reuse section, because it shares the majority of its code with previous Cerberus, Anubis and Ginp variants.

The main connection here is to Cerberus, a banking trojan that attempts to steal the victim’s banking credentials. Cerberus recently underwent an upgrade and is now being shipped with full RAT functionality. The malware can provide its operator with full access to the storage of the infected device. Because this particular application shares 124 genes (or 31.23%) of its code with Cerberus, we can understand that it is a new variant.

MediaPlayer.apk has a strong genetic connection to Anubis, an Android malware which source code leaked in 2019, and is being used by adversaries to develop future Android threats.

We also see shared code with Ginp, which is another APK malware and which shares code with Anubis, as seen from the analysis report. The connection between Ginp and Anubis has been documented in the past and is easy to spot in Intezer Analyze.

Intezer Analyze supports genetic analysis for Android applications
As threat actors continue to exploit fear and uncertainty to spread malware via Covid-19 themed apps, try uploading them to the free community edition to detect malicious APKs and better understand the origins of these threats.

This is a beta feature so please help us improve by sharing your feedback. If you receive an analysis that you think can be improved, let us know by clicking on the report analysis button in the upper right corner of Intezer Analyze.

Intezer

Revealing the “genetic" origins of software, Intezer introduces a new way to detect and respond to cyber threats. Intezer offers enterprises an advanced solution to detect modern cyber attacks, while providing deep context for effective incident response.

© Intezer.com 2020 All rights reserved