Friday, 20 September 2013

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127

I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.

First of all, it starts with a WhatsApp-themed spam:

From:     WhatsApp Messaging Service
Date:     20 September 2013 19:36
Subject:     3 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of Call: 04 seconds

Play

*If you cannot play, move message to the "Inbox" folder.

2013 WhatsApp Inc 

I'm sort-of-vaguely aware of the existence of WhatsApp in the same way that I am vaguely aware of my wife's birthday. Here's the thing though.. click on the link on the PC and you get a fake Plesk 404 page (see this report). But click on it using an Android device and you get something very different.

So, armed with a random Android user agent string and WGET, I accessed the link (in this case [donotclick]www.organocontinuo.com/app.php?message=hADXwckiPdaYKjapSiWJyMR/guGMDz4l8/PCDGmSemg=) and ended up with a 2,735,848 byte file called WhatsApp.apk instead.

I didn't test this on an Android device or the ADK, but apparently it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty health 21/48, but who runs anti-virus software on their Android? (If you aren't running AV, then try this).

So what does it do? Well, I've been using the Anubis sandbox to analyse Windows binaries for a while, but it can analyse the results of Android .apk files too, which is pretty darned cool. And this is what Anubis sees the malicious Android app doing.

Now, if you've read Gary's blog then you will know that this is an Android-based fake anti-virus application. Anubis says that the application's reported URL is defenderandroid.org but I am not sure if this is fake. However, the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before [1] [2] [3].

Up until April, the IP  219.235.1.127  hosted the domains w0580.com and juyuanfang.com, both registered to the same person using the email address sisibin@qq.com. I do not know if they are connected with the fake AV in any way.

Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on thier devices and should take the appropriate steps to keep themselves safe.

8 comments:

martijn said...

There used to be quite a lot of Android-malware (NonCompatible trojan) sent during the first months of the year, usually via compromised Yahoo accounts (and thus sent in relatively low volumes). Non-Android browsers just got a (harmless) weight-loss spam page.

martijn said...

BTW, I did open a link in an Android VM. The malware was downloaded, but nothing happened, for it was set to not accept installs from other app stores.

Brad Ackerman said...

Got this as well... same callback. I haven't attempted reverse-engineering the code beyond what VirusTotal does (the hash on my copy was d94e4560a6af48442c0923f6ea922c1957418575e8e1acf47fcbb02db86cf6b8), but the file assets/AffiliateSettings.xml looks rather like malware-as-a-service.

I'd rate this attack 3/10. Sadly, this actor's lame performance is more than sufficient to score plenty of victims.

rebus said...

Hello,
this is part of the Asprox botnet.
More info on:
http://rebsnippets.blogspot.com/asprox
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf

Best regards
Michal Ambroz

Unknown said...

I own a domain and have a catchall email account. I use different email addresses when ever I sign up for an account or email list. I don't do much "social networking" don't do any (nearly) gaming or junk stuff.

WhatsApp managed to get 4 (FOUR) !! different email addresses for me!!! May have come from Tom's hardware, maybe from instructables.com, maybe from DNS whois.
If I was smart enough to record which address I gave to who I'd be better able to tell who is selling my address.

rebus said...

>WhatsApp managed to get 4 (FOUR) !! different email addresses for me!!!

Hello Unknown.
If you used all those for email addresses as contact address for some DNS domain, then my guess is that it was harvested from there. There are some signs that Asprox botnet does some DNS harvesting already.

Asprox phishing emails are coming from domains having "post" or "mail" or some few additional keywords in the name. All of these used domains do not have SPF or DKIM implemented.

Best regards
Michal Ambroz

dottedfish said...

I also got one from the dyndns.com alias now.

Apparently the spam mail uses adresses leaked during breaches.

What surprises me a little is that Adobe announced they would send out notifications to the customers affected by the breach yet I never got one. Eventually the breach was bigger than anticipated (4 million accounts).

Karen said...

It's coming to my email. How do I block it? It's never sent from the same email twice. Thank you