For more than two weeks, most of the world's population has been confined to their homes and forced to work from the safety of their living rooms.
To stay connected, many have turned to videoconferencing software to keep businesses running or to attend classes. It was only a matter of time before cybercriminals began tricking users into installing trojanized video conferencing applications to take advantage of the surge in users.
Malicious Zoom Clones for the Unwary
Zoom has recently been in the spotlight as one of the booming video conferencing applications, despite its end-to-end encryption issues and lax data sharing with Facebook. It didn't take long for cybercriminals to repackage it, distribute it through third-party markets, and wait for new victims to install it. The samples documented in this article spread outside the Google Play Store and exclusively target users who sideload apps onto their Android devices.
Sample analyzed: 30a1a22dcf7fa0b62809f510a43829b1
Package name: us.zoom.videomeetings
Detection: Android.Trojan.Downloader.UJ
Application label: Zoom
This malware has components injected into the repackaged Zoom application, as shown in Figure 1 below.
Although the user interface is identical to the original application, it carries additional "functionality" the user never signed up for. The malware tries to download its main payload from command-and-control infrastructure at tcp[:]//googleteamsupport[.]ddns.net:4444.
The choice of domain is probably not random and may hint at what the attackers could target next (the Google Team Support application is a collaborative B2B platform whose use has also grown during COVID-19 isolation).
The sample has the same package name as the original Zoom app and has even gone to the trouble of keeping the certificate details as close as possible to the original Zoom app, so that the differences are subtle.
Aggressive adware gangs can’t miss the show
Bitdefender researchers also discovered a tampered APK that specifically targets Chinese users. Once downloaded, the application requests phone, location and photo permissions at startup.
Sample analyzed: fb5243138a920129dd85bb0e1545c2be
Package name: us.zoom.videomeetings
Detection: Android.Adware.Downloader.BC
Application label: Zoom
Targets: China
Each time the victim taps the application icon, the application either does nothing or briefly displays an advertisement before closing.
The piece of code below shows that the main activity is transparent:
As soon as the application is opened, a native ad is loaded and displayed on screen for one second.
When the application finally starts, the victim is shown advertisements as soon as they try to join a meeting, and they keep receiving these advertisements until they press the X button.
The APK we analyzed retrieves its adware data from:
https[:]//sf3-ttcdn-tos.pstatp[.]com/obj/ad-pattern/renderer/package.json (the sf3 prefix differs from one application to another built with the same SDK)
Hard-coded links:
http[:]//sf3-ttcdn-tos[.]pstatp.com/
More Zoom malware
This is another malicious sample that attempts to impersonate the Zoom application and lure victims into installing it.
Sample analyzed: 9930b683d4b31a3398da0fb75c27d056
Package name: app.z1_android_421120320_app_original_file
Detection: Android.Trojan.HiddenAds.AJR
Application label: ZOOM Cloud Meetings
When opened, the application first hides itself from the app menu. It then sets a repeating alarm that randomly sends an intent to an ad service. This service starts an AdActivity, which opens an ad. The link is in the resources: adsforapp1[.]com
The malicious application also checks a hard-coded string in its assets, called "admin". If the string is true, it requests device administrator rights. If the value is set to false (as in our case), it instead tries to download another file (theapkEntrance).
Once opened, the application redirects the user to download this additional component.
At the time of this writing, this sample has been seen in the wild in the United States.
The sample includes functionality to request device administrator permissions in English or Russian, depending on the phone's default language. The malware can also start itself when the device boots.
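An added example on the defensive side of two points above, not code from Bitdefender or Zoom: the first sample kept Zoom's package name and mimicked its certificate details, which a pinned signer fingerprint still catches because the subject fields can be copied but the certificate's SHA-256 cannot, and the third sample carries a hard-coded "admin" asset that switches the device-administrator request on. It assumes a v1 (JAR) signature in META-INF/*.RSA; the pinned fingerprint is a placeholder and build_sample_apk() fabricates the test input.

```python
# Added example, not Bitdefender's or Zoom's code. Assumes a v1 (JAR) signature in META-INF/*.RSA;
# KNOWN_GOOD holds a placeholder pin and build_sample_apk() fabricates the test input.
import hashlib, io, zipfile
KNOWN_GOOD = {"us.zoom.videomeetings": "00" * 32}   # placeholder: pin the real signer SHA-256 here

def der_children(buf, pos=0, end=None):
    """Yield (tag, tlv_start, value_start, value_end) for each DER element in buf[pos:end]."""
    end = len(buf) if end is None else end
    while pos < end:
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                           # long form: the next N bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, start, pos, pos + length
        pos += length

def signer_cert_sha256(pkcs7):
    """SHA-256 of the first Certificate TLV in a PKCS#7 SignedData, i.e. the keytool fingerprint."""
    _, _, s, e = next(der_children(pkcs7))                    # ContentInfo SEQUENCE
    _, ctx0 = list(der_children(pkcs7, s, e))                 # [contentType OID, [0] SignedData]
    _, _, s, e = next(der_children(pkcs7, ctx0[2], ctx0[3]))  # SignedData SEQUENCE
    certs = next(f for f in der_children(pkcs7, s, e) if f[0] == 0xA0)  # [0] IMPLICIT certificates
    _, cstart, _, cend = next(der_children(pkcs7, certs[2], certs[3]))
    return hashlib.sha256(pkcs7[cstart:cend]).hexdigest()

def triage_apk(apk_bytes, claimed_package):
    """Return findings: signer mismatch for the claimed package and the hard-coded 'admin' switch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        sig = next((n for n in names if n.startswith("META-INF/") and n.endswith(".RSA")), None)
        fp = signer_cert_sha256(z.read(sig)) if sig else "unsigned (no v1 signature)"
        if KNOWN_GOOD.get(claimed_package) not in (None, fp):
            findings.append(f"{claimed_package} signer is {fp}, not the pinned certificate")
        if "assets/admin" in names:                 # device-admin switch seen in the HiddenAds sample
            findings.append("assets/admin=" + z.read("assets/admin").decode(errors="replace").strip())
    return findings

def tlv(tag, body): return bytes([tag, len(body)]) + body   # DER short-form length, enough for the sample

def build_sample_apk():
    """Constructed look-alike APK: claims Zoom's package name, different signer, admin switch off."""
    cert = tlv(0x30, b"constructed, not a real certificate")
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") +
                 tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")) + tlv(0xA0, cert))
    pkcs7 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + tlv(0xA0, signed))
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("assets/admin", "false")
    return buf.getvalue(), hashlib.sha256(cert).hexdigest()
```

Against a real APK, `triage_apk(open("sample.apk", "rb").read(), "us.zoom.videomeetings")` reports a signer mismatch whenever the package claims Zoom's name but was not signed with the pinned certificate.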
Bitdefender Mobile Security for Android detects and blocks these applications as Android.Trojan.Downloader.UJ, Android.Adware.Downloader.BC and Android.Trojan.HiddenAds.AJR. To minimize the risk of compromise, Android users are encouraged to install a security solution and limit their downloads to the application stores recommended by their device vendor.