March 11, 2019

Malicious PE files discovered on Google Play

Recently, 360 Beaconlab detected two apps in the Google Play app store that carry malicious PE files. Both apps belong to the same developer, and each has over 10,000 installations.


Our analysis found a PE file named assets.exe in the assets folder of both APKs. Its main malicious behaviors are:

  1. It disguises itself with a folder icon and is written as a compiled AutoIt script;
  2. It modifies the registry so that Explorer hides the extensions of known file types and hides hidden files, and it creates a self-starting (autorun) entry;
  3. It traverses the files on the user's hard drive, hides the folders it finds, and renames itself to the name of the hidden folder, so that the folder-icon executable is what the user sees and opens. In addition, the PE file itself is infected by a file-infecting virus; the virus is loaded before the exe's own code runs and can spread on the local host and across the local area network (LAN).
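The report names the behaviors but not the exact registry locations. As an added example (not code from 360 Beaconlab), the Python below assumes the usual Explorer settings that control those behaviors, Hidden, HideFileExt and ShowSuperHidden under HKCU\...\Explorer\Advanced, and a value under HKCU\...\Run for the autostart entry. Because the hiding values are also Windows defaults, checking them in isolation is noisy, so the script diffs a .reg export of the suspect host against a known-good export and reports values flipped to their hiding setting plus autostart entries that are new. Both exports, the "Updater" and "Documents" entries and the victim path are constructed for the demo.

```python
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Settings that hide hidden files, known-type extensions and protected OS files.
# They are also Windows defaults, so they are judged against a baseline, not alone.
HIDING_VALUES = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}

# Constructed exports (assumed layout, not taken from the sample in the post):
# a known-good export, and one taken after a folder-icon executable ran.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"""

INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"Documents"="C:\\Users\\victim\\Documents.exe"
"""


def parse_reg(text):
    """Parse the .reg subset used here (keys, dword and string values) into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                # .reg escapes backslashes inside string values as "\\"
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def triage(baseline, current):
    """Report Explorer values flipped to their hiding setting and Run entries
    that are new or changed relative to the baseline export."""
    findings = []
    before, after = baseline.get(ADVANCED, {}), current.get(ADVANCED, {})
    for name, hiding in HIDING_VALUES.items():
        if after.get(name) == hiding and before.get(name) != hiding:
            findings.append(f"Explorer\\Advanced\\{name}: {before.get(name)} -> {after[name]} (now hiding)")
    run_before, run_after = baseline.get(RUN, {}), current.get(RUN, {})
    for name, cmd in run_after.items():
        if run_before.get(name) != cmd:
            findings.append(f"Run\\{name}: new autostart -> {cmd}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(BASELINE_REG), parse_reg(INFECTED_REG)):
        print(finding)
```

On a real host, `reg export` writes the .reg file as UTF-16LE, so open it with `encoding="utf-16"` before handing the text to `parse_reg`; the parser only understands dword and plain string values, which is all these two keys normally contain.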

The PE file is detected by 360 and by multiple other AV products. So far we have found no code in the applications themselves, as published on Google Play, that references or launches the malicious PE file; it is therefore suspected that the developer's build machine, used for compiling and packaging, was infected and the file was picked up at packaging time.
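The two checks the analysis above rests on, a PE file sitting in assets/ and no reference to it from the app's own code, are easy to automate. The following Python is an added example, not code from 360 Beaconlab: it walks an APK as a zip, validates each member's MZ and PE\0\0 headers, looks for the "AU3!EA06" marker that compiled AutoIt executables carry, and reports whether the file name occurs as a string in any classes*.dex (an ASCII name is byte-identical in dex MUTF-8, so a substring search is enough). The APK, its stub dex and the fake assets.exe header are constructed inline; the real sample is not reproduced.

```python
import io
import struct
import zipfile

# Marker string present in executables produced by the AutoIt compiler.
AUTOIT_MARKER = b"AU3!EA06"


def pe_info(data):
    """Return (is_pe, machine): follow e_lfanew to the PE signature and read COFF Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4 bytes) + Machine (2 bytes); reject pointers past the end.
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return True, machine


def scan_apk(apk_bytes):
    """List every zip member with a valid PE header, with two triage hints:
    whether it carries the AutoIt marker and whether its file name appears
    as a string in any .dex inside the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_blobs = [z.read(n) for n in names if n.endswith(".dex")]
        for name in names:
            if name.endswith("/"):
                continue
            data = z.read(name)
            is_pe, machine = pe_info(data)
            if not is_pe:
                continue
            basename = name.rsplit("/", 1)[-1].encode()
            findings.append({
                "path": name,
                "machine": machine,  # 0x14c = x86, 0x8664 = x64
                "autoit": AUTOIT_MARKER in data,
                "referenced_in_dex": any(basename in d for d in dex_blobs),
            })
    return findings


def build_fake_pe(machine=0x014C, autoit=True):
    """Constructed, non-runnable stand-in for assets.exe: just enough header to be a PE."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)                   # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> signature at 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)  # 20-byte COFF header
    body = bytes(dos) + b"PE\0\0" + coff + b"\x00" * 64
    return body + (AUTOIT_MARKER + b"\x00" * 16 if autoit else b"")


def build_sample_apk():
    """Constructed APK-like zip (not the Google Play sample): a dex stub that never
    names the PE, a wallpaper image, and the fake PE dropped into assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not binary XML
        z.writestr("classes.dex", b"dex\n035\0Lcom/example/wallpaper/MainActivity;\0")
        z.writestr("assets/wallpaper1.jpg", b"\xff\xd8\xff\xe0 not a PE")
        z.writestr("assets/assets.exe", build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['path']}: machine=0x{f['machine']:x} autoit={f['autoit']} "
              f"referenced_in_dex={f['referenced_in_dex']}")
```

A missing reference in the dex only says the app does not name the file literally; code that builds the name at runtime, or native code under lib/, would not be caught, so treat "referenced_in_dex=False" as supporting the build-machine-infection theory rather than proving it.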


IOC

Package name MD5
com.wallpapers.ha.FootballWorldCup2018 fe4d1c374e821cba1c002ac078163193 70c8b11c47203cc5590e9f42866be897
com.wallpapers.ha.SpidermanWallpaper c2c6c916825014aaa3572c38dc03206a a5c60c7827fa43238c12837efc016cf0

Timeline

  • March 8, 2019: 360 Beaconlab detected the malicious apps on Google Play and reported them to Google.
  • March 9, 2019: Google confirmed that the two apps were classified as PHA (Potentially Harmful Application) and were no longer available on Google Play.
  • March 11, 2019: 360 Beaconlab released this report.

Original article link: http://blogs.360.cn/post/malicious_PE_files_discovered_on_GooglePlay_EN.html
