Most of the world’s population has been under lockdown for more than two weeks, forced to work from the safety of their own homes. Many have turned to video-conferencing software to keep businesses open, to attend classes or just to stay connected. It was just a matter of time until cyber-criminals started to trick users into installing tainted video-conferencing apps to capitalize on the expanded pool of users.

Zoom has been in the spotlight lately as one of the booming applications for video conferencing, despite its issues with end-to-end encryption and liberalized data sharing with Facebook. It did not take long for cyber-criminals to re-package it, disseminate it on third-party markets and wait for new victims to install it.

The samples documented in this article spread outside of the Google Play Store and exclusively target users who sideload applications on their Droids.

Analyzed sample: 30a1a22dcf7fa0b62809f510a43829b1

This piece of malware has components injected in the repackaged Zoom application, as shown in figure 1 below. While the user interface is identical to the original application, it comes with extra “functionality” that the user did not sign up for. The sample has the same package name as the original Zoom application, and the developers have taken even subtle measures to keep the certificate details as close as possible to the original Zoom app.

The malware tries to download its main payload from a command-and-control infrastructure at tcp//:4444

The choice of domains is likely not random, as it could indicate what the attackers might target next (the Google TeamSupport application is a business-to-business collaborative platform that is also surging during the COVID-19 isolation).

Update: We have investigated the domain and uncovered some interesting historical details. This is a dynamic DNS service that allows a user with a dynamic IP address to map it to a subdomain, so they can offer a service without interruption, even when their dynamic IP address changes. Our domain history shows that this subdomain was pointed at an IP address in Jordan (92.253.77.106) that seems to also have resolved. We were able to link the sweetman2020 subdomain to a command and control server for SandoRAT / DroidJack, an Android remote access tool. Last year, security researcher Dancho Danchev also linked this subdomain to several targeted attacks using remote access tools.

Aggressive adware gangs can’t miss the show

Bitdefender researchers have also uncovered a tainted Zoom APK that specifically targets Chinese users.

Analyzed sample: fb5243138a920129dd85bb0e1545c2be

Once sideloaded, the application asks for phone, location and photo permissions on start. When the victim taps the app icon, the application either does nothing, or it briefly displays an ad before closing itself. The piece of code below shows that the main activity is transparent: as soon as the app opens, a native ad is loaded and displayed on the screen for just a second. When the application finally starts, the victim is presented with ads as soon as they try to Join a Meeting. They will keep receiving these ads until they press the X button.

The APK we analyzed retrieves adware info from: Https//sf3-ttcdn-tos.pstatpcom/obj/ad-pattern/renderer/package.json (the sf3 prefix part is different across various apps with the same SDK)

Analyzed sample: 9930b683d4b31a3398da0fb75c27d056

Packagename: app.z1_android_421120320_app_original_file

This is another malicious sample that attempts to impersonate the Zoom application and lure victims into installing it. When opened, the application initially hides itself from the menu. It then starts a repeating alarm that randomly sends an intent to an Ad Service. This service subsequently starts an AdActivity that opens an ad.
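The adware samples above share manifest-level traits a defender can triage before ever running the app: a launcher activity declared with a transparent theme (so tapping the icon appears to do nothing), requests for phone, location and storage permissions on start, and ad components such as an AdService and AdActivity. The script below is an added example written for this article, not Bitdefender’s tooling or code from the samples; it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the manifests it runs on are constructed here with placeholder package names.

```python
"""Static triage of a decoded AndroidManifest.xml for the repackaged-app
traits described above. Heuristics only: a hit is a reason to look closer,
not a verdict on its own."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Key under which ElementTree stores an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permission groups the article says the adware asks for on first start.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
}
# Theme names that make a launcher activity invisible to the user.
TRANSPARENT_THEME_HINTS = ("Translucent", "Transparent", "NoDisplay")
# Component simple names such as AdActivity / AdService (not "Adapter").
AD_COMPONENT_RE = re.compile(r"^Ad[A-Z]")


def is_launcher(activity):
    """True if the activity carries a MAIN/LAUNCHER intent filter."""
    for flt in activity.findall("intent-filter"):
        actions = {a.get(android_attr("name")) for a in flt.findall("action")}
        cats = {c.get(android_attr("name")) for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def triage_manifest(manifest_xml):
    """Return package name, list of findings and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.findall("uses-permission"):
        label = SENSITIVE_PERMISSIONS.get(perm.get(android_attr("name"), ""))
        if label and "permission:" + label not in findings:
            findings.append("permission:" + label)
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver"):
            for comp in app.findall(tag):
                name = comp.get(android_attr("name"), "")
                simple = name.rsplit(".", 1)[-1]
                if tag == "activity" and is_launcher(comp):
                    theme = comp.get(android_attr("theme"), "")
                    if any(h in theme for h in TRANSPARENT_THEME_HINTS):
                        findings.append("transparent-launcher:" + name)
                if AD_COMPONENT_RE.match(simple):
                    findings.append("ad-component:" + name)
    verdict = "suspicious" if len(findings) >= 3 else "review"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed manifest mirroring the adware traits (placeholder package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged.zoom">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Zoom">
    <activity android:name=".MainActivity"
              android:theme="@android:style/Theme.Translucent.NoTitleBar">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdActivity"/>
    <service android:name=".AdService"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison (placeholder package name).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncAdapterService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Run it against the decoded manifest of any sideloaded APK; a transparent launcher together with the phone/location/storage trio and ad-named components is the profile the Chinese-targeted sample shows, and is worth checking against the signer certificate of the genuine app before trusting a matching package name.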