Take a good look at this find in Google Play. It goes by the name Super Free Music Player and has so far attracted between 5,000 and 10,000 downloads:
Now that you’ve had a good look, take our advice and don’t download it. It’s malware.
According to SophosLabs researcher Rowland Yu, the application was uploaded to Google Play on March 31, and uses sophisticated techniques formerly found in BrainTest malware to bypass detection by Google and security researchers. Those techniques include:
- Use of time bombs
- Domain and/or IP mapping
- Use of dynamic code loading and use of reflection
- Use of multiple layers
The malware is able to download additional payloads from remote websites and upload device information, including installed applications and the country, language, manufacture, model, SDK version, and so on, Yu said.
- Related article: SophosLabs report examines Top 10 Android malware
Check Point discovered BrainTest on a Nexus 5 smartphone in 2015. It used multiple techniques to avoid Google Play malware detection and to maintain persistency on infected devices. Google Play removed it, but attackers simply repurposed it, Yu said, adding:
It came back to Google Play as Super Free Music Player and attracted 5,000 – 10,000 Downloads. Sophos has detected them as Andr/Axent-DS.
Technical analysis
SophosLabs has identified the following characteristics of Super Free Music Player:
- The dropper downloaded from Google Play is named com.superfreemusic.songapp.
- The payload is decrypted and planted on Android devices by the dropper.
First, the dropper starts a service called com.hole.content.Erpbiobuft to decrypt and drop the payload. It will continues running this service every hour:
It decrypts and drops the payload:
It then continues running this service every hour. The dropper then uses dynamic code and reflection to load the payload method (com.fb.content.core.enter):
To avoid detection from Google Play, the payload will verify if a device is an emulator by checking several properties such as the emulator phone number (15555215554, 15555215556…) and specific strings such as (/system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace …). Moreover, it is able to check if a popular Android research sandbox, TaintDroid, is used. Also, another time bomb is used to avoid detection.
Com.fb.content.core. is entered into the payload:
A string checklist for the Android emulator is added:
It then checks to see if an Android research sandbox or TaintDroid exists:
The second time bomb will wait for eight hours to start the malicious payload. The malicious app is able to download more encrypted payloads from remote websites:
It will then submit a list of device info to hxxp://s1.deepcups.com/s2/ and hxxp://s1.deepcups.com/s1/:
Defensive measures
As we mentioned above, SophosLabs has identified this as Andr/Axent-DS and protected Sophos users against it.
Our advice to non-Sophos customers is not to download this app if you see it in Google Play. We’ve told Google Play about our discovery.
The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus such as our free Sophos Mobile Security for Android.
By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.