U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Italian Job – Android malware masqueraded as Fake Tre Updater

The CSE CybSec Z-Lab Malware Lab analyzed a new strain of malware apparently developed to target the customers of the Italian telco operator “Tre”. The malware researchers from ZLab analyzed a new strain of Android malware that appears as a fake 3MobileUpdater. The malware looks like a legitimate app used to retrieve the mobile system update, but it […]

Tre android malware

The CSE CybSec Z-Lab Malware Lab analyzed a new strain of malware apparently developed to target the customers of the Italian telco operator “Tre”.

The malware researchers from ZLab analyzed a new strain of Android malware that appears as a fake 3MobileUpdater. The malware looks like a legitimate app used to retrieve the mobile system update, but it hides a powerful spyware which gathers user info from the smartphone.

In order to trick users, the malicious app pretends to be a software distributed by the Italian Telco company Tre H3G (see the app logo) to check and download smartphone updates.

Fake Tre Updater

Figure 1 – Fake Tre Updater – App logo and alert

When the user clicks on the “3 Mobile Updater”, the app shows the screen in the above picture, inviting the user to wait while the system configuration is updated.

In this way, the user will not remove the application waiting form the installation of the legitimate update, but in the background the malware is able to launch a service which periodically sends information and retrieves commands from a Command and Control available at the link “url[.]plus”.

The capabilities of this malicious app are enormous and include the information gathering from various sources, including the most popular social apps, including Whatsapp, Telegram, Skype, Instagram, Snapchat. It is able to steal picture from the gallery, SMS and calls registry apps. All this data is first stored in a local database, created by the malicious app, and later it is sent to the C2C.

Despite its capabilities, the app doesn’t appear well written. The DEBUG flag of the application is enabled, so many activities are logged on the Android logcat and are visible in a simple way.

The presence of the string “TEST” in many strings and some evident coding errors, along the absence  of obfuscation mechanism, suggest the malicious app is not written by skilled developers.

The fake Tre updater is probably a “beta” release or in a test phase, this means that the application is not yet widespread.

Finally, it is interesting to highlight the fact that the malware authors used the Italian language, both in the logcat messages and in the code. This circumstance along with the fact that attackers masqueraded the malware as a a fake Tre updater suggest the vxers are Italian.

According to our analysis the fake Tre updater was developed by an Italian firm, targets and motivations are still not clear.

This report could be the starting point for an investigation of Italian law enforcement, it also includes Yara rules that could be used to detect the threat.

You can download the full ZLAB Malware Analysis Report at the following URL:

https://cybaze.it/download/zlab/20171201_3mobileUpdater_report.pdf

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Android malware, Fake Tre Updater)

[adrotate banner=”5″]

[adrotate banner=”13″]