Android Malware Appears Linked to Lazarus Cybercrime Group
This blog was written by Inhee Han.
The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)
The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legitimate app has been installed more than 1,300 times. The malware itself has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.
Figure 1: Description of the legitimate app on Google Play.
Figure 2: An overview of the malware’s operation.
Comparing Certificates
The repackaged APK has been signed by a different certificate from the legitimate APK. We can see the differences in the following two screen …
IoC