SonicWall's RTDMI engine recently detected an Android adware whose app icon mimics the icon of the Settings app. At the time of detection, the malicious file was not present on popular malware search portals such as VirusTotal and ReversingLabs, which indicates the effectiveness of the RTDMI engine.
When a user clicks on the app icon, it starts its execution in the background and hides itself from the app list as shown below:
It then connects to a malicious URL, sends the victim's device information, and saves the response data into a file named "Config", as shown below:
The response data from the server is in JSON format and contains events that identify the victim device's Internet connectivity type (WiFi or mobile data), as shown below:
Depending on the victim’s connectivity type, a malicious URL is opened and the victim is flooded with random ads as shown below:
Indicators of Compromise:
Shown below is the Capture ATP report of the malicious APK file detected by the RTDMI engine: