Christmas themed Android malware/adware for 2019

The Christmas season brings new targets and themes for malware writers, they use these themes to lure and infect new victims. SonicWall Capture Labs Threats Research team searched for Christmas themed Android samples with malicious intentions.

We scanned popular threat portals for Android samples with keywords like ‘Christmas’, ‘Santa Claus’, ‘Holidays’, etc.  We observed the following trends among Android samples with detection. The number of Christmas themed samples increases as we near the month of December:

• MD5: dec0a7b5e450139ae1bfcf7e80e9fc8e
• Package Name: com.amphibius.santa_vs_zombies1

After installation and execution the app displays the menu screen, in the background it communicates with the domain apir.direct-tap.com:

VirusTotal relations show a number of apps with malicious rating communicate with the domain apir.direct-tap.com:

Once we exit from the app, we observed a shortcuts created on the homescreen:

We observed this app was present in the assets folder and are locally stored at /storage/emulated/0/temp1/:

Once the app shortcut is clicked, a Google Play Protect prompt that requests the user to grant permission to allow the installation of this app from a custom source:

This is dangerous as it is a security risk to install apps from sources other than the Play store.

• MD5: 26fbbe52012d9ba69215892fa32d9fee
• Package Name:com.infovine.yo.app

After installation and execution this app displays a screen with very few options to click:

In the background the app sends sensitive information about the device to the domain gamedroid.pm. This domain has been observed to communicate with malicious Android apps:

On clicking the ‘proceed’ button a GET request goes out to despfans.com/minionrushcheats.apk. This domain is currently down so the apk was not downloaded:

Like the previous app that was analyzed, this app shows a shortcut on the screen as well. Upon clicking this shortcut an attempt is made to download an apk from the domain antivirus-pro.us. Since this domain is currently unregistered the app is not downloaded:

This domain was scanned in the past to host malicious apps:

• MD5: 63b99543b9f87e7718fe5804868fa8c5
• Package Name: com.gogyimogyi.livewallpaper.goldchristmas3d 

We encountered a number of samples with high number of detection ratio on VirusTotal as AirPush adware. These samples contain the AirPush advertisement library which likely triggered detections for these samples.

VirusTotal graph below for the domain api.airpush.com shows a large number of samples with high detection ratio communicating with this domain:

Malware writers hide malicious applications under the guise of what is popular currently. With Christmas almost upon us, we are seeing increasing number of malicious Christmas themed Android apps.

SonicWall Capture Labs provides protection against these threats with the following signatures:

• AndroidOS.InstallApk.GM
• AndroidOS.Downloader.DN
• AndroidOS.Airpush.AD_2

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.