Malicious Android apps observed during Thanksgiving season of 2019


The shopping season during Thanksgiving is amplified by numerous deals during Black Friday and Cyber Monday. There are a lot of mobile apps that keep track of deals, provide discount coupons and provide the convenience of shopping from mobile devices and skipping long lines at shopping malls. Malware writers use this opportunity to spread malware under the guise of shopping/deals related apps.

SonicWall Threats Research Team keeps a vigilant eye on such apps during the shopping season. We observed a number of malicious Android apps in the past few weeks that use the shopping theme to trick users into downloading and installing these apps.  Below are a few highlights from our findings

  • Name: Amazon Shopping Hack
  • Package:
  • SHA: fa87b95eead4d43b2ca4b6d8c945db082b4886b395b3c3731dee9b7c19344bfa


After execution this app shows a human verification page to continue using this app further. This essentially leads to survey related scams that aim towards extracting sensitive user related information such as email address, credit card details, address, etc.

One of the domains contacted by this app during its execution is A quick search about this domain revealed a number of other survey related pages:

This domain is associated with a number of malicious apps, survey scam links and malicious executables:

During analysis of this app, we observed a GET request to which downloads a json file containing a list of different survey scams:


  • Name: 逛街早知道
  • Package:
  • SHA: b8eae5573540392431c71dc4cbe0ca64db95ae494d8e0d8403f7041a16756f44

After execution this app shows coupons from different categories. In the background we saw this app communicate with malicious domains and transmit sensitive information from he infected device. In one instance we saw device location and IMEI details being sent to suspicious domains:

One of the domains that was communicated with is which is connected with a number of malicious apk detections:


  • Name: Daily coupons – hot shopping
  • Package: cn.appfly.dailycoupon
  • SHA: 1ebb118b35d1b9f906f1e78db9a0ea92ba45f86836f63141a48d0dbbb03844b3

After execution this app appears to show coupons from different categories. In the background we saw this app communicate with a domain that has a number of malicious apps associated with it:


  • Name: معجزه شکرگزاری
  • Package: com.marjansb1.thanksgiving
  • SHA: 45149b486cdb79c7bdce5eca95defb64f9b69f3f617d112e790863fbb228bd66

During the app execution we observed sensitive data being transmitted from the device to suspicious domains. Again IMEI data was seen transmitted to these domains along with other device related information:

This app communicated with a domain  which is connected with a number of malicious apks:


SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.Verification.AM
  • AndroidOS.Verification.BR
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.