Evina protects end users from MobOk: an incessantly mutating malware family in Germany

Evina has detected the MobOk family of mobile malware in 49 Android applications.

Several clues indicate a concentration of some of the malware in Germany. Even though it is unusual to see a whole family of malware victims in the same country, fraudsters always look for accessible targets and work on the weaknesses as long as it is lucrative. Germany is unfortunately not exempted. As typical for most malware, MobOk continues to evolve the way it hides its malicious code and fraud methods. In the world of mobile malware, this makes MobOk a particularly challenging opponent.

All Evina customers: mobile operators, payment gateways and content editors are protected from MobOk and in doing so, so are all their customers.

How does it work? MobOk collects information that is useful for its fraudulent activities such as the relevant operator details and mobile device screen size. It then launches an invisible browser that aims to subscribe the user to premium-rate mobile services using the applicable billing operator.

Some MobOk malware applications

MobOk will ask for permission to read notifications and this is how the malware is able to retrieve the content of SMS messages. Consumers have to accept permissions manually.

Phone Booster, a MobOk malware that looks very pro

There are several indications that this type of fraud initiated in Germany. First of all, the majority of negative comments are in German, furthermore the application communicates with the ium2.de domain and finally we have received attacks on German IPs. Other cases concern Asia, especially Thailand and Malaysia.

Google Play comments

DETECTION

Evina has created a honeypot that uses a network of 3G proxy SIM cards around the world to attract fraudulent activity. When we use SIMs in Germany, we have seen fraudulent subscriptions as a result of the MobOk application.

MOBOK GENERATIONS

The malware family has evolved a way to load its fraudulent code to avoid detection by the Play Store.

First generation

In the beginning, the malicious code was located directly in the application with only a simple obfuscation.

NService class contains the service to read SMS in notifications

Second generation

In the second generation of MobOk, the malware had an encrypted DEX file in the Assets folder that contained all the malicious code. The decrypted function was directly in the code.

Encrypted DEX file


The filename after decrypted is renamed a22777.dex

Third generation

Finally, MobOk uses the Bangcle packer, to hide all the files from the library and also has significant anti-reverse engineering protection.

Phone Booster source is packed by Bangcle
.. And then after we unpacked it

FRAUD SCENARIO

During the attack, MobOk sends information from the affected phone to a C&C (Command and Control) server whose domain is: ium2.de. The send request is encrypted by the application.

Request to the command and control server ium2.de

The server in response provides MobOk with the URLs and Javascript to execute in order to achieve this fraud. The response is also encrypted.

Server response decrypted

Then, MobOk turns off the WiFi to connect to the mobile network where it will be able to charge for the premium service.

Disable wifi network

Finally, the malware launches an invisible browser where it browses the URLs it has received and executes Javascript commands.

Load url and javascript in invisible webview

SUMMARY

MobOk is a family of malware that is constantly evolving to remain undetected by the Google Play Store. In its latest generation, and according to our sources, none of the malware in the family has been detected. It is quite likely that MobOk will spread to many other countries and, given the code, that it will extend its fraudulent activities.

HOW TO PROTECT YOURSELF?

If you are an end-user, it is necessary to be careful with the applications you download. To limit the risk, we advise you:

  • To check the comments on the application page
  • To check the permissions (a wallpaper app does not need to have any specific phone permissions)
  • Avoid flashlight, scanner, wallpaper, SMS applications

If you are a service provider, such as a mobile carrier, payment gateway or content editor, you must use an independent anti-fraud solution expert in payment and mobile cybersecurity. 

Evina guarantees end-users safety and ensures a sustainable growth of the German mobile payment market, collaborating with local carriers such as Mobilcom-Debitel and T-Mobile.

APPS

The Fraud Observer

Do you like this article ?

Articles, interviews, analyzes, debates ... Once a month, the most valuable insights and news to fight fraud and grow your business.