| Researchers April 16, 2018


April 16, 2018

mAPT ViperRAT Found in Google Play

By Michael Flossman

Lookout researchers discovered samples belonging to the ViperRAT malware family, a known mobile advanced persistent threat (mAPT), in the Google Play Store. This is one of the few times we've seen an mAPT in an official app marketplace. We discovered two ViperRAT "chat" apps with over 1,000 combined downloads, and upon discovery, notified Google, who has since removed them from the Play Store.

Previously, the actors behind ViperRAT used phishing schemes to trick targets in the Israeli Defense Force into downloading surveillanceware. We believe the same actors are behind this instance of the malware in Google Play and are likely using the legitimacy of the Play Store to make their phishing attacks more successful.

ViperRAT's history

Early last year, Lookout researchers reported on the discovery ViperRAT, when it was used to target and spy on the Israeli Defense Force (IDF). The IDF personnel were compromised through social engineering when they were prompted to download third party chat apps by attackers posing as attractive young women. The young women would send a link to a target and persuade him to click on it and install the Trojanized app. The malware performed basic profiling of the device, and then under certain conditions attempted to download and install a much more comprehensive second stage surveillance component. This second stage provided an attacker with a considerable amount of control over a compromised device and Lookout's Threat Intelligence team uncovered nine secondary payload applications while investigation this actor.

For the majority of 2017 ViperRAT activity has been sporadic, potentially due to the increased media attention around this malware family and the release of indicators of compromise that included associated domains. Despite this tapering off Lookout recently observed its appearance in the Google Play Store which we believe is a milestone for those deploying it.  It is believed that social engineering still plays a significant role in these latest attacks, however by hosting them on the Google Play Store, ViperRAT samples are likely to appear much more credible. Moreover, victims were no longer required to enable third party installations. 

ViperRAT in Google Play

As with earlier trojanized ViperRAT apps, the latest two that were identified on the Play Store were both custom chat apps. The first, VokaChat, had received between 500 - 1,000 downloads while the second, Chattak, listed the number of downloads as between 50 - 100. It is interesting that in these new samples, the chat functionality was fully implemented, something that is different from the previous samples. Furthermore, command and control infrastructure for the two samples remained active (at the time of writing) and even included the privacy statement that Google requires from developers who publish to the Play Store.

The following domains have been attributed to these latest samples.

Domain
vokachat.website
chatackapp.com
sweetdroids.com

Vokachat also makes use of the following project on firebase. https://console.firebase.google.com/project/vokachat/

ViperRAT app 1

ViperRAT app 2

The Motive

There is currently no evidence to suggest the actor behind this new variant has deployed it against the Israeli Defence Forces. That said, whether intentionally, or due to a misconfiguration on server infrastructure, proper usage of the Chattak application that involves creating a user account, results in the app infrastructure serving up the details of what appears to be other users.

Analysis of this shows that there are likely fake accounts (based on email addresses clearly being incorrect), and the recent chat applications do not contain any mechanism to prevent users from entering either fake email addresses or email addresses not under their control. It's currently unclear whether this new variant is targeting its attacks to Saudi Arabia or the wider Middle East region.
The actors behind this attack most likely moved to Google Play not because of their targets, but because it added credibility to their chat apps. Before, the actors would trick victims into downloading an additional chat app, which would then download the surveillanceware. Now, the victim is no longer required to enable third-party installations, indicating that the malware has become even more sophisticated than before.

Independent of the target or motive of the attackers, ViperRAT in Google Play demonstrates the increasing sophistication of mobile threats. A malicious app that can be downloaded from the Google Play store is extremely dangerous, as users will not think twice about downloading it because of their trust in Google. This is alarming to us, because as attackers continually find new ways to add legitimacy to their malicious apps, thier phishing attacks will become more successful.

SHA-1s

  • b2f720c52588459cb270ac793bd4d159cd86f171
  • 0f87d079df4fceb763f2671db34c6a3eedeb5ee1
  • d5cd496c9832289f111afbb475ccd7a09d7d3d3c
  • 320f48b39320b3b2467771ac37cbc3bc88dc8c9b
  • 780b19ecd13b954d16bb1ff2975e04900ad621d7


Author

Michael Flossman,
Security Research Services Tech Lead