Android.uupay

Original Issue Date:- June 4, 2019

Virus Type:-Android Malware

Severity:- Medium

It has been reported that the variants of a malware named as “uupay” targeting android devices are spreading. It is a Trojan that comes hidden in malicious applications and once installed via source (carrier) application, it attempts to gain "root" access to the infected device without user’s knowledge. The malware mainly spreads by installing apps from third party app stores. The earlier smartphone models infected by this malware includes Lenovo S860, Xiaomi MI3, Star N9500 and Huawei G510.

The malware is capable of performing the following functions:

Gather information from the device, such as the IMEI number, device ID, display information and network type.
Download and install additional apps and malware
Requires additional permissions during application installation
Gathers a list of Access Point Names (APNs) and force the device to use specific APN information
Read and Send SMS messages
Enable or disable the device's network connectivity
Extract data from logcat information and send to remote command and control server.

Indicators of Compromise:

Command and Control servers contacted:

s.fsptogo[].com
s.kavgo[.]com
dns[.]com
log6[.]com
push7[.]com
cloud6[.]com
g[.]cn

File Hashes:

fc8c04c2834ca3746d9df8bf1913bc1f
37af8b4c5e54bdbfbd6ac2c86d94260c
9497078861764b7974402791b96773de
04bf01c799e8babf36fed3df946b07a4
1308c1e0354077e6ccc9e45bf3176a81

Some of the compromised app were:

com.android.googleservice
com.google.system.king
com.uucun4470.android.cms

Best Practices:

If you have been infected by Apps such as those mentioned above, kindly uninstall it and if required, reinstall the apps from authentic app stores.
Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only.
Install and maintain updated antivirus solution on android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
Prior to downloading / installing apps on android devices (even from Google Play Store), Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
In settings, do not enable installation of apps from "Untrusted Sources".
Exercise caution while visiting trusted/untrusted sites for clicking links.
Install Android updates and patches as and when available from Android device vendors.
Users are advised to use device encryption or encrypting external SD card feature available with most of the android OS.
Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
Confirm that the banking app you’re using is the official, verified version.
If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
Use two-factor authentication if it’s available.
Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
Refer to security best practices for mobile Phone users:
http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf

References: