Fake Play Market: Zimperium’s z9 against Social Engineering Attack Vectors

Share and earn Cybytes
Facebook Twitter LinkedIn Email
Analysis & Post By:
Alex Calleja (@alximw)
Matteo Favaro (@fvrmatteo)


Since the beginning of 2018, researchers in Zimperium’s zLabs have been tracking a rise in the frequency and sophistication of applications that have been loaded outside of the official Google Play Store. Many of these have leveraged social engineering techniques such as duplicate Play Stores.

At the start of August, zLabs decided to take a look at some previously unknown malware samples that Zimperium’s z9 machine learning-based engine detected in the first half of the year. z9 for Mobile Malware is the only machine learning-based engine capable of detecting previously unknown malware on-device in real-time. One of these apps, “Play Market”, seems to be part of a campaign targeted at monetization through the abuse of advertisements and subscriptions. To help illustrate the threat of apps loaded outside of the Play Store, our analysis of Play Market follows.


Play Market shows a collection of interesting behaviors that are clearly designed for persistence and to trick users into starting the execution the first time, namely:

  • It mimics the Google Play Store application using the same logo and application icon and has “Play Market” as its label; this is clearly a common trick to deceive the user into opening the malware at least once as show here:

  • Once the application has been opened, the MainActivity sets two properties called DONT_KILL_APP and COMPONENT_ENABLED_STATE_DISABLED which hide the application’s icon from the drawer (and forced our analyst to re-enable the component via adb to re-launch it);
  • The AndroidManifest.xml exports a Broadcast Receiver with the intent-filter android.provider.Telephony.SMS_RECEIVED; the only action of the onReceive method is to abort the further broadcasting of the SMS_RECEIVED message;

  • One of the classes exports some interesting utility methods: a method to disable the WiFi connection, one to enable the mobile data connection (via reflection) and one to set the ringer mode to RINGER_MODE_SILENT (avoiding vibration and sound notifications);

  • The MainActivity also takes care of inviting the user to enable access to the DevicePolicyManager (the included configuration is the default one). The malware author crafted two messages to trick the user into enabling the access and possibly not revoking it. In fact, while the Device Admin is active, the application cannot be uninstalled:
    • “Для продолжения установки требуется доступ к памяти устройства, подтвердите доступ” which translates to “To continue the installation, you need to access the device’s memory, confirm access”;
    • “Отключение данной функции может навредить вашему телефону или планшету, вы согласны ?” which translates to “Disabling this feature can damage your phone or tablet, do you agree?”

The aforementioned list of interesting techniques is actively combined with the main chain of events executed by the application:

    • The application declares two methods to fetch the content from an URL and to load web pages into a WebView with JavaScript enabled. The main URL embedded in the application is http://cpw.00xff.net/p.php and it’s loaded with the device information (v is the device API version, im is the device IMEI, sv is the device Android version) and the parameter act with the following values:
      • gettype: in our tests it always returned the string “full”; the “full” response instruct the application to disable the WiFi and forcibly enable the mobile data, then to execute the requests with actions “getcont” and “getrul”;
      • getcont: returns the russian string “подп|стоимость” which translated to “sub|cost of”;
      • land or adv: fetches an URL that redirects to advertisement or subscription websites;
      • getrul: downloads a sequence of JavaScript codes that are split, loaded in the WebView and clearly used to automate the clicking of Ads and subscription buttons.
  • After the first execution, the application also sets up timers to execute the advertisement and subscription fetching to every 24 hours or 1 hour. The AndroidManifest.xml also exports Broadcast Receiver to start the execution after a reboot.
  • Every time the auto-click functionality kicks in, the user is completely unaware of it because the whole execution takes place in a hidden WebView.

Downloaded JavaScript code

The following is an example of downloaded JavaScript code. After splitting on the ||| separator (which is used as lines separator) and the || separator (which is used as elements separator), we obtain the following:


As can be seen, it contains ad-hoc written javascript calls to fill forms and click buttons. This kind of code is traditionally used by clickers. Also, it contains several URLs proving that the author is trying to trigger particular events in carefully selected sites.

Additional information

Although completely unrelated to the main execution chain, the application includes a file named htrerfgh (md5 e80e8801bebf93fd26c37cca85f32cb6) in the Assets folder. It turned out to be an MP4 video with a few seconds of the “Never Gonna Give You Up” song by Rick Astley, and after some seconds, the face of Rick Astley is changed to the face of Rick Harrison.


During dynamic analysis, some domains have been contacted by the malware, either during the configuration phase or during the execution of the advertisement and subscription auto-click tasks, and they change based on the localization of the request.

The configuration domain embedded in the APK is cpw.00xff.net, while some of the domains contacted for advertising and subscription are:

  • di6sartote.ru
  • blw4-1.com
  • marcaapuestas.es
  • mpsnare.iesnare.com
  • r.remarketingpixel.com
  • tracking.perfecttoolmedia.com
  • stats.g.doubleclick.net
  • 7xc4n.com

The hashes of the sample are:

  • MD5: 4aa837d0fc1bf57b1e5df3884b6cfc71
  • SHA1: 8df961d3722fcd02a5e14e51c2cf14821d40f9bb
  • SHA256: 38dead873bc40db7c6ecfc57c24b33758c4443a62cb179378401f1796cf3c11c

App Metadata

Application Name: Play Market

Package Name: com.tosveokrtbv.xjortnrkl
SHA256:  38dead873bc40db7c6ecfc57c24b33758c4443a62cb179378401f1796cf3c11c

Availability: The sample wasn’t available on the Play Store and is not available on VirusTotal

Initial z9 Detection: Detected by z9 for Malware on January 1st, 2018


Like it has for numerous other samples this year, Zimperium’s z9 machine learning-based engine detected these samples while other vendors did not… both at initial sample time and even currently.


The post Fake Play Market: Zimperium’s z9 against Social Engineering Attack Vectors appeared first on Zimperium Mobile Security Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.
Promoted Content
Mobile Threat and Vulnerability Report
Download Zimperium's Enterprise Mobile Threat Report for information mobile malware and Wi-Fi attacks around the globe plus how to defend against, KRACK, BankBot, and other mobile device vulnerabilities.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?