News

VisualThreat Security Lab Uncovers "Se-Cure Mobile AV": a new suspicious Android Fake AV

April 29, 2014

Today VisualThreat’s Security Lab announced the discovery of “Se-cure Mobile AV”, a new Android FakeAV app. It has been little more than two weeks since the “Virus Shield” fake AV was found on Google Play.

This app was spotted by VisualThreat’s online mobile threat analysis platform at www.visualthreat.com. VisualThreat researchers have built a behavior profile of legitimate anti-malware engines. By comparing this profile against newly submitted apps that claim to be mobile AV, researchers can determine whether an app belongs to the fake AV category. In addition, the patent-pending 4-layer threat correlation (static, behavior, malware intra-family and cross-family correlations) also gives a hint of how mobile threats grow, shift and change.

Main findings on Se-Cure Mobile AV (Kudos to our researchers: ZhengFang, Thomas, Kunlun and WenJun from XJTU):

  • In our testing, this app cannot detect any malicious APK file.
  • The app tries to download another APK file from http://malicious.coproration.hxor.ex/test.apk. However, the URL was not accessible at the time of writing.
  • Just like Virus Shield, the UI initially shows a red “Secured!” in the upper-right corner. Once the scan finishes, it changes to a green checkmark.
  • The good news is that there was no evidence that the app also charges users $3.99 like Virus Shield did.
  • GET requests to http://malicious.coproration.hxor.ex/request00.php, equest01.php and equest02.php.
  • For SMS Scan, a Google account is required for registration. After that, the app uses the Google account to send spam emails to the user’s contacts.


    onActivityCreated method in dv:

    In Javascript, dv.a() was called:


    Run() method in dx:

    For email spamming:
    
    doInBackground smali code in the ea class:
    .method protected varargs synthetic doInBackground([Ljava/lang/Object;)Ljava/lang/Object;
        .locals 1
        check-cast p1, [Ljava/lang/String;
        invoke-virtual {p0, p1}, Lea;->a([Ljava/lang/String;)Ljava/lang/String; # calls String a(String[] paramArrayOfString) of the ea class itself
        move-result-object v0
        return-object v0
    .end method
    protected String a(String[] paramArrayOfString):
    

    
    public void a(String paramString1, String paramString2, String paramString3, String paramString4):
    	Param1: subject
    	Param2: content
    	Param3: sender
    	Param4: receiver
    	
    

    
    private void a(String paramString1, String paramString2) in eo class:
    	POST http://malicious.coproration.hxor.ex
    

    Last but not least, this app harvests gmail.com accounts.
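The doInBackground snippet above is the hook through which the spam and C2 traffic runs: a bridge method in an AsyncTask subclass forwards to a same-class worker that holds the hardcoded server URL. As an added example (not code from VisualThreat or from the app), the script below parses a smali class, walks the methods reachable from doInBackground within that class, and reports the hardcoded URLs it finds together with whether the class extends AsyncTask. The smali sample is constructed: it reuses the page's doInBackground bridge and adds a hypothetical a(String[]) body containing the request00.php URL quoted in the post.

```python
import re
# Constructed smali sample (not the real APK): the post's doInBackground bridge
# plus a hypothetical a(String[]) body that embeds the C2 URL quoted in the post.
SMALI_SAMPLE = """\
.class public final Lea;
.super Landroid/os/AsyncTask;
.method protected varargs synthetic doInBackground([Ljava/lang/Object;)Ljava/lang/Object;
    check-cast p1, [Ljava/lang/String;
    invoke-virtual {p0, p1}, Lea;->a([Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
.method protected a([Ljava/lang/String;)Ljava/lang/String;
    const-string v0, "http://malicious.coproration.hxor.ex/request00.php"
    invoke-virtual {p0, v0}, Lea;->b(Ljava/lang/String;)V
    return-object v0
.end method
"""
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([\w<>]+)\(([^)]*)\)")
INVOKE_RE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s+(\S+?)->([\w<>]+)\(([^)]*)\)")
STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+\w+,\s+"([^"]*)"')
URL_RE = re.compile(r"https?://[^\s\"']+")

def parse_smali(text):
    cls = re.search(r"^\.class\s.*?(\S+)$", text, re.M)[1]   # e.g. "Lea;"
    sup = re.search(r"^\.super\s+(\S+)$", text, re.M)[1]     # e.g. "Landroid/os/AsyncTask;"
    methods, cur = {}, None                                  # key: name(params)
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := METHOD_RE.match(line)):
            cur = methods.setdefault(f"{m[1]}({m[2]})", {"strings": [], "calls": []})
        elif line == ".end method":
            cur = None
        elif cur is not None and (m := STRING_RE.match(line)):
            cur["strings"].append(m[1])                      # string constant in this method
        elif cur is not None and (m := INVOKE_RE.match(line)):
            cur["calls"].append((m[1], f"{m[2]}({m[3]})"))   # (target class, name(params))
    return cls, sup, methods

def background_urls(text, entry="doInBackground"):
    """Return (extends AsyncTask?, sorted URLs reachable from `entry` via same-class calls)."""
    cls, sup, methods = parse_smali(text)
    stack = [k for k in methods if k.split("(")[0] == entry]
    seen, urls = set(), set()
    while stack:
        key = stack.pop()
        if key not in seen and key in methods:               # skip walked keys and callees defined elsewhere
            seen.add(key)
            for s in methods[key]["strings"]:
                urls.update(URL_RE.findall(s))
            stack += [callee for c, callee in methods[key]["calls"] if c == cls]
    return sup == "Landroid/os/AsyncTask;", sorted(urls)
```

Run against a real decompiled class (e.g. from apktool output), a hit on both conditions is a strong triage signal for an app that does network work in the background under a "scan" UI, as this one does.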

For more information about our threat report for this app, please visit http://www.visualthreat.com/report.action?md5=16BD4B23B55F0ADE6DF16D8C6DCF502C

No vendor detected it as a FakeAV app at the time of writing this blog.
Update, May 8th 2014: many labs have now reported this FakeAV.