JSDialers: apps calling premium rate numbers (with new techniques) in Google Play

20 de febrero de 2015

During last year, a lot of "made in Spain" malware was found in Google Play. It was basically malware that tried to silently subscribe the victim to premium SMS numbers. From a while now, the problem has vanished, and it was hard to find this kind of apps, at least in Google Play. In Eleven Paths we have found seven apps during these last weeks that use new techniques based in JavaScript, more dynamic and smart. They managed to upload fraudulent apps to Google Play. We have called them JSDialers. Let's see how they work.

With Google Play more vigilant about SMS premium apps in their market, the attackers have tried some other techniques that avoids Java and focus in JavaScript received from the servers. Besides, they do not only subscribe to SMS premium services, but they make phone calls to premium rate numbers. Everything in a very smart way, because, for example, they try to mute the telephone and microphone during the phone calls, tries to hide the phone call itself from the screen... and take the whole code from the servers instead of embedding it.

What the user perceives

When the user downloads and installs any of these apps, something like this will be shown.

First views of the apps
These are the typical "terms and conditions" that probably nobody will read. Accepting them implies making the phone call in an automatic and transparent way for the user. The image "Aceptar" image shown, is taken from this jpg file:

hxxp://www.contentmobileapps.com/called/images/continuar_call_100.jpg

Whatever the user responds about the age, the device will show an animation (a GIF taken from here hxxp://www.contentmobileapps.com/called/images/loading.gif) while the actual phone call is done to a premium rate number.

GIF shown to the user while the phone call is done
It seems that, depending on the phone, a green bar may appear during a few seconds, but the developer tries to hide it.

The device making the call may be detected in the background
The attacker mutes the telephone and microphone so the user is unable to hear the message of the phone calling and the locution.

On the last line one can observe the attempt to mute the microphone and device volume
The victim will be subscribed to this service and will have to face the costs of premium rate calls. The user will now be able to browser the recipes, but the phone call has already been made.

The app is just some links to a web, but the phone call has been made
Once clicking on the "Help" button, the option to unsubscribe is given.

The app offers instructions on how to cancel the subscription
What happens and how does it work?

These apps depend strongly on the servers and work via Cordova plugin. It is a set of device APIs that allow a developer to access device functions via JavaScript... The permissions of the analyzed app are these, although they are not the same in all of them. Some of them lack of the SMS permissions.

Permissions in one of the apps. Some of them lack SMS permissions
The first thing the app does is executing a WebView with Cordova that shows an internal HTML.

The obfuscated domain starts the real communication with the server A request like this is done: hxxp://highmas.com/alcalinas/home.php?movil=ffffffff-XXXX-ffff-ffffd6de17fd&version=16&modelo=GT-XXXX%20(goldenxx). The user will receive a welcome screen and will be asked for his/her age. Whatever is clicked, the app will go to the same function that gathers some information with a form. The value in CAPTCHA field is useless. It seems to belong to some discarded proofs.

Form sent to the server A web redirect after the request, takes the user to a webpage where the country and carrier is checked.

The app checks the country and carrier via JavaScript Once everything is checked, terms and conditions are shown. When accepted, the app calls"term_acept.asp", which finally returns dynamically the premium rate number to be called.

The premium rate number is returned. The app will make an unnoticed phone call
With Cordova's help and a dialler plugin, it finally makes an actual phone call.

Some other interesting info and more apps

The developers have found a way to get back to fraudulent activity with premium rate phone calls. Who is behind these apps? The domains being used and terms and conditions are very clear. We are investigating the developers and some other apps they have, and will try to offer a report soon.

With Path5, we could find similar apps. Some of them have already been removed, but not all of them. They are working on uploading fraudulent apps since early January.

Some examples of found apps
Some apps have mutated from apps related with cars (in Japanese), to porn. This is the preferred way to hide better in Google Play.

App that changed at some point These are the applications, package names and hashes. Only one of these apps has been analyzed in Virustotal, and it was not detected by any engine so far.

Videos hd peliculas porno sexo, com.gepekline, 6f1c3a596920298873f1e38842f751991875e6d6
Peliculas videos sexo Porno hd,com.wheelpvies,34b2bba921e9b7d9c8242d31e2cc011908684d9a
Videos hd peliculas porno sexo ,com.spportss,ada71fc53f9aae5f84cc69814b58f65f1e273067
Canciones infantiles y videos, com.sursongsonline, 1fcce1b8effdcbdef54cc02675eefc5214fec67b
Peliculas videos porno sexo hd,com.escarsysview, 031490dd0b824c02be7d0fe728d67f998ef7c914
Cine estrenos peliculas online, com.filmsmeka, e856cd2d4a366abbb1df18c8bc53c7a35a6da535
Un millón de recetas de cocina, com.recippes, 194362c46b124161a5289d1d3c4c56f93b142044

With our database, we have been able to locate some other apps, and prove that the developers behind them come from Valencia and have been working on these frauds for a few months now.