A new app called Sarahah, which allows people to receive anonymous feedback messages from friends and coworkers, has been quickly gaining popularity. Though it seems like a good concept, the app has already been criticized for silently uploading users' contacts to its servers.

As a result of its quick growth, the ThreatLabZ team was certain the Sarahah app would be a top-of-mind target for attackers. We kept a close watch for any malicious indicators and came across a remote access Trojan (RAT) portraying itself as the app. The Zscaler sandbox readily marked the fake Android app as malicious, as shown in the screenshot below:

The payload is a RAT variant created using DroidJack, a RAT builder that has been in the wild for quite a while. A few months back, we posted a blog about a fake system update on Google Play that was using traces of DroidJack. We also wrote recently about fake Pokemon GO variants, prepared using DroidJack, that were making the rounds in the wild.

DroidJack is a sophisticated piece of software that allows users to build Android Trojans with the ability to perform many invasive tasks:

Bind malicious code with any desired APK.

One final precaution is taken by the fake Sarahah app while transmitting stolen data over the wire: it uses AES encryption to send the data to the C&C server. This step may be taken to prevent the data from being easily detected during malware analysis through a proxy.

Attackers will continue to target victims by embedding malicious code into any new, popular Android app, as it is an easy way to quickly widen their attack base. This was the case with Netflix and Pokemon GO.
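Encrypting exfiltrated data defeats a proxy analyst looking for readable contact lists, but it leaves a different signal: the request body becomes a high-entropy blob that no legitimate JSON or form upload resembles. The following is an added example of that triage heuristic, written for this page and not taken from the original post or from any Zscaler tooling. The sample request bodies are constructed here (one plaintext JSON upload, one pseudo-random blob standing in for AES ciphertext, and the same blob base64-encoded); the 7.0 bits-per-byte threshold and the 64-byte minimum length are assumptions chosen for the example, not values from the page.

```python
import base64
import binascii
import math
import random
from collections import Counter

# Constructed sample bodies (not captured traffic). The "ciphertext" is
# deterministic pseudo-random data standing in for AES output; real AES
# ciphertext has the same near-8-bits-per-byte entropy profile.
PLAINTEXT_BODY = (
    b'{"device":"sdk_phone","contacts":['
    b'{"name":"Alice","phone":"+10000000001"},'
    b'{"name":"Bob","phone":"+10000000002"},'
    b'{"name":"Carol","phone":"+10000000003"}]}'
)
_rng = random.Random(1234)
CIPHERTEXT_BODY = bytes(_rng.getrandbits(8) for _ in range(1024))
B64_CIPHERTEXT_BODY = base64.b64encode(CIPHERTEXT_BODY)

# Assumed thresholds for this example: random/encrypted data of a few hundred
# bytes sits above ~7.5 bits per byte, while JSON, XML and form data stay
# well under 6. Very short bodies are skipped because entropy estimates on
# tiny samples are unreliable.
ENTROPY_THRESHOLD = 7.0
MIN_LENGTH = 64


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given byte string."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def normalise_body(body: bytes) -> bytes:
    """Decode a base64-encoded body so encoded ciphertext is not capped at
    the 6 bits/byte of the base64 alphabet; anything else is returned as-is."""
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return body
    return decoded if decoded else body


def looks_encrypted(body: bytes) -> bool:
    """True when a request body has the entropy profile of ciphertext."""
    payload = normalise_body(body)
    if len(payload) < MIN_LENGTH:
        return False
    return shannon_entropy(payload) >= ENTROPY_THRESHOLD


def triage(requests):
    """Given (app_name, host, body) tuples from a proxy log, return the
    (app_name, host) pairs whose upload bodies look encrypted, so an analyst
    can pull the APK and look for the hardcoded key and cipher mode."""
    return [(app, host) for app, host, body in requests if looks_encrypted(body)]


if __name__ == "__main__":
    # Constructed proxy records for demonstration only.
    sample_requests = [
        ("com.example.notes", "api.example.invalid", PLAINTEXT_BODY),
        ("com.example.fakeapp", "c2.example.invalid", CIPHERTEXT_BODY),
        ("com.example.fakeapp", "c2.example.invalid", B64_CIPHERTEXT_BODY),
    ]
    for app, host, body in sample_requests:
        print(f"{app:22} -> {host:20} entropy={shannon_entropy(normalise_body(body)):.2f}"
              f" flagged={looks_encrypted(body)}")
    print("flagged:", triage(sample_requests))
```

Entropy alone does not prove exfiltration (compressed images and TLS-in-TLS bodies also score high), so the flagged pairs are a worklist for static analysis of the APK rather than a verdict; once the key and mode are recovered from the decompiled code, the captured bodies can be decrypted and the uploaded contact data confirmed.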