Malicious activity points to a server in Estonia

May 5, 2016 13:01 GMT

Malicious ads on reputable news sites automatically downloaded a fake Android update package onto the victim's device; once installed, it infected the user with a banking trojan specifically designed to target bank customers living in France, Germany and Russia.

This new malware, discovered by Intel Security Mobile Research and named Android/Dmisk, was first detected at the end of April, but after an extensive investigation, researchers found clues on social media that revealed the existence of a massive malvertising campaign as early as January 2016.

Dmisk hid as an official Android 6.0 upgrade

Intel Security experts say users noticed that when accessing certain sites, their browser would silently download a file named Android_Update_6.apk onto their device.

The malicious ads were found on the mobile versions of reputable sites such as Slashdot and Android Police, but also on local news sites in France (20 Minutes) and Germany (SPON). Of course, none of these sites is to blame for the malware's distribution. The ads shown on such sites are usually under the control of advertising networks, with little or no input from the sites themselves.

Users who noticed the secretly downloaded APK file would, based on its name, be led to believe it was an Android 6.0 Marshmallow update.
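The drive-by pattern described above (an APK served by an ad host while the user is reading a news page, with a filename dressed up as a system update) can be spotted in web proxy logs. The following is an added example written for this article, not code from Intel Security or from the campaign's analysis; the log format and every host name are constructed (they use the reserved `.invalid` TLD), and the keyword list is an assumption about what a fake-update filename tends to contain.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic from the campaign).
# Format: client_ip method url status content_type referrer
SAMPLE_LOG = """\
10.0.0.5 GET http://ads.example-adnet.invalid/serve/Android_Update_6.apk 200 application/vnd.android.package-archive http://m.news.example.invalid/story/123
10.0.0.7 GET http://m.news.example.invalid/css/site.css 200 text/css http://m.news.example.invalid/story/123
10.0.0.9 GET http://cdn.example-store.invalid/app/weather.apk 200 application/vnd.android.package-archive http://cdn.example-store.invalid/apps/weather
10.0.0.5 GET http://ads.example-adnet.invalid/img/banner.png 200 image/png http://m.news.example.invalid/story/123
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")
APK_MIME = "application/vnd.android.package-archive"
# Assumed keyword list: words a fake "system update" download tends to carry.
UPDATE_WORDS = ("update", "upgrade", "android", "system")


def parse_line(line):
    """Split one constructed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, status, ctype, ref = m.groups()
    return {"ip": ip, "method": method, "url": url, "status": int(status),
            "ctype": ctype, "referrer": ref}


def is_apk(entry):
    """An APK is identified either by its MIME type or by a .apk path suffix."""
    return entry["ctype"] == APK_MIME or urlparse(entry["url"]).path.lower().endswith(".apk")


def looks_like_fake_update(entry):
    """True when the downloaded filename contains one of the assumed update keywords."""
    name = urlparse(entry["url"]).path.rsplit("/", 1)[-1].lower()
    return any(word in name for word in UPDATE_WORDS)


def flag_drive_by_apks(log_text):
    """Return (client_ip, url, reasons) for successful APK downloads that are
    served by a host other than the page the user was reading, or whose
    filename mimics a system update. Same-origin APKs with plain names
    (a user deliberately fetching an app from a store) are not flagged."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["status"] != 200 or not is_apk(e):
            continue
        host = urlparse(e["url"]).hostname
        ref_host = urlparse(e["referrer"]).hostname
        reasons = []
        if ref_host is not None and host != ref_host:
            reasons.append("apk served by a host other than the referring page")
        if looks_like_fake_update(e):
            reasons.append("filename mimics a system update")
        if reasons:
            flagged.append((e["ip"], e["url"], reasons))
    return flagged


if __name__ == "__main__":
    for ip, url, reasons in flag_drive_by_apks(SAMPLE_LOG):
        print(ip, url, "; ".join(reasons))
```

Run against the constructed log, only the ad-network APK with the update-style name is reported; the same-origin `weather.apk` download passes because neither condition holds. In a real deployment the referrer check should be paired with an allow-list of known app-store hosts, since the referrer header is optional and easily absent.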

Crooks paid special attention to hiding their malicious code

Running the APK installs a new app called Android Update 6, which poses as the Android 6.0 upgrade package. In reality, opening this app launches the Dmisk malware.

As with other Android financial malware, Dmisk collects data about the device so it can register it with its C&C (command and control) server, and then begins listening for incoming SMS messages.

Because the app was packed and heavily obfuscated, Intel Security researchers weren't able to crack the malware's entire mode of operation, but this type of behavior is regularly found in Android banking trojans.

In some cases, researchers also observed Dmisk engaging in click fraud by covertly taking over the device and clicking on ads for the crooks' financial gain.

Dmisk was at one point available via the Google Play Store

Security experts had their suspicions confirmed when they saw that the malware included filters to watch for SMS messages coming from known financial institutions from France, Germany, and Russia.
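The behaviour described in the two passages above (register the device, then listen for incoming SMS and filter for bank senders) leaves a recognisable footprint in an app's manifest: SMS permissions combined with a broadcast receiver for the `SMS_RECEIVED` action, plus the permissions needed to fingerprint the device and reach a server. The triage script below is an added example for this article, not code from Intel Security and not Dmisk's actual manifest; the sample manifest and its package name are constructed to show the pattern, and the scoring thresholds are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's notation for a namespaced attribute

# Constructed manifest that reproduces the permission/receiver pattern typical
# of SMS-intercepting banking trojans. The package name is invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Android Update 6">
    <receiver android:name=".SmsWatcher" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
DEVICE_INFO_PERMS = {"android.permission.READ_PHONE_STATE"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000  # assumed threshold; well above what ordinary apps declare


def triage_manifest(xml_text):
    """Parse an AndroidManifest.xml and report indicators of SMS interception.

    Returns a dict with the declared label, permissions, every receiver that
    registers for SMS_RECEIVED (with its declared priority), a list of
    human-readable findings, and a 'suspicious' verdict."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(A + "label") if app is not None else None

    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {act.get(A + "name") for act in flt.findall("action")}
            if SMS_ACTION in actions:
                prio = flt.get(A + "priority")
                sms_receivers.append((recv.get(A + "name"), int(prio) if prio else 0))

    findings = []
    if perms & SMS_PERMS:
        findings.append("requests SMS permissions: %s" % ", ".join(sorted(perms & SMS_PERMS)))
    if sms_receivers:
        findings.append("registers a receiver for SMS_RECEIVED")
    if any(prio >= HIGH_PRIORITY for _, prio in sms_receivers):
        findings.append("SMS receiver asks to be ordered ahead of other apps (high priority)")
    if perms & DEVICE_INFO_PERMS:
        findings.append("can read device identifiers (used to register with a C&C)")
    if "android.permission.INTERNET" in perms and sms_receivers:
        findings.append("network access plus SMS receiver: intercepted messages can be sent out")

    # Assumed verdict rule: SMS interception plus a network path is the core pattern.
    suspicious = bool(perms & SMS_PERMS) and bool(sms_receivers) \
        and "android.permission.INTERNET" in perms
    return {"label": label, "permissions": perms, "sms_receivers": sms_receivers,
            "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("app label:", report["label"])
    for line in report["findings"]:
        print(" -", line)
    print("suspicious:", report["suspicious"])
```

The script only reads the manifest, so it is a first-pass filter rather than a verdict: a legitimate messaging app declares the same receiver and permissions. What makes the combination worth a closer look is the context the article gives, an app named as a system update that has no business reading SMS at all. For a packed sample like Dmisk the manifest is also one of the few parts that obfuscation cannot hide, since the platform must be able to read it.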

Continuing their research, Intel Security also discovered earlier versions of this malware making their way onto the official Play Store in October 2015, but Google was quick to remove the infected apps. Intel also tracked the distribution of this malware to third-party app stores such as ApkPure.

Researchers say the Dmisk malware campaign is still active, especially for users located in France and Germany. Most of the recent activity was tracked down to C&C servers located in Estonia. Intel says it contacted local authorities and the hosting provider to have the servers shut down.

Image captions: Users reporting the forced download via Slashdot; Users reporting the forced download via SPON.