Kaspersky Labs has detailed Android malware that mainly targets Chinese and Korean users. The malware is designed to steal the two-factor authentication codes for Google accounts that are delivered via SMS/MMS.
Kaspersky Labs has detailed many of the interesting technical elements of the malware. For example, the command-and-control mechanism in the analyzed samples looked up strings on web pages hosted on legitimate sites such as sohu.com and baidu.com. Kaspersky also believes the initial infection vector for the Android devices was compromised routers in Asia: the routers redirected Android devices to malicious sites via DNS hijacking. The malware does have a component that appears to target English-speaking users, but the HTML within the malware is written in broken English. After additional analysis, most researchers have attributed this malware to cybercriminals focused on Chinese and Korean targets.
Proficio Threat Intelligence Recommendations:
- Do not allow users to bring “rooted” Android devices onto corporate networks (rooted devices were targeted in this campaign)
- Compromised routers allowed the attackers to perform DNS hijacking in this campaign; security operations should monitor corporate routers for attacks and compromise
- SOCs (security operations centers) often detect infected BYOD cellular devices on guest networks or corporate wireless networks; corporate IT should decide what action (or no action) to take when these detections occur
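The router recommendation above can be turned into a routine check. The following is an added example, not Kaspersky's or Proficio's tooling, of the two tests a SOC can run against a router suspected of DNS hijacking: compare the DNS servers the router hands out via DHCP against an approved list, and resolve a few "canary" hostnames both through the router's resolver and through a known-good resolver, flagging answers that point a public hostname at a non-routable address or that share nothing with the trusted answer. All hostnames, addresses and the approved-resolver list here are constructed sample data (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), so the script runs offline; in production the two resolver callables would issue real queries.

```python
"""DNS-hijack canary check (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# A resolver takes a hostname and returns the set of IPv4 addresses it answered with.
Resolver = Callable[[str], Set[str]]

# Ranges that should never be the answer for a public hostname; an answer in one
# of these means the router's resolver (or something upstream of it) rewrote it.
SUSPICIOUS_ANSWER_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


@dataclass
class Finding:
    subject: str    # hostname or resolver address the finding is about
    detail: str     # what was observed
    severity: str   # "high" or "medium"


def check_resolvers(advertised: Iterable[str], approved: Iterable[str]) -> List[Finding]:
    """Flag every DNS server the router advertises (DHCP option 6) that is not approved."""
    approved_set = set(approved)
    return [
        Finding(ip, "router advertises a DNS server that is not on the approved list", "high")
        for ip in advertised
        if ip not in approved_set
    ]


def _is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPICIOUS_ANSWER_RANGES)


def check_canaries(domains: Iterable[str], router_resolve: Resolver,
                   trusted_resolve: Resolver) -> List[Finding]:
    """Resolve each canary through both resolvers and compare the answers."""
    findings: List[Finding] = []
    for domain in domains:
        router_ips = router_resolve(domain)
        trusted_ips = trusted_resolve(domain)
        bad = sorted(ip for ip in router_ips if _is_non_routable(ip))
        if bad:
            # A public hostname resolving to a private/loopback address is a hijack signature.
            findings.append(Finding(domain, f"router resolver answered with non-routable {bad}", "high"))
            continue
        if not router_ips & trusted_ips:
            # Disjoint public answers are only medium: CDNs legitimately vary by vantage point,
            # so corroborate (e.g. compare the TLS certificate served) before declaring compromise.
            findings.append(Finding(
                domain,
                f"router answer {sorted(router_ips)} shares nothing with trusted answer {sorted(trusted_ips)}",
                "medium"))
    return findings


# --- Constructed sample data (assumed values, not addresses observed in the campaign) ---
CANARY_DOMAINS = ["play.google.com", "accounts.google.com", "www.example.com"]
APPROVED_RESOLVERS = ["10.10.0.53", "10.10.1.53"]          # corporate resolvers (assumed)
ADVERTISED_RESOLVERS = ["10.10.0.53", "192.168.1.1"]       # what the sample router hands out

_TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "play.google.com": {"203.0.113.10", "203.0.113.11"},
    "accounts.google.com": {"203.0.113.20"},
    "www.example.com": {"198.51.100.5"},
}
_ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "play.google.com": {"203.0.113.11"},        # overlaps with trusted answer: fine
    "accounts.google.com": {"198.51.100.99"},   # disjoint public answer: needs corroboration
    "www.example.com": {"192.168.1.1"},         # private address for a public host: hijack
}


def sample_trusted(domain: str) -> Set[str]:
    return _TRUSTED_ANSWERS.get(domain, set())


def sample_router(domain: str) -> Set[str]:
    return _ROUTER_ANSWERS.get(domain, set())


def run_sample() -> List[Finding]:
    """Run both checks over the constructed sample; returns three findings."""
    findings = check_resolvers(ADVERTISED_RESOLVERS, APPROVED_RESOLVERS)
    findings += check_canaries(CANARY_DOMAINS, sample_router, sample_trusted)
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper()}] {f.subject}: {f.detail}")
```

Running the sample produces three findings: the unapproved 192.168.1.1 resolver, a medium-severity disjoint answer for accounts.google.com, and a high-severity private-address answer for www.example.com. The severity split matters in practice: the non-routable answer and the rogue resolver are near-certain compromise indicators, while a disjoint public answer alone is common with CDN-fronted hostnames and should trigger corroboration rather than an immediate incident.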