June 10, 2021
FBC_haretolas
As of this writing, the list of "live" applications:
- com.haretolas.nerot
List of deleted applications:
- com.bestrelax.komand
- com.supapps.avdenture.slo
- com.gamehob.finalarchery
Analysis
The analysis is shown using the com.haretolas.nerot application as an example.
Traffic capture showed the initial link and the redirect chain that follows it. The complete chain of transitions, as seen in the traffic analyzer, is:
- https://firebaseremoteconfig.googleapis.com/v1/projects/202035042614/namespaces/firebase:fetch
- http://chek-global.com/index.php?key=mu0cuwk06u3b2pvvy7vy&id=haretolas&utm_source=google-play&utm_medium=organic&install_time=2021-06-10_13:05:07.285&af_message=organic_install&af_status=Organic&is_first_launch=true&event_data=com.haretolas.nerot|erUqKaWAufKcJfHCxx38b7|1623296193977-4415272586468261393
- https://bhufgtds.com/dany/cvlnk?param=haretolas&click_id=0e6daftqq7s1mwje3d&lp=00
- https://huffsongpp.live/clbv/p7200/?goto=sitereg&atp=haretolas&plid=8194&bnid=21815&click_id=0e6daftqq7s1mwje3d
- https://huffsongpp.live/m1059/check/register/?goto=sitereg&atp=haretolas&plid=8194&bnid=21815&click_id=0e6daftqq7s1mwje3d&no-smart=1&no-antiblock=1&ref=mb_BQACIAAAN1UAACAcAAA.2021-06.10.haretolas&uuid=5d799d4f539e1c19a42a1fe53c0144a6cb76a228
The initial link is delivered by the Firebase Remote Config service: the fetch from firebaseremoteconfig.googleapis.com is the first request, and the app then opens the link it received. The second hop reports install-attribution data upstream (utm_source=google-play, af_status=Organic, is_first_launch=true, install_time, and the package name inside event_data), and the click_id assigned there is carried unchanged through every later hop until the registration page (goto=sitereg) on huffsongpp.live.
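To make the chain analysis reproducible, here is an added example (not part of the original write-up) that parses the captured hops, pulls out the Remote Config project number, the attribution parameters and the click_id that ties the hops together, and emits a YARA rule over the downstream hosts in the spirit of the conclusion. The URLs are the ones listed above; the function names and the rule name are assumptions made for illustration.

```python
"""Parse a captured redirect chain and derive indicators from it.

Added example: the hop URLs are copied from the captured chain on this page;
helper names and the YARA rule name are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Sample input: the hop chain captured from com.haretolas.nerot (from the page).
CHAIN = [
    "https://firebaseremoteconfig.googleapis.com/v1/projects/202035042614/namespaces/firebase:fetch",
    "http://chek-global.com/index.php?key=mu0cuwk06u3b2pvvy7vy&id=haretolas&utm_source=google-play"
    "&utm_medium=organic&install_time=2021-06-10_13:05:07.285&af_message=organic_install"
    "&af_status=Organic&is_first_launch=true"
    "&event_data=com.haretolas.nerot|erUqKaWAufKcJfHCxx38b7|1623296193977-4415272586468261393",
    "https://bhufgtds.com/dany/cvlnk?param=haretolas&click_id=0e6daftqq7s1mwje3d&lp=00",
    "https://huffsongpp.live/clbv/p7200/?goto=sitereg&atp=haretolas&plid=8194&bnid=21815"
    "&click_id=0e6daftqq7s1mwje3d",
    "https://huffsongpp.live/m1059/check/register/?goto=sitereg&atp=haretolas&plid=8194&bnid=21815"
    "&click_id=0e6daftqq7s1mwje3d&no-smart=1&no-antiblock=1"
    "&ref=mb_BQACIAAAN1UAACAcAAA.2021-06.10.haretolas&uuid=5d799d4f539e1c19a42a1fe53c0144a6cb76a228",
]

# Query keys that carry install-attribution telemetry (AppsFlyer-style af_* plus utm_*).
ATTRIBUTION_PREFIXES = ("af_", "utm_")
ATTRIBUTION_KEYS = {"install_time", "is_first_launch", "event_data"}
FIREBASE_RC = re.compile(r"^/v1/projects/(\d+)/namespaces/([^/:]+):fetch$")


def parse_hop(url: str) -> dict:
    """Split one hop into host, path and flattened query parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}  # each key occurs once in these URLs
    return {"scheme": parts.scheme, "host": parts.hostname, "path": parts.path, "params": params}


def firebase_project(hop: dict):
    """Return (project_number, namespace) for a Remote Config fetch, else None."""
    if hop["host"] != "firebaseremoteconfig.googleapis.com":
        return None
    m = FIREBASE_RC.match(hop["path"])
    return (m.group(1), m.group(2)) if m else None


def attribution_params(hop: dict) -> dict:
    """Pick out the attribution fields a hop reports to the tracking server."""
    return {k: v for k, v in hop["params"].items()
            if k.startswith(ATTRIBUTION_PREFIXES) or k in ATTRIBUTION_KEYS}


def click_ids(hops) -> set:
    """All distinct click_id values seen along the chain."""
    return {h["params"]["click_id"] for h in hops if "click_id" in h["params"]}


def analyse_chain(urls) -> dict:
    """Summarise a chain: hosts, config source, attribution data, funnel id, landing page."""
    hops = [parse_hop(u) for u in urls]
    project = next((p for p in map(firebase_project, hops) if p), None)
    attribution = next((a for a in map(attribution_params, hops) if a), {})
    ids = click_ids(hops)
    return {
        "hosts": [h["host"] for h in hops],
        "firebase_project": project,
        "attribution": attribution,
        # A single id across hops means one tracked funnel; None if it changes or is absent.
        "click_id": ids.pop() if len(ids) == 1 else None,
        "landing": (hops[-1]["host"], hops[-1]["params"].get("goto")),
    }


def yara_rule(urls, rule_name: str = "haretolas_redirect_chain") -> str:
    """Emit a YARA rule over the chain's non-Google hosts (rule name is an assumption).

    The Remote Config endpoint is shared by every app that uses Firebase, so it
    is left out on purpose: matching on it would flag benign apps as well.
    """
    hosts = []
    for hop in map(parse_hop, urls):
        if hop["host"].endswith("googleapis.com") or hop["host"] in hosts:
            continue
        hosts.append(hop["host"])
    strings = "\n".join(f'        $h{i} = "{host}" ascii wide' for i, host in enumerate(hosts))
    return (f"rule {rule_name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        any of ($h*)\n}}\n")


if __name__ == "__main__":
    summary = analyse_chain(CHAIN)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print(yara_rule(CHAIN))
```

The rule string matches the hop domains as plain ASCII or UTF-16 text, which is how such links usually sit in an APK's resources or dex strings; a second rule on strings unique to the application family, as the conclusion suggests, would cut false positives from unrelated apps that merely link to one of these domains.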
The result of searching for this data in the source files:
Conclusion
The outcome of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application. Note that the firebaseremoteconfig.googleapis.com endpoint is used by every app that relies on Firebase Remote Config, so the rules key on the downstream domains and the application-specific strings rather than on the config fetch itself.
Yara rules: https://pastebin.com/PUweuGPe
Password: C4D89dAsFY