com.book 15.02.2021
Introduction
Some applications give away their membership in a group as soon as they are analyzed. This is clearly visible in the tracking spreadsheet:
If you look at the last column, you will immediately notice the similarity between these applications; that similarity is what gave the group its name.
Currently live:
- com.prineschego.nareshalchego
- com.naebemgoogle.moderatorlox
Already removed:
- com.bogoizbran.lolipopo
- com.lolololo.betwins
- com.perevozilkjijsd.satifactionking
- com.kulunkus.morbagradisr
- com.tvoyamamka.utopilakotika
- com.prezervativboga.lokiboginya
- com.pavlosatanist.satanapavlo
- com.lolisoskatook.volskayashlak
- com.serenadaboga.merlinbochka
- com.bumbum.frosyasuka
Analysis
Traffic analysis showed the chain of redirects from the initial link embedded in the application to the final landing page:
The chain of requests in text form:
- https://palbatolisee.cf/jKhvtH
- https://trafoed.com/go/?app=17&sub_id_1={sub1}&sub_id_2={sub2}&sub_id_3={sub3}&sub_id_4={sub4}&sub_id_5={sub5}
- https://pepperpartners.scaletrk.com/click?a=536&o=88&sub_id1=TRASH
- https://goldcupcomua.g2afse.com/click?pid=195&offer_id=29&ref_id=b4851ace292f634259bf4d21b0308a2e&sub4=536&l=1611824712
- https://tdskt.com/NGVzrCmz?external_id=602b7f9d17a38e00013e0653&sub_id_1=195&sub_id_2=cpa&sub_id_4=536&sub_id_5=facebook.app&sub_id_6=&sub_id_7=&sub_id_8=&sub_id_3=signup
- https://millionua.com/users/sign_up?_subid=3rh0uc733g0r&mtag=195&mtag1=195&mtag2=cpa&mtag3=signup&mtag4=536&mtag5=facebook.app
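The chain above is a typical affiliate-tracking funnel: each hop rewrites the previous hop's tracking parameters under its own names, so the same IDs can be followed from the first tracker to the sign-up page. The script below is an added example (not part of the original post) that parses the captured URLs and reports which parameter values survive across hops; the URL list is taken verbatim from the chain above, and the threshold of two hops is an assumption.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# The redirect chain exactly as captured in the post; hop 0 is the link embedded in the APK.
CHAIN = [
    "https://palbatolisee.cf/jKhvtH",
    "https://trafoed.com/go/?app=17&sub_id_1={sub1}&sub_id_2={sub2}&sub_id_3={sub3}&sub_id_4={sub4}&sub_id_5={sub5}",
    "https://pepperpartners.scaletrk.com/click?a=536&o=88&sub_id1=TRASH",
    "https://goldcupcomua.g2afse.com/click?pid=195&offer_id=29&ref_id=b4851ace292f634259bf4d21b0308a2e&sub4=536&l=1611824712",
    "https://tdskt.com/NGVzrCmz?external_id=602b7f9d17a38e00013e0653&sub_id_1=195&sub_id_2=cpa&sub_id_4=536&sub_id_5=facebook.app&sub_id_6=&sub_id_7=&sub_id_8=&sub_id_3=signup",
    "https://millionua.com/users/sign_up?_subid=3rh0uc733g0r&mtag=195&mtag1=195&mtag2=cpa&mtag3=signup&mtag4=536&mtag5=facebook.app",
]


def parse_hop(url):
    """Split one hop into (host, path, [(param, value), ...]); blank values are kept."""
    parts = urlsplit(url)
    return parts.netloc, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def hosts(chain):
    """Ordered list of hosts the victim is bounced through."""
    return [urlsplit(u).netloc for u in chain]


def value_occurrences(chain):
    """Map every concrete parameter value to the (hop index, host, param name) places it occurs.

    Empty values and unfilled tracker macros such as "{sub1}" are ignored, since they
    carry no identifier.
    """
    occ = defaultdict(list)
    for i, url in enumerate(chain):
        host, _, params = parse_hop(url)
        for name, value in params:
            if value == "" or value.startswith("{"):
                continue
            occ[value].append((i, host, name))
    return dict(occ)


def propagated_values(chain, min_hops=2):
    """Values seen on at least `min_hops` distinct hops (assumed threshold).

    These are the affiliate / campaign IDs handed down the funnel; they are what you pivot
    on when clustering samples or attributing a campaign to an affiliate account.
    """
    return {
        value: places
        for value, places in value_occurrences(chain).items()
        if len({hop for hop, _, _ in places}) >= min_hops
    }


if __name__ == "__main__":
    print(" -> ".join(hosts(CHAIN)))
    for value, places in propagated_values(CHAIN).items():
        trail = ", ".join(f"hop {hop} {host} {name}" for hop, host, name in places)
        print(f"{value!r}: {trail}")
```

Run against the captured chain, the report shows the affiliate ID 536 entering at the scaletrk hop and being carried as `sub4`, `sub_id_4` and `mtag4` to the sign-up page, and the publisher ID 195 entering at g2afse and arriving as `mtag`/`mtag1`; the `cpa`, `signup` and `facebook.app` tags (the campaign claims a Facebook-app traffic source) travel the last two hops together. Those persistent values, not the disposable first-hop domain, are the stable indicators for this campaign.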
Once the request chain had been captured, the initial link was searched for in the application's code. The actor is most likely new to the market, or has been working with these particular developers only briefly: the application has no protection at all, neither code obfuscation nor string encryption. The link is stored as a plain string, so it could be found in the code without any additional tools.
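Because the link is an unprotected plaintext string, it sits in the DEX string table and can be pulled out without decompiling. The script below is an added example (not the author's tooling) that reads the `string_ids` section of each `classes*.dex` inside an APK and filters for URLs; the `build_minimal_dex`/`build_sample_apk_bytes` helpers construct a synthetic fixture so the example runs offline and are not a real application. The DEX header offsets used (`string_ids_size` at 0x38, `string_ids_off` at 0x3C, string data as a ULEB128 UTF-16 length followed by NUL-terminated MUTF-8) are those of the documented DEX format.

```python
import io
import re
import struct
import zipfile

URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")


def uleb128_decode(buf, off):
    """Decode one unsigned LEB128 value; return (value, offset after it)."""
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex):
    """Return every entry of a DEX file's string table in string_id order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, p = uleb128_decode(dex, data_off)   # length prefix, then MUTF-8 bytes
        end = dex.index(b"\x00", p)                     # MUTF-8 never emits a raw NUL inside a string
        out.append(dex[p:end].decode("utf-8", "replace"))  # MUTF-8 == UTF-8 for ASCII URLs
    return out


def find_urls(strings):
    """Keep only strings that are complete http(s) URLs."""
    return [s for s in strings if URL_RE.match(s)]


def urls_from_apk(apk):
    """Collect URL strings from all classes*.dex in an APK (path or bytes)."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    found = []
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                found.extend(find_urls(dex_strings(z.read(name))))
    return found


# ---- constructed fixtures (not a real app) so the example runs offline ----------------

def uleb128_encode(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_minimal_dex(strings):
    """Build a DEX-shaped blob with only a header and a string table (constructed fixture)."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(header_size)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, header_size)           # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)            # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)


SAMPLE_STRINGS = ["Lcom/example/Main;", "onCreate", "https://palbatolisee.cf/jKhvtH",
                  "Landroid/webkit/WebView;", "http://example.invalid/second"]


def build_sample_apk_bytes():
    """Zip one synthetic classes.dex into an in-memory APK (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_minimal_dex(SAMPLE_STRINGS))
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    return buf.getvalue()


if __name__ == "__main__":
    for url in urls_from_apk(build_sample_apk_bytes()):
        print(url)
```

On a real sample, point `urls_from_apk` at the APK path; the first-hop domain from the chain above should appear among the results. If it does not, the string is being assembled at runtime or encrypted, which is exactly the protection this family lacks.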
Conclusion
Analysis of the code of the other applications in the list showed that the function containing the initial link is identical in every sample; only the link itself changes. This allowed me to write a Yara rule that accurately detects such applications.
Link to Yara-rule: https://pastebin.com/m131gfSq
Password: Aj2TchN9Pp