Check Point researchers recently encountered WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialer which subscribes its victims to premium services without their knowledge or consent.
The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialer module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.
The infection chain is very simple. After the initial application is installed on the device via a 3rd-party market, WAPDropper contacts the C&C (Command and Control) server and receives the payloads to execute. The payload is the premium dialer module, which opens a tiny web-view and contacts premium services offered by legitimate telecom companies. Once WAPDropper has successfully loaded the landing pages, it attempts to subscribe the user to those services. In some cases, a CAPTCHA step is required to finalize the subscription. WAPDropper passes this test by using the services of “Super Eagle”, a Chinese company that offers an ML solution for image recognition.
Timeline and Encounter
Our story begins with this URL: https://l[.]facebook1mob[.]com/index.php?r=api/back
We noticed a large number of connections to this URL and discovered a malware framework which, viewed from a bird’s-eye perspective, traced back to these two IP addresses:
These IP addresses resolved to the domain ip.cooktracking[.]com, which itself has an interesting story.
In April this year, Kaspersky researchers published their findings regarding a malware that drops 2nd stage malware, which they metaphorically described as a “Trojan Matryoshka”.
According to Kaspersky’s publication, this malware began its infection chain by exfiltrating data to a C&C server located at ip.cooktracking[.]com/v1/ls/get.
Based on the network framework and the malware capabilities, we believe that these 2 campaigns are connected and may even involve the same threat actor.
A Closer Look: Technical analysis of the WAPDropper malware
As mentioned previously, the WAPDropper malware family contains 2 different modules. The first is a dropper module, which can download additional malware modules and has the potential to spread and initiate different attack vectors.
The second module is a premium dialer, a malware whose only purpose is to subscribe victims to premium services without their knowledge or consent.
On execution, the malware first hides its icon so that the user cannot easily identify and uninstall it. It then checks whether the device has a proxy or VPN configured. If neither is configured, the malware starts the dropper module to download and execute additional payloads.
WAPDropper begins with collecting data about the victim’s device and system, including:
- Device ID
- Mac Address
- Subscriber ID
- Device model
- List of all installed apps
- List of running services
- Topmost activity package name
- Is the screen turned on
- Are notifications enabled for this app
- Can this app draw overlays
- Amount of available free storage space
- Total amount of RAM and available RAM
- List of non-system applications
It sends the information to a hardcoded C&C server, https://ks7br7.3q03on[.]com:12038, which is the main C&C server.
The main C&C server, in turn, sends the malware a list of additional C&C servers, from which it picks one random URL for each future request it makes.
After it receives a response from the C&C server, WAPDropper parses the JSON configuration, which includes directions and specifications regarding the additional payloads that the dropper module downloads, including:
- The payload’s download URL
- MD5 verification of the downloaded file
- Class Name and Method Name for the reflection call
- Execution frequency (minutes)
- Maximum number of executions
As it finishes downloading each payload, WAPDropper decrypts the downloaded DEX file into a .jar file and stores it locally on the infected device while it continues downloading the pending payloads. Immediately after the payloads are decrypted, it is execution time: WAPDropper loads the decrypted .jar files and deletes them from the device right away, to avoid leaving traces behind.
Each payload has an execution frequency that is configured in the JSON configuration. WAPDropper monitors this frequency for each different payload and continually sends a report on the payload’s current status to one of its C&C servers.
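The configuration fields listed above (download URL, MD5, reflection entry point, frequency, maximum executions) are exactly what an analyst wants to pull out of a captured C&C response. The script below is an added example, not Check Point's code and not taken from the malware: it parses a constructed configuration in that shape, performs the same MD5 integrity check the dropper does on downloaded files, extracts hunting indicators (hosts, hashes, reflection entry points), and models how many times a payload would have run under its schedule. The JSON key names, hostnames and payload bodies are assumptions made for this example; the write-up gives the fields' meaning but not their names.

```python
"""Triage helper for a captured WAPDropper-style dropper configuration.

Added example (not Check Point's code). The JSON field names used below are
assumptions: the write-up lists what the fields mean but not their key names.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed payload bodies, standing in for downloaded (still encrypted) DEX files.
PAYLOAD_ONE = b"constructed payload one"
PAYLOAD_TWO = b"constructed payload two"

# Constructed configuration in the shape the text describes. Hostnames are placeholders.
SAMPLE_CONFIG = json.dumps({
    "payloads": [
        {
            "download_url": "https://cdn-a.example.invalid/p/one.bin",
            "md5": hashlib.md5(PAYLOAD_ONE).hexdigest(),
            "class_name": "com.example.loader.Main",
            "method_name": "init",
            "frequency_min": 30,
            "max_runs": 5,
        },
        {
            "download_url": "https://cdn-b.example.invalid/p/two.bin",
            "md5": hashlib.md5(PAYLOAD_TWO).hexdigest().upper(),  # servers may send upper-case hex
            "class_name": "com.example.dialer.Entry",
            "method_name": "start",
            "frequency_min": 120,
            "max_runs": 1,
        },
    ]
})

HEX_DIGITS = set("0123456789abcdef")


@dataclass(frozen=True)
class PayloadSpec:
    download_url: str
    md5: str            # lower-case hex digest of the downloaded file
    class_name: str     # class invoked via reflection
    method_name: str    # method invoked via reflection
    frequency_min: int  # execution frequency in minutes
    max_runs: int       # maximum number of executions


def parse_config(text: str) -> List[PayloadSpec]:
    """Parse the C&C JSON into PayloadSpec records, rejecting malformed entries."""
    specs: List[PayloadSpec] = []
    for entry in json.loads(text)["payloads"]:
        md5 = str(entry["md5"]).lower()
        if len(md5) != 32 or not set(md5) <= HEX_DIGITS:
            raise ValueError(f"malformed md5 for {entry['download_url']}")
        freq, max_runs = int(entry["frequency_min"]), int(entry["max_runs"])
        if freq <= 0 or max_runs <= 0:
            raise ValueError(f"bad schedule for {entry['download_url']}")
        specs.append(PayloadSpec(entry["download_url"], md5, entry["class_name"],
                                 entry["method_name"], freq, max_runs))
    return specs


def verify_download(spec: PayloadSpec, blob: bytes) -> bool:
    """The integrity check the dropper performs before decrypting and loading a payload."""
    return hashlib.md5(blob).hexdigest() == spec.md5


def extract_indicators(specs: List[PayloadSpec]) -> Dict[str, List[str]]:
    """Pull the parts of the config that are useful as hunting indicators."""
    return {
        "hosts": sorted({urlparse(s.download_url).hostname for s in specs}),
        "md5": sorted(s.md5 for s in specs),
        "entry_points": sorted(f"{s.class_name}.{s.method_name}" for s in specs),
    }


def executions_by(spec: PayloadSpec, elapsed_min: int) -> int:
    """How many times the payload has run after elapsed_min minutes, assuming (as the
    write-up describes) an immediate first run followed by one run every
    frequency_min, capped at max_runs. The exact scheduling is an assumption."""
    if elapsed_min < 0:
        return 0
    return min(elapsed_min // spec.frequency_min + 1, spec.max_runs)


if __name__ == "__main__":
    specs = parse_config(SAMPLE_CONFIG)
    print(extract_indicators(specs))
    for spec, blob in zip(specs, (PAYLOAD_ONE, PAYLOAD_TWO)):
        print(spec.download_url, "md5 ok" if verify_download(spec, blob) else "md5 MISMATCH")
```

Because the dropper deletes the decrypted .jar files immediately after loading them, the configuration and the downloaded blobs are often the only durable artifacts an analyst gets; hashing the blobs as above and matching them against the configured MD5 values confirms which payload was loaded.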
The main purpose of the premium dialer module is to manipulate money transactions addressed to Asian telecommunication companies and to subscribe victims to premium services without their knowledge or consent.
The first thing the dialer module does is decrypt a DEX file that is stored in its code and write it into a file called “data.jar”.
WAPDropper uses many reflection techniques and heavily obfuscates strings to hide its intentions. When the DEX file is saved, it loads and calls the real initialization method using reflection. The dropper also loads a native library file from the memory and stores it on the device for later use.
WAPDropper next starts a timer that periodically sends basic information about the infected device to this URL: https://api[.]biwbrd[.]com/un
WAPDropper then sends a request thread to the C&C server, asking the server to send an ad offer.
After it receives an ad offer, the malware constructs a 1×1 pixel dialog which appears almost invisible, but actually contains a tiny web view.
This tiny dialog allows the malware to load the previously unpacked native library, which is responsible for removing the “X-Requested-With” header from all HTTP requests.
“X-Requested-With” is an HTTP header which is used to verify that there is no CSRF (Cross-Site Request Forgery) attempt, i.e. that the user’s browser is not being exploited to deliver unauthorized commands from the user’s side to the target site.
WAPDropper replaces every occurrence of the “X-Requested-With” string with the “Accept-Encoding” string, which immediately disables the protection against CSRF attacks.
- Obtain the victim’s phone number.
- Obtain the victim’s phone information.
- Obtain SMS list.
- Send SMS to a specified number.
- Send POST requests to a specified URL.
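The header rewrite described above leaves a footprint on the wire: if only the header name is changed, the request arrives with the original value (typically “XMLHttpRequest”) under an Accept-Encoding header, alongside the real one. The following is an added example, not Check Point's code and not taken from the malware: a small request-header parser and two checks a service operator or proxy could run on logged requests, the presence check that the rewrite defeats and a detection for the duplicate or malformed Accept-Encoding header it produces. The sample requests are constructed; that the value survives the rename is an assumption drawn from the write-up's description of a string replacement.

```python
"""Flag HTTP requests whose X-Requested-With header was renamed to Accept-Encoding.

Added example (not Check Point's code). It assumes the rewrite the write-up
describes touches only the header name, leaving the original value in place.
"""
from typing import List, Tuple

# Content-coding tokens a legitimate Accept-Encoding value is built from
# (the RFC 9110 codings plus common extras).
KNOWN_ENCODINGS = {"gzip", "deflate", "br", "zstd", "compress", "identity", "x-gzip", "*"}

Header = Tuple[str, str]


def parse_request_headers(raw: str) -> List[Header]:
    """Split an HTTP/1.1 request's header block into (name, value) pairs, keeping
    duplicates and their order so that repeated headers remain visible."""
    headers: List[Header] = []
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if line == "":
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def has_ajax_marker(headers: List[Header]) -> bool:
    """The header-presence check that the rename defeats: a server relying only on
    this returns False for a rewritten request and treats it as a plain navigation."""
    return any(n.lower() == "x-requested-with" and v == "XMLHttpRequest" for n, v in headers)


def accept_encoding_anomalies(headers: List[Header]) -> List[str]:
    """Return findings that suggest a renamed header: more than one Accept-Encoding
    line, or a value containing tokens that are not content codings."""
    findings: List[str] = []
    values = [v for n, v in headers if n.lower() == "accept-encoding"]
    if len(values) > 1:
        findings.append(f"{len(values)} Accept-Encoding headers in one request")
    for v in values:
        # drop quality parameters such as ";q=0.5" before comparing tokens
        tokens = [t.split(";", 1)[0].strip().lower() for t in v.split(",") if t.strip()]
        unknown = [t for t in tokens if t not in KNOWN_ENCODINGS]
        if unknown:
            findings.append("non-encoding token in Accept-Encoding: " + ", ".join(unknown))
    return findings


# Constructed sample: a normal XHR as a web view would send it ...
NORMAL_REQUEST = (
    "POST /subscribe HTTP/1.1\r\n"
    "Host: portal.example.invalid\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# ... and the same request as it would look after only the header name was rewritten.
REWRITTEN_REQUEST = (
    "POST /subscribe HTTP/1.1\r\n"
    "Host: portal.example.invalid\r\n"
    "Accept-Encoding: XMLHttpRequest\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_REQUEST), ("rewritten", REWRITTEN_REQUEST)):
        h = parse_request_headers(raw)
        print(label, "ajax marker:", has_ajax_marker(h), "findings:", accept_encoding_anomalies(h))
```

A service that gates the subscription action only on the presence of X-Requested-With accepts the rewritten request as an ordinary browser submission, which is why the rewrite works; a synchronizer token in the request body or an Origin check is not affected by renaming a header. On the detection side, a duplicate Accept-Encoding header, or one carrying a token such as “xmlhttprequest”, is unusual enough in real client traffic to be worth alerting on.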
Another interesting feature of the malware is its CAPTCHA-recognition capability and the way it enters the result into the web-view.
WAPDropper either downloads the CAPTCHA image and sends it to the server, or parses the DOM tree, extracts the image from it, encodes it with Base64 and then sends it to the server at https://upload[.]chaojiying[.]net/Upload/Processing.php
This server is a service provided by a Chinese company called “Super Eagle”, which provides an ML based solution to image verification code recognition and image classification.
When the malware submits the verification-code image to the service, the platform returns the coordinates of the recognition result within the picture; the malware then parses these coordinates and simulates a tap at that position.
In the next step, WAPDropper obtains a list of URLs to load them into the web-view.
Looking at the package names and the corresponding functionalities, it is quite clear that the malware is targeting telecommunication companies to manipulate money transactions.
WAPDropper also has code for parsing HTML and identifying specific elements in it, so that it can imitate user behavior when filling in inputs.
Stay Protected From Mobile Threats
RWebZ Client Security (RCS) offers complete protection against internal and external threats by combining a powerful antivirus, an enterprise class packet filtering firewall and an advanced host intrusion prevention system called Advanced Protection.