MoqHao evolution: New variants start automatically right after installation

Authored by Dexter Shin 

MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first discovered in 2015. McAfee Mobile Research Team has also posted several articles related to this malware family that traditionally targets Asian countries such as Korea and Japan. 

 Recently McAfee Mobile Research Team found that MoqHao began distributing variants using very dangerous technique. Basically, the distribution method is the same. They send a link to download the malicious app via the SMS message. Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution. While the app is installed, their malicious activity starts automatically. This technique was introduced in a previous post but the difference is that this dangerous technique is now being abused by other well-known active malware campaigns like MoqHao. We have already reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version. Android users are currently protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. McAfee Mobile Security detects this threat as Android/MoqHao. 

How it is distributed 

MoqHao is distributed via phishing SMS messages (also known as Smishing). When a user receives an SMS message containing a malicious link and clicks it, the device downloads the malicious application. Phishing messages are almost the same as in previous campaigns: 


Figure 1. Smishing message impersonating a notification from a courier service. 

One noticeable change is that they now use URL shortener services. If the malware authors use their own domain, it can be quickly blocked but if they use legitimate URL shortener services, it is difficult to block the short domain because it could affect all the URLs used by that service. When a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service. 

What is new in this variant 

As mentioned at the beginning, this variant behaves differently from previous ones. Typical MoqHao must be launched manually by the user after it is installed but this variant launches automatically after installation without user interaction: 

Figure 2. Differences between typical MoqHao and Modern MoqHao

We explained this auto-execution technique in detail in a previous post but to briefly summarize it here, Android is designed so when an app is installed and a specific value used by the app is set to be unique, the code runs to check whether the value is unique upon installation. This feature is the one that is being abused by the highly active Trojan family MoqHao to auto-execute itself without user interaction. The distribution, installation, and auto-execution of this recent MoqHao variant can be seen in the following video: 

 

On the other hand, this recent MoqHao variant uses Unicode strings in app names differently than before. This technique makes some characters appear bold, but users visually recognize it as “Chrome”. This may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome): 

Figure 3. App name using Unicode strings.

 

Additionally, they also use social engineering techniques to set malicious apps as the default SMS app. Before the settings window appears, they show a message telling you to set up the app to prevent spam, but this message is fake: 

Figure 4. Fake message using social engineering techniques. 

 

Also, the different languages used in the text associated with this behavior suggests that, in addition to Japan, they are also targeting South Korea, France, Germany, and India: 

Figure 5. Fake messages designed to target different countries.

 

After the initialization of the malware is completed, it will create a notification channel that will be used to display phishing messages: 

Figure 6. Create a notification channel for the next phishing attack.

 

The malware checks the device’s carrier and uses this notification to send phishing messages accordingly to trick users into clicking on them. MoqHao gets the phishing message and the phishing URL from Pinterest profiles 

 

Figure 7. Phishing message and URL in Pinterest profile

 

If the phishing string is empty, MoqHao will use the phishing message in the code: 

Figure 8. Phishing notification code for each carrier

 

This variant also connects to the C2 server via WebSocket. However, it has been confirmed that several other commands have been added in addition to the commands introduced in the previous post: 

Command  Description 
getSmsKW  Send all SMS messages to C2 server 
sendSms  Send SMS messages to someone 
setWifi  Enable/disable Wifi 
gcont  Send whole contacts to C2 server 
lock  Store Boolean value in “lock” key in SharedPreferences 
bc  Check SIM state 
setForward  Store String value in “fs” key in SharedPreferences 
getForward  Get String value in “fs” key in SharedPreferences 
hasPkg  Check specific package installed on device 
setRingerMode  Set Sound/Vibrate/Silent mode 
setRecEnable  Set Vibrate/Silent mode according to SDK version 
reqState  Send device information (Network, Power, MAC, Permission) to C2 server 
showHome  Emulate Home button click 
getnpki  Send Korean Public Certificate (NPKI) to C2 server 
http  Send HTTP requests 
call  Call a specific number with Silent mode 
get_apps  Get list of installed packages 
ping  Check C2 server status 
getPhoneState  Get unique information such as IMEI, SIM number, Android ID, and serial number 
get_photo  Send all photos to C2 server 

MoqHao malware family is an active malware that has been around for years. Although many years have passed, they are using more and more different ways to hide and reach users. We are seeing a much higher number of C2 commands than in previous, the active use of legitimate sites like Pinterest to store and update phishing data, and code with the potential to target Asian countries like Japan and South Korea, as well as countries like France, Germany, and India. Moreover, we expect this new variant to be highly impactful because it infects devices simply by being installed without execution. 

 It is difficult for general users to find fake apps using legitimate icons and application names, so we recommend users to install secure software to protect their devices. For more information, visit McAfee Mobile Security. 

Indicators of Compromise (IOCs) 

SHA256  Application Name  Package Name 
2576a166d3b18eafc2e35a7de3e5549419d10ce62e0eeb24bad5a1daaa257528  chrome  gb.pi.xcxr.xd 
61b4cca67762a4cf31209056ea17b6fb212e175ca330015d804122ee6481688e  chrome  malmkb.zdbd.ivakf.lrhrgf 
b044804cf731cd7dd79000b7c6abce7b642402b275c1eb25712607fc1e5e3d2b  chrome  vfqhqd.msk.xux.njs 
bf102125a6fca5e96aed855b45bbed9aa0bc964198ce207f2e63a71487ad793a  chrome  hohoj.vlcwu.lm.ext 
e72f46f15e50ce7cee5c4c0c5a5277e8be4bb3dd23d08ea79e1deacb8f004136  chrome  enech.hg.rrfy.wrlpp 
f6323f8d8cfa4b5053c65f8c1862a8e6844b35b260f61735b3cf8d19990fef42  chrome  gqjoyp.cixq.zbh.llr 

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top