Security Architecture, Endpoint/Device Security

Confucius cybergang shifts social engineering strategy for Android malware

The Confucius cybergang has altered its social engineering tactics, replacing a malicious chat app with two new lures in its ongoing effort to push Android malware onto its victims' devices.

The group, according to Trend Micro, is still targeting Pakistanis but has built two new lures: one that shows photos of naked women and another that promises to help the target find a romantic partner. Previously, Confucius relied on a single chat app that also courted lonely hearts before downloading a slew of malware to the phone.

The first app is named Fuddi Duniya and is linked directly from the fake website's homepage. To allay suspicion, the site tells the user it is bypassing Google's official app store because Google does not allow apps that show nudity. Once the target is convinced to sideload the app, the phone is infected with the same malware Confucius used previously, which records audio and steals SMS messages, accounts, contacts and certain file types from specific directories. There is also a new addition: the malware can now retrieve the device's last known location, and it uses Google Firebase to upload the stolen content.
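The capability list above (audio recording, SMS, accounts, contacts, files, last known location, upload to a cloud backend) maps onto a small, predictable set of Android manifest permissions, which makes a cheap triage check possible when a sideloaded APK turns up on a device. The following is an added example, not code from the article or from Trend Micro: it parses a decoded AndroidManifest.xml (a real APK's manifest is binary XML and must first be decoded with a tool such as apktool), maps each declared permission back to one of the capabilities described, and flags the sample when it is sideloaded and covers most of that profile. The permission-to-capability table, the threshold value and the two sample manifests are assumptions constructed for illustration.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability the article attributes to the Confucius Android malware, mapped
# to the manifest permissions an app needs to declare for it (assumed mapping).
CAPABILITY_PERMISSIONS: dict[str, set[str]] = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read accounts": {"android.permission.GET_ACCOUNTS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "last known location": {"android.permission.ACCESS_COARSE_LOCATION",
                            "android.permission.ACCESS_FINE_LOCATION"},
    "upload over network": {"android.permission.INTERNET"},
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    names.discard("")
    return names


def matched_capabilities(perms: set[str]) -> list[str]:
    """Capabilities whose permission set intersects the requested permissions."""
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed & perms]


def triage(manifest_xml: str, sideloaded: bool, threshold: int = 5) -> dict:
    """Flag a sideloaded app that covers most of the spyware capability profile.

    `threshold` is a hypothetical tuning value; `sideloaded` mirrors the
    "we bypass Google Play" pretext the Fuddi Duniya site uses.
    """
    caps = matched_capabilities(requested_permissions(manifest_xml))
    return {"capabilities": caps, "suspicious": sideloaded and len(caps) >= threshold}


# Constructed sample: a "dating" app that asks for the whole profile.
DATING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dating">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

# Constructed sample: a chat app with voice messages and contact sync only.
CHAT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest, sideloaded in (("dating", DATING_MANIFEST, True),
                                        ("chat", CHAT_MANIFEST, True)):
        print(label, triage(manifest, sideloaded))
```

The check is deliberately a triage heuristic rather than a verdict: a legitimate messaging app can declare several of these permissions, so the signal comes from the combination of near-complete coverage and installation from outside Google Play, which is exactly the pretext the lure site asks the victim to accept.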

The second app is similar to the original chat app in that it has a romance component, but it adds a bit of believability by linking to a malicious chat app that was hosted on Google Play and has since been removed. This app was loaded with malicious .NET code and could download a secondary malware package.

The first stage simply collects the device's username, antivirus product, IP address and operating system version, then attempts to connect to a command-and-control server; if the Confucius operators so choose, they can push a second payload.

“We obtained a second-stage payload (Detected as TROJ_DELF.XXWZ), which is a filestealer based on the Delphi programming language similar to the 'svctrls' malware,” Trend said, adding that this function is similar to backdoors such as sctrls and sip_telephone.
