The Check Point research team recently uncovered a new Android malware campaign on Google Play, which it calls: Viking Horde. The malware campaign is being used for fraud, DDoS attacks and to send spam.
Viking Horde conducts ad fraud, but can also be used for other attack purposes such as DDoS attacks, spam messages, and more. At least five instances of Viking Horde managed to bypass Google Play malware scans so far.
Check Point notified Google about the malware on 5 May 2016.
On all devices — rooted or not — Viking Horde creates a botnet that uses proxied IP addresses to disguise ad clicks, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots are used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.
On rooted devices, Viking Horde delivers additional malware payloads that can execute any code remotely, potentially compromising the security of data on the device. It also takes advantage of root access privileges to make itself difficult or even impossible to remove manually.
Meet the Horde
The most widely-downloaded instance of Viking Horde is the app: Viking Jump, which was uploaded to Google Play on 15 April 2016, and has achieved 50,000 – 100,000 downloads. In some local markets, Viking Jump is a Google Play top free app.
The oldest instance is Wi-Fi Plus, which was uploaded to Google Play on 29 March 2016. Other instances include the apps Memory Booster, Parrot Copter, and Simple 2048. All Viking Horde-infected apps have a relatively low reputation which the research team speculates may be because users have noticed the odd behaviour, such as asking for root permissions.
The botnet created by the attackers spread worldwide to users from various targeted countries. The Check Point research team collected data on the distribution of victims from one of the many Command & Control servers (C&C’s) used by attackers, which is illustrated below:
How Viking Horde Works
From its research of Viking Horde’s code and the C&C servers used in the attack, our research team can illustrate the malware process flow.
1. The malware is first installed from Google Play. While the app initiates the game, it installs several components, outside of the application’s directory. The components are randomly named with pseudo-system words from a preset list, such as core.bin, clib.so, android.bin and update.bin. They are installed on the SD card if the device is not rooted, and to root/data if it is. One of these files is used to exchange information between the malware’s components. A second file contains the list of the generated names of the components, to make them available to all components.
2. The malware then checks whether the device is rooted:
- If the device is rooted, the malware initiates two additional components:
app_exec. Implements communication protocol with the server.
app_exec_watch_dog Binary implements update and persistency mechanism. Watchdog monitors app_exec process and restarts it if needed.
- If the device is not rooted, the malware loads app_exec file as a shared library and calls its functions by JNI – Java Native Interface, which allows Java code run native binaries
In both scenarios, once app_exec application is installed, it establishes a TCP connection with the C&C server and starts the communication. The communication consists of the following commands:
- Ping. Every 10 seconds application sends 5 bytes to the server. The server responds with the same 5 bytes.
- Update of device information: Sends to server charge battery, type of connection and phone number.
- The next step is to accomplish the main malicious functionality by creating an anonymous proxy connection. The C&C sends a “create_proxy” command with two IP addresses and ports as parameters. These IP addresses are used to open two sockets one for a remote server (which is a client of the botnet exploiting the anonymous proxy) and the other for the remote target. Then it reads the data received from the first socket and channels it to the target host. Using this technique, the malware developer (or someone using this botnet as “malware as a service”) can hide his IP behind the infected device’s IP.
It is important to understand that even if the device is not rooted, Viking Horde turns the device into a proxy capable of sending and receiving information per the attacker’s commands. Below is an example of an infected device as seen from an attacker’s C&C. The remoteIP is the proxy’s IP, and the socksIP is the C&C server’s IP. The C&C contains some information about the device including its OS version, battery status, and GPS coordinates. In this case, the device is located in the US on T-Mobile.
The botnet is controlled by many C&C servers, each managing a few hundred devices. The malware’s primary objective is to hijack a device and then use it to simulate clicks on advertisements in websites to accumulate profit. The malware needs this proxy to bypass ad-nets’ anti-fraud mechanisms by using distributed IPs.
Some user reviews of the app also claim it sends premium SMS messages, as seen in the screen capture below. This botnet could be used for various malicious purposes, such as DDoS attacks, spamming and delivering malware.
Vikings are a Persistent Horde
The malware uses several techniques to remain on the device. First, Viking Horde installs several components with system-related names, so that they are hard to locate and uninstall.
If the device is rooted, two more mechanisms are set in place:
The app_exec component monitors the main application’s existence. If the user uninstalled the main application, app_exec decrypts a component called com.android.security and silently installs it. This component will be hidden, and run after boot. This component is a copy of itself and has the same capabilities.
The watchdog component installs the app_exec component updates. If app_exec is removed, the watchdog will reinstall it from the update folder.
Apparently, some users even noticed this activity:
Bonus component for rooted devices
Perhaps the most dangerous functionality is the update mechanism. The update mechanism is split between app_exec and watchdog components. app_exec downloads the new binary from the server and stores it to /data directory with the app_exec_update name.
Watchdog periodically checks if an update file exists and replaces app_exec with this file. This means that upon the server’s command, Viking Horde downloads a new binary. The watchdog component will replace the application with it. This allows downloading and executing any remote code on the device.
Android Go puts reliable smartphones in budget pockets
Nokia, Vodacom and Huawei have all launched entry-level smartphones running the Android Go edition, and all deliver a smooth experience, writes BRYAN TURNER.
Three new and notable Android Go smartphones have recently hit the market, namely the Nokia 1, the Vodafone Smart Kicka 4 and the Huawei Y3 (2018). These phones run one of the most basic versions of Android while still delivering a fairly smooth user experience.
Historically, consumers purchasing smartphones in the budget bracket would have a hit-and-miss experience with processing speed, smoothness of user interface, and app stability. The Google-supported Android Go edition operating system optimises the user experience by stripping out non-important visual effects to speed up the phone. Thish allows for more memory to be used by apps.
Google also ensures that all smartphones running Android Go will receive feature and security updates as they are released by Google. This is a major selling point for these smartphones, as users of this smartphone will always be running the latest software, with virtually no manufacturer bloatware.
Vodafone Smart Kicka 4
At the lowest entry-level, the Vodafone Smart Kicka 4 performs well as a communicator for emails and WhatsApp messages. The 4” screen represents a step up for entry-level Android phones, which were previously standardised at 3.5”.
The display is bright and very responsive, while the limited screen real estate leaves the navigation keys off the screen as touch buttons. It uses 3G connectivity, which might seem like an outdated technology, but is good enough to stream SD videos and music. Vodacom has also thrown in some data gifts if the smartphone is activated before the end of September 2018.
Its camera functionalities might be a slight let down for the aspirant Instagrammer, with a 2MP rear flash camera and a 0.3MP selfie snapper. Speed wise, the keyboard pops up quickly, which is a huge improvement from the Smart Kicka 3. However, this phone will not play well with graphics-intensive games.
Next up is the Nokia 1, which adds a much better 5MP camera, improved battery life and a bigger 4.5” screen. It supports LTE, which allows this smartphone to download and upload at the speed of flagships. It also sports the Nokia brand name, which many consumers trust.
Although the front camera is 2MP, the quality is extremely grainy, even with good lighting. This disqualifies this smartphone for the social media selfie snapper, but the 5MP rear camera will work for the landscape and portrait photographer.
The screen also redeems this smartphone, providing a display which represents colours truly and has great viewing angles. Xpress-on back covers allows the use of interchangeable, multi-coloured back covers, which has proven to be a successful sales point for mid-range smartphones in the past.
Huawei Y3 (2018)
The most capable of the Android Go edition competitors, the Huawei Y3 (2018) packs an even bigger screen at 5”, as well as an improved 8MP rear camera and HD video recording. The screen is the brightest and most vibrant of the three smartphones, but seems to be calibrated to show colours a little more saturated than they actually are.
Nevertheless, the camera outperforms the other smartphones with good colour replication and great selfie capabilities via the 2MP front camera – far superior to the Nokia 1 despite the same spec. LTE also comes standard with this smartphone and Vodacom throws in 4G/LTE data goodies until the end of September 2018. The battery, however, is not removable and may only be replaced by a warranty technician.
Comparing the 3
All three smartphones have removable back covers, which provide access to the battery, SIM card and SD card slots. The smartphones have Micro USB ports on the bottom with headphone jacks on the top. The built-in speakers all performed well, with the Y3 (2018) housing an exceptionally loud built-in speaker.
Although all at different price points, all three phones remain similar in performance and speed. The differentiators are apparent in the components, like camera quality and screen quality. It would be fair to rank the quality of the camera and battery life by respective market prices. The Vodafone Smart Kicka 4 performed well, for its R399 retail price. The Nokia 1, on the other hand, lags quite a bit in features when compared to the Huawei Y3 (2018), bwith oth retailing at R999.
SA gets digital archive
As the world entered the centenary of Nelson Mandela’s birth on Mandela Day, 18 July 2018, South Africa celebrated the launch of a digital living archive.
The southafrica.co.za site carries content about the country’s collective heritage in South Africa’s eleven official languages.
Designed as a nation building, educational and brand promotion web based tool, the free-to-view platform features award-winning photographic and written content by leading South African photographers, authors, academics and photojournalists.
The emphasis is on quality, credible, factual content that celebrates a collective heritage in terms of the following: Cultural Heritage; Natural Heritage; Education; History; Agriculture; Industry; Mining; and Travel.
At the same time as reflecting on the nation’s history, southafrica.co.za celebrates South Africa’s natural, cultural and economic assets so that the youth can learn about their nation in their home language.
Southafrica.co.za Founder and CEO Hans Gerrizen conceptualised southafrica.co.za as a means for youth and communities from outlying areas to benefit from the digital age in terms of the web tool’s empowering educational component.
“We can only stand to deepen our collective experience of democracy and become a more forward planning nation if we know facts about our nation’s past and present in everyone’s home language,” he says.
Southafrica.co.za, with sister company Siyabona Africa, is the organiser and sponsor of the Mandela: 100 Moments photographic exhibition that runs until 30 September at Cape Town’s V&A Waterfront-based Nelson Mandela Gateway to Robben Island. The 3-month exhibition, which runs daily from 08h00 until 15h00, is showcasing one hundred iconic Nelson Mandela images taken by veteran South African photojournalist and self-taught lensman Peter Magubane.