Posted: 5 Min ReadThreat Intelligence

Unofficial Telegram App Secretly Loads Infinite Malicious Sites

The MobonoGram 2019 app was downloaded more than 100,000 times before it was removed from Google Play

We recently found a malicious app named MobonoGram 2019 (detected as Android.Fakeyouwon) advertising itself as an unofficial version of the Telegram messaging app and claiming to provide even more features than both the official and other unofficial versions in the market. While the app does provide basic messaging functionality, we found it was also secretly running a few services on the device without the user’s consent, as well as loading and browsing an endless stream of malicious websites in the background.

Figure 1. The MobonoGram 2019 app's UI has a similar look and feel to the official Telegram
Figure 1. The MobonoGram 2019 app's UI has a similar look and feel to the official Telegram

The app was available to mobile users even in regions that have banned Telegram, such as Iran and Russia, and was also downloadable by U.S. users. It allowed users to toggle between English or the Persian language (Farsi). The app seemed to have used the open-source code of the legitimate Telegram app. Its developers appeared to have injected their malicious code into the app before publishing it on the Play store.

"Symantec finds unofficial Telegram app that secretly runs services, loads malicious sites in background https://symc.ly/2LWcxE6"

The app was available on Google Play for a time and downloaded more than 100,000 times before it was removed from the store. The developer, RamKal Developers, is believed to have published at least five updates for the app on the Play store before it was taken down.

The MobonoGram 2019 app was available on Google Play for a time and downloaded more than 100,000 times before it was removed from the store.

Persistence mechanism

From the malware's manifest file, we spotted a class named Autostart (android.support.translations.english.autostart) which implements a broadcast receiver. This receiver responds to three events on the device: whenever it is booted up, when an app is being installed, or when any app is being updated (BOOT_COMPLETED, PACKAGE_ADDED, PACKAGE_REPLACED, respectively).

Figure 2. The manifest file showing the broadcast receiver implemented by the Autostart class will react to three events on the device
Figure 2. The manifest file showing the broadcast receiver implemented by the Autostart class will react to three events on the device

When the broadcast receiver class receives the said events, the AddService class will be summoned, then initiates a few other services, namely AndroidAF, AndroidAL, AndroidPA, AndroidPC, AndroidSH—all without the user's knowledge.

To ensure the service would run persistently, the developer added two methods in the AddService class: Firstly, to start the service as a foreground service in AddService class. According to Android, a foreground service is rarely killed, even when memory is low. 

Figure 3. The AddService class starts AndroidAF, AndroidSH, AndroidAL classes as foreground services using the startForegroundService method
Figure 3. The AddService class starts AndroidAF, AndroidSH, AndroidAL classes as foreground services using the startForegroundService method

Secondly, in the event that the service is killed, the malware sets an alarm that initializes the AddService class to reboot itself 7,200,000 milliseconds, or two hours, after it was destroyed. With such tactics, the malware will be able to execute itself indefinitely.

With the services up and running, it starts to access a few designated servers, which will respond with JSON-formatted content consisting of three main parts: a URL (denoted as Link in the response), a user agent (denoted as Agent in the response), and three JavaScript codes (denoted as S1, S2, S3 in the response).

Figure 4. Sample response received after accessing the designated servers
Figure 4. Sample response received after accessing the designated servers

Infinite requests

With the given URL (see "Link" in Figure 4), the malware tries to access and load the page. A fraudulent user agent is also added to the URL's request header to disguise the source of the request. From our research, we believe that the user agent generated is at least semi-random, since no two same user agents are generated from querying the same server.

We found that the URL changes based on the geographical location of the device's IP address. For example, when we used an IP address originating from the U.S., a fraud website similar to Fakeyouwon was returned. When we used an IP address from Singapore, the server responded with a Fakeyouwon, pornography, or gaming website. We cannot say how many different URLs can be returned by the server—for all we know, what we've seen was only a drop in the bucket.

Figure 5. Sample Fakeyouwon websites returned from a device connected to a U.S. IP address (left) and a Singapore IP address (right)
Figure 5. Sample Fakeyouwon websites returned from a device connected to a U.S. IP address (left) and a Singapore IP address (right)

We have also seen the URL making a request to itself, causing an infinite loop of requests to the website. Such activity not only exhausts the device’s battery, but also leads to an unpleasant user experience and may even cause the device to crash. 

Figure 6. Packet trace shows the creative.strpjmp.com domain making a GET request to itself, creating an infinite number of requests
Figure 6. Packet trace shows the creative.strpjmp.com domain making a GET request to itself, creating an infinite number of requests

Three JavaScript codes

Looking at the three JavaScript codes, we initially believed that the app was originally designed to simulate clicking behind the scenes in order to generate ad revenues and increase web traffic (click fraud). However, the clicking events were not seen in action, even though all JavaScript codes were indeed loaded. Nonetheless, we cannot entirely dismiss the possibility of the malware being used for click fraud or some other malicious end.

From the source code, we can see that the contents of the JavaScript were indeed executed in the code, and they are entirely controlled by the server, which implies that the content can be easily changed as and when desired.

Figure 7. Source code showing the extraction of Link, Agent, and the three JavaScript codes
Figure 7. Source code showing the extraction of Link, Agent, and the three JavaScript codes

Upon obtaining the server's response, the code will first load the "Link" URL, followed by loading the "S1" JavaScript after 1,000 milliseconds (1 second), then the "S2" script after 15,000 milliseconds (15 seconds), and finally the "S3" script after 35,000 milliseconds (35 seconds).

Figure 8. Source code extracted from the malware showing all three JavaScript codes obtained from the server were executed
Figure 8. Source code extracted from the malware showing all three JavaScript codes obtained from the server were executed

Different apps, same behavior

During our research, we also came across another social messaging app named Whatsgram on the Play store. Not only does this app exhibit similar malicious behavior described in this blog, it was also published by the same developer (RamKal Developers). 

On many third-party Android app stores, we found four other apps that were published by a developer known as PhoenixAppsIR. These apps also contain similar malicious code that accesses malicious and/or phishing websites using the victim device unbeknownst to the user. We believe that either these two developers belong to one and the same organization, or the code was being copied from one to the other.

Prevalence

From January through May 2019, Symantec detected and blocked 1,235 infections related to the Android.Fakeyouwon malware family (Figure 9), with the highest number of infections located in the U.S., Iran, India, and the UAE (Figure 10).

Figure 9. Symantec has blocked 1,235 instances of Android.Fakeyouwon since January 2019
Figure 9. Symantec has blocked 1,235 instances of Android.Fakeyouwon since January 2019
Figure 10. The U.S., Iran, India, and the UAE were the top regions infected by the Android.Fakeyouwon family from January through May 2019
Figure 10. The U.S., Iran, India, and the UAE were the top regions infected by the Android.Fakeyouwon family from January through May 2019

Meanwhile, the highest number of devices infected by the particular Fakeyouwon variant described in this blog since January 2019 were located in Iran, the U.S., UAE, and Germany.

Figure 11. Iran, the U.S., UAE, and Germany were the regions most affected by this Fakeyouwon variant
Figure 11. Iran, the U.S., UAE, and Germany were the regions most affected by this Fakeyouwon variant

Mitigation

Such code structure is usually hard to spot via static code analysis, making it extremely easy for the attacker to sneak its way into Google Play. Additionally, these attacks can become really nasty quickly as it can load and execute any dynamic malicious contents that are sent by the server.

We advise users to take the following precautions:

  • Keep your software up to date.
  • Do not download apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by apps.
  • Install a suitable mobile security app, such as Norton or Symantec Endpoint Protection Mobile, to protect your device and data.
  • Make frequent backups of important data.

Protection

Symantec and Norton products detect the malicious app as Android.Fakeyouwon.

Indicators of Compromise

Table 1. Samples published by RamKal Developers
HashesPackage nameVersion
cdf792f1ef66d3790e06bc80971560a8c6e3500476ee9e3700e12bbb1ae88468 org.mobonogram.messenger 9.5.13 MTP
7844aa5c4706a333e71ccabbbafaace6d3311671761201f373bbb91f350e0c82 org.mobonogram.messenger 9.5.13 MTP
c3927fdddb69e291b23296c4de23e9c3c5e098e757ccbfe9005299aa427ae443 org.mobonogram.messenger 9.4.28 MTP
734363b849d289e23d385b8c1d3490f5a20f9a3baee890973fb645d4586cd6e4 org.mobonogram.messenger 9.4.28 MTP
4e00626249c7fbab4ed9e5f3db215b0dff970077777b871d1e78f8014fdf1d24 org.mobonogram.messenger 9.4.25 MTP
5eed7d3ecd9b438befc73dfd49e10f2511276f1ff7dc8af2f1f3a00df614ba6c org.mobonogram.messenger 9.4.20 MTP
fe7a46f299e92ea6e4cf2e662d20ef825e30c5d9ff226b426a2263a6c6bb4d79 com.massengers.whatsgram 9.4.25
Table 2. Samples published by PhoenixAppsIR
HashesPackage name
1e118357248ec8ed3098d1a0f74a2487b99d6ff629535e6990d5afe204e57306 com.recorder.sajjadappss.callrecordernew
28a0b453c1bb1a9cced3d34c9dc752cef41ed2c23d972abf2e5d1fb996595754 com.sajjadapps.photos.blendernew
99d3d25c99ce408406801a9ef376a3517a5c99aa81f4ca94e6e3277ceec1c40e com.sajjads.apps.ringtone.video.editor
e6bf383a5dd7796ff747419975a6589fda9bd6482c8449e4f92612bed5e64e12 com.hidegallerbysajjadnew
Table 3. Forged user agents*
User agents
'Agent':'Mozilla/5.0 (Linux; Android 6.0.1; SM-G532G Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.83 Mobile Safari/537.36'
'Agent':'Mozilla/5.0 (Linux; Android 7.0; SM-G570M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36'
'Agent':'Mozilla/5.0 (Linux; Android 5.1.1; Lenovo-A6020l36 Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36'
'Agent':'Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3 Build/HUAWEIFIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36'
'Agent':'Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3 Build/HUAWEIFIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36'
Table 4. Designated servers queried by MobonoGram 2019 apps
URLs
hxxp://2dl.pw/so/AndroidAF.php?vk=h20
hxxp://2dl.pw/so/AndroidSH.php?vk=h50
hxxp://2dl.pw/so/AndroidAL.php?vk=h23
Table 5. Suspicious/malicious domains accessed by these malicious apps*
Domains
hxxp://2dl.pw
hxxp://ps.popcash.net
hxxp://tsyndicate.com
hxxp://go.strpjmp.com
hxxp://creative.strpjmp.com
hxxp://stripchat.com
hxxps:/www.amarktflow.com
hxxp://festyy.com
hxxps://heroesofrpg.com

Note: *The list shown is by no means exhaustive.

About the Author

May Ying Tee

Software Engineer

May Ying is a member of Symantec’s Security Technology and Response team where she is focused on researching and developing mobile security technologies.

About the Author

Martin Zhang

Princ Software Engineer

Martin is a member of Symantec’s Security Technology and Response team who are focused on providing round-the-clock protection against current and future cyber threats.