Recently, the popular CamScanner – Phone PDF creator app caught our attention. According to Google Play, it has been installed more than 100 million times. The developers position it as a solution for scanning and managing digitized documents, but negative user reviews that have been left over the past month have indicated the presence of unwanted features.

After analyzing the app, we saw that the developer added an advertising library to it that contains a malicious dropper component. Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser.

Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.

Technical details about Necro.n

When the app is run, dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources.

Next, the configuration file with the name “comparison” is decrypted.

Once we decrypt it, we obtain the following configuration with the addresses of the attackers’ servers.

{
  "hs": {
    "server": "https://abc.abcdserver[.]com:8888",
    "default": "https://bcd.abcdserver[.]com:9240",
    "dataevent": "http://cba.abcdserver[.]com:8888",
    "PluginServer": "https://bcd.abcdserver[.]com:9240"
  },
….
}

Dropper downloads an additional module from these URLs:

And then it executes its code:

The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers. As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.

IOCs

MD5

  • 7b7064d3876fc3cb1b3593e3c173a1a2
  • b6656bb8fdfb152f566723112b0fc7c8
  • d3ccb1b4feea5fee623fad5c5948b09b
  • 7186f405f82632f45ad51226720a45b5
  • 9d6439756af0686974ac9f920d56dd39
  • 10573004477fb4a405d41d6ee4dbdd64
  • e8d361827438873ae27ac5200f3f91be
  • 85c96e359dd48bb814e2ddf34bc964fa
  • cdf045f1d96fae53d3986b985d787b59
  • 9fbc7c3c3326bfc710f9b079766cf85c
  • 2087986583416f45ae411ebd8c5db8aa
  • a1b3551ec1dcdce7ac2655994697a02d
  • d0ae4282d629518458fb5ca765627a71
  • d28ec38edda65324299fc0dcddca9740
  • 2e9eef8b88bf942e416ed244a427d20c
  • 45fac5ad7be24f5110c5e77c2a7a42f6
  • 5d52373b32cbcfdfb25dd20d267b5186
  • 66db48ce2ff503a27cb9c1617e9a2583
  • bcbf463050a0706b008e21a846b3185e
  • 19c6604f18d963f0320d8ddee98a9fd0
  • 44196cbce4e57e60443a9c19281e532f
  • 1807f8d8e711fd12a6127455afe98e85
  • 3e3db74a1ee8da53f05b61dde65a95b3
  • 170646ee90094db9516ca4a054bf2804
  • da953233a618570336e2e5ddd6464e67
  • c69a2d2b0bf67265590c9be65cd4286b
  • 96db624fa2532d14dd43c7ad3124c385
  • d07846903cb78babac78f0dd789d262e
  • a02811248a0d316a1f99d07e60aa808e
  • 74709014aa553b92fe079cf8941d64f6
  • f8b8fd44952ca199d292570ff6da5e8f
  • 9eff49dc969eea829e984bad34b7225c
  • 5bf2d280557e426e90c086fb89dc401f
  • e7705517e9e469921652ad33f87d7c22
  • dbb53ee8229cf4e8ae569a443bcd59d3
  • 3d37fbbffc45b7ca11e20ed06cc2f0f6
  • ec11fb61eababc7586e1874c92f7629e
  • b5c7b67e9650bf819b70d2c0a5ca7c63
  • 7b7064d3876fc3cb1b3593e3c173a1a2
  • b6656bb8fdfb152f566723112b0fc7c8
  • d3ccb1b4feea5fee623fad5c5948b09b
  • 7186f405f82632f45ad51226720a45b5
  • 9d6439756af0686974ac9f920d56dd39
  • 10573004477fb4a405d41d6ee4dbdd64
  • e8d361827438873ae27ac5200f3f91be
  • 85c96e359dd48bb814e2ddf34bc964fa
  • cdf045f1d96fae53d3986b985d787b59
  • 9fbc7c3c3326bfc710f9b079766cf85c
  • 2087986583416f45ae411ebd8c5db8aa
  • a1b3551ec1dcdce7ac2655994697a02d
  • d0ae4282d629518458fb5ca765627a71
  • d28ec38edda65324299fc0dcddca9740
  • 2e9eef8b88bf942e416ed244a427d20c
  • 45fac5ad7be24f5110c5e77c2a7a42f6
  • 5d52373b32cbcfdfb25dd20d267b5186
  • 66db48ce2ff503a27cb9c1617e9a2583
  • bcbf463050a0706b008e21a846b3185e
  • 19c6604f18d963f0320d8ddee98a9fd0
  • 44196cbce4e57e60443a9c19281e532f
  • 1807f8d8e711fd12a6127455afe98e85
  • 3e3db74a1ee8da53f05b61dde65a95b3
  • 170646ee90094db9516ca4a054bf2804
  • da953233a618570336e2e5ddd6464e67
  • c69a2d2b0bf67265590c9be65cd4286b

C&C

  • https://abc.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240
  • http://cba.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240

Source: Secure List

RELATED ARTICLESMORE FROM AUTHOR