From time to time we have the opportunity to sinkhole domains that have an high volume of traffic and are part of a mobile device botnet. In the beginning of July we registered a domain that we found to be part of the AndroidBauts family with over 550,000 devices for a 24h period, affecting mostly India and Indonesia from a total of 216 countries. The piece of software that triggers this traffic was present in four (already removed) Google Play Store applications.
Regarding entity sectors, we noticed many relevant sectors reaching our sinkhole, mostly Education and Energy/Resources. For the purpose of this research we removed Telecommunications and Technology because are obvious sectors that we already should see on a mobile botnet.
AndroidBauts is an Adware that exfiltrates the IMEI, IMSI, GPS Location, as well other device information and allows the installation of third party apps and shortcuts on the device. After some data analysis, we found interesting waves of devices contacting at specific times. This is interesting because, unlike a desktop/laptop family, it’s installed on mobile devices that mostly should be turned on all the time, thus not making beginning of the day waves like we see on other malware families.
When searching for the sinkholed domain in VirusTotal we got about 55 samples that contain this domain in their strings. We then started an automated decompilation process so we could analyse the source code of the samples. After some digging we started to notice the string snowfox in almost all samples on the same file that has the hardcoded sinkholed domain, in fact they all share the same kind of code and strings, more particularly the strings snowfox and SFoxSDK.
This is an indicator that this code is in fact part of a SDK, justifying why it is similar across all samples. It’s interesting that a google search returns no relevant results when searching for the word SFoxSDK.
The following table is an enumeration (by decrescent number of hits) of all commands seen on this family and a summary of relevant information included in the POST data.
For the purpose of this research we choose to analyse the update_phoneinfo and ad_action calls which seems to provide actions that shouldn’t be possible through an advertising SDK, or by that seems reasonable from the industry point of view and user privacy.
The number of hits we see on update_phoneinfo is way lower when compared with calls like ping, and most of the time there’s no content submitted.
The call ad_action is executed each time the user clicks on an ad delivered through the snowfox SDK. On the following chart we observe that most of the time the POST is delivered without content, the same behaviour we observed on update_phoneinfo.
The interesting bit is the existence of specific commands that allow (but are not limited to) the downloads of APKs and installation of shortcuts on the device, which may lead to a potential compromise of the device, depending on the owner's intentions. The following JSON is an example of the payload we get on the ad_action call on the sinkhole side:
On the app side we have the following code, that at the end triggers POST data like we see above.
This code runs the package if it’s installed or downloads it through the PackageInstall.install() method that has the following code:
The installPresent method subsequently calls postActionLog that originates the traffic seen on ad_action payload like we referred earlier.
The installation of such apps may impose a risk to the device owners and companies. It is important that users are educated to avoid unknown applications on Play Store and unofficial Android markets. Snowfox is a potentially unwanted application (PUA) that allows the owners to install foreign applications that can potentiate data exfiltration and a full compromise of the device.