Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Italian Job – Android malware masqueraded as Fake Tre Updater

Pierluigi Paganini December 04, 2017

The CSE CybSec Z-Lab Malware Lab analyzed a new strain of malware apparently developed to target the customers of the Italian telco operator “Tre”.

The malware researchers from ZLab analyzed a new strain of Android malware that appears as a fake 3MobileUpdater. The malware looks like a legitimate app used to retrieve the mobile system update, but it hides a powerful spyware which gathers user info from the smartphone.

In order to trick users, the malicious app pretends to be a software distributed by the Italian Telco company Tre H3G (see the app logo) to check and download smartphone updates.

Fake Tre Updater

Figure 1 – Fake Tre Updater – App logo and alert

When the user clicks on the “3 Mobile Updater”, the app shows the screen in the above picture, inviting the user to wait while the system configuration is updated.

In this way, the user will not remove the application waiting form the installation of the legitimate update, but in the background the malware is able to launch a service which periodically sends information and retrieves commands from a Command and Control available at the link “url[.]plus”.

The capabilities of this malicious app are enormous and include the information gathering from various sources, including the most popular social apps, including Whatsapp, Telegram, Skype, Instagram, Snapchat. It is able to steal picture from the gallery, SMS and calls registry apps. All this data is first stored in a local database, created by the malicious app, and later it is sent to the C2C.

Despite its capabilities, the app doesn’t appear well written. The DEBUG flag of the application is enabled, so many activities are logged on the Android logcat and are visible in a simple way.

The presence of the string “TEST” in many strings and some evident coding errors, along the absence  of obfuscation mechanism, suggest the malicious app is not written by skilled developers.

The fake Tre updater is probably a “beta” release or in a test phase, this means that the application is not yet widespread.

Finally, it is interesting to highlight the fact that the malware authors used the Italian language, both in the logcat messages and in the code. This circumstance along with the fact that attackers masqueraded the malware as a a fake Tre updater suggest the vxers are Italian.

According to our analysis the fake Tre updater was developed by an Italian firm, targets and motivations are still not clear.

This report could be the starting point for an investigation of Italian law enforcement, it also includes Yara rules that could be used to detect the threat.

You can download the full ZLAB Malware Analysis Report at the following URL:


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Android malware, Fake Tre Updater)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment