Crooks use tainted Zoom apps to target users at home due to Coronavirus outbreak

Pierluigi Paganini April 02, 2020

Crooks target Android users working from home due to the Coronavirus outbreak with a Trojanized version of the popular video messaging app Zoom.

Security researchers at Bitdefender have spotted tainted versions of the Zoom video-conferencing app for Android that target users working from home during the Coronavirus outbreak.

Researchers detected re-packaged Zoom mobile applications that are distributed via third-party markets.

“The samples documented in this article spread outside of the Google Play Store and exclusively target users who sideload applications on their Droids.” reads the analysis published by Bitdefender.

“This piece of malware has components injected in the repackaged Zoom application.”

None of the attacks observed by the researchers involved the official Google Play store: every sample was sideloaded from outside it.

A close look at the tainted Zoom application shows a user interface identical to the original app's. The experts also point out that one of the re-packaged apps reuses the original's package name, so by name alone it is indistinguishable from the genuine app on a device; the APK signing certificate is the reliable way to tell them apart.

Upon execution, the malicious application downloads a payload from its C2 at tcp[:]//googleteamsupport[.]ddns.net:4444. The hostname is registered through a dynamic DNS service (ddns.net), which lets a user with a changing IP address keep mapping it to the same subdomain. This means the C2 stays reachable even when the operator's IP address changes.

Domain history shows that this subdomain pointed at an IP address in Jordan (92.253.77.106) that also resolved sweetman2020[.]no-ip[.]biz, a hostname used as a C&C server for the Android remote access Trojan (RAT) known as SandroRAT/DroidJack.
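The indicators above are printed defanged (with “[.]” and “[:]”), so they cannot be grepped out of logs as-is. The following is an added example, not code from the article or from Bitdefender: it refangs the indicators from this report, matches them against constructed connection-log lines, and additionally flags any destination under a dynamic-DNS zone as a lower-confidence hunting signal, since that is the hosting pattern both C2 hostnames share. The log format and the list of dynamic-DNS zones are assumptions for illustration.

```python
import ipaddress
import re

# Indicators quoted from the Bitdefender analysis, kept defanged as printed.
DEFANGED_IOCS = {
    "tcp[:]//googleteamsupport[.]ddns.net:4444": "c2_zoom_repack",
    "sweetman2020[.]no-ip[.]biz": "c2_sandrorat_droidjack",
    "92.253.77.106": "c2_shared_ip_jordan",
}

# Dynamic-DNS zones used as a generic hunting signal (assumed list, not from the article).
DYNDNS_ZONES = ("ddns.net", "no-ip.biz", "no-ip.org", "duckdns.org")
_DYNDNS_SUFFIXES = tuple("." + z for z in DYNDNS_ZONES)

# Assumed log format: "<timestamp> <device> connect <host-or-ip>[:port]"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+connect\s+(?P<dest>\S+)$")


def refang(indicator: str) -> str:
    """Turn 'tcp[:]//host[.]tld:4444' into 'host.tld:4444' (scheme dropped, lower-cased)."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^[a-z]+://", "", s)
    return s.lower()


def split_host_port(dest: str):
    """Return (host, port) where port is an int or None if absent."""
    host, sep, port = dest.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return dest, None


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_ioc_table(defanged=DEFANGED_IOCS):
    """Map refanged host/IP -> (label, expected port or None)."""
    table = {}
    for raw, label in defanged.items():
        host, port = split_host_port(refang(raw))
        table[host] = (label, port)
    return table


def classify(host: str, port, table):
    """Exact IOC match first; otherwise a dynamic-DNS hostname is flagged generically."""
    if host in table:
        label, ioc_port = table[host]
        if ioc_port is not None and port != ioc_port:
            return label + "_port_mismatch"
        return label
    if not is_ip(host) and host.endswith(_DYNDNS_SUFFIXES):
        return "dyndns_hostname"
    return None


def scan(log_text: str, table=None):
    """Return (line_no, device, host, label) for every line that matches an indicator or rule."""
    table = table if table is not None else build_ioc_table()
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, port = split_host_port(m.group("dest"))
        label = classify(host.lower(), port, table)
        if label:
            hits.append((n, m.group("device"), host, label))
    return hits


# Constructed sample log: one device talks to the article's C2, another to the
# SandroRAT/DroidJack host; a legitimate zoom.us connection must not be flagged.
SAMPLE_LOG = """\
2020-04-01T09:12:03Z pixel-3 connect googleteamsupport.ddns.net:4444
2020-04-01T09:12:09Z pixel-3 connect 92.253.77.106:4444
2020-04-01T09:13:44Z pixel-3 connect zoom.us:443
2020-04-01T09:15:01Z galaxy-s9 connect sweetman2020.no-ip.biz:1337
2020-04-01T09:16:20Z galaxy-s9 connect updates.example.duckdns.org:80
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s -> %s [%s]" % hit)
```

The dynamic-DNS rule is deliberately separate from the exact matches: it will fire on legitimate hobbyist hosts as well, so treat it as a pivot for review rather than an alert on its own, and keep the IP indicator time-bounded, since the article notes the address was shared across campaigns.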

Experts also spotted another tainted Zoom application that was employed in attacks aimed at Chinese users.

“Bitdefender researchers have also uncovered a tainted Zoom APK that specifically targets Chinese users. Once sideloaded, the application asks for phone, location and photo permissions on start.” continues the analysis.

A third re-packaged Zoom app discovered by Bitdefender, named ZOOM Cloud Meeting, targets Android users in the United States.

When opened, the application first hides its icon from the launcher menu, then sets a repeating alarm that randomly sends an intent to an Ad Service; that service in turn starts an AdActivity that opens an ad.

The tainted app checks for a hardcoded string in its assets, called ‘admin’; if the string is true it asks for device admin rights, otherwise it attempts to download another file when launched.

“As of the moment of writing, this sample has been seen in the wild in the United States.” concludes Bitdefender.

“The sample bundles functionality to ask for device admin permissions in English or Russian, based on the default language of the mobile phone. The malware also has the ability to start itself when the device is powered on.”
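Several of the behaviours described for this sample (device-admin request, start on boot, the phone/location permissions asked for by the Chinese-targeted sample) are declared in the APK's manifest and can be triaged before the app is ever run. The following is an added example, not code from the article or from Bitdefender: it parses a decoded AndroidManifest.xml (as produced by `apktool d sample.apk`; the manifest inside an APK is binary XML) and flags a device-admin receiver, a BOOT_COMPLETED receiver and sensitive permissions. The sample manifest is constructed to mirror the article's description, the official package name us.zoom.videomeetings is assumed here, and hiding the launcher icon happens at runtime, so it is not something a manifest check can see.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

# Assumed: package name of the genuine Zoom Android client.
OFFICIAL_PACKAGE = "us.zoom.videomeetings"

# Permissions matching what the article describes (phone, location, photos, boot persistence).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def _actions(component):
    """Collect every <action android:name> declared in a component's intent filters."""
    return {a.get(A + "name")
            for f in component.findall("intent-filter")
            for a in f.findall("action")}


def triage(manifest_xml: str) -> dict:
    """Return the package name, whether it collides with the official one, and a list of findings."""
    root = ET.fromstring(manifest_xml)
    findings = []

    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name")
        if name in SENSITIVE_PERMISSIONS:
            findings.append("sensitive_permission:" + name)

    app = root.find("application")
    receivers = app.findall("receiver") if app is not None else []
    for rcv in receivers:
        name = rcv.get(A + "name")
        actions = _actions(rcv)
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens for DEVICE_ADMIN_ENABLED.
        if (rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            findings.append("device_admin_receiver:" + name)
        # Start-on-boot persistence is a BOOT_COMPLETED receiver.
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append("boot_persistence:" + name)

    package = root.get("package")
    return {
        "package": package,
        # Same package name as the genuine app is not proof of anything either way:
        # the signing certificate has to be compared (apksigner verify --print-certs).
        "needs_signer_check": package == OFFICIAL_PACKAGE,
        "findings": findings,
    }


# Constructed manifest modelled on the article's description of the repackaged app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="us.zoom.videomeetings">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="ZOOM Cloud Meeting">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".AdService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "needs signer check:", result["needs_signer_check"])
    for f in result["findings"]:
        print(" -", f)
```

A device-admin receiver is not malicious by itself (MDM agents declare one), but a video-conferencing client has no reason to, and combined with boot persistence and a package name copied from a well-known app it is enough to pull the sample for a full look.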


Pierluigi Paganini

(SecurityAffairs – malware, Coronavirus)
