Personal computing discussed

Moderators: renee, Dposcorp

 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Android - MoneyPak Virus/Malware

Sun May 11, 2014 3:01 am

Interesting call from my dad a few nights ago, claiming to have the FBI virus on his tablet. Sure enough as soon as I turn it on, its been hit with the virus that locks us out of everything.

In my research I found a new useful tool for both Windows executable (.exe) and android programs (.apk)

http://www.anubis.iseclab.org

You can upload a suspicious file and it will be ran in a virtual environment, observed and report given to you within a few minutes (10 minutes or less in my case) on what exactly the program tried to do and was able to do.

Here is the report for a particular file I knew to be suspicious of on this Motorola Xoom tablet.

http://anubis.iseclab.org/?action=resul ... ormat=html

So as we can see, this file is clearly the culprit for the virus. It appears to unpack itself and uses Adobe Flash plugins (big surprise) to run its front end for MoneyPak. This further assures me that Flash plugins even on Android are insecure as hell and alternatives should be used to avoid this kind of infection in the future.

Since his tablet isn't setup to allow me root access I'm going to have to find a way to manually remove the files that are running the virus/malware. It also can't be scanned by Avast because windows recognizes the device as a "Portable Device" and wont assign it as a drive letter (MTP to PTP)

Hope this info helps someone and I'll let you know the resolution as soon as I have one (just started on this issue)
Last edited by Welch on Sun May 11, 2014 4:11 am, edited 1 time in total.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Re: Android - MoneyPak Virus

Sun May 11, 2014 3:12 am

How did he get the infected file in the first place? Non-Google market or sideloading?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Android - MoneyPak Virus

Sun May 11, 2014 3:52 am

I'm looking into how it happened and where he got the file from. He currently is involved in some local politics (city council stuff) and there is a crazy guy who wonders around handing out flyers about conspiracies and some sort of investigations and other crazy randomness that literally makes zero sense. Anyhow, on the paper the guy has some sort of website and of course in order to research the crazy guy (as they are trying to get him out of the city) my dad went to the website *Head Smack Moment*. Supposedly very shortly after he was hit with MoneyPak. I'll let you know if I can verify that claim shortly.

*Update*

The website that supposedly was visited is below (cryptically written to protect people from clicking) Do not visit the site just in case it was the source, for reference and research only!

www.d/e/t/e/c/t/i/v/e/h/i/t/s.com 


Here is the report for the website according to Anubis. Nothing to me jumps out crazy, didn't notice the report saying anything about a file being downloaded or anything. The file name was plain "video.apk". My first thoughts from dealing with people getting infected in pron of course, especially with a file so simply named "Video". Still looking into the cause of it, will report back.

http://anubis.iseclab.org/?action=resul ... ormat=html
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
DreadCthulhu
Graphmaster Gerbil
Posts: 1022
Joined: Mon Apr 21, 2003 12:43 am
Location: R'lyeh

Re: Android - MoneyPak Virus/Malware

Sun May 11, 2014 8:03 am

My advice for removing this would be to reboot the tablet the tablet in safe mode (Google "how to reboot in safe mode" for that exact model of tablet) and then try and uninstall the malicious .apk.
Violence is the last refuge of the incompetent. The competent use violence well before last resorts are necessary.

If violence isn't solving your problems, then you aren't using enough of it.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Android - MoneyPak Virus/Malware

Sun May 11, 2014 8:26 am

Nothing is really wrong with that site (it doesn't try to load anything even on Android devices)... He probably went to some other site which automatically loaded it, or he did it himself by trying to load some "free app" which someone recommended. Just wipe/restore the tablet completely, disable the "unknown sources" option under "security" (it might not be there, I dunno which Android version he has), ask him to NEVER enable this and put some free antimalware app - there are plenty of good ones with negligible battery/performance impact, you can see their detection rates at http://www.av-test.org
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Android - MoneyPak Virus/Malware

Sun May 11, 2014 1:04 pm

Safe mode is what I was trying to do last night. However it doe not want to cooperate with button presses and I can't shut down the tablet, only restart it with volume up and power button pressed together. From there I'm unable to get it into safe mode pressing the up and down volumes with power button as detailed online.

Yeah like I said I figured it came from somewhere else as the Anubis report showed nothing weird from the website, still odd people promoting the site so I wanted to be sure.

I'm thinking other sites were visited.... Video.apk LOL.

I want to avoid a factory wipe since this is the first android OS I've come across infected and see it as an opportunity to learn a few things. Plus not having to re-setup his tablet is a plus.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: Android - MoneyPak Virus/Malware

Sun May 11, 2014 4:08 pm

Does the site have ads? Crackpot websites are known for using sleazy third-rate ad services that don't police their content. My money's on him saying yes to "free stuff" on a different sort of site, though.
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Re: Android - MoneyPak Virus/Malware

Sun May 11, 2014 6:04 pm

NovusBogus wrote:
Does the site have ads? Crackpot websites are known for using sleazy third-rate ad services that don't police their content. My money's on him saying yes to "free stuff" on a different sort of site, though.

It should still need the "unknown sources" option to be enabled first before the question of "Would you like to install 'IAmGonnaPwnU.apk'?" to be asked for the user to click Yes for. Unless this is some custom ROM pre-rooted and/or allow unknown source enabled in the first place. For "stock" (both carrier or AOSP) ROMs the unknown sources option should be disabled by default.

What version is the OS on that device? Perhaps an old drive-by bug? But my money is on something got disabled, initiated by one of the people who have touched the device before.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Android - MoneyPak Virus/Malware

Sun May 11, 2014 9:18 pm

This is a stock Motorola Xoom WiFi only model. It should be updated to its latest and last update of Android 4.1.2 IIRC.

I never changed his default "Other Sources" setting and I don't believe anyone else in their household would have a clue how to do it. Once I remove this malware I'll see if that setting is enabled or not. Would be interesting to see if its not enabled whether MoneyPak was able to circumvent this by using the Flash plugin that it relies on. I'd HIGHLY recommend anyone who has an older android device that natively supported Flash plugins to disable/uninstall or use an app like TitaniumBackup to freeze Adobe Flash. There are no more updates going out form the plugin as though it weren't insecure even when updated.

Any alternative ways to force the device into safe mode when you can't boot into it and tell it to reboot into safe mode. Note the holding buttons doesn't seem to work as all documentation leads me to believe the device has to be shut OFF not in a restart state. I was going to attempt to use adb or telenet to command it but its not rooted so its the chicken before the egg ordeal.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Android - MoneyPak Virus/Malware

Tue May 13, 2014 4:17 am

Well I'm stumped. I know what I need to do, but I don't see a way out of it.

So is there anyway to access the Data/Data folder on android with
A) The device not being rooted
B) Not using ADB (Debugging mode required to use ADB AFAIK)
C) Not requiring USB debugging mode to be enabled (Because I can't do anything in the OS) unless there is a way to enable it outside of the OS.

I'm blown the hell away at the lack of emergency hardware backup options that Motorola (and I'm sure other manufacturers) have considered for these devices. I figured perhaps there was a way to go into a special mode allowing me access to the root directory. Perhaps Fastboot would allow me to login to super user regardless of the USB debugging mode not being possible to be reached. This seems to be a re-occuring theme for people mostly who break their screen and then want to un-root a phone for warranty claims. They can't use their screen so they can't turn USB debugging mode on to flash to stock.

Did they really design this in such a way that its impossible to recover from a simple little ransomeware taking over your ability to modify even simpler software settings!? If I could get access to the root directory, or perhaps even root the Xoom without the need for USB debugging mode I'd be able to fix this issue by simply deleting the files in the flash plugin folder (or the entire folder itself), that is my end goal. All of this could have been avoided with a pretty standardized safe mode boot option. Way to paint people into a corner :P.

Any bright ideas would be greatly received.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Re: Android - MoneyPak Virus/Malware

Tue May 13, 2014 11:38 am

Assuming the malware did not overwrite the really critical system files/settings, how about backing up the apps (and some data) with Helium, a factory reset, and then restoring with Helium?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Android - MoneyPak Virus/Malware

Tue May 13, 2014 12:19 pm

Welch wrote:
I'd HIGHLY recommend anyone who has an older android device that natively supported Flash plugins to disable/uninstall or use an app like TitaniumBackup to freeze Adobe Flash.

There are no real issues for using it (except the increased battery drain) - I've been using Flash on various Android devices for a long time and still do (because some sites still use it for some videos) and there is no need to disable it at all. It won't automatically let any malware to infect your Android device:

http://malware.dontneedcoffee.com/2014/ ... -your.html
"If you land on it with Android then you'll be redirected to a website that will push the download of the APK to the mobile without interaction. Note : no installation. User has to do an action. So it's Social Engineering."

Welch wrote:
Any bright ideas would be greatly received.

Try asking in an appropriate forums: http://forum.xda-developers.com/ ;-)
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
ApockofFork
Gerbil First Class
Posts: 167
Joined: Thu Nov 30, 2006 10:34 pm

Re: Android - MoneyPak Virus/Malware

Tue May 13, 2014 2:46 pm

Have you tried draining the battery (or removing it entirely for a bit) to force the tablet into the "off" state instead of the restart state which may let you boot into safe mode?
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Android - MoneyPak Virus/Malware

Fri May 16, 2014 3:51 pm

Yep JohnC, posted over there and of course I'm being told just to re-flash back to stock. While obviously its the "fastest" solution, I find it weak and almost impossible to believe that its possible to require someone to wipe the OS back to factory for something so trivial.... just plain stupid.

@ ApockofFork - Yep already did that, only to find out later that the version that has Safemode is the VZW version. Motorola made so many versions of the Xoom including a family edition and its unclear to even the guys on XDA which do and don't have safemode, also depends on hardware revision. This was one of the first batches of Xooms as it was bought within the first 2 weeks of release and confirmed to NOT have a safemode.

It looks like I'm going to be flashing this... sad stuff.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x

Who is online

Users browsing this forum: No registered users and 1 guest
GZIP: On