Confucius cyber-gang shifts social engineering strategy for Android malware

News by Doug Olenick

The Confucius cyber-gang has altered its social engineering tactics, replacing a malicious chat app with two additional offerings in its on-going attempt to push Android malware onto its victims' devices.


The group, according to Trend Micro, is still targeting Pakistanis but has created two new offerings: one that shows photos of naked women and another that promises to help the potential victim find a romantic partner. Previously, Confucius used only a chat app, which likewise looked to attract lonely hearts, before downloading a slew of malware onto their phones.

The first app is named Fuddi Duniya and links directly to the fake website homepage. In order to allay any fears, the site tells the user it is bypassing Google's official app store because it does not allow apps that show nudity. Once the target is convinced to download the app, the phone is hit with the same malware Confucius used previously, which records audio and steals SMS accounts, contacts and certain file types from specific directories. There is also a new addition: the malware can now retrieve the device's last known location and uses Google Firebase to upload the stolen content.

The second app is similar to the original chat app in that it has a romance component, but it adds a bit of believability by connecting to a malicious chat app that was hosted in Google Play, which has since been removed. This app was loaded with malicious .NET code and had the ability to download a secondary malware package.

The first stage simply grabs the device's username, antivirus type, IP address and operating system version. It then attempts to connect to a command-and-control server and, if the Confucius operators so desire, they can send a second payload.

“We obtained a second-stage payload (detected as TROJ_DELF.XXWZ), which is a file stealer based on the Delphi programming language similar to the 'svctrls' malware,” Trend said, adding that this functionality is similar to backdoors such as sctrls and sip_telephone.
