New Android MoqHao Malware Executes Automatically on Installation

The Roaming Mantis threat group distributes a well-known Android malware family called “MoqHao.” This malware family has been previously reported to be targeting Asian countries such as Korea and Japan. Though the distribution method remains the same, the new variants use a very dangerous technique.



Typically, the MoqHao malware requires user interaction to install and launch the app. However, the new variant of this malware does not require any execution.



Android is currently protected with Google Play Protect, which is the default app scanner that warns users or blocks applications that contain malicious behavior.






Document

@import url('https://fonts.googleapis.com/css2?family=Poppins&display=swap');
@import url('https://fonts.googleapis.com/css2?family=Poppins&family=Roboto&display=swap');
*{
margin: 0; padding: 0;
text-decoration: none;
}
.container{
font-family: roboto, sans-serif;
width: 90%;
border: 1px solid lightgrey;
padding: 20px;
background: linear-gradient(2deg,#E0EAF1 100%,#BBD2E0 100%);
margin: 20px auto ;
border-radius: 40px 10px;
box-shadow: 5px 5px 5px #e2ebff;
}
.container:hover{
box-shadow: 10px 10px 5px #e2ebff;

}
.container .title{
color: #015689;
font-size: 22px;
font-weight: bolder;
}
.container .title{
text-shadow: 1px 1px 1px lightgrey;
}
.container .title:after {
width: 50px;
height: 2px;
content: ' ';
position: absolute;
background-color: #015689;
margin: 20px 8px;
}
.container h2{
line-height: 40px;
margin: 2px 0;
font-weight: bolder;
}
.container a{

color: #170d51;
}
.container p{
font-size: 18px;
line-height: 30px;

}

.container button{
padding: 15px;
background-color: #4469f5;
border-radius: 10px;
border: none;
background-color: #00456e ;
font-size: 16px;
font-weight: bold;
margin-top: 5px;
}
.container button:hover{
box-shadow: 1px 1px 15px #015689;
transition: all 0.2S linear;

}
.container button a{
color: white;
}
hr{
/ display: none; /
}

Protect Your Network From Data Breach


Perimeter’s 81 Malware Protection for Network Based Threats
Prevent malware from infecting your network at the delivery stage by intercepting malicious files in transit from their source to the target device’s web browser.

.

Request Free Demo

Android MoqHao Malware



As part of the distribution, the threat actors send a malicious phishing SMS message to the users, which will contain a malicious shortened link. The device downloads the malicious application once the user clicks on the link. 



This new variant has several different behaviors when compared to the previous variants of this malware, as it launches automatically after installation without user interaction.



Differences between typical MoqHao and Modern MoqHao (Source: McAfee) Android security checks an installed application and the specific value used by that application, which must be unique. The threat actors are abusing this particular feature to auto-executing the application without user interaction.





Moreover, the threat actors also use social engineering techniques to set this malicious app as a default SMS app. Further investigations also revealed that the malware has been extended with targets, including countries like South Korea, France, Germany, and India.



Fake messages to target different countries (Source: McAfee) Furthermore, this variant connects with a C2 server through WebSocket. This new malware has been added with several other commands for checking SIM state, sending SMS messages to other contacts and C2 servers, setting Sound/Vibrate/Silent mode, and various other purposes.



Command  Description  getSmsKW  Send whole contacts to the C2 server  sendSms  Send SMS messages to someone  setWifi  Enable/disable Wifi  gcont  Set Vibrate/Silent mode according to the SDK version  lock  Store Boolean value in “lock” key in SharedPreferences  bc  Check SIM state  setForward  Store String value in “fs” key in SharedPreferences  getForward  Get String value in “fs” key in SharedPreferences  hasPkg  Check the specific package installed on the device  setRingerMode  Set Sound/Vibrate/Silent mode  setRecEnable  Emulate the Home button click  reqState  Send device information (Network, Power, MAC, Permission) to C2 server  showHome  Call a specific number with a Silent mode  getnpki  Send Korean Public Certificate (NPKI) to C2 server  http  Send HTTP requests  call  Get the list of installed packages  get_apps  Send all photos to the C2 server  ping  Check C2 server status  getPhoneState  Get unique information such as IMEI, SIM number, Android ID, and serial number  get_photo  Send all photos to C2 server  McAfee provides comprehensive information about the malware, including details on its source code, techniques used to deploy it, targets that have been affected by it, and other important insights.



Indicators of Compromise



SHA256  Application Name  Package Name  2576a166d3b18eafc2e35a7de3e5549419d10ce62e0eeb24bad5a1daaa257528  chrome  gb.pi.xcxr.xd  61b4cca67762a4cf31209056ea17b6fb212e175ca330015d804122ee6481688e  chrome  malmkb.zdbd.ivakf.lrhrgf  b044804cf731cd7dd79000b7c6abce7b642402b275c1eb25712607fc1e5e3d2b  chrome  vfqhqd.msk.xux.njs  bf102125a6fca5e96aed855b45bbed9aa0bc964198ce207f2e63a71487ad793a  chrome  hohoj.vlcwu.lm.ext  e72f46f15e50ce7cee5c4c0c5a5277e8be4bb3dd23d08ea79e1deacb8f004136  chrome  enech.hg.rrfy.wrlpp  f6323f8d8cfa4b5053c65f8c1862a8e6844b35b260f61735b3cf8d19990fef42  chrome  gqjoyp.cixq.zbh.llr  Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter .
The post New Android MoqHao Malware Executes Automatically on Installation appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .