delivine gardine hectori


Fatima Teem

Aug 2, 2024, 1:08:01 AM
to donsdiperdeasb

Typically, these messages are designed to lure unsuspecting contacts of the infected user into downloading the malware and allowing it to execute and run on their own devices. This in turn then spreads the reach of the malware, which will then continue to use WhatsApp for distribution and propagation.

The malware will lure the user into accepting multiple permissions that the malware then uses to its advantage. The malware, on installation, requires specific permissions to be enabled before it can conduct its malicious activities. The malware will display instructions to manually enable them when launched if they are not already present on the newly infected device.

The malware will intercept all incoming notifications relating to WhatsApp, and attempt to reply to incoming messages itself with a phishing link to entice the sender into downloading the malware so the distribution/propagation cycle can continue.

As the alert below shows, this may reduce battery life on the device but is abused by the malware as a further persistence mechanism to prevent it from being killed, even if it remains largely idle for extended periods of time:

The malware will now attempt to reach out to its C2 at hxxps://netflixwatch[.]site/settings[.]php. (NOTE: this C2 has since gone offline after the Google Play store was alerted that this was a fake app and the app was removed from the store.)

The malware will attempt its distributed propagation by listening to all notifications related to WhatsApp. If a message is received via the INBOX, the malware will attempt to generate a reply and send that response containing the malicious application's download page:

After the device receives a WhatsApp notification and that message has been intercepted by the malware, it will attempt to craft a reply. The malware will utilize information it received from its C2 before sending the reply. This response typically lures a user into clicking the phishing link.

At the time of writing, known files relating to this malware are not currently hosted on the Google Play store; however, they were initially hosted on the APK distribution platform before removal.

The Google Play store is the official digital distribution service run by Google to host Android APK files. Though the service is well maintained by Google and has strict security protocols in place, this does not mean the Google Play store is impenetrable, as malware can very occasionally bypass controls and reside there.

Android malware can hide in a number of places. Typically, Android malware can be hosted and distributed via third-party hosting websites relating to Android applications, as these tend to have less reputable and efficient security checking.

The malware will attempt to cancel all incoming WhatsApp notifications to hide its actions from the user. The malware will then automatically craft a response to the sender of the message and 'reply' with a brief message and a link to download the malware.

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.
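The post above describes two things a defender can act on: a defanged C2 indicator (hxxps://netflixwatch[.]site/settings[.]php) that can be refanged and matched against web-proxy or DNS logs, and an abuse pattern (a notification-listener service plus a request to be excluded from battery optimisation) that shows up in an APK's manifest. The script below is an added example written for this page, not code from the post or from BlackBerry. The proxy log lines and the manifest snippet are constructed, and the mapping of permission names to "why this matters" is an assumption drawn from the behaviour the post describes, not a rule from any vendor.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The defanged C2 quoted in the post above (the only indicator the page gives).
DEFANGED_C2 = "hxxps://netflixwatch[.]site/settings[.]php"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into its literal form for matching."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def indicator_host(indicator: str) -> str:
    """Host part of a (possibly defanged) URL indicator, lower-cased."""
    return (urlsplit(refang(indicator)).hostname or "").lower()


# Constructed proxy log lines (not from the post). Format: ts src_ip method url status
SAMPLE_PROXY_LOG = """\
2024-08-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200
2024-08-01T10:00:07Z 10.0.0.9 POST https://netflixwatch.site/settings.php 200
2024-08-01T10:00:09Z 10.0.0.9 GET https://cdn.example.net/app.apk 200
2024-08-01T10:01:30Z 10.0.0.12 GET http://NETFLIXWATCH.SITE/ 404
"""


def find_c2_contacts(log_text: str, indicators) -> list:
    """Return one dict per log line whose URL host matches any indicator host.

    Matching is on the host only, so a later path change on the C2 still hits,
    and hostnames are compared case-insensitively.
    """
    hosts = {indicator_host(i) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, src, method, url = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append({"ts": ts, "src": src, "method": method, "host": host})
    return hits


# Manifest triage. The permission names are real Android permissions; the
# explanations are assumptions tied to the behaviour the post describes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MARKERS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "service can read and dismiss notifications (WhatsApp interception)",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "app asks to be excluded from battery optimisation (persistence)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "app can draw over other apps (permission-prompt overlays)",
}

# Constructed manifest snippet (hypothetical package name, not a real sample).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".NotifyListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> list:
    """Sorted list of marker permissions found in <uses-permission> or on a <service>."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID_NS + "name", "")
        if name in MARKERS:
            found.add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        if perm in MARKERS:
            found.add(perm)
    return sorted(found)


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_PROXY_LOG, [DEFANGED_C2]):
        print("C2 contact:", hit)
    for perm in triage_manifest(SAMPLE_MANIFEST):
        print("manifest marker:", perm, "->", MARKERS[perm])
```

Neither marker is proof of malice on its own (legitimate messaging and accessibility apps use notification listeners, and many apps ask to be exempted from battery optimisation), so the manifest check is a triage hint to pair with the network match, not a verdict.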
