Clicker functionality can also be implemented so that ad traffic is requested by the infected device without showing a single advertisement on the screen.
Specific User-Agent headers are delivered from the C&C to carry out the ad fraud.
Figure 11. Specific User-Agent
The ID for the ad network is updated through the C&C server:
Figure 12. ID used to monetize the advertisements
Typically, apps that serve ads embed a number of ad-network SDKs (usually distributed as JAR libraries) that request the ad content properly, collecting the device type and sometimes even some personal information. However, this malware does not integrate any SDK package into its source code to access the ads. Android/LeifAccess can load ads from the appropriate ad network via direct URLs for ad clicks or ad impressions (IMPR) that the C&C server pre-builds and delivers to it in JSON format. This means the infected device can request a URL with the full set of parameters needed to simulate a legitimate click originating from a user tapping an ad in the context of a legitimate application, avoiding the SDK integration, which also helps keep the sample fairly small.
The ad-fraud JSON structure includes:
Additionally, this malware can show real ads in full screen, from the context of any app, after the device is unlocked if it receives the right commands, or at a frequency set by the C&C. It can also show an overlay icon that redirects to ads as a floating overlay.
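A defender's view of the behaviour described above: when click and impression URLs and User-Agent strings are handed down by the C&C rather than produced by an ad SDK, a single handset ends up issuing ad clicks under several unrelated User-Agents and with far more clicks than impressions. The following Python script, an added example that is not part of the original article, runs that check over a few constructed proxy log lines (tab-separated timestamp, device id, URL, User-Agent; the log format, hostnames and thresholds are assumptions, not values from the sample).

```python
"""Flag devices that rotate User-Agent strings on ad click/impression requests.

Added example; the log format, hostnames and thresholds below are constructed
assumptions and not taken from the Android/LeifAccess sample.
"""
import re
from collections import defaultdict

# Constructed proxy log: timestamp <TAB> device id <TAB> URL <TAB> User-Agent
SAMPLE_LOG = """\
2020-03-01T10:00:01Z\tdev-a\thttps://ads.example.test/impr?cid=1001&pid=77\tMozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 Chrome/80.0 Mobile
2020-03-01T10:00:02Z\tdev-a\thttps://ads.example.test/click?cid=1001&pid=77\tMozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 Chrome/80.0 Mobile
2020-03-01T10:00:03Z\tdev-a\thttps://ads.example.test/click?cid=1002&pid=77\tMozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1
2020-03-01T10:00:04Z\tdev-a\thttps://ads.example.test/click?cid=1003&pid=77\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/79.0
2020-03-01T10:00:05Z\tdev-b\thttps://ads.example.test/impr?cid=2001&pid=12\tMozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/80.0 Mobile
2020-03-01T10:00:06Z\tdev-b\thttps://cdn.example.test/app/main.js\tMozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/80.0 Mobile
"""

# Ad endpoints are identified by path component; "click" and "impr" follow the
# terminology in the article (clicks and IMPR impressions).
AD_PATH = re.compile(r"https?://[^/]+/(click|impr)(?:[/?]|$)")

# Coarse platform family taken from the User-Agent; one handset should not claim
# to be three different platforms within a few seconds.
PLATFORM_MARKERS = (("Android", "Android"), ("iPhone", "iOS"), ("Windows NT", "Windows"))


def parse_log(text):
    """Parse the tab-separated log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, url, ua = line.split("\t", 3)
        m = AD_PATH.match(url)
        records.append({"ts": ts, "device": device, "url": url, "ua": ua,
                        "ad_type": m.group(1) if m else None})
    return records


def platform_family(ua):
    for marker, family in PLATFORM_MARKERS:
        if marker in ua:
            return family
    return "unknown"


def find_ua_rotation(records, max_uas=1):
    """Return {device: sorted User-Agents} for devices that used more than
    max_uas distinct User-Agents on ad click/impression requests."""
    uas = defaultdict(set)
    for r in records:
        if r["ad_type"]:
            uas[r["device"]].add(r["ua"])
    return {dev: sorted(s) for dev, s in uas.items() if len(s) > max_uas}


def ad_counts(records):
    """Return {device: (clicks, impressions)}; a click count far above the
    impression count is the signature of a clicker."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        if r["ad_type"] == "click":
            counts[r["device"]][0] += 1
        elif r["ad_type"] == "impr":
            counts[r["device"]][1] += 1
    return {dev: tuple(v) for dev, v in counts.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dev, ua_list in find_ua_rotation(recs).items():
        families = sorted({platform_family(u) for u in ua_list})
        print(f"{dev}: {len(ua_list)} User-Agents on ad endpoints, platforms {families}")
    for dev, (clicks, imprs) in ad_counts(recs).items():
        print(f"{dev}: clicks={clicks} impressions={imprs}")
```

Both signals are cheap to compute from an egress proxy or mobile device management log; on their own, a platform mismatch or a click-to-impression ratio above one is a triage lead rather than proof, since a legitimate WebView can carry a browser-style User-Agent.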
Arbitrary shortcuts can be created on the home screen based on the parameters received:
To obtain accessibility services, or to request the deactivation of an OS security option that has not yet been granted, the malware is able to launch toast messages to try to persuade victims to perform certain actions.
Below is a list of the fake notifications, including title and content, in JSON format, used by the malware in the "dialog" feature, which is executed as a toast notification at the interval set by the parameter "notifi_inter" (28800000 milliseconds, which equals 8 hours).
Figure 13. List of dialogs used as fake notifications
The 'activate' and 'deactivate' strings that the malware matches against are internationalized to match the OS language:
Unpacking and Execution
To avoid detection, as a 'defense evasion' technique, the originally installed application is just a wrapper that, once executed, decrypts a container from the asset file at the path 'assets/fields.css', which is then dynamically loaded into the main application using reflection. System API call strings are also obfuscated using a custom base64 implementation.
Figure 14. Overview of the malware unpacking
Reversing the decrypted container file requires deobfuscating the strings used by Android/LeifAccess.A, which are all custom encoded:
Figure 15. Deobfuscated strings using function et.a
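The custom base64 mentioned in the unpacking section and the string deobfuscation above are usually the same trick: a standard base64 routine driven by a permuted alphabet, so a stock decoder yields garbage. The Python below is an added example, not the sample's `et.a` routine, and the rotated alphabet it uses is a constructed stand-in; an analyst lifts the real table from the decoder function and drops it in.

```python
"""Decode strings encoded with a custom base64 alphabet by translating them back
to the standard alphabet.

Added example; CUSTOM_ALPHABET is constructed and is not the alphabet used by
Android/LeifAccess.A. Replace it with the table recovered from the sample.
"""
import base64
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in: the standard alphabet rotated by 17 positions.
CUSTOM_ALPHABET = STANDARD_ALPHABET[17:] + STANDARD_ALPHABET[:17]


def validate_alphabet(alphabet: str) -> None:
    """A usable alphabet is a permutation of 64 distinct characters without '='."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters and must not contain '='")


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with the standard routine, then map each symbol into the custom alphabet."""
    validate_alphabet(alphabet)
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def custom_b64decode(encoded: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map custom symbols back to the standard alphabet and decode; tolerates stripped '=' padding."""
    validate_alphabet(alphabet)
    std = encoded.strip().translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def deobfuscate_table(table: dict, alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Decode a {label: obfuscated string} table as pulled from a decompiled class."""
    return {label: custom_b64decode(value, alphabet).decode("utf-8") for label, value in table.items()}


# Constructed obfuscated strings (produced with the stand-in alphabet) standing in
# for the kind of API names the article says the sample hides.
SAMPLE_TABLE = {
    "s1": custom_b64encode(b"android.app.NotificationManager"),
    "s2": custom_b64encode(b"getSystemService"),
    "s3": custom_b64encode(b"dalvik.system.DexClassLoader"),
}

if __name__ == "__main__":
    for label, value in SAMPLE_TABLE.items():
        print(f"{label}: {value} -> {custom_b64decode(value).decode()}")
```

The `translate` approach is the whole technique: because the encoder's bit-packing is standard, only the symbol table differs, so recovering the 64-character string from the decompiled routine is enough to decode every string in the sample in one pass.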
Command and Control Server:
The command and control servers are also used for malware distribution and payload updates. The domain names include terms that may make people think they belong to a legitimate ad network or a Content Delivery Network (CDN):
Distribution and Telemetry
The samples are available on the C&C, hosted as direct APK links, but can also be distributed on social media or through a malvertising campaign that tries to persuade users to install a critical security update. This variant's label is SystemSecurityUpdates and the package name starts with 'com.services.xxxx', pretending to be an operating system update.
Variants of Android/LeifAccess.A were found distributed and hosted through the Discord game chat platform. Some malicious APK variants were available under the following URL scheme