{"id":87249,"date":"2018-12-25T14:43:28","date_gmt":"2018-12-25T09:13:28","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87249"},"modified":"2023-09-25T17:54:33","modified_gmt":"2023-09-25T12:24:33","slug":"beware-pdf-attachments-launching-android-malware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-pdf-attachments-launching-android-malware\/","title":{"rendered":"Beware!! PDF Attachments Launching Android malware"},"content":{"rendered":"

As a normal user we receive multiple <\/span><\/span><\/span>emails <\/span><\/span><\/span>on a daily basis <\/span>with <\/span><\/span><\/span>PDF<\/span><\/span><\/span> as an attachment. Recently, at Quick-Heal <\/span><\/span><\/span>Security<\/span> Lab, we observed a malicious PDF file sent to users as an attachment <\/span><\/span><\/span>via a phishing mail<\/span>. <\/span><\/span><\/span>These PDF files look like a regular document but that\u2019s not the truth.<\/span> It looks locked out and blurred to misguide and make the user curious to open it. These kinds of malicious documents are designed to lure the user <\/span><\/span><\/span>into opening such documents<\/span>. This is <\/span><\/span><\/span>a <\/span><\/span><\/span>key entry point for the malware to the device. <\/span><\/span><\/span><\/p>\n

These types of PDF<\/span><\/span>s<\/span><\/span> try to get attention of <\/span><\/span>the <\/span><\/span>user to click on it by using various ways like \u201cTo open this document, update the adobe reader<\/em><\/strong>\u201d or \u201cTo unlock this document press below button<\/em><\/strong>\u201d. W<\/span><\/span>hen <\/span><\/span>the <\/span><\/span>user perform click<\/span><\/span> action on that document, then <\/span><\/span>it<\/span><\/span> downloads malicious APK <\/span><\/span>(Android executable)<\/span><\/span> file from <\/span><\/span>a <\/span><\/span>malicious link present in that PDF<\/span><\/span>, which will further download original Adobe <\/span><\/span>reader<\/span><\/span>. <\/span><\/span><\/span><\/p>\n

After analyzing one such PDF file, w<\/span><\/span>e found hyperlinks added in PDF, <\/span><\/span>the code<\/span><\/span> shown <\/span><\/span>below –<\/span><\/span><\/span><\/strong><\/p>\n

\"\"<\/p>\n

Actually, above links are associated with malicious APK, which is downloaded on user\u2019s device, currently URLs are not active.<\/span><\/span><\/span><\/p>\n

Below image shows the flow of this malicious activity –<\/strong> <\/span><\/span><\/p>\n

\"\"<\/p>\n

Analysis of downloaded malicious APK –
\n<\/span><\/span><\/strong><\/p>\n

It displays the below icon which is different from genuine Adobe reader as shown below –
\n<\/span><\/p>\n

\"\"<\/p>\n

This application uses many sensitive permissions like –<\/strong>
\n<\/span><\/p>\n

\"\"<\/p>\n

These important permissions like reading contacts, SMS, call logs contradict with functionality of Adobe.<\/span><\/p>\n

When user opens this application, it shows Adobe Acrobat installation screen. Actually, this malware carries original Adobe Acrobat APK with it and shows its installation screen to user. User gets an impression that he\/she is downloading the Adobe Reader\u2019s updates and<\/span> innocently clicks on “install updates<\/em><\/strong>” button.<\/span><\/span> After that malware hides its icon and start its malicious service in the background.<\/span><\/p>\n

\"\"<\/p>\n

If we check running applications then it shows both applications are in running state –<\/span><\/strong><\/p>\n

\"\"<\/p>\n

It contains the below code to install original Adobe Acrobat reader from resources-<\/span><\/strong><\/p>\n

\"\"<\/p>\n

Here <\/span>base.apk<\/b><\/span><\/em> is nothing but original Adobe reader APK file.<\/span><\/p>\n

Here, if phone is rooted then it executes below code –<\/span><\/strong><\/p>\n

\"\"<\/p>\n

And for non-rooted phone it executes below code –<\/span><\/strong><\/p>\n

\"\"<\/p>\n

This malware is nothing but spyware and spies on almost every activity on the user\u2019s phone. For this purpose it registers many intents like \u201cR<\/strong>eceive SMS<\/strong><\/em>\u201d, \u201cO<\/strong>utgoing call<\/strong><\/em>\u201d, \u201cA<\/strong>pplication install<\/strong><\/em>\u201d etc. to get notification about device state like new call<\/em><\/strong> or SMS<\/strong> received<\/strong><\/em> on user\u2019s phone.<\/span><\/p>\n

\"\"<\/p>\n

When new SMS notification is received on the phone, then it collects the SMS number and sends it to server.<\/span><\/p>\n

\"\"<\/p>\n

It also collects location-related data i.e. longitude and latitude.
\n<\/span><\/p>\n

\"\"<\/p>\n

When a new \u201cCall starts<\/em><\/strong>\u201d or \u201cM<\/em>issed call received<\/em><\/strong>\u201d it collects that number and sends it to the server.<\/span><\/p>\n

\"\"<\/p>\n

Apart from this, it also has the capability to read contacts, read browser bookmarks, key-logging, and kill background processes.<\/em><\/span><\/p>\n

Quick-Heal detection –<\/span><\/strong><\/p>\n

PDF file is detected by name – <\/span><\/em>Trojan. PDF.Agent.33376<\/b><\/span><\/em><\/p>\n

Dropped APK file is detected by name – <\/span><\/em>Android.Spy.GEN27587<\/b><\/span><\/em><\/p>\n

Conclusion-<\/span><\/strong><\/p>\n

Threat actors continuously try to find a new way to enter a user\u2019s device. <\/span><\/span>So, the most important requirement is to install a strong and comprehensive security solution that can protect both the data stored on devices and the information accessed on them. <\/span>Clicking on unknown\/suspicious links should also be avoided.<\/span><\/span><\/p>\n

Tips to stay safe from Android malware-<\/span><\/strong><\/p>\n