OSCORP—A New Android Malware

Blog

February 3, 2021

OSCORP—A New Android Malware

Oscorp a new android malware recently got identified by Italy’s CERTAGID experts. This malware hides in the APK(Android Application Package) and then attacks the user’s data. It tricks the user to grant access to the Android Accessibility Service.

How does it work?

A domain name “supportoapp.com” was identified by the experts. This domain is responsible for integrating the file “Client assistance.apk”.Once the “Customer Protection” application is installed, it urges the device used to activate the accessibility service.

The malware Oscorp uses the G2 (Geny2) service to make the user give access. Once it gets activated, it automatically activates some permissions. The malware continuously reopens the Settings every eight seconds with an intention to force the user to grant certain requested permissions.

List of Permissions

The list of permissions include:

CAMERA
CALL_PHONE
INTERNET
READ_SMS
READ_PHONE_STATE
DISABLE_KEYGUARD
RECEIVE_SMS
RECEIVE_MMS
SEND_SMS
RECORD_AUDIO
SYSTEM_ALERT_WINDOW
WRITE_EXTERNAL_STORAGE
WRITE_SMS
INJECT_EVENTS
PACKAGE_USAGE_STATS
READ_PRIVILEGED_PHONE_STATE
ACCESS_NETWORK_STATE
ACCESS_SUPERUSER
MODIFY_AUDIO_SETTINGS
READ_EXTERNAL_STORAGE
RECEIVE_BOOT_COMPLETED
REQUEST_DELETE_PACKAGES
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
REQUEST_INSTALL_PACKAGES
WAKE_LOCK

Threats

The malware can perform the following functions once the user enables the accessibility service:

Enabling keylogger functionality. This enables the attacker to steal sensitive information that is typed by the user.
Automatically obtain the permissions and capabilities required by the malware.
It has the ability to uninstall applications on the victim’s device.
It steals the system information like model number, operator, etc.
It can automatically make calls.
Send text messages without consent.
Theft of sensitive information including credentials and wallet addresses of cryptocurrency.
Stealing of PIN for Google’s 2FA(two-factor authentication).

To go unnoticed the malware blocks the most efficient and widely known antiviruses such as Avast, Avira, and ESET.

How to Defend?

The best one can do to defend is to turn off accessibility services when not needed. Downloading and installing applications from the Google Play Store helps. Downloading from APK files can be dangerous if the source is untrustworthy.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
ss	session	This cookie is set by the provider Eventbrite. This cookie is used for the functionality of website chat-box function.
TawkConnectionTime	session	This cookie is set by Tawk.to which is a live chat functionality. The cookie is used to remember users so that previous chats can be linked together to provide better and improved service.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_gat_gtag_UA_176388379_1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 10 days 14 hours 3 minutes	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
m	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp_woocommerce_session_437c50c7f831b10091cc0d12eb919351	2 days	No description

OSCORP—A New Android Malware

How does it work?

List of Permissions

Threats

How to Defend?

Leave a Reply Cancel reply

Request For A Free Demo Class