First Kotlin-Developed Malicious App Spotted
We spotted a malicious app that appears to be the first developed using Kotlin—an open-source programming language for multiplatform applications. Samples from Google Play were disguised as Swift Cleaner, a tool that optimizes Android devices.
We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications. The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.
Figure 1. Swift Cleaner, the malicious app posing as an Android cleaning app
Using Kotlin to develop malware
Google announced Kotlin as a first-class language for writing Android apps in May 2017. Since then, 17 percent of Android Studio projects have started using the language, and Twitter, Pinterest, and Netflix are among the top apps that use Kotlin.
Kotlin is described as concise, because it drastically reduces boilerplate code; safe, because it avoids entire classes of errors such as null pointer exceptions; interoperable, because it can use existing libraries for the JVM, Android, and the browser; and tool-friendly, because developers can use any Java IDE or build from the command line.
Its tooling support is also handy: Android Studio 3.0 ships with Kotlin support, and it can convert an entire Java file, or a Java snippet pasted into a Kotlin file, to Kotlin on the fly.
Whether these features make a practical difference when writing malware is still unknown. For analysts, little changes: Kotlin compiles to the same Dalvik bytecode as Java, so the most visible differences in the APK are the bundled Kotlin standard library classes and the kotlin.Metadata annotations the compiler leaves in the DEX.
Figure 2. Package structure of the malicious app developed using Kotlin
Technical analysis
Upon launching, Swift Cleaner sends the victim’s device information to its remote server and starts a background service that fetches tasks from the C&C server. On first infection, the malware also sends an SMS to a number specified by the C&C server.
Figure 3. Malicious app collects and sends victim’s device information via SMS
After the malware receives the SMS command, it carries out the URL forwarding and click ad fraud tasks that the remote server issues.
Figure 4. Left: C&C server sends task via network. Right: code snippet of the malware in process.
In its click ad fraud routine, the malware receives a remote command that executes a Wireless Application Protocol (WAP) task; WAP is a technical standard for accessing information over a mobile wireless network. It then injects malicious JavaScript into the page and applies regular expression replacements (a regular expression is a sequence of characters that defines a search pattern), which lets the attacker parse the ad’s HTML for the specific strings it needs. Next, it silently turns on the device’s mobile data connection, extracts the base64-encoded image from the page, gets the CAPTCHA solved (by handing the image to the C&C server, as described below), and reports the finished task to the remote server.
Figure 5. Malicious app uploading the finished task to the C&C Server
The malware also uploads details of the user’s mobile service provider, along with the login information and CAPTCHA images, to the C&C server. Once uploaded, the C&C server automatically completes the user’s premium SMS service subscription, which can cost the victim money.
Figure 6. The malicious app uploads the token that will be used to subscribe to a premium SMS service
Figure 7. The malicious app uploads the CAPTCHA image used to subscribe to a premium SMS service
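The page-parsing step described above, reconstructed as an added example for this analysis (it is not the malware’s code): regular expressions pull the base64-encoded CAPTCHA image and the hidden form fields out of a carrier subscription page, validate the image by its magic bytes, and bundle what a C&C server would need to complete the subscription. The HTML is constructed here, and the hidden field name "token" is an assumption.

```python
"""Reconstruction of the ad/subscription page parsing step: extract the
base64 CAPTCHA image and hidden form fields (e.g. a subscription token).

Added example for this analysis; not the malware's code. SAMPLE_HTML is
constructed, and the field name "token" is assumed.
"""
import base64
import binascii
import re
from typing import Optional

# Minimal PNG signature plus padding: enough for magic-byte validation (constructed).
PNG_STUB = b"\x89PNG\r\n\x1a\n" + bytes(16)

# Constructed stand-in for the subscription page fetched over WAP.
SAMPLE_HTML = (
    '<form action="/subscribe" method="post">'
    '<input type="hidden" name="token" value="abc123">'          # assumed field name
    '<input type="hidden" name="msisdn" value="+6512345678">'
    '<img id="captcha" src="data:image/png;base64,'
    + base64.b64encode(PNG_STUB).decode() + '">'
    '<img src="data:image/gif;base64,abc">'                       # decoy: bad padding
    '<img src="data:image/jpeg;base64,'
    + base64.b64encode(b"junk").decode() + '">'                   # decoy: wrong magic
    '<input type="text" name="code">'
    '</form>'
)

DATA_URI_RE = re.compile(
    r'<img[^>]*\ssrc="data:image/(png|jpeg|gif);base64,([A-Za-z0-9+/=]+)"', re.I
)
HIDDEN_RE = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I
)
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def extract_images(html: str) -> list:
    """Return (kind, raw_bytes) for each inline image whose base64 decodes and
    whose leading bytes match the declared image type; decoys are skipped."""
    found = []
    for kind, b64 in DATA_URI_RE.findall(html):
        kind = kind.lower()
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue  # malformed base64: skip rather than crash the routine
        if raw.startswith(MAGIC[kind]):
            found.append((kind, raw))
    return found


def extract_hidden_fields(html: str) -> dict:
    """Hidden inputs the subscription POST would have to echo back."""
    return {name: value for name, value in HIDDEN_RE.findall(html)}


def build_captcha_task(html: str) -> Optional[dict]:
    """Bundle the CAPTCHA image and form fields for upload; None if no CAPTCHA."""
    images = extract_images(html)
    if not images:
        return None
    kind, raw = images[0]
    return {
        "captcha_type": kind,
        "captcha_b64": base64.b64encode(raw).decode(),
        "fields": extract_hidden_fields(html),
    }


if __name__ == "__main__":
    print(build_captcha_task(SAMPLE_HTML))
```

Regexes like these only work on the specific carrier pages the operators target, which is why the malware fetches its patterns and replacements from the C&C server rather than hard-coding them.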
Countermeasures
Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed. Enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. It offers device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities. We have disclosed this security issue to Google, which verified that Google Play Protect has protections in place to protect users from this malware family.
Indicators of Compromise (IoCs):
SHA256 | Package Name | App Label
77D0C7DD4B3D87BE6D9DFB0A9C371B4D8EEADCCB8FDE41D942F1C35E5E3EC063 | Com[.]pho[.]nec[.]sg[.]app[.]CleanApplication | Swift Cleaner
5886316C0B54BBB7CE6978ACDB1AB4E2CF2B1494647B9D9AD014802E6BF5C7B8 | com[.]pho[.]nec[.]pcs | Swift Cleaner
AEEF3FF7CC543BBACB6AB4DF8DA639B98BE8F3C225678A4D0935F467BC6D720E | com[.]pho[.]nec[.]pcs | Swift Cleaner
621092856E20E628A577DBE9248649EAE78D1AF611D9168635B22057C6C7552B | com[.]pho[.]nec[.]pcs | Swift Cleaner
329B9C5670ECDF25248E484E23C21BBC86F943D7573FF131C0DC71BC80812D1C | com[.]pho[.]nec[.]pcs | Swift Cleaner
2856F3D1282DDC6BCFE65B0C91A87D998EDCCB777387E3F998BC3B6F1D0B3342 | com[.]pho[.]nec[.]pcs | Swift Cleaner
4F649E0EA6A6F022E7A5701CECB5B7653D1334EB40918E52DB8F3DAACFB3B660 | com[.]pho[.]nec[.]pcs | Swift Cleaner
AB2C4886A4E0681A55B29C653B506B66721A3F36A1B098AFA7F56DA6F89BF5DE | com[.]pho[.]nec[.]pcs | Swift Cleaner
7D3E61C2C58906E09D56121BE94601744E362E6F8C6B7BF87472B62B0CF8CE57 | com[.]pho[.]nec[.]sg | Swift Cleaner
B4822EEB71C83E4AAB5DDFECFB58459E5C5E10D382A2364DA1C42621F58E119B | com[.]pho[.]nec[.]sg | Swift Cleaner
C&C servers:
hxxp://adx[.]gmpmobi[.]com
hxxp://52[.]76[.]80[.]41
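A triage script that puts the indicators above to use, added here as an example (it is not Trend Micro’s code): it hashes an APK against the listed SHA256 values, looks for the artifacts a Kotlin-built APK carries (the META-INF/*.kotlin_module and kotlin/*.kotlin_builtins entries shown in the package structure, plus the kotlin.Metadata descriptors in classes.dex), and byte-searches the DEX for the listed C&C hosts and the com.pho.nec package prefix. The hash, package and C&C values are copied from the IoC list with the "[.]" defanging reversed; build_sample_apk() constructs a stand-in archive so the script runs without a real sample.

```python
"""Offline APK triage against the IoCs above: SHA-256 match, Kotlin build
markers, and C&C / package strings in the DEX.

Added example for this analysis; not Trend Micro's code and not the malware's.
IoC values are taken from the table (defanged "[.]" restored); the archive in
build_sample_apk() is constructed and is not a real sample.
"""
import hashlib
import io
import re
import sys
import zipfile

IOC_SHA256 = {
    "77D0C7DD4B3D87BE6D9DFB0A9C371B4D8EEADCCB8FDE41D942F1C35E5E3EC063",
    "5886316C0B54BBB7CE6978ACDB1AB4E2CF2B1494647B9D9AD014802E6BF5C7B8",
    "AEEF3FF7CC543BBACB6AB4DF8DA639B98BE8F3C225678A4D0935F467BC6D720E",
    "621092856E20E628A577DBE9248649EAE78D1AF611D9168635B22057C6C7552B",
    "329B9C5670ECDF25248E484E23C21BBC86F943D7573FF131C0DC71BC80812D1C",
    "2856F3D1282DDC6BCFE65B0C91A87D998EDCCB777387E3F998BC3B6F1D0B3342",
    "4F649E0EA6A6F022E7A5701CECB5B7653D1334EB40918E52DB8F3DAACFB3B660",
    "AB2C4886A4E0681A55B29C653B506B66721A3F36A1B098AFA7F56DA6F89BF5DE",
    "7D3E61C2C58906E09D56121BE94601744E362E6F8C6B7BF87472B62B0CF8CE57",
    "B4822EEB71C83E4AAB5DDFECFB58459E5C5E10D382A2364DA1C42621F58E119B",
}
# C&C hosts from the IoC list, refanged once here so they can be byte-searched.
IOC_STRINGS = [s.replace("[.]", ".") for s in ("adx[.]gmpmobi[.]com", "52[.]76[.]80[.]41")]
# Both listed package names share this prefix; DEX type descriptors use '/' separators.
IOC_PACKAGE_DESC = b"Lcom/pho/nec/"

# Entries a Kotlin-built APK carries unless the packager strips them.
KOTLIN_ENTRY_RE = re.compile(r"^(META-INF/.*\.kotlin_module|kotlin/.*\.kotlin_builtins)$")
# Descriptors the Kotlin compiler leaves in classes.dex. A plain byte search works
# because DEX strings are MUTF-8, which is identical to UTF-8 for ASCII.
KOTLIN_DEX_MARKERS = (b"Lkotlin/Metadata;", b"Lkotlin/jvm/internal/Intrinsics;")


def triage_apk(apk: bytes) -> dict:
    """Report for one APK image: hash match, Kotlin evidence, IoC string hits."""
    report = {
        "sha256": hashlib.sha256(apk).hexdigest().upper(),
        "hash_match": False, "kotlin_markers": [], "ioc_strings": [], "package_hit": False,
    }
    report["hash_match"] = report["sha256"] in IOC_SHA256
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        report["kotlin_markers"] += [n for n in names if KOTLIN_ENTRY_RE.match(n)]
        for name in names:
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue  # multidex APKs have classes2.dex, classes3.dex, ...
            dex = zf.read(name)
            report["kotlin_markers"] += [f"{name}:{m.decode()}" for m in KOTLIN_DEX_MARKERS if m in dex]
            report["ioc_strings"] += [s for s in IOC_STRINGS if s.encode() in dex]
            report["package_hit"] |= IOC_PACKAGE_DESC in dex
    if report["hash_match"]:
        report["verdict"] = "known sample"
    elif report["package_hit"] or report["ioc_strings"]:
        report["verdict"] = "suspicious"
    else:
        # Kotlin on its own proves nothing: legitimate apps use it too.
        report["verdict"] = "no IoC match"
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in: a zip with Kotlin markers, the package descriptor and
    one C&C host planted in a fake classes.dex. Not a real sample."""
    fake_dex = (b"dex\n035\x00Lkotlin/Metadata;\x00Lcom/pho/nec/pcs/MainActivity;\x00"
                b"http://adx.gmpmobi.com/\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder, not parsed
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("META-INF/app_release.kotlin_module", b"\x00")
        zf.writestr("kotlin/kotlin.kotlin_builtins", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    samples = [open(p, "rb").read() for p in paths] if paths else [build_sample_apk()]
    for data in samples:
        print(triage_apk(data))
```

Run it as `python triage.py app.apk` (or with no arguments for the constructed sample). The hash check only catches these exact builds, the string search misses C&C values that are encrypted or built at runtime, and the kotlin_module files can be stripped by packaging options, so treat the three signals as independent and weight the DEX descriptors highest.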