Security experts from Bitdefender have spotted tainted versions of the Android Zoom video-conferencing application that target users working from home during the Coronavirus outbreak.
Researchers detected re-packaged Zoom mobile applications that are distributed via third-party markets.
“The samples documented in this article spread outside of the Google Play Store and exclusively target users who
“This piece of malware has components injected
The attacks observed by the researchers only did not
A close look at the tainted Zoom application reveals that its user interface is identical to that of the original app. Experts pointed out that one of the re-packaged apps
Upon execution, the malicious application downloads a payload from its C2 at tcp[:]//googleteamsupport[.]ddns.net:4444, which is a dynamic DNS service that allows a user with a dynamic IP address to map it to a
Domain history shows that this subdomain pointed to an IP address in Jordan (220.127.116.11) to which sweetman2020[.]no-ip.biz also resolved; that domain was used as a C&C server for the Android remote access Trojan (RAT) known as SandoRAT/DroidJack.
Experts also spotted another tainted Zoom application that was employed in attacks aimed at Chinese users.
“Bitdefender researchers have also uncovered a tainted Zoom APK that specifically targets Chinese users. Once sideloaded, the application asks for phone, location and photo permissions on start,” continues the analysis.
A third Zoom re-packaged app discovered by Bitdefender, named ZOOM Cloud Meeting, is targeting Android users in the United States.
When opened, the application initially hides itself from the menu, then it starts a repeating alarm that randomly sends an intent to an Ad Service. This service subsequently starts an
The tainted app checks for a hardcoded string in assets, called ‘admin’, then asks for admin rights if the string is true. If not, it attempts to download another file when launched.
“As of the moment of writing, this sample has been seen in the wild in the United States,” concludes Bitdefender.
“The sample bundles functionality to ask for device admin permissions in English or Russian, based on the default language of the mobile phone. The malware also has the ability to start itself when the device is powered on.”
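As an added defender-side example (not Bitdefender's code), the following Python script statically triages a sideloaded APK for the traits described above for the ZOOM Cloud Meeting sample: the hardcoded 'admin' asset, a receiver that requests device admin rights, and boot-time persistence. It assumes the manifest has already been decoded to plain XML (e.g. with apktool) and stored back in the archive; the sample APK is constructed in memory.

```python
"""Static triage of a sideloaded APK for the traits the article attributes to the
re-packaged Zoom samples. Assumes AndroidManifest.xml was decoded to plain XML
(e.g. with apktool) and re-packed; the input archive below is constructed."""
import io
import re
import zipfile

# Indicators taken from the article's description of the ZOOM Cloud Meeting sample
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ASSET = "assets/admin"  # the hardcoded 'admin' marker checked at launch

def triage_apk(apk_bytes: bytes) -> dict:
    """Return which indicators are present, plus an overall 'suspicious' verdict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AndroidManifest.xml").decode("utf-8", "replace")
    found = {"admin_asset": ADMIN_ASSET in names}
    found["boot_permission"] = BOOT_PERMISSION in manifest
    found["boot_receiver"] = BOOT_ACTION in manifest
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks for device admin rights
    found["device_admin_receiver"] = re.search(
        r'<receiver[^>]*android:permission="%s"' % re.escape(ADMIN_PERMISSION), manifest) is not None
    # The admin asset alone, or device-admin plus boot persistence, is flagged
    found["suspicious"] = found["admin_asset"] or (
        found["device_admin_receiver"] and found["boot_permission"] and found["boot_receiver"])
    return found

# Constructed decoded manifest mirroring the behaviours described in the article
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.zoomclone">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="ZOOM Cloud Meeting">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def build_sample_apk(manifest: str, with_admin_asset: bool) -> bytes:
    """Build an in-memory APK-like zip (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        if with_admin_asset:
            zf.writestr(ADMIN_ASSET, "true")  # the article says the app acts when the string is true
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk(SAMPLE_MANIFEST, True))` to see all four indicators reported for the constructed sample; on a real decoded APK, pass the archive bytes instead.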