I found a Trojan on the Play Store that had been available for download for almost a year. Its malicious functionality was hidden inside the “Simple Call Recorder” application published by “FreshApps Group”. Its main purpose was to download an additional app and trick the user into installing it as a Flash Player update. Simple Call Recorder was uploaded to Google Play on November 30, 2017, and by the time I reported it to the Google Security team, the app had over 5,000 installs.

Figure 1. Simple Call Recorder from Google Play

Functionality

After it is installed and launched, Simple Call Recorder decrypts an additional binary file carried in its assets and dynamically loads it. This behaviour is typical of most Android threats these days. The Trojanized app contains both call recording functionality and malicious code responsible for downloading and installing an additional app. The latter is not an integral part of the call recorder; it was added by the attacker. Its main purpose is to make the user install the downloaded app, which impersonates a Flash Player update.

Figure 2. Functionality responsible for downloading app

Figure 3. Functionality responsible for prompting user to install app
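A static triage heuristic for the dropper pattern described above (high-entropy asset, dynamic code loading, and a download of an APK presented as a Flash Player update), as an added example that is not part of the original post. The APK contents, the URL dropper.example.invalid and the entropy threshold are constructed assumptions; real samples would need a proper dex string-table parser rather than raw byte matching.

```python
import io
import math
import random
import re
import zipfile
from collections import Counter

# Strings a dynamic-loading dropper typically leaves in classes.dex.
LOADER_MARKERS = (b"dalvik/system/DexClassLoader", b"dalvik/system/PathClassLoader")
# MIME type used to hand a downloaded APK to the package installer, plus the lure name.
INSTALL_MARKERS = (b"application/vnd.android.package-archive", b"flashplayer", b"flash_player")
APK_URL_RE = re.compile(rb"https?://[\w./-]+\.apk")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag the three traits together: encrypted asset, dynamic loading, APK download/install."""
    f = {"encrypted_assets": [], "dynamic_loading": False, "apk_urls": [], "install_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("assets/") and len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
                f["encrypted_assets"].append(name)
            elif name.endswith(".dex"):
                low = data.lower()
                f["dynamic_loading"] |= any(m in data for m in LOADER_MARKERS)
                f["apk_urls"] += [u.decode() for u in APK_URL_RE.findall(data)]
                f["install_markers"] += [m.decode() for m in INSTALL_MARKERS if m in low]
    f["suspicious"] = bool(f["encrypted_assets"]) and f["dynamic_loading"] and bool(f["apk_urls"] or f["install_markers"])
    return f

def build_sample_apk(malicious: bool) -> bytes:
    """Constructed test APK (not the real sample): a dex-like string blob plus one asset."""
    rng = random.Random(7)
    dex = [b"dex\n035\x00", b"Lcom/example/Recorder;"]
    asset = b"a plain, low-entropy config file\n" * 16
    if malicious:
        dex += [b"Ldalvik/system/DexClassLoader;", b"http://dropper.example.invalid/flashplayer_update.apk",
                b"application/vnd.android.package-archive"]
        asset = bytes(rng.getrandbits(8) for _ in range(8192))  # stands in for the encrypted payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00".join(dex))
        z.writestr("assets/payload.bin", asset)
    return buf.getvalue()
```

Any one trait alone (an encrypted asset, or a DexClassLoader reference) is common in legitimate apps; the heuristic only fires when all three appear together.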

There is one downside: I could not retrieve the app through the link that is hard-coded into the APK. It is likely that the app had already been removed from the server after being available for download for over 11 months. At the time of writing, the attacker’s server was still up, but his registered domain will soon expire unless it is renewed.

Figure 4. Domain WHOIS record

Call recorder functionality

The call recording functionality inside this Trojan was uploaded to Google Play in 2016 in two different apps. However, those two apps did not contain malicious functionality. Most likely, the attacker found one of these apps from an alternative source – maybe even as open source code on GitHub – and stole the call recording functionality. He then added the malicious code and uploaded the result to the Play Store.

Figure 5. The first uploaded app using same code

Figure 6. The second uploaded app using same code

Package names containing the same call recording functionality.



Based on a comment from one of the users who installed this app, the link that redirected to another app was still working, at least until February 23, 2018. Based on code analysis, there is no other functionality that could be responsible for that network traffic.



Figure 7. User comment under app

Conclusion

Simple Call Recorder lasted on Google Play for almost a year before being removed, which is a really long time if we consider that the app contained the string flashplayer_update.apk. Even though I could not retrieve the downloaded application, this functionality is still explicitly prohibited by the Google Play policy.

Figure 8. Google Play developer policy

From my experience, if an Android application mimics or downloads Flash Player – in this case not even from Adobe servers – it is a warning signal for users, because the app is most likely malicious.

IoC

Package name / file          Hash
com.simple.callrecorder      0CC4E5E45B4CC1C51FD67A3C4588CDB4
phkjwkrvz.jar                0DED00744CE18189A9E6036358B87BF6

Domain                       adsmserver.club

If you would like to stay up-to-date with the latest Android threats, follow me on Twitter.