We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications. The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.

Figure 1. Swift Cleaner, the malicious app posing as an Android cleaning app

Using Kotlin to develop malwareGoogle announced Kotlin as a first-class language for writing Android apps in May 2017. Since Kotlin’s release, 17 percent of Android Studio projects started to use the programming language. Twitter, Pinterest, and Netflix are among the top apps that use Kotlin.

Kotlin is described as concise, drastically reducing the amount of boilerplate code; safe, because it avoids entire classes of errors such as null pointer exceptions; interoperable for leveraging existing libraries for JVM, Android, and the browser; and tool-friendly because of its capability to choose any Java IDE or build from the command line.

Its tooling support is also quite handy: Android Studio 3.0 provides tools for helping users with Kotlin. In addition, it can convert all Java files or code snippets on the fly when pasting Java code into a Kotlin file.

However, it's still unknown if the abovementioned features of Kotlin can make a difference when creating malware.

Figure 2. Package structure of the malicious app developed using Kotlin

Technical analysis

Upon launching Swift Cleaner, the malware sends the victim’s device information to its remote server and starts the background service to get tasks from its remote C&C server. When the device gets infected the first time, the malware will send an SMS to a specified number provided by its C&C server.

Figure 3. Malicious app collects and sends victim’s device information via SMS

After the malware receives the SMS command, the remote server will execute URL forwarding and click ad fraud.

Figure 4. Left: C&C server sends task via network. Right: code snippet of the malware in process.

In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, the injection of the malicious Javascript code will take place, followed by the replacement of regular expressions, which are a series of characters that define a search pattern. This will allow the malicious actor to parse the ads’ HTML code in a specific search string. Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server.

Figure 5. Malicious app uploading the finished task to the C&C Server

The malware can also upload the information of the user's service provider, along with the login information and CAPTCHA images, to the C&C server. Once uploaded, the C&C server automatically processes the user’s premium SMS service subscription, which can cost the victim money.

Figure 6. The malicious app uploads the token that will be used to subscribe to a premium SMS service

Figure 7. The malicious app uploads the CAPTCHA image used to subscribe to a premium SMS service

CountermeasuresUsers should take advantage of mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed. Enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. This features device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability. We have disclosed this security issue to Google, who verified that Google Play Protect has protections in place to protect users from this malware family.

Indicators of Compromise (IoCs):

SHA256 Package Name App Label 77D0C7DD4B3D87BE6D9DFB0A9C371B4D8EEADCCB8FDE41D942F1C35E5E3EC063 Com[.]pho[.]nec[.]sg[.]app[.]CleanApplication Swift Cleaner 5886316C0B54BBB7CE6978ACDB1AB4E2CF2B1494647B9D9AD014802E6BF5C7B8 com[.]pho[.]nec[.]pcs Swift Cleaner AEEF3FF7CC543BBACB6AB4DF8DA639B98BE8F3C225678A4D0935F467BC6D720E com[.]pho[.]nec[.]pcs Swift Cleaner 621092856E20E628A577DBE9248649EAE78D1AF611D9168635B22057C6C7552B com[.]pho[.]nec[.]pcs Swift Cleaner 329B9C5670ECDF25248E484E23C21BBC86F943D7573FF131C0DC71BC80812D1C com[.]pho[.]nec[.]pcs Swift Cleaner 2856F3D1282DDC6BCFE65B0C91A87D998EDCCB777387E3F998BC3B6F1D0B3342 com[.]pho[.]nec[.]pcs Swift Cleaner 4F649E0EA6A6F022E7A5701CECB5B7653D1334EB40918E52DB8F3DAACFB3B660 com[.]pho[.]nec[.]pcs Swift Cleaner AB2C4886A4E0681A55B29C653B506B66721A3F36A1B098AFA7F56DA6F89BF5DE com[.]pho[.]nec[.]pcs Swift Cleaner 7D3E61C2C58906E09D56121BE94601744E362E6F8C6B7BF87472B62B0CF8CE57 com[.]pho[.]nec[.]sg Swift Cleaner B4822EEB71C83E4AAB5DDFECFB58459E5C5E10D382A2364DA1C42621F58E119B com[.]pho[.]nec[.]sg Swift Cleaner

C&C servers: