Forensics Weekly Summary for Week of July 15, 2016

By Jason Torikawa-Domingo on July 15, 2016

Pokémon Go 

If you have been wandering the world trying to "catch 'em all", hopefully you did not catch any viruses or malware along the way. Pokémon Go's makers released the mobile app "Pokémon Go" last week in certain countries and are expected to release it to the rest of the world in the coming weeks. If the app was not available in your area, or you chose to download it from another site straight to an SD card, you may have installed a malware-infected copy by accident. The application would not work as intended; instead, in the background, it dropped a Remote Access Trojan (RAT) onto the device. Once activated, the attacker has access to the device's text messages and web history, can record audio, and can even modify the contact list and call logs. It appears that the attackers wanted to capitalize on the craze to steal personal information.


Pokémon Go DroidJack

It appears that DroidJack is a downloadable application that can be used to take over personal Android devices. While DroidJack is not free, it is a major security problem because it can easily produce a malicious APK (Android application package) file that is then installed on the device. Security researchers were able to locate and dissect a malicious APK that was disguised as the Pokémon Go app. Below is a comparison of the package listings from the legitimate and the malicious APK files:

Legit File:

>android.support
>bitter.jnibridge
>com
>crittercism.android
>dagger
>javax.inject
>org
>rx
>spacemadness.com.lunarconsole

Malicious File:

>a
>android.support
>b
>bitter.jnibridge
>com
>crittercism.android
>dagger
>javax.inject
>net.droidjack.server
>org
>rx
>spacemadness.com.lunarconsole

The entries a, b and net.droidjack.server (outlined in red in the original screenshot) are the new directories that were added to the program and host the malicious files.


The net.droidjack.server directory contained the following code:

package net.droidjack.server;

// Decompiled configuration class from the trojanized APK; the class and field
// names (br, a, b, c) are obfuscated, so only the values are meaningful.
public class br
{
    protected static String a = "pokemon.no-ip.org"; // command-and-control hostname
    protected static int b = 1337;                   // command-and-control port
    protected static byte c = -1;
}

To inspect the contents of APK files yourself, there are APK viewer applications on the Google Play store that users can download.


How else would you know if an application is legitimate?

Every file can be assigned a fixed-length code called a hash, which is generated from the file's contents by an algorithm and looks like a string of numbers and letters. Should the file be altered in any way, its hash changes as well.

The legitimate hash for the original file:
8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67

The known malicious hash:
15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4

* After an update to the app, the hash changes as well, so compare against the hash published for the exact version you have.
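The hash check described above, written out as an added example (this is not code from the CSCC summary or from any of the cited sources). The two digests are the ones quoted in this post; their 64-hex-digit length is consistent with SHA-256, which is the assumption the code makes. The sample bytes are constructed stand-ins for a downloaded APK, so a real check would call sha256_file on the actual download instead.

```python
import hashlib
import hmac

# Hashes quoted in the write-up above (assumed SHA-256 from their 64-hex-digit length).
KNOWN_GOOD = {
    "8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67",  # legitimate Pokémon Go APK
}
KNOWN_BAD = {
    "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4",  # DroidJack-laced APK
}


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of an in-memory file."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks, so a large APK is not loaded all at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(data: bytes) -> str:
    """Compare a file's digest against the allow- and deny-lists.

    Returns "legitimate", "known-malicious" or "unknown". An unknown hash is
    not proof of safety: every new official release also produces a new hash.
    """
    digest = sha256_hex(data)
    # Normalise case (vendors publish hashes in both cases) and use a
    # constant-time comparison so the check does not leak via timing.
    if any(hmac.compare_digest(digest, h.lower()) for h in KNOWN_GOOD):
        return "legitimate"
    if any(hmac.compare_digest(digest, h.lower()) for h in KNOWN_BAD):
        return "known-malicious"
    return "unknown"


def single_byte_change_alters_hash(data: bytes) -> bool:
    """Show that flipping one bit of the input changes the whole digest."""
    if not data:
        return True
    tampered = bytearray(data)
    tampered[0] ^= 0x01
    return sha256_hex(data) != sha256_hex(bytes(tampered))


if __name__ == "__main__":
    # Constructed stand-in for an APK; a real check would read the file from disk.
    sample = b"PK\x03\x04 constructed stand-in for an APK"
    print(sha256_hex(sample), classify(sample))
    print("one-byte change alters hash:", single_byte_change_alters_hash(sample))
```

The deny-list catches only the one repackaged build that has been analysed; a freshly repackaged APK would show up as "unknown", which is why an unknown hash should be treated as "do not install" rather than "probably fine".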


Conclusion

Upon further investigation, it was found that the app was configured to communicate with the pokemon.no-ip.org domain over TCP and UDP port 1337. The address resolved to an IP address (88.233.178.130) in Turkey, which was not accepting any connections from infected devices at the time of writing. There are numerous sites out there acting as mirrors (third-party hosts of the application data) for the app. It is safer not to trust any mirror and to wait until the application is available in your area.
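For a defender, the domain, IP address and port above are the indicators worth searching for in network logs. The following is an added example (not code from the CSCC or from the cited sources) that scans a constructed, simplified connection log for those indicators; the log format is invented for the example and is not any product's real format. A match on the domain or IP is reported at high confidence, while port 1337 on its own is only a weak signal and is reported at low confidence.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above.
C2_DOMAIN = "pokemon.no-ip.org"
C2_IP = ipaddress.ip_address("88.233.178.130")
C2_PORT = 1337

# Constructed sample log lines in a simplified
# "<time> <proto> <src> -> <dst>:<port> [host=<name>]" format (not a real product's format).
SAMPLE_LOG = """\
2016-07-14T10:01:02Z TCP 10.0.0.12 -> 172.217.0.1:443 host=www.google.com
2016-07-14T10:01:05Z UDP 10.0.0.12 -> 88.233.178.130:1337
2016-07-14T10:01:09Z TCP 10.0.0.25 -> 93.184.216.34:1337 host=example.com
2016-07-14T10:02:11Z TCP 10.0.0.12 -> 88.233.178.130:1337 host=pokemon.no-ip.org
2016-07-14T10:03:40Z TCP 10.0.0.40 -> 198.51.100.7:80 host=pokemon.no-ip.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<port>\d+)(?:\s+host=(?P<host>\S+))?\s*$"
)


@dataclass
class Hit:
    timestamp: str
    source: str
    confidence: str   # "high" when the domain or IP matches, "low" for port-only
    reasons: list


def match_line(line: str):
    """Return a Hit if the line matches any DroidJack indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable line; a real pipeline would count these separately
    reasons = []
    if m["host"] and m["host"].lower() == C2_DOMAIN:
        reasons.append(f"host {C2_DOMAIN}")
    if ipaddress.ip_address(m["dst"]) == C2_IP:
        reasons.append(f"dst {C2_IP}")
    port_hit = int(m["port"]) == C2_PORT
    if reasons:
        if port_hit:
            reasons.append(f"port {C2_PORT}")
        return Hit(m["ts"], m["src"], "high", reasons)
    if port_hit:
        # Port 1337 alone is weak evidence (any service may use it): report at low confidence.
        return Hit(m["ts"], m["src"], "low", [f"{m['proto']} port {C2_PORT} only"])
    return None


def scan(log_text: str) -> list:
    """Scan a block of log lines and return every hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit:
            hits.append(hit)
    return hits


def infected_hosts(log_text: str) -> set:
    """Sources with at least one high-confidence hit: candidates for device triage."""
    return {h.source for h in scan(log_text) if h.confidence == "high"}


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.timestamp, h.source, h.confidence, "; ".join(h.reasons))
    print("devices to triage:", sorted(infected_hosts(SAMPLE_LOG)))
```

Because pokemon.no-ip.org is a dynamic DNS name, the IP address can change at any time; the hostname match is the more durable indicator, which is why DNS or proxy logs that record the requested name are more useful here than flow records alone.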


Sources:

Pokémon Go Android

Pokémon Go iPhone

Proofpoint DroidJack article


Note:

The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about, for example, proper safeguards for technology you're looking into, or which sets of compliance and governance policies you would need in order to operate a particular business. The CSCC openly invites you to send in your inquiries. We'll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu