As a normal user we receive multiple emails on a daily basis with PDF as an attachment. Recently, at Quick-Heal Security Lab, we observed a malicious PDF file sent to users as an attachment via a phishing mail. These PDF files look like a regular document but that’s not the truth. It looks locked out and blurred to misguide and make the user curious to open it. These kinds of malicious documents are designed to lure the user into opening such documents. This is a key entry point for the malware to the device.
These types of PDFs try to get attention of the user to click on it by using various ways like “To open this document, update the adobe reader” or “To unlock this document press below button”. When the user perform click action on that document, then it downloads malicious APK (Android executable) file from a malicious link present in that PDF, which will further download original Adobe reader.
After analyzing one such PDF file, we found hyperlinks added in PDF, the code shown below –
Actually, above links are associated with malicious APK, which is downloaded on user’s device, currently URLs are not active.
Below image shows the flow of this malicious activity –
Analysis of downloaded malicious APK –
It displays the below icon which is different from genuine Adobe reader as shown below –
This application uses many sensitive permissions like –
These important permissions like reading contacts, SMS, call logs contradict with functionality of Adobe.
When user opens this application, it shows Adobe Acrobat installation screen. Actually, this malware carries original Adobe Acrobat APK with it and shows its installation screen to user. User gets an impression that he/she is downloading the Adobe Reader’s updates and innocently clicks on “install updates” button. After that malware hides its icon and start its malicious service in the background.
If we check running applications then it shows both applications are in running state –
It contains the below code to install original Adobe Acrobat reader from resources-
Here base.apk is nothing but original Adobe reader APK file.
Here, if phone is rooted then it executes below code –
And for non-rooted phone it executes below code –
This malware is nothing but spyware and spies on almost every activity on the user’s phone. For this purpose it registers many intents like “Receive SMS”, “Outgoing call”, “Application install” etc. to get notification about device state like new call or SMS received on user’s phone.
When new SMS notification is received on the phone, then it collects the SMS number and sends it to server.
It also collects location-related data i.e. longitude and latitude.
When a new “Call starts” or “Missed call received” it collects that number and sends it to the server.
Apart from this, it also has the capability to read contacts, read browser bookmarks, key-logging, and kill background processes.
Quick-Heal detection –
PDF file is detected by name – Trojan. PDF.Agent.33376
Dropped APK file is detected by name – Android.Spy.GEN27587
Threat actors continuously try to find a new way to enter a user’s device. So, the most important requirement is to install a strong and comprehensive security solution that can protect both the data stored on devices and the information accessed on them. Clicking on unknown/suspicious links should also be avoided.
Tips to stay safe from Android malware-
Subject Matter Experts:
Prachi Sudame, Prakash Galande | Quick Heal Security Labs