Validating machine

After the analysis, we can see that the code implements Ads auto-clicking and Ads auto-subscription features; the implementation uses a 1×1 pixel WebView and calls addJavascriptInterface() with the interface name "android" to register a bridge between the Java code and the JavaScript executed by the loaded URL. The code relies on a configuration downloaded from a URL which is not alive anymore, kmd.phaishey.com/ft/, and uses the IMSI of the phone to fetch the correct configuration file (e.g.

Looking at the list of interesting files distributed by the CDN, we noticed the 404_ and the 47001_0 files.

Zimperium's core machine learning engine, z9, has a proven track record of detecting zero-day exploits.

Checking the behavioural information extracted by Cogito we noticed that those samples are really aggressive on Ad displaying.

In fact, fullscreen Ads are displayed each time:

One of the two applications also contained really suspicious code to auto-click Ads issued by Facebook.

All the files are hosted on the same Amazon S3 bucket:

Unluckily, some interesting files and folders are not accessible (e.g. program, tmp), but all of the folders related to the file are accessible, and we had a way to collect all the packages relying on the CDN for the privacy link.

Comparing the and files byte by byte, it’s easy to see that only the first 2048 bytes of the file are encoded.

To be precise, a single-byte XOR encoding with key = 0xFF is applied to the first 2048 bytes of

After decoding, we can see that is equal to and the content is just a single file.
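As an added example (not code from the original post), the byte-by-byte comparison and the prefix decoding described above can be scripted: the decoder XORs only the first 2048 bytes with 0xFF, and the comparison helpers locate the encoded region and confirm that a single constant key explains it. The sample package bytes are constructed for the demonstration and are not the real files.

```python
# Added example: prefix-XOR decoding and byte-wise comparison of the
# encoded and plain copies of a package, as described in the analysis.

XOR_KEY = 0xFF       # single-byte key stated in the analysis
ENCODED_LEN = 2048   # only the first 2048 bytes are encoded


def decode_prefix_xor(data: bytes, key: int = XOR_KEY, length: int = ENCODED_LEN) -> bytes:
    """Return data with its first `length` bytes XORed by `key`; the rest is untouched.
    XOR is its own inverse, so the same call also produces the encoded form."""
    head = bytes(b ^ key for b in data[:length])
    return head + data[length:]


def encoded_span(plain: bytes, encoded: bytes):
    """Byte-by-byte comparison. Returns (first_diff, last_diff_exclusive),
    or None when the two buffers are identical."""
    if len(plain) != len(encoded):
        raise ValueError("length mismatch: not an in-place encoding")
    diffs = [i for i, (a, b) in enumerate(zip(plain, encoded)) if a != b]
    if not diffs:
        return None
    return diffs[0], diffs[-1] + 1


def infer_single_byte_key(plain: bytes, encoded: bytes):
    """If every differing byte is explained by one constant XOR key, return it;
    otherwise return None (the encoding is not a single-byte XOR)."""
    span = encoded_span(plain, encoded)
    if span is None:
        return None
    start, end = span
    keys = {plain[i] ^ encoded[i] for i in range(start, end)}
    return keys.pop() if len(keys) == 1 else None


# Constructed sample: 3072 bytes of plain data and its encoded counterpart.
SAMPLE_PLAIN = bytes(range(256)) * 12
SAMPLE_ENCODED = decode_prefix_xor(SAMPLE_PLAIN)  # encoding == decoding for XOR


def analyse(plain: bytes = SAMPLE_PLAIN, encoded: bytes = SAMPLE_ENCODED) -> dict:
    """Report where the encoding lives, which key it uses, and whether decoding restores the plain file."""
    return {
        "span": encoded_span(plain, encoded),
        "key": infer_single_byte_key(plain, encoded),
        "roundtrip_ok": decode_prefix_xor(encoded) == plain,
    }


if __name__ == "__main__":
    print(analyse())  # {'span': (0, 2048), 'key': 255, 'roundtrip_ok': True}
```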

The code is slightly obfuscated with meaningless class/field names and encoded strings.

During the analysis we checked the configuration URL to understand why it was down and we noticed that Kaspersky Lab managed to find a piece of code connecting to the same domain (but different sub-domain): c.phaishey.com/ft/.
