A couple of days ago I noticed that the name of my LinkedIn mobile app had suddenly changed to a Chinese name that I cannot even read. I suspected a malware infection, so I uninstalled the application to avoid any drama, though I later regretted doing so because I had passed up the opportunity to learn about the infection. I then went to the official Google Play Store to reinstall the LinkedIn app.
The app installed successfully, but after a while it was reinfected and the name changed to a Chinese name again. I opened the installed LinkedIn app, and it prompted for an update, which is typical of downloader malware: the "update" is how it fetches another malicious module.
When I clicked the update button, it took me to another website, a Chinese-language app store. The URL is not suspicious according to VirusTotal results.
That site redirected me to its LinkedIn app page, and checking the URL of that page on VirusTotal shows it is malicious, detected by one engine.
Checking the app settings on my mobile device shows that it was installed from Palm Store. Palm Store is another app store that comes preinstalled on the mobile device. But I know I didn't install any app from Palm Store.
I checked the Chinese translation and found that it translates to LinkedIn.
Mobile Security Framework
I pulled the Docker version of the Mobile Security Framework. However, with this setup (or the virtual machine setup) I can only run static analysis. To carry out dynamic analysis, I would need to install the Mobile Security Framework on a bare-metal operating system.
Next I run the Docker container:
Then I opened the Mobile Security Framework in my browser:
Next I uploaded the malicious APK file to analyze it. I also obtained a benign LinkedIn APK file and analyzed it with the Mobile Security Framework.
One great thing about this tool is that it enables us to perform a comparison between files.
Comparison with the Benign LinkedIn Apk File
6.0.41 is the malicious app, while the benign APK file is 4.1.436. We can see the sizes are different, and consequently so are the MD5 hashes.
Next is the component category, where we can also see the sharp difference between the malicious app and the benign app.
The next category is permissions, which is very important. These permissions are grouped into common permissions and the distinct permissions of each APK file. The malicious APK file has 8 distinct permissions, all of which are tagged as malicious.
Another important category is the Android API category. Here we can see that the malicious APK file has smuggled in a lot of APIs.
Overall I can conclude the APK is malicious; how it got onto my phone I cannot say. But the suspected candidate is the Palm Store, which comes preinstalled on the Infinix Hot 7 Pro phone. I cannot uninstall the Palm Store, but I disabled it.
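As an added example (not the author's code and not part of MobSF itself), here is a small Python comparator that reproduces the categories of the MobSF comparison view described above: file info (version, size, MD5), components, permissions split into common and distinct, and Android APIs, with distinct permissions cross-checked against a short list of dangerous permissions. The APK contents, component names, permission sets and API names below are constructed stand-ins, not the real LinkedIn files.

```python
import hashlib
from dataclasses import dataclass

# Subset of Android permissions with "dangerous" or special protection level,
# used only to flag which distinct permissions deserve a closer look.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

@dataclass
class ApkInfo:
    version: str
    content: bytes        # stand-in for the APK bytes (constructed)
    components: set       # activities/services/receivers from the manifest
    permissions: set      # <uses-permission> entries from the manifest
    apis: set             # Android API usage found by static analysis

def file_info(apk):
    return {"version": apk.version, "size": len(apk.content),
            "md5": hashlib.md5(apk.content).hexdigest()}

def compare(benign, suspect):
    """Return a MobSF-style comparison: per category, common entries and
    entries present only in one of the two APKs."""
    report = {"file_info": {"benign": file_info(benign), "suspect": file_info(suspect)}}
    for cat in ("components", "permissions", "apis"):
        a, b = getattr(benign, cat), getattr(suspect, cat)
        report[cat] = {"common": sorted(a & b),
                       "only_benign": sorted(a - b), "only_suspect": sorted(b - a)}
    # Distinct permissions in the suspect file that are dangerous-level.
    report["flagged"] = [p for p in report["permissions"]["only_suspect"] if p in DANGEROUS]
    return report

# Constructed sample data mimicking the two files compared in the post.
BASE_PERMS = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}
BENIGN = ApkInfo("4.1.436", b"constructed benign sample", {"MainActivity", "SyncService"},
                 BASE_PERMS | {"android.permission.READ_CONTACTS"},
                 {"HttpURLConnection", "SharedPreferences"})
SUSPECT = ApkInfo("6.0.41", b"constructed repackaged sample with extra module",
                  BENIGN.components | {"UpdateReceiver", "DownloaderService"},
                  BENIGN.permissions | {"android.permission.RECEIVE_BOOT_COMPLETED",
                                        "android.permission.REQUEST_INSTALL_PACKAGES",
                                        "android.permission.SYSTEM_ALERT_WINDOW",
                                        "android.permission.READ_SMS"},
                  BENIGN.apis | {"DexClassLoader", "PackageInstaller", "Runtime.exec"})

if __name__ == "__main__":
    for category, value in compare(BENIGN, SUSPECT).items():
        print(category, value)
```

The `flagged` list is what to read first: distinct dangerous permissions combined with new components and class-loading or install APIs is the same pattern the MobSF comparison exposed here.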
What do you have to say? Put it in the comments.