Generic Characteristics

Snaptube, a video downloading app for Android, has been caught making millions of suspicious transactions without the knowledge of its users. The app has been delivering invisible ads, generating non-human clicks and purchases, then reporting them as real views, clicks and conversions to the advertising networks that serve them. The ads are hidden from users as they do not appear on-screen.

Secure-D has detected and blocked more than 70m suspicious transaction requests originating from 4.4m unique devices in just six months.

If not blocked, those 70m transaction requests would have triggered the purchase of premium digital services, potentially costing users up to $91 million in unwanted premium charges. Most of the suspicious activity, which is still on-going, originated from devices in Egypt, Brazil, Sri Lanka, South Africa, and Malaysia.

Snaptube allows users to download videos and audios from popular video and music streaming sites, and even social networking apps. It has been developed by China-based Mobiuspace, founded in 2016, a company that has secured series B financing from Chinese VCs.

There are several Mobiuspace apps available in Google Play under different developer accounts:

Snaptube is available from third-party app stores like Uptodown.com, Aptoide.com, and UC 9Apps and according to its developer claims 40m users.

Threat Behavior

The extremely huge volumes of suspicious transactions originating in multiple countries coming from the same Android application caught the attention of Secured-D researchers. The Secure-D team examined two Android devices with the Snaptube app already installed. The devices were a Samsung SM-J120F and a Huawei WS-LX1. Researchers observed verification SMS messages being sent to the infected devices, following attempts to initiate purchase of a new mobile services subscription where no user action had taken place.

 

Using the unwanted subscription confirmation messages as a starting point, Secured-D investigated further the infected devices for traces of the user requests that prompted the unwanted subscription purchases.

The infected devices were placed in a secure sandbox environment to detect and record all network traffic. Static and behavioral analysis showed that Snaptube was communicating with a command and control (C&C) server in order to identify subscription services, then attempting to subscribe the end-user to those services. The returned data is encrypted and compressed using the gzip algorithm.

 

The Snaptube application on the infected devices was found to contain SDK frameworks with obfuscated hardcoded strings related to advertising services.

The suspicious SDKs found identified by researchers included the following:

  • mgo
  • mobi
  • ‘ o’

The SDK ‘o’ would communicate periodically with the C&C server to retrieve advertisement offers. These offers were retrieved as JSON Objects. Some objects contained the offer’s URL, along with JavaScript code that could be triggered to perform automated clicks.

 

Analysis of HTTP traffic logs in the infected devices showed that all three of the unwanted subscription attempts Secure-D researchers noted were initiated by the ‘o’ SDK. This observation was based on the following:

1.The root hosts from which the chain of redirections that led to the unwanted subscription started were fetched as offer URLs from the C&C server. Subsequently, an HTTP GET Request to the url initiated the following chain of redirections:

  • zkmobi.com → api.bdisl.com
  • bdisl.com → atracking-auto.appflood.com
  • atracking-auto.appflood.com → go-rilla.offerstrack.net
  • [go-rilla.offerstrack.net → ourbestcontent.com
  • ourbestcontent.com → za.reycreo.com
  • reycreo.com → 196.11.240.222
  • 11.240.222 → 196.11.240.222

Finally, the successful subscription was captured in the following url:

http://za.reycreo.com/thankyoumtnza.html?result=0&resultDescription=The+user+has+been+successfully+subscribed+to+the+service.+Expect+a+datasync+for+the+same.&MSISDN=27656620520&transactionId=011000003721908081234256256776

 

 

Another example of landing page loaded by the app in the background and completely invisible to the user:

 

2.The JavaScript code fetched with the offer URLs could execute successful subscription sign-ups when applied to the subscription service’s landing page.

The traffic which led to the unwanted subscriptions originated from the Snaptube application. Evidence for this included the following:

  • The SDK ‘o’ was observed downloading additional JavaScript code used to perform automated clicks. The code was contained in a JavaScript file named global_d201805241555.js, and downloaded from the server cdn.zkmobi.com.
  • The ‘o’ SDK contained code that injects JavaScript snippets performing automated clicks to the WebViews where advertised services are loaded
  • The JavaScript code used to perform automated clicks was found in the shared_prefs folder of the Snaptube application in an XML file used by the ‘o’ SDK.
  • The devices were not otherwise compromised, meaning there was no other application exhibiting adverse or overly-privileged behaviour. The likelihood of malware (i.e. code unrelated to Snaptube) acting on behalf of other applications was minimal.

 

Links to previous breaches

Interestingly, the Mango SKD (com.mgo) found in the Snaptube app examined by Secured-D was also discovered in a previous investigation of mobile app Vidmate. Secure-D researchers also encountered a common traffic pattern and similar URLs and domains being involved as those reported with Vidmate. What is worth mentioning is that the suspicious activity emanating from Snaptube stopped soon after the publication of a media report about the Vidmate compromise.

snaptube_vidmate behavior

Finally, the malicious SDKs found in both Vidmate and 4Shared were seen communicating with zkmobi.com – just as the ‘o’ SDK in Snaptube would do.

Consequences on the Users

The compromised Snaptube application analysed by Secured-D could have enrolled end-users in unwanted mobile subscription services that cost money and consume mobile data, adding charges that eat into pre-paid airtime. In many emerging markets, using pre-paid airtime is the only way to pay for digital services.

Cure

Compromised mobile apps and mobile ad fraud remains a rising issue that affects everyone. To avoid falling victim to unwanted purchases or lose pre-paid credit, Android users, in particular, should check their phones to see if they have any suspicious apps installed. If so, they should uninstall them immediately and review any new mobile airtime charges for possible fraud.

Third-party app stores often apply less scrutiny for adverse code and odd behaviour in listed applications, but even apps from official sources like Google Play can be compromised. Before any installation, users should check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.