There has been a sharp rise in people working from home as a precautionary measure towards lowering the spread of Covid-19. As a result, work-from-home related tools have seen an uptick in demand and usage. The video-conferencing app Zoom has enjoyed a surge in demand in the last few months, and this has caught the attention of malware writers. We recently blogged about a malicious cryptominer that disguises itself as the Zoom app. The SonicWall Capture Labs threat research team has observed malicious Android apps that use the name, user interface (UI) elements and parts of the code of the legitimate Zoom app to infect unsuspecting users. We examine a few such cases in this blog.

Case I

After installation and execution, the first thing we see are full-screen advertisements. Later we see a login screen, but it's not for Zoom. The login screen, when translated, says “Mobile Cloud Office”. This appears to be an app that is repackaged to look like the ‘Zoom’ app, but there are no other similarities.

Device-specific information that is exfiltrated during network communication includes:

The malware communicates with the following domains that have malicious indicators:

This malware contains a library file in the assets folder. We saw this library file on the device (post app installation) in a hidden folder. This library file contains the following link: hp://c./apk/cr.html (hard-coded in the sample we analyzed). This link was not accessed during our analysis; however, there are multiple suspicious links and malicious apk files associated with this domain. Below are a few suspicious links listed by VirusTotal for this domain:

Case II

We saw a few instances where apps with the Android Remote Administration Tool (RAT) DroidJack embedded were named as Zoom. These apps do not contain any Zoom-related assets (icons and other UI elements) as we have seen in other such fake apps. DroidJack-infested apps are common, and we have written blogs in more depth about such fake apps in the past. On a high level, DroidJack has the following capabilities:
Take pictures from the front/back camera.

Case III

On installation and execution, this app looks similar to the legitimate Zoom application. However, reviewing the AndroidManifest.xml file gives clues about the malicious additions. On comparing this xml file of the malicious app against the clean Zoom app, we see a distinct addition in the malicious counterpart. Code comparison of the two apps shows the distinct additions: a new receiver – us. – and service – us. – are present as shown below. The code contains encoded parts which are added to keep the malicious components hidden from automated scanner tools and to make it difficult for security researchers to analyze the code. This malicious app copies the icon and name of the Zoom app well, but immediately upon execution we are shown advertisements instead of the Zoom login screen. It downloads and shows ads-related configuration from the domain – hxxp:///obj/ad-pattern/renderer/
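The manifest comparison used above to spot the injected receiver and service can be scripted. The following is an added example written for this page, not SonicWall's tooling or any code from the samples described; it assumes both manifests have already been decoded to plain XML and works on two constructed sample manifests whose package and component names are placeholders. It also normalises the short forms Android allows for android:name (a leading "." or a bare class name is relative to the package attribute), so a repackager that merely rewrites a relative name to its fully qualified form does not show up as a spurious difference.

```python
"""Diff the declared components of two AndroidManifest.xml files.

Added example (not SonicWall's code): given the decoded manifest of a known-clean
app and the manifest of a suspected repackaged app, list the receivers, services,
activities and permissions that only the suspect declares.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's key for android:name

# Constructed sample manifests; package and component names are placeholders.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.conf">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Example Conf">
    <activity android:name=".LoginActivity"/>
    <service android:name="com.example.conf.SyncService"/>
  </application>
</manifest>
"""

# Same app with an extra permission, receiver and service added by a repackager;
# the original components are kept but written in the other naming form.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.conf">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Example Conf">
    <activity android:name="com.example.conf.LoginActivity"/>
    <service android:name=".SyncService"/>
    <receiver android:name="com.placeholder.injected.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.placeholder.injected.AdService"/>
  </application>
</manifest>
"""

KINDS = ("activity", "service", "receiver")


def qualify(name, package):
    """Expand the short forms Android allows for android:name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def manifest_components(xml_text):
    """Return {kind: set of fully qualified names} for one decoded manifest."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "")
    found = {"permission": {el.get(NAME_ATTR) for el in root.iter("uses-permission")}}
    for kind in KINDS:
        found[kind] = {qualify(el.get(NAME_ATTR), package) for el in root.iter(kind)}
    return found


def diff_manifests(clean_xml, suspect_xml):
    """Names declared by the suspect manifest but absent from the clean one."""
    clean = manifest_components(clean_xml)
    suspect = manifest_components(suspect_xml)
    return {kind: sorted(suspect[kind] - clean[kind]) for kind in suspect}


if __name__ == "__main__":
    for kind, names in diff_manifests(CLEAN_MANIFEST, REPACKAGED_MANIFEST).items():
        for name in names:
            print("added %s: %s" % (kind, name))
```

An APK ships its manifest in Android's binary XML encoding, so decode the clean and suspect packages first (for example with `apktool d`) and pass the two resulting AndroidManifest.xml files to `diff_manifests`; every receiver or service that appears only on the suspect side is where the code comparison should start.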