trojan.android.agent.ddovzd outbreak from Chinese fake Pokemon games

Title reference: http://www.escapistmagazine.com/forums/read/7.351547-Counterfeit-Pokemon-Game-Tops-App-Charts
Luckily, that case is NOT a virus.
Unfortunately, we have three new ones which actually work (and are free) because these are just Chinese online-game-style Pokemon games (I wouldn’t want to say it looks like they just created a game and put Pokemon characters in, because the Chinese playing these games don’t like that), and they are likely malware!!!
Here, I am not going to criticize that it is illegal (because they make a profit from in-game events using Nintendo property), but to show the malware activity of some samples.

  1. Pokemon main edition (original name:宠物小精灵官方版)
    downloaded from: h**p://t.cn/RhcDRSe
    see: https://www.virustotal.com/en/file/0901f06e86ca19cf36c6ed343c0bd36c52c97ca47b161c69f02e1ac2515465dc/analysis/1411999420/

I still keep a clean copy for comparison: https://www.virustotal.com/zh-tw/file/9ad2e014389e32287c27ad71c6b20037eb6777a7b77f51b5025ad869342a5403/analysis/
but they decided to inject adware (I don’t think you are interested because this is a free game) https://www.virustotal.com/zh-tw/file/3e782625fd099892b386d8fe106f5e097ec612a2f554a486ef287e3a3d05be2e/analysis/1412004019/ downloaded from h**p://sj.img4399.com/game_list/404/com.duole.koudai.m4399/koudai.m4399.v50765.apk

  2. Go!Pikachu (original name:去吧!皮卡丘)
    see: https://www.virustotal.com/zh-tw/file/cc602d8b6f03b5d0047b2e84bdabc8e7570e5b48a7779c651edca16e398202bf/analysis/
    same source, updated? https://www.virustotal.com/zh-tw/file/fbf961ddf062d196f3ee068a313ca19602ca4f74416ff7d0634c144273afa86f/analysis/1412004647/

Different sample: h**p://api.m.duoku.com:8090/charged/charged/download?url=http%3A%2F%2Fdl.m.duoku.com%2Fgame%2F67000%2F67427%2F20140709111941_13005.apk via http://tieba.baidu.com/p/3209623544
Different detection: https://www.virustotal.com/zh-tw/file/34333883063012d4ad8ca13bc6881bdf5622978678fa276b487b2b55c085c1d0/analysis/1412005687/
These were injected into the game in an update. I still have the clean old version file, see https://www.virustotal.com/zh-tw/file/1db241f0ad35ce86b063a610cd357f78b6cb7bdd3fc8aa60ee28b690280ac392/analysis/

  3. Pocket Monster: Pokemon 3D (original name: 口袋妖怪:神奇宝贝·3D)
    downloaded from: h**p://sj.img4399.com/game_list/340/com.trenddna.sy4399/trenddna.sy4399.v51045.apk
    see: https://www.virustotal.com/zh-tw/file/2fd6f978e84cf39a6aaef1e8786faba8d322073ae2d04e7d84cf272b0f41c259/analysis/1412006321/

I found another file of the same game without the trojan virus
source: h**p://www.appgame.com/archives/315073.html
see: https://www.virustotal.com/zh-tw/file/13cc9c4cba71898f80ca053d2c8389bfe330bbddb08142080cd8352c29660aad/analysis/1412007812/

No apk file mentioned above is currently detected by avast.

PS: It looks like the 4399 Android market wants even more trojan viruses on their site, because game #3 is a very new one. Luckily the whole of 4399 is blocked by avast!
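As an added example (not code from the original post or from any of the analysts quoted in this thread), the following Python script turns the VirusTotal links above into a small hash-based indicator list and checks local APK files against it. The SHA-256 values are copied from the post's VirusTotal URLs; the labels are the poster's own descriptions of each build (trojanised, adware, or clean). The directory path, the `extract_vt_hashes` helper and its sample input are assumptions constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 indicators copied from the VirusTotal file-report links in the first post.
# Labels follow the poster's description of each build; they are not AV verdicts.
INDICATORS = {
    "0901f06e86ca19cf36c6ed343c0bd36c52c97ca47b161c69f02e1ac2515465dc": ("Pokemon main edition", "trojanised"),
    "9ad2e014389e32287c27ad71c6b20037eb6777a7b77f51b5025ad869342a5403": ("Pokemon main edition", "clean"),
    "3e782625fd099892b386d8fe106f5e097ec612a2f554a486ef287e3a3d05be2e": ("Pokemon main edition", "adware"),
    "cc602d8b6f03b5d0047b2e84bdabc8e7570e5b48a7779c651edca16e398202bf": ("Go!Pikachu", "trojanised"),
    "fbf961ddf062d196f3ee068a313ca19602ca4f74416ff7d0634c144273afa86f": ("Go!Pikachu", "trojanised"),
    "34333883063012d4ad8ca13bc6881bdf5622978678fa276b487b2b55c085c1d0": ("Go!Pikachu", "trojanised"),
    "1db241f0ad35ce86b063a610cd357f78b6cb7bdd3fc8aa60ee28b690280ac392": ("Go!Pikachu", "clean"),
    "2fd6f978e84cf39a6aaef1e8786faba8d322073ae2d04e7d84cf272b0f41c259": ("Pokemon 3D", "trojanised"),
    "13cc9c4cba71898f80ca053d2c8389bfe330bbddb08142080cd8352c29660aad": ("Pokemon 3D", "clean"),
}

# Matches the file-report URL form used in the thread, e.g.
# https://www.virustotal.com/zh-tw/file/<sha256>/analysis/... (any language code).
VT_FILE_URL = re.compile(r"virustotal\.com/[A-Za-z-]+/file/([0-9a-fA-F]{64})")


def extract_vt_hashes(text):
    """Pull unique, lower-cased SHA-256 values out of VirusTotal file links in free text."""
    return sorted({m.group(1).lower() for m in VT_FILE_URL.finditer(text)})


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large APKs do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_digest(digest, indicators=INDICATORS):
    """Return (game, label) for a known hash, or None when the hash is not in the list."""
    return indicators.get(digest.lower())


def classify_bytes(data, indicators=INDICATORS):
    """Hash an in-memory blob and look it up; returns (digest, match_or_None)."""
    digest = sha256_bytes(data)
    return digest, classify_digest(digest, indicators)


def scan_directory(root, indicators=INDICATORS):
    """Walk a directory (assumed path) and report every .apk whose hash is a known indicator."""
    hits = []
    for apk in Path(root).rglob("*.apk"):
        digest = sha256_file(apk)
        match = classify_digest(digest, indicators)
        if match is not None:
            hits.append((str(apk), digest, match[0], match[1]))
    return hits


if __name__ == "__main__":
    import sys

    # Assumed usage: python check_apks.py /path/to/downloaded/apks
    for path, digest, game, label in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:10s} {game:22s} {digest} {path}")
```

The caveat this thread itself illustrates: the same game is reported under several different hashes (clean build, updated build, repackaged build), so an exact-hash match only catches the specific builds already seen. Treat a miss as "unknown", not "clean", and combine hash matching with the source URL and signer checks discussed later in the thread.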

This is what Sucuri flags: http://sitecheck.sucuri.net/results/a.4399.cn
Likely candidate for malware: http://lavasoft.com/mylavasoft/malware-descriptions/blog/GenVariantFakeAlert9600956e5276
See: https://www.virustotal.com/nl/url/7c9a5c558466a59aac86d90df74804be3df395187198ce5a09e022bfab6b3e54/analysis/
See: http://quttera.com/detailed_report/a.4399.cn
Script given as benign here: http://jsunpack.jeek.org/?report=4a00ae84764046c3b50d15981761cc1ecc7a7881
Above link for security analyzers only, open up with NoScript active and inside a VM.
Code is going here: http://tracenews.5054399.com/trace.js?addd="+a+"%26uddd="+escape(u)+"%26tddd="+t result = var a=0;
according to http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fwww.4399.com%2Fjss%2Ftrace_news.js%3F20140929151802&useragentheader=&acceptheader=

Now analyze results: http://jsunpack.jeek.org/?report=1d15761681eb2c3063ebd6edbb93e8529de2493c

And we worked the circle to land at these results: https://www.virustotal.com/nl/domain/tracenews.5054399.com/information/
IP 115.182.52.231 in Shanghai, status code 405, kicking up: https://www.virustotal.com/nl/file/38690490086ab92afc0bbc587316091aa628de204f8650f4b233e4080b9a19a8/analysis/

pol

Hi rickyyeung and other malcode analysts,

So be aware when on this site: 4399安卓游戏排行榜为您提供安卓游戏下载,安卓游戏免费下载,好玩的安卓游戏,安卓游戏推荐,安卓手机游戏,更多安卓游戏尽在4399手机游戏。
aka 4399 Andrews Andrews game list to provide you with game downloads, android games free download, fun Android game, Android game recommendation, Android mobile phone games, and more games all in 4399 Duo Anzhuo mobile games.

See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.4399.com&useragent=Fetch+useragent&accept_encoding=
code going to //try{new Image().src = “htxp://adtrace.5054399.com/skin.js?from=”+index4399skin;}catch(ex){}

Authenticode signature block
File version 1, 0, 2, 1031
Description 360???
Signature verification The digital signature of the object did not verify.

Is there a link on the page to a trojan downloader? See: http://www.threatexpert.com/report.aspx?md5=da2c389b15b5e8439fad1285dc40bdb5 because htxp://w.cnzz.com/c.php?id=30039538 was blocked by an extension in my browser.

polonus

htxp://w.cnzz.com/c.php?id=30039538, was blocked by an extension in my browser.
It is flagged in Zulu as adware/spyware. I scanned some URLs under hxxp://www.4399.com/ and that was the result.

I don’t know why the cnzz website traffic plugin is so easily blocked by ad blockers, as reported in their own forum. Must be a bug in their code???

So be aware when on this site: 4399安卓游戏排行榜为您提供安卓游戏下载,安卓游戏免费下载,好玩的安卓游戏,安卓游戏推荐,安卓手机游戏,更多安卓游戏尽在4399手机游戏。 aka 4399 Andrews Andrews game list to provide you with game downloads, android games free download, fun Android game, Android game recommendation, Android mobile phone games, and more games all in 4399 Duo Anzhuo mobile games.
Not only the site components, but also the game apk files are not trustworthy. I already provided a few game files from 4399 in the first post.

I somewhat broke the “whitelist” on 4399 by Qihoo 360 in VirusTotal using a possible program bug. If you use one HTML file, they won’t detect anything, but if you use a compressed file of 2 or more HTML files, they detect the script trojan (Win32/trojan.script.fa2). And I will still rely on this fact to judge whether a Chinese website contains malware or not.