The Top 5 Malware Strains in Uganda (January to July 2023)

Executive Summary

This report reviews the five malware strains that UG-CERT observed most often in Ugandan cyberspace between January and July 2023. It summarizes the current threat landscape so that individuals and organizations can understand the impact and risks posed by these strains. The strains were selected solely on how frequently they were observed in Ugandan cyberspace.

All five strains target mobile devices. A mobile device usually holds as much information as a computer, or more, but is protected by weaker security controls, and like any other computing device it has vulnerabilities that can be exploited to gain unauthorized access to its data. All five strains target Android, the platform with the largest user base, which makes it a lucrative target for cybercriminals. This does not mean Android is inherently less secure than other mobile platforms; malware exists for those platforms as well.

Most of the strains under review display aggressive advertisements and install applications on the infected device without the user's knowledge, because their operators monetize infections through advertising revenue and pay-per-install fees. This behavior violates Google Play policies: the advertising is deceptive, and the applications act without the user's consent. Because these strains can download and run further software on a compromised device, they can also introduce additional malware that compromises the privacy and data of the end user.

1.0 Introduction

This report aims to offer an understanding of the top 5 malware strains between January and July 2023 that pose a significant risk to digital ecosystems. By delving into the capabilities, attack vectors, and potential impact of these malware strains, we aim to equip stakeholders with the knowledge necessary to make informed decisions regarding their cybersecurity practices. As a CERT, we intend to educate stakeholders about cyber risks and vulnerabilities in addition to providing remediation steps. This will help the stakeholders improve their defenses against the constantly evolving threat landscape.

In the following sections, a review of each of the top 5 malware families is provided, highlighting their characteristics, potential impact, and recommended remediation strategies. By harnessing the knowledge and insights in this report, individuals and organizations can proactively adapt their security measures to safeguard their digital assets and maintain operational continuity in the face of the ever-evolving cyber threats.

2.0 Methodology

The strains were selected based on their high occurrence in Ugandan cyberspace. Each strain was identified through sinkholing: traffic from infected devices to the malware's command-and-control (C2) servers, where the malware would normally fetch commands to execute, was redirected to a sinkhole operated for investigation and research, and the sinkhole data was used to count infections per strain. Contextual information such as the distribution, impact, and purpose of each strain is included in this report to give a fuller picture of the malware.
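The ranking step described above, as an added example rather than UG-CERT's own tooling: the script below reads sinkhole records and ranks malware families by the number of distinct source addresses that contacted each family's C2 hostname. The record format (tab-separated timestamp, source IP, C2 hostname), the hostname-to-family mapping, and the sample records are all constructed for illustration; the `.invalid` hostnames are placeholders and the addresses come from a documentation range.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole records (not real UG-CERT data). Assumed format:
# one record per line, tab-separated: UTC timestamp, source IP, C2 hostname.
# Addresses are from the 203.0.113.0/24 documentation range; the .invalid
# hostnames are placeholders, mocean.cc is the one domain the report cites.
SAMPLE_LOG = """\
2023-03-02T08:14:01Z\t203.0.113.10\tads.bauts.invalid
2023-03-02T08:14:31Z\t203.0.113.10\tads.bauts.invalid
2023-03-02T09:02:17Z\t203.0.113.44\tsdk.arrkii.invalid
2023-03-02T09:05:50Z\t203.0.113.10\tupd.triada.invalid
2023-03-03T11:20:09Z\t203.0.113.77\tads.bauts.invalid
2023-03-03T11:21:44Z\t203.0.113.78\tlauncher.cooee.invalid
2023-03-03T12:00:00Z\t203.0.113.44\tsdk.arrkii.invalid
2023-03-04T07:45:12Z\t203.0.113.90\tmocean.cc
2023-03-04T07:46:00Z\t203.0.113.90\tunknown-host.invalid
malformed line without tabs
"""

# Assumed mapping from sinkholed C2 hostname to malware family.
C2_TO_FAMILY = {
    "ads.bauts.invalid": "AndroidBauts",
    "mocean.cc": "Mocean",
    "launcher.cooee.invalid": "Cooee",
    "upd.triada.invalid": "Triada",
    "sdk.arrkii.invalid": "ArrkiiSDK",
}


def parse_records(text):
    """Yield (timestamp, source_ip, hostname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        ts, src, host = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, src.strip(), host.strip().lower()


def rank_families(text, mapping=C2_TO_FAMILY):
    """Return (ranked, unmapped_hosts).

    ranked is a list of (family, distinct_sources, raw_hits) sorted by distinct
    sources, then raw hits, then name. Counting distinct sources rather than raw
    hits keeps one chatty device from dominating the ranking. Hostnames with no
    family mapping are collected separately so they can be triaged later.
    """
    sources = defaultdict(set)
    hits = defaultdict(int)
    unmapped = set()
    for _, src, host in parse_records(text):
        family = mapping.get(host)
        if family is None:
            unmapped.add(host)
            continue
        sources[family].add(src)
        hits[family] += 1
    ranked = sorted(
        ((fam, len(srcs), hits[fam]) for fam, srcs in sources.items()),
        key=lambda row: (-row[1], -row[2], row[0]),
    )
    return ranked, unmapped


if __name__ == "__main__":
    ranked, unmapped = rank_families(SAMPLE_LOG)
    print(f"{'family':<14}{'sources':>8}{'hits':>6}")
    for fam, n_src, n_hits in ranked[:5]:
        print(f"{fam:<14}{n_src:>8}{n_hits:>6}")
    if unmapped:
        print("unmapped C2 hosts:", ", ".join(sorted(unmapped)))
```

One caveat for reading the counts: on mobile networks behind carrier-grade NAT, a single source address can represent many handsets, so distinct-source counts are a lower bound on infected devices, and the same handset can appear under several addresses over a week. The ranking is still useful for ordering families by prevalence, which is all the methodology relies on.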

3.0 Top Malware Strains

Malware is one of the most common and significant sources of security breaches and cyberattacks. It can compromise the confidentiality, integrity, and availability of data and systems, and it facilitates further malicious activity by attackers. All five of the top strains in Ugandan cyberspace target mobile devices. They are AndroidBauts, Mocean, Cooee, Triada, and ArrkiiSDK, reviewed in that order below.

3.1 AndroidBauts

AndroidBauts targets Android devices running version 4.1.1 or later. It was designed primarily to display adverts aggressively on infected devices so that its developers earn advertising revenue. AndroidBauts can also install applications without user consent and extract device information such as GPS location, IMSI, IMEI, MAC address, and other device specifications. Because it can install applications on its own, it can be used to introduce further malicious applications that endanger the security and privacy of the end user's device and data.

3.1.1 How you can get infected

  1. Installing applications that are integrated with AndroidBauts.
  2. Some applications on the Google Play Store were infected with AndroidBauts and distributed it until they were taken down.

3.1.2 Remediation

  1. Uninstall applications that were installed just before the device started operating abnormally
  2. Install an up-to-date antivirus software with updated malware databases to scan for this malware
  3. Factory reset the device as a last resort after failing to remove the infection.

3.2 Mocean

This Android adware displays unwanted advertisements and redirects users to advertising-related websites without their consent. Unlike malware that focuses on causing direct harm or stealing sensitive information, Mocean primarily aims to generate revenue for the attackers by delivering advertisements.

3.2.1 How you can get infected

  1. Installing applications from third-party sources.

3.2.2 Remediation

  1. Uninstall applications that were installed just before the device started operating abnormally
  2. Install an up-to-date antivirus software with updated malware databases to scan for this malware
  3. Factory reset the device as a last resort after failing to remove the infection.

3.3 Cooee

Some low-cost Android devices ship with this malware preinstalled as the launcher, the application that displays the home screen and the list of installed applications. Because it is part of the device firmware rather than a user-installed application, Cooee cannot be removed by uninstalling it or by a factory reset, which simply restores the same firmware. Removing it requires an antimalware program run with the device in safe mode, or a firmware upgrade that does not include it.


Figure 1: A user in the Malwarebytes antimalware forum asking for help on how to remove Cooee.

This malicious software exhibits intrusive ads and installs and executes additional applications without user consent. The developers of Cooee generate income by displaying ads and receiving pay-per-install fees for other applications that Cooee installs.

3.3.1 How you can get infected

  1. Purchasing phones preinstalled with Cooee malware

3.3.2 Remediation

  1. Upgrade to the latest manufacturer firmware for the device, provided that firmware does not include Cooee.
  2. Install a different and trusted version of Android. This should only be done by advanced users since there is a risk of making the phone unusable.

3.4 Triada

Trojans with limited capabilities such as Leech, Ztorg, and Gorpo exploited vulnerabilities in outdated Android versions to obtain root privileges on devices without the user's knowledge. These trojans then downloaded Triada, which Kaspersky describes as one of the most advanced mobile trojans. Triada has also been delivered preinstalled on low-cost Android devices and inside modified WhatsApp applications ("mods") that offer features absent from the official WhatsApp client; users who installed FMWhatsApp mod version 16.80.0, for example, were infected with this malware.

Cybercriminals profited from Triada by subscribing users to paid services without their knowledge and then intercepting and hiding the SMS messages that confirm those subscriptions, so that the victim does not notice the charges. Triada also collects information about the device, such as installed applications, OS version, and other device specifications, and sends it to a command-and-control server. It then downloads additional modules that run only in memory and replaces system files.

3.4.1 How you can get infected

  1. Installing modified applications infected with Triada
  2. Previously present Trojans on the device can download Triada
  3. Preinstalled through purchasing mobile devices from unknown sources or manufacturers

3.4.2 Remediation

  1. Uninstall applications that were installed just before the device started operating abnormally
  2. Install an up-to-date antivirus software with updated malware databases to scan for this malware
  3. Update the mobile device’s firmware and operating system to the latest version.
  4. Factory reset the device as a last resort after failing to remove the infection.

3.5 ArrkiiSDK

ArrkiiSDK is an Android advertising SDK (software development kit). An advertising SDK is a set of tools and libraries that lets developers integrate advertisements into their Android applications. This one collects device information (e.g., IMEI, MAC address, and advertising IDs), displays intrusive adverts, commits ad fraud, and installs applications without user consent. These features violate Google Play's Privacy, Deception, and Device Abuse policies.

Figure 2: A website post promoting ArrkiiSDK to application developers.

Application developers earn revenue from the applications that they make by displaying adverts in them. The developers of ArrkiiSDK promised over $300 daily advertisement revenue for every 100,000 daily active users to application developers who integrated ArrkiiSDK into their applications. Through this process, application developers unknowingly integrated a malicious SDK into their applications.

3.5.1 How you can get infected

  1. Installing an infected application that is integrated with this SDK

3.5.2 Remediation

  1. Uninstall the infected application, if it is known
  2. Install up-to-date antivirus software with updated malware databases to scan for this malware
  3. Factory reset the device as a last resort after failing to remove the infection.
  4. Consider using a mobile device management (MDM) solution for corporate mobile devices.
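The first remediation step in sections 3.1, 3.2, 3.4, and 3.5 (uninstall the applications installed shortly before the device began misbehaving) needs a way to find those applications. The script below is an added example, not part of this report's or any vendor's tooling: it parses a package dump of the kind produced by `adb shell dumpsys package packages`, lists third-party packages installed in the days before a given onset time, newest first, and flags those not installed by the Play Store (`com.android.vending`). It also lists packages flagged `SYSTEM`, which is where a preinstalled launcher such as Cooee would appear. The dump excerpt is constructed, and the assumption that the dump contains `Package [...]`, `flags=`/`pkgFlags=`, `installerPackageName=`, and `firstInstallTime=` lines holds for common Android versions but is not guaranteed on every build.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the shape of `adb shell dumpsys package packages` output.
# The field names are an assumption about the format and vary across Android versions.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.vending] (1a2b3c):
    codePath=/product/priv-app/Phonesky
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    installerPackageName=null
    firstInstallTime=2009-01-01 00:00:00
  Package [com.example.launcher] (4d5e6f):
    codePath=/system/app/Launcher
    pkgFlags=[ SYSTEM HAS_CODE ]
    installerPackageName=null
    firstInstallTime=2009-01-01 00:00:00
  Package [com.example.weather] (7a8b9c):
    codePath=/data/app/~~x/com.example.weather-1
    flags=[ HAS_CODE ALLOW_BACKUP ]
    installerPackageName=com.android.vending
    firstInstallTime=2023-02-10 09:15:00
  Package [com.example.freevideo] (0d1e2f):
    codePath=/data/app/~~y/com.example.freevideo-1
    flags=[ HAS_CODE ALLOW_BACKUP ]
    installerPackageName=null
    firstInstallTime=2023-05-12 18:40:11
  Package [com.example.chatmod] (3a4b5c):
    codePath=/data/app/~~z/com.example.chatmod-1
    flags=[ HAS_CODE ]
    installerPackageName=com.example.filemanager
    firstInstallTime=2023-05-13 21:05:30
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\] \(")
FIELD_RE = re.compile(
    r"^\s*(codePath|pkgFlags|flags|installerPackageName|firstInstallTime)=(.*)$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_packages(text):
    """Map package name -> dict of the fields we care about."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = {"name": m.group(1)}
            packages[current["name"]] = current
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key = "flags" if m.group(1) == "pkgFlags" else m.group(1)
            current[key] = m.group(2).strip()
    return packages


def is_system(pkg):
    """True for packages living in a system partition (the SYSTEM flag)."""
    return "SYSTEM" in pkg.get("flags", "")


def system_packages(text):
    """Sorted names of system packages; a preinstalled launcher shows up here."""
    return sorted(name for name, p in parse_packages(text).items() if is_system(p))


def triage(text, onset, window_days=14, trusted_installers=("com.android.vending",)):
    """Third-party packages first installed within window_days before `onset`
    (a 'YYYY-MM-DD HH:MM:SS' string), newest first, each flagged as sideloaded
    when its installer is not one of the trusted installers."""
    onset_dt = datetime.strptime(onset, TIME_FMT)
    cutoff = onset_dt - timedelta(days=window_days)
    rows = []
    for p in parse_packages(text).values():
        if is_system(p):
            continue
        try:
            installed = datetime.strptime(p.get("firstInstallTime", ""), TIME_FMT)
        except ValueError:
            continue  # missing or unparsable timestamp: cannot place it in the window
        if cutoff <= installed <= onset_dt:
            installer = p.get("installerPackageName", "null")
            rows.append({
                "name": p["name"],
                "installed": installed,
                "installer": installer,
                "sideloaded": installer not in trusted_installers,
            })
    rows.sort(key=lambda r: r["installed"], reverse=True)
    return rows


if __name__ == "__main__":
    # Real use: adb shell dumpsys package packages > dump.txt, then parse dump.txt.
    for r in triage(SAMPLE_DUMPSYS, "2023-05-14 08:00:00"):
        tag = "SIDELOADED" if r["sideloaded"] else "store"
        print(f"{r['installed']}  {r['name']:<28} installer={r['installer']}  {tag}")
    print("system packages:", ", ".join(system_packages(SAMPLE_DUMPSYS)))
```

A flagged third-party package is removed with `adb shell pm uninstall <package>`. A package in the system partition cannot be uninstalled that way; `adb shell pm uninstall -k --user 0 <package>` only disables it for the current user, and a factory reset brings it back, which is exactly why section 3.3 recommends a firmware upgrade for Cooee rather than the usual steps.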

4.0 Conclusion

This report shows the gravity of the identified malware and the need for proactive defense strategies. By remaining vigilant, implementing best practices, and fostering a culture of cybersecurity awareness, individuals and organizations can effectively reduce the risks posed by these and other emerging threats. The dedication to securing digital assets and maintaining operational resilience is a collective endeavor that requires continuous collaboration and adaptability.

5.0 References

André, T. (2019, March 8). Fraudulent Android Advertising SDK Installed In Over 15 Million Devices. (BitSight, Producer) From BitSight: https://www.bitsight.com/blog/fraudulent-android-advertising-sdk-installed-in-over-15-million-devices

André, T. (2020, April 28). Pre-installed Android Threats: Data Insights. From BitSight: https://www.bitsight.com/blog/pre-installed-android-threats-data-insights

Doctor Web. (2019, October 29). Android.Cooee.1. From Doctor Web: https://vms.drweb.com/virus/?i=7676528

Federal Office for Information Security. (n.d.). BSI – Current Botnet Profiles – AndroidBauts. From BSI: https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Bauts/AndroidBauts.html

Federal Office for Information Security. (n.d.). BSI – Current Botnet Profiles – ArrkiiSDK. From BSI: https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/ArrkiiSDK/ArrkiiSDK.html

Federal Office for Information Security. (n.d.). BSI – Current Botnet Profiles – Cooee. From BSI: https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Cooee/Cooee.html

Federal Office for Information Security. (n.d.). BSI – Triada. From BSI: https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Triada/triada_node.html

Goodin, D. (2019, June 6). TRIADA – Google confirms that advanced backdoor came preinstalled on Android devices. From Ars Technica: https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/

Google. (2023). Deceptive Behavior. From Play Console Help: https://support.google.com/googleplay/android-developer/answer/9888077?hl=en

Kaspersky. (2023, June 1). A matter of triangulation. From Kaspersky Daily: https://www.kaspersky.com/blog/triangulation-attack-on-ios/48353/

Kaspersky. (2023, August 30). Can You Get Viruses on Android? Every Android User is at Risk. From Kaspersky: https://www.kaspersky.com/resource-center/preemptive-safety/android-malware-risk

SecureList. (2021, April 9). Malicious code in APKPure app. (Kaspersky) From SecureList: https://securelist.com/apkpure-android-app-store-infected/101845/

SecureList. (2021, August 24). Triada Trojan in WhatsApp mod. From SecureList: https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

Sofia, L. (2016, September 15). AndroidBauts – Advertising with a bit more than expected. From BitSight: https://www.bitsight.com/blog/androidbauts-advertising-with-a-bit-more-than-expected

VirusTotal. (2023, April 10). VirusTotal – Domain – mocean.cc. From VirusTotal: https://www.virustotal.com/gui/domain/mocean.cc/
