- Why Cleafy
- ResourcesgDocumentsInsightsCleafy LabsEventsWebinarResources
- Get in touch
At the end of January 2021, a new Android malware started appearing and it was dubbed as Oscorp . During February 2021, a new version of Oscorp was detected by Cleafy systems and after a couple of hours a first incident related to this threat was reported to us.
Thanks to the data retrieved plus an in-depth technical analysis of the distributed Oscorp samples we were able to reconstruct the detailed chain of events and share all the methodologies used by a specific TA for conducting bank frauds via ATO (Account Takeover fraud).
The following list include some of the high-level indicators we extracted in our recent analysis:
The following image shows the timeline of captured events describing how this TA managed to retrieve valid banking credentials via smishing and successfully deliver Oscorp to the victim device for performing an ATO fraud scenario directly from its infected device:
Moving to the malware internals, we were able to extract multiple features of Oscorp which are mainly achieved by abusing the Android Accessibility services, a well-known technique used by the other families as well (e.g. Anubis, Cerberus/Alien, TeaBot ,etc..).
The following snippet of code contains all the remote commands found in the Oscorp source code:
All the commands are encrypted through an AES routine, a well-known technique used by malware authors for slowing down analysts.
The complete list of commands found in Oscorp is available on Appendix 1.
After an apparent stop of the initial activities, during May/June 2021, new Oscorp samples have been found in the wild, with some minor changes; at the same time, on multiple hacking forums, a new Android botnet known as UBEL started being promoted.
By analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple TAs.
After a couple of weeks, we also noticed that the multiple UBEL clients started accusing them of scamming, as it appeared not to work on some specific Android devices, contrary to what the TA claimed initially.
One of those clients, after some debate, released some videos as proof of its claims without properly anonymize them, exposing a valid C2 addresses, as shown:
Another interesting links between Oscorp and UBEL, is the “bot id” string format, which consist in an initial “RZ-” substring followed by some random alphanumeric characters, as shown in another demo video posted online:
Also, on those newer Oscorp samples (linked to UBEL) we were able to identify different API endpoints and different AES keys compared to the initial waves spotted at the very first of 2021, which will be described in the next section.
The following image shows a snippet of the AndroidManifest file:
In the following table we included the most interesting permissions requested by Oscorp for getting access to restricted parts of the Android system (e.g. READ_SMS, SEND_SMS) or other legitimate applications (e.g. BIND_ACCESSIBILITY_SERVICE):
Oscorp implements a couple of techniques to slow down static analysis, such as:
Moreover, strings obfuscation appears to be introduced only on certain samples of Oscorp, sharing the same routine used by Cabassous (Flubot), another Android banking malware.
We assume that Oscorp integrated WebRTC for achieving a real-time interaction with the compromised device combined with the abuse of Android Accessibility Services bypassing the need of a “new device enrollment” to perform an Account Take over scenario (ATO).
In fact, the authors named this feature as ‘Reverse VNC’ (or RPM) on their C2 web-panel since a reverse connection is necessary for bypassing NAT or firewall restrictions and live interaction with the device can be achieved via Android Accessibility Services.
The main goal for this TA by using this feature, is to avoid a “new device enrollment”, thus drastically reducing the possibility of being flagged ‘as suspicious’ since device’s fingerprinting indicators are well-known from the bank’s perspective.
When the malicious application has been downloaded on the device, it tries to be installed as an “Android Service”, which is an application component that can perform long-running operations in the background.
This feature is abused by the Oscorp to silently hide itself from the user, once installed, also preventing detection, and ensuring its persistence.
During some campaigns spotted early in 2021, they switched the name of the malicious application from “Android System” to “Protezione Clienti” app (Figure 15):
After the installation as “Android Service”, Oscorp will request the following permissions, which are mandatory to perform its malicious behavior:
Once the requested permissions have been accepted, the malicious application will remove its icon from the device, and it immediately starts communicating with its C2 server in the background.
Network communications performed by Oscorp to its C2 server are encrypted with the AES algorithm and at the very first it tries to send all overall information of the newly infected device, such as vendor, public IP address, list of the installed apps, SMS messages, action performed by the user, etc.
The next figure is an example of a communication intercepted between Oscorp and its C2 server where the list of all the installed application was sent:
Oscorp can also abuse the Android Accessibility Services to capture and retrieve whatever is on the screen of the device, for example:
The following figure shows how a new SMS received will be intercepted by Oscorp and send back to the designed C2 server:
Below is the summary list of all the bot commands found on Oscorp:
“The Overlay attack is a well-known technique implemented on modern Android banking trojans (e.g. Anubis, Cerberus/Alien) which consist of a malicious application somehow able to perform actions on behalf of the victim. This usually takes the form of an imitation app or a WebView launched “on-top” of a legitimate application (such as a banking app).”
During our analysis we were able to extract more than 150 targeted applications.
The complete list of the geographical distribution of banks and other app targeted by Oscorp targeted apps is available in the Appendix 4.
All the injections payloads which consist mainly of HTML, CSS and JS files, will be downloaded from the C2 server in a specific directory called
When this feature is requested remotely by the TA, if the victim opens one of the targeted applications, it will get the injection payload shown in a WebView launched ‘on top’ of the legitimate application.
In addition, analyzing one of the web-panel used by this TA, it is also possible to reconstruct this distinction among the different categories of targeted applications, such as:
Stock injection path
In addition, The Android Banking Trojan Oscorp/Ubel is already classified and blacklisted in our Threat Intelligence data with the following tags:
 Name:“secureapp.apk” MD5: daba8377d281c48c1c91e2fa7f703511