Super Clean Plus is a malicious Android application that was available on the Google Play Store and downloaded over 10,000 times. The app, which is free and claims to clean up your device's memory, boost speed, and clear out junk, hides its malicious functionality in an executable DEX file. When the app is installed, the DEX file is decoded and executed, and it builds a domain name belonging to Amazon AWS, which is the C2 server associated with the malware. The app uses Facebook to sign into the AWS services in an attempt to make its communications with the C2 server look innocuous. A configuration file retrieved from the server contains premium SMS numbers and SMS subscription details, and the infected device then starts sending messages to those numbers automatically. Once the configuration file is downloaded, the app also builds a WebView that loads and displays web pages, which can be used in a variety of attacks.
- Sophos provides a technical analysis of Super Clean Plus here.