Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is com.walkfreestub? (causing crashes on Android)

Quite recently, our Android app has started crashing due to a NullPointerException in a package called com.walkfreestub. Currently there are absolutely no references to this online (we've tried all sorts of other searches related to the crash). Any information about this package or possible causes would be wonderful. Our best guess is that someone has decompiled our APK and modified the original code, in order to re-release it in an unofficial app store.

Notably, this happens most often in India and Nigeria, and frequently on the Xiaomi 2014818 device (but that might just be a common device in those countries). Versions are mostly Android 4.2 and 4.4, but also a few crashes on 5.1 and others.

Update:

There are now several forums online where users are complaining of malware related to com.walkfree and com.walkfreestub. See links here, here, and here. This unfortunately confirms our hypothesis that the APK has indeed been modified with malware in an unofficial app store.

Full stack trace:

java.lang.NullPointerException: replacement == null
    at java.lang.String.replace(String.java:1348)
    at com.walkfreestub.trace.ReferrerTrack.checkTrackUrl(ReferrerTrack.java:158)
    at com.walkfreestub.internal.PushServiceProxy.startDownloadApp(PushServiceProxy.java:454)
    at com.walkfreestub.internal.PushServiceProxy.notifyToDownload(PushServiceProxy.java:239)
    at com.walkfreestub.internal.PushServiceProxy.notifyMessage(PushServiceProxy.java:274)
    at com.walkfreestub.internal.PushServiceProxy.onMessageLoaded(PushServiceProxy.java:342)
    at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:375)
    at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:1)
    at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:60)
    at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:1)
    at com.walkfreestub.volley.ExecutorDelivery$ResponseDeliveryRunnable.run(ExecutorDelivery.java:99)
    at android.os.Handler.handleCallback(Handler.java:730)
    at android.os.Handler.dispatchMessage(Handler.java:92)
    at android.os.Looper.loop(Looper.java:137)
    at android.app.ActivityThread.main(ActivityThread.java:5136)
    at java.lang.reflect.Method.invokeNative(Native Method)
    at java.lang.reflect.Method.invoke(Method.java:525)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:740)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:556)
    at dalvik.system.NativeStart.main(Native Method)
like image 585
Kevin Cooper Avatar asked Aug 18 '15 18:08

Kevin Cooper


2 Answers

Packages such as com.walkfree and com.walkfreestub appear to come from a trojan injected into decompiled APKs, distributed through unofficial app stores. The trojan appears to download more unwanted apps in the background, and likely performs other dubious activities. If you come across one of these malicious APKs, please submit it to anti-virus sites such as Malwarebytes!

See similar posts here, here, and here for more information.

like image 194
Kevin Cooper Avatar answered Oct 20 '22 21:10

Kevin Cooper


I would suggest to detect com.walkfreestub.* classes using reflection and notify your user. Most likely, this injections is implemented with automated script so they wouldn't search manually for your detection code.

I mean something like described here checking whether a package is existent or not

You check that com.walkfreestub.* is present in classpath and notify user that application was compromised by malware and users should be aware of it.

Alternatively, you may try to check APK signature.

like image 23
Oleksandr Avatar answered Oct 20 '22 19:10

Oleksandr