There’s an app for that. Remember that marketing line? Well, it’s basically true. There’s an app for just about everything, including tracking your food consumption and calories. Daily Food Diary is an app that does exactly that and more. According to Pradeo, Daily Food Diary made it through Play Protect security by deeply obfuscating its malicious code.
Mainly, the app steals users’ contact lists, prevents users from killing it, and seems related to the Joker Malware. Daily Food Diary had already been downloaded over 10,000 times before it was removed from the Play Store.
Daily Food Diary pretends to be a legitimate app to take pictures of your meals and set mealtime alerts. It features a very minimal design and a few basic functionalities with no real purpose. The only real purpose was to steal users’ data.
When users launch it, they are immediately sent to the device settings to enable the app to automatically run at startup (foreground service permission). Besides, the app is set to always run in the background (wake lock permission). When users are on the app interface, attempts to exit are overridden to make it difficult to close it.
Daily Food Diary repeatedly asks for permissions to access the contact list, and when it gets it, it directly exfiltrates contacts’ information to unknown external storage. It also requests to manage phone calls, to potentially refuse incoming calls that would temporarily prevent the app from running in the background.
To hide its true intentions, Daily Food Diary malicious code is hidden in an encrypted file called 0OO00l111l1l. Other files contain the native library that can decrypt the malicious code so it can execute (libshellx-super.2019.so), the encryption key (tosversion), and additional resources (o0oooOO0ooOo.dat).
Besides, to stay undetected from dynamic analysis, the app does not perform its malicious behaviors when running in an emulator.Pradeo
Users are encouraged to delete this app immediately from their devices.
Last Updated on February 3, 2021.