By using open source intelligence (OSINT) data, our researchers were able to identify other apps with ties to Craftsart Cartoon Tools. (See ‘related samples’ below)
No counterparts were found in Apple's App Store.
Impact
At the time of discovery, the app had 100,000+ installs on Google Play.
One of the two related apps discovered by our researchers had 100,000+ installs on Google Play. This app has also since been removed from Google Play.
Functionality
Upon start, the app presents the user with a Facebook login prompt (pictured below) stating "login to experience the full function of the application," which leads the user to believe that Facebook login is required for authentication.
Clicking on the “continue with Facebook” button redirects the user to what appears to be a legitimate Facebook login page.
After login, the app sends the user’s credentials in encrypted form to a command and control (C&C) server.
Related samples
The reported app seemed to be the only one on Google Play at the time of research, but there are several ties to other similar apps.
Apps communicating with same domains
Craftsart Cartoon Tools app communicates with two domains:
- www.dozenorms.club
- zatuu.info
Using OSINT sources, our researchers were able to identify two other apps communicating with these domains. The presence of these domains in their code suggests they may also be dangerous, though malicious functionality has not been confirmed.
- com.fabiomancini.cartoonpainteffect (removed from Google Play)
  - Claims to provide similar functionality as Craftsart Cartoon Tools.
  - The app did not function at all and only showed a blank screen.
- com.xonasounds.relaxing (not present in Google Play)
  - Communicates with www.dozenorms.club
Apps with relation to malicious payload
The Craftsart Cartoon Tools app contains an encrypted payload. After decryption, the payload turns out to be another APK, which is responsible for sending the stolen data to the C&C server.
The decrypted APK has the SHA-256 hash 976f68632dbdce7f883c1edcd438060416db64fac7f26f5ad5c2211aa87d9853 and the package name com.craftstoon.cartoonphoto.ppk.
This malicious payload is signed with the app signing certificate fad32bf007d006b6bf3b9e5d4c5f1dd8176a159d.
The same certificate was used to sign another app with similar functionality com.georgebowman.cartooneffect.photoeditor. This app is not present in Google Play anymore, but from OSINT data, we can conclude that it once was.
Indicators of Compromise
Malicious app samples
- com.craftstoon.cartoonphoto
- com.fabiomancini.cartoonpainteffect: communicates with www.dozenorms.club
- com.xonasounds.relaxing: communicates with www.dozenorms.club
- com.georgebowman.cartooneffect.photoeditor: signed by fad32bf007d006b6bf3b9e5d4c5f1dd8176a159d
- 976f68632dbdce7f883c1edcd438060416db64fac7f26f5ad5c2211aa87d9853: malicious payload embedded in com.craftstoon.cartoonphoto
Malicious C&C samples
- dozenorms.club: embedded and contacted by samples
- zatuu.info: C&C for credentials exfiltration
Misc
Signing certificate of the embedded malicious payload: fad32bf007d006b6bf3b9e5d4c5f1dd8176a159d
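The indicators above (C&C domains, package names and the payload hash) are the kind of thing a defender wants to sweep a collection of APKs for, and the report also shows why a nested APK inside an app is worth flagging. The following script is an added example, not code from the original post or from Jamf: it treats each APK as the zip archive it is, hashes the file, searches every entry for the listed domains and package names, and reports any entry that is itself a zip (a dropped-APK candidate). The two sample "APKs" it scans are constructed in memory for the demonstration; real files are passed on the command line. Signing-certificate matching is left out on purpose, because the fingerprint on the page refers to the certificate inside the META-INF signature block, which needs a PKCS#7 parser rather than a plain hash of the file.

```python
import hashlib
import io
import sys
import zipfile

# Indicators taken from the report above.
IOC_DOMAINS = (b"dozenorms.club", b"zatuu.info")
IOC_PACKAGES = (
    b"com.craftstoon.cartoonphoto",
    b"com.fabiomancini.cartoonpainteffect",
    b"com.xonasounds.relaxing",
    b"com.georgebowman.cartooneffect.photoeditor",
)
IOC_PAYLOAD_SHA256 = "976f68632dbdce7f883c1edcd438060416db64fac7f26f5ad5c2211aa87d9853"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def scan_apk_bytes(data):
    """Match one APK (zip bytes) against the indicators; returns a report dict."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "domains": set(),
        "packages": set(),
        "nested_apk_entries": [],
    }
    # The hash only matches the decrypted payload itself, not the host app.
    report["payload_hash_match"] = report["sha256"] == IOC_PAYLOAD_SHA256
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["error"] = "not a zip/APK"
        return report
    for info in archive.infolist():
        blob = archive.read(info)
        # Plain substring search finds unobfuscated string constants in
        # classes.dex, resources and assets. The encrypted payload described
        # in the report would not match until it is decrypted.
        for domain in IOC_DOMAINS:
            if domain in blob:
                report["domains"].add(domain.decode())
        for package in IOC_PACKAGES:
            if package in blob:
                report["packages"].add(package.decode())
        # An entry that starts with a zip local-file header is itself an
        # archive: a candidate dropped APK worth pulling out and scanning.
        if blob.startswith(ZIP_LOCAL_HEADER):
            report["nested_apk_entries"].append(info.filename)
    return report


def is_suspicious(report):
    """True when any indicator from the report above was matched."""
    return bool(
        report.get("payload_hash_match")
        or report.get("domains")
        or report.get("packages")
    )


def build_sample_apk(entries):
    """Construct a minimal zip (stand-in for an APK) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one that embeds a C&C domain and a nested zip, one clean.
SAMPLE_MALICIOUS = build_sample_apk({
    "classes.dex": b"\x00Lcom/example/Foo;\x00https://www.dozenorms.club/api\x00",
    "assets/drop.bin": build_sample_apk({"AndroidManifest.xml": b"placeholder"}),
})
SAMPLE_CLEAN = build_sample_apk({"classes.dex": b"\x00Lcom/example/Bar;\x00"})


if __name__ == "__main__":
    paths = sys.argv[1:]
    samples = [(p, open(p, "rb").read()) for p in paths] or [
        ("constructed-malicious", SAMPLE_MALICIOUS),
        ("constructed-clean", SAMPLE_CLEAN),
    ]
    for name, data in samples:
        report = scan_apk_bytes(data)
        verdict = "SUSPICIOUS" if is_suspicious(report) else "no IoC match"
        print(f"{name}: {verdict} sha256={report['sha256']}")
        print(f"  domains={sorted(report['domains'])} packages={sorted(report['packages'])}"
              f" nested={report['nested_apk_entries']}")
```

Run it with no arguments to see the two constructed samples scored, or pass APK paths to scan real files. A nested-archive hit is only a lead: legitimate apps ship jars and zips under assets too, and, as in this sample, a dropped APK that is stored encrypted will not show the zip header at all, so the analyst still has to locate the decryption routine to recover and hash it.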