13

Quite recently, our Android app has started crashing due to a NullPointerException in a package called com.walkfreestub. Currently there are absolutely no references to this online (we've tried all sorts of other searches related to the crash). Any information about this package or possible causes would be wonderful. Our best guess is that someone has decompiled our APK and modified the original code, in order to re-release it in an unofficial app store.

Notably, this happens most often in India and Nigeria, and frequently on the Xiaomi 2014818 device (but that might just be a common device in those countries). Versions are mostly Android 4.2 and 4.4, but also a few crashes on 5.1 and others.

Update:

There are now several forums online where users are complaining of malware related to com.walkfree and com.walkfreestub. See links here, here, and here. This unfortunately confirms our hypothesis that the APK has indeed been modified with malware in an unofficial app store.

Full stack trace:

```
java.lang.NullPointerException: replacement == null
    at java.lang.String.replace(String.java:1348)
    at com.walkfreestub.trace.ReferrerTrack.checkTrackUrl(ReferrerTrack.java:158)
    at com.walkfreestub.internal.PushServiceProxy.startDownloadApp(PushServiceProxy.java:454)
    at com.walkfreestub.internal.PushServiceProxy.notifyToDownload(PushServiceProxy.java:239)
    at com.walkfreestub.internal.PushServiceProxy.notifyMessage(PushServiceProxy.java:274)
    at com.walkfreestub.internal.PushServiceProxy.onMessageLoaded(PushServiceProxy.java:342)
    at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:375)
    at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:1)
    at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:60)
    at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:1)
    at com.walkfreestub.volley.ExecutorDelivery$ResponseDeliveryRunnable.run(ExecutorDelivery.java:99)
    at android.os.Handler.handleCallback(Handler.java:730)
    at android.os.Handler.dispatchMessage(Handler.java:92)
    at android.os.Looper.loop(Looper.java:137)
    at android.app.ActivityThread.main(ActivityThread.java:5136)
    at java.lang.reflect.Method.invokeNative(Native Method)
    at java.lang.reflect.Method.invoke(Method.java:525)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:740)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:556)
    at dalvik.system.NativeStart.main(Native Method)
```
Kevin Cooper
  • Looks like some of the classes here https://android.googlesource.com/platform/frameworks/volley/+/master/src/main/java/com/android/volley were just cloned and moved to another namespace – weston Aug 18 '15 at 19:04
  • The `.internal.` classes are called because they are registered `...volley.Response.Listener`s so they are absent from that repo. – weston Aug 18 '15 at 19:09
  • Thanks @weston. We do use Volley in our app, which is probably why this crash is happening. We would like to figure out where this cloned package is coming from so we can determine what to do about it. – Kevin Cooper Aug 18 '15 at 22:04
  • @kevin does this happen only on rooted devices? – Guy Aug 19 '15 at 08:29
  • @Guy unfortunately we don't know whether these crashing devices are rooted or not. – Kevin Cooper Aug 19 '15 at 18:01
  • @Kevin I've emailed you through LinkedIn - LMK if you want to go on chat so we can share our findings and try to hunt this down. – Guy Aug 20 '15 at 10:11
  • 3
    We also see this exception in one of our apps. The app version which produces this exception is signed with a different certificate. I suspect someone disassembles the app, adds this walkfreestub code and builds it again, and then distributes it outside of Google Play. – uwe Aug 20 '15 at 12:35
  • I have the same problem. – Eduardo Mauro Aug 21 '15 at 20:24
  • Our best theory now is like the one @uwe has mentioned above. – Guy Aug 23 '15 at 06:27
  • I think @uwe is on the right track. Googling "com.walkfree" yields a couple of results suggesting it's malware: [1](https://forums.malwarebytes.org/index.php?/topic/171034-suspicious-686944448apk-from-mobogenie-allegedly-pou-app/) [2](https://groups.google.com/forum/#!topic/android-security-discuss/YH80_qADG5E) – Snild Dolkow Aug 24 '15 at 16:52
  • 1
    Thank you for the links @SnildDolkow! I searched myself and found a few more. Added links to description. – Kevin Cooper Aug 24 '15 at 17:55
  • I have other reports with different stack traces. For example, one of them starts with: `java.lang.ExceptionInInitializerError at com.walkfreestub.internal.action.WalkActionScanner.resumeDownloadTask(WalkActionScanner.java:178)` – Eduardo Mauro Aug 28 '15 at 10:31

3 Answers

4

Packages such as com.walkfree and com.walkfreestub appear to come from a trojan injected into decompiled APKs, distributed through unofficial app stores. The trojan appears to download more unwanted apps in the background, and likely performs other dubious activities. If you come across one of these malicious APKs, please submit it to anti-virus sites such as Malwarebytes!

See similar posts here, here, and here for more information.

Kevin Cooper
2

I would suggest detecting com.walkfreestub.* classes using reflection and notifying your user. Most likely, this injection is implemented with an automated script, so they wouldn't search manually for your detection code.

I mean something like what is described here: checking whether a package is existent or not.

You check that com.walkfreestub.* is present in the classpath and notify the user that the application was compromised by malware and that users should be aware of it.

Alternatively, you may try to check the APK signature.

Oleksandr
  • It's unfortunate the app was compromised, but now the responsibility falls on us to ensure our users remain safe. Excellent advice @Olexandr. – Kevin Cooper Apr 11 '16 at 21:13
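
One way to implement the two checks suggested in the answer above, as an added example (not code from the post or its author). `TamperCheck` and the certificate digest placeholder are hypothetical; the probed class names are the ones visible in the stack traces on this page.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.util.Locale;

/** Hypothetical helper (added example): detects a repackaged build at runtime. */
public final class TamperCheck {
    // Class names taken from the stack traces on this page. Reflection cannot
    // enumerate "com.walkfreestub.*", so known members of the package are probed.
    private static final String[] INJECTED_CLASSES = {
        "com.walkfreestub.internal.PushServiceProxy",
        "com.walkfreestub.trace.ReferrerTrack",
        "com.walkfreestub.volley.toolbox.StringRequest",
        "com.walkfreestub.internal.download.DownloadControllerForService",
    };
    // Placeholder: SHA-256 of your own release signing certificate, lowercase hex.
    private static final String EXPECTED_CERT_SHA256 = "<your-release-cert-sha256>";

    /** True if any injected class is loadable from this app's class loader. */
    public static boolean hasInjectedClasses(Context ctx) {
        for (String name : INJECTED_CLASSES) {
            try {
                Class.forName(name, false, ctx.getClassLoader()); // false: skip static initializers
                return true;
            } catch (ClassNotFoundException | LinkageError e) {
                // Not present or not loadable: try the next name.
            }
        }
        return false;
    }

    /** True if the installed APK is signed by exactly the expected certificate. */
    public static boolean hasExpectedSignature(Context ctx) {
        try {
            // GET_SIGNATURES suits the Android 4.x-5.1 devices reported here (API 28+: GET_SIGNING_CERTIFICATES).
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format(Locale.US, "%02x", b));
            return EXPECTED_CERT_SHA256.equals(hex.toString());
        } catch (Exception e) {
            return false; // Fail closed: treat lookup or hashing errors as a mismatch.
        }
    }
}
```

Either signal alone is enough to warn the user; the signature check also covers repackaged builds that carry a different injected package.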
0

For me this happened on a Nokia device. I do not use Volley. All HTTP calls are made using OkHttp.

The device is apparently rooted and running Android 4.1.2. Here is the stacktrace:

```
java.lang.NullPointerException
   at com.xckevin.download.DownloadManager.addDownloadTask(DownloadManager.java:111)
   at com.walkfreestub.internal.download.DownloadControllerForService.download(DownloadControllerForService.java:230)
   at com.walkfreestub.internal.download.DownloadControllerForService.download(DownloadControllerForService.java:201)
   at com.walkfreestub.internal.PushServiceProxy.startDownloadApp(PushServiceProxy.java:435)
   at com.walkfreestub.internal.PushServiceProxy.onActionLoaded(PushServiceProxy.java:525)
   at com.walkfreestub.internal.action.WalkActionRequest$2.onResponse(WalkActionRequest.java:188)
   at com.walkfreestub.internal.action.WalkActionRequest$2.onResponse(WalkActionRequest.java:1)
   at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:60)
   at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:1)
   at com.walkfreestub.volley.ExecutorDelivery$ResponseDeliveryRunnable.run(ExecutorDelivery.java:99)
   at android.os.Handler.handleCallback(Handler.java:615)
   at android.os.Handler.dispatchMessage(Handler.java:92)
   at android.os.Looper.loop(Looper.java:137)
   at android.app.ActivityThread.main(ActivityThread.java:4807)
   at java.lang.reflect.Method.invokeNative(Method.java)
   at java.lang.reflect.Method.invoke(Method.java:511)
   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:792)
   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:559)
   at dalvik.system.NativeStart.main(NativeStart.java)
```

It looks like a crash from a 3rd party library which extends Volley. https://github.com/Houny/Downloader

esoxjem