Android Malware - Malware Analysis Lab

14 minute read

Technical Analysis of generic Android Malware

Overview (AI generated from video):

Summary

Android malware reverse engineering reveals a Trojan dropper disguised as a game center app, using proxies to run legitimate applications and show ads.

Timestamps

00:45 ⚡️ The Android package is masquerading as a game center app.
02:15 🔍 The Android manifest reveals suspicious permissions and package names.
05:30 📂 A dynamically loaded class is detected, indicating malicious behavior.
08:10 📲 The malware proxies legitimate apps and prompts users to download them.
10:20 🌐 URLs associated with popular websites are targeted, including adult content.
12:45 🔒 The malware encrypts and decrypts files to hide its true nature.
15:00 📥 The malware shows ads, collects device information, and can update its configuration.

Key Insights

💡 The Android manifest is a crucial resource for understanding an application's permissions and activities.
💡 Dynamic class loading is a common technique used by malware to hide its behavior and evade detection.
💡 Proxies and URL manipulation are used to deceive users and potentially engage in malicious activities.
💡 The encryption and decryption of files help the malware evade detection and protect its malicious payload.
💡 The malware's ability to show ads and collect device information indicates a profit-driven motive.
💡 Targeting popular apps and websites increases the malware's chances of spreading and infecting more devices.
💡 Regular configuration updates allow the malware to adapt its behavior and evade detection.

Transcript (AI generated from video):

00:00:00	So I've found this sample on MalwareBazaar. There's a threat type of just "unknown" at the moment; a fair amount of vendors say yeah, it's detected, some say it's benign, and it was uploaded by this user Venom strike, downloaded from this particular URL. Let's dive into this and see what we're looking at. So I've gone ahead and downloaded the binary. VirusTotal says yeah, it's an Android Trojan dropper, or it's got hidden ads. Is it adware? Is it something a little bit more menacing? So what we can do is use a
00:00:34	tool such as JADX, specifically JADX, in order to get some more information about what this particular binary is doing. So I'm just going to go ahead and open up my sample, and now we've got a lot more information. On the left-hand side, under the resources, there is something that we should really be looking at whenever we open up an Android package such as this, an APK file, and that is the Android manifest. The reason is because this details so much about the application, such as the permissions that it is
00:01:05	requesting, the particular activities associated with it. Now, an activity in the Android world is pretty much a way of interacting with an application, so basically activating parts of that particular application, and tied to that is also something known as a hug activity. Let's start looking at this particular sample. We can see that it is requesting permissions such as access to the internet, receive network information, being able to make it full screen over your particular mobile device, being able to get your ad ID (a little bit
00:01:44	interesting), being able to get your external storage, send notifications, wake up your machine. You'll also notice that the package down here is known as com.draw.me.game center. Now, if you actually look at this package in the Google Play Center, it has nothing to do with the sample that we're looking at here, so it looks like it's probably masquerading as this, another sign that maybe this is a little bit suspicious. We have an Android label of the app name here, we've got this particular icon associated with this Android name
00:02:22	associated with this application as a whole is defined under jb.fv.bre. Now, if we actually begin to look at jb., there is a Breck here, so this is essentially what's going to be triggered when the application is launched. A little bit further on there's this allowClearUserData false. That allowClearUserData is supposed to be essentially specifying that you can't clear the user data associated with this application; however, there is something a little bit intricate in that this is supposed to only apply to applications
00:03:00	that are installed on your device, so in this particular case this permission may be completely ignored. There's also android:allowBackup, so this is: when you back up your device, does this application get backed up with it? And because this is set to false it's a little bit suspicious once again; it almost looks like it's trying to hide on the device. The base application, and then under that there are providers for particular, essentially, functions, so these providers are essentially like functions.
00:03:29	There are these activities that are set to also excludeFromRecents, so they're trying not to be shown under your recently used applications, or activities I guess. When you try to swap applications on your Android device and it shows all of the applications that were previously open, this is going to hide it from that as well. There are these activities that are defined under different classes of the Android name, and you'll notice that there are classes such as o FV, but then there's this XV fbp, and on the
00:04:04	left-hand side we actually can't see that as one of the classes. The same applies to Y FSR. All of these classes don't actually exist in what we are examining here, which tells us there's a good chance that a dynamically loaded class is going to occur at runtime. Continuing to go down, there are these intent filters. Okay, so these are all associated with a pathPrefix of /open, which is essentially tied to an intent, which can be broadly defined as an action to be performed on this particular device, so opening, say, a
00:04:40	file. If we begin to look down, this is the particular definition of an activity. There is another definition of an activity here as the JB o FV St WWB; once again, this class does not exist, but it's got this icon, so this icore book, it's basically got this label of Book Readers, and what this is saying is: when you try to open up, let's say, a file and it essentially prompts you what application do you want to open this with, the same as Windows would do when you go right-click, Open With, what it's going to
00:05:14	be saying to the user is Book Reader, but what that's actually defining is this activity associated with these particular classes. So this OE FV RB is the name, and the activity that will be run essentially when you open it is this St WWB, so once again classes that we can't see, and we can't get a better idea of what they're doing. The same thing applies here: another thing defined, this is a presentation, a text viewer, an Excel viewer, all these different files it is masquerading as, to essentially say, I am
00:05:55	the application that you should open this particular file with. But there's also stuff as we go down, for example Snapchat, so if it's associated with Snapchat, something that would open with Snapchat, it will prompt once again: I am Snapchat, I'm the legitimate application you should open this with. And there's also other prefixes, so these are associated with essentially trying to go to the Snapchat website, once again proxying through this particular Android application. All very interesting
00:06:30	things, and this goes on for a while, so there's Zoom, Twitter, Telegram, WhatsApp, Instagram, Facebook, Chrome browser, so targeting specific websites associated with the Chrome browser and the Incognito browser. This is more adult material by the looks of things; it looks like it's trying to determine if, when you're using an incognito browser, you're accessing any of these kind of adult-related websites. So when we're actually looking at the class that runs when we run this application, this Brecks class extends
00:07:07	the Application class, and it's what's going to run. So you can see it's creating a new instance of the OBP class and is essentially then doing the run method associated with it. When we essentially create this, there is this jks SF class that is then running a method of qiv AJ. Now, you'll notice this isn't within the package jb.FV anymore; this is actually within this PTM package. So if we follow this, this is what's going to begin to occur as soon as the application's run. After it gets this path list, it's actually
00:07:46	specifying this as the object that it's looking at, and if we begin to look more into that, we are actually getting this DEX object from the assets of the particular application that we're looking at. It's this 20f 13937 that's sitting in the resources, or the assets, associated with what we're analyzing, and that is then being written to a file called 73d 21490.dex. If we were to extract the files, and so we actually look into this and we look at the assets, there is in fact this 20f 13937, which is a DEX application. Now, a
00:08:31	DEX application in itself should have the same as a zip archive's header, so it should be PK onwards, but if we look at this in a hexadecimal editor it looks like it's just gibberish, and that's because there's some sort of XOR encryption going on. So we've got that there, and if we look down there is this pseudo-random number that's being generated for the bytes being read, and an XOR operation is occurring against that array based on the particular random string that we generated. I'm going to use the code itself to give me what I
00:09:06	want. So if we open up VS Code, I can now copy components of that particular Java class, like I've done here, and essentially continue that operation to get that class that's going to be reflectively loaded into memory. So there is this FileOutputStream I've defined, and a lot of the code is similar here, slight differences in some of it. So what I'm going to do is I'm going to write it to a file called 73d 21490.dex, but I'm going to need to place the 20f file within our Downloads directory, so I'm just going to go ahead and copy
00:09:45	this out. So I've now got this DEX file there, and what I'm going to do is just simply run the code. This goes ahead and compiles it and does it, and now you can see that we have this other DEX file. It's the exact same size; the difference is that it has been decrypted. If we look at it in a hex editor, you can now see it's called classes.dex, which rings a bell to what we saw earlier, and it's got the PK header associated with it. So what we could actually do is use something like 7-Zip to extract
00:10:18	these files and then look at it, and we've got a classes.dex file here. So let's try to open this up in JADX. Now, there is one error that's been reported, but all in all we've got a lot more information of interest. Remember, this was trying to execute this St WWB class that we didn't have before, and now we can see where that's actually been defined. A lot more information now associated with this, and we can begin to piece together what we saw before. Okay, so basically it looks like it's detecting whether you have some sort of
00:10:53	package to open up these applications, and if you do, after essentially proxying it through this, it will open up with your legitimate application. So it will function in a similar way to if you just open it with your default application of TikTok, Instagram, WhatsApp, so to you it's kind of supposed to be transparent, in that it's created these proxies in order to run the legitimate application or prompt you to download it from Google Play. However, something that's of interest is when we begin to look at the
00:11:29	Android classes that are defined. So remember that these Android names and activities are things that could happen, so interacting with them in some way, shape or form, and there is this oyf that has been defined, and you can see that we've actually been able to decompile that particular class. So you can see onResume, a notification comes up saying permission is required for the application to work correctly, and then it is prompting a user to give it more permissions. If we look at open browser, that triggers here; this begins to look a
00:12:07	little bit more suspicious, so it will open up your browser, but it will be specifying a URL of this whoh push.com and registering this user ID that is defined. Basically it's sending an identifier, by the looks of things, to this particular who push URL. Now, that's a little bit interesting to me, but there's actually a little bit more, because this is going to have something that is to do with Runnable. There is a particular intent that this registers, so an intent can be used to launch an activity, so this is going to
00:12:49	be what's running those activities. I'm no expert in Android malware analysis, but this is kind of my understanding of how this all functions. Now, if we begin to go back and look at what happens when this is running, there are flags that are assigned to it, and there is this start activity with the intent. Now, if we look at what activity has been started, it's an instance of this o YF class, so this is to do with on creation; it's got another intent registered here, that is the zedy class, as opposed
00:13:25	to that particular one. So if we look at the zy class, there is now reference to looking at whether the screen is off, if that's the action that's occurring, and it's talking about intent ad show, so this could actually be indicating that it is trying to show an advertisement to the end user. We can actually see that it's tried to get a particular user agent from your settings, or from this WebView particular class, getApplicationContext, getSettings, so I'm assuming that this application can have
00:14:12	a configured user agent within it, perhaps, but what's funny here is that if it fails it's just going to set the user agent to "Oops I did it again", so probably an indicator to look out for on your network devices, to see if you've got this, whatever it is. content action ad show equals: it's going to be checking if particular things are set. This is a bit interesting once again: you've got oops=1, so this is actually going to be sent in a request somewhere to a URL, build versions or manufacturer or models; if it can't get
00:14:52	that information, it just uses oops=1. Yeah, it looks like it's this particular information tied down here as well, this client.config format advert key, so once again showing ads or dropping DEX files or classes on this particular phone that has installed this. So, very interesting. When this particular thing gets destroyed, it is removing the callbacks, the Runnable callbacks that it has used. Config exception: always interesting seeing these messages being sent, or logged I should say. Validation exception, config response
00:15:30	network is empty, config is dumb, config is updated, so it looks like maybe you can push down new configuration to this. But this is where it gets interesting again: you can see there is dexElements, this is in the clear now, it's no longer obfuscated, and there is this particular reflection being done as well into memory, so there's a good chance that there is another class with more particular information that's occurring here. You can see Dex is load, so if we're looking through it there is this interesting class, this squareup.leak
00:16:08	canary, and this is configuration associated with this particular application. So you can see the application ID is set as com.draw.near me.Game Center, build type is release, debug false, flavor managers (managers of what exactly?), the version, the version name, the asset name, so this is what we saw before, and the DEX name, and then even that string that's being used to generate the random key. Another BuildConfig under the nextg here as well, so this is doing a similar thing. You've got advert with a Base64
00:16:52	encoded string, possibly, here, as well as the domain, that is the one.on best top.com. There's a few more of these under the com com class as well, so maybe they've got a number of affiliates and they basically will allow deploying of DEX classes and advertisements to particular devices, perhaps. But let me know what you think, let me know what you thought about that analysis. Like I said, I'm not an expert in Android malware analysis by any stretch, but this is going to give you a bit of an idea on how to get more information from a
00:17:27	particular Android package file.
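To triage the kind of encrypted asset the video walks through (a blob under assets/ with no DEX or zip header that, after a byte-wise XOR against a PRNG-derived keystream, turns into a PK archive holding classes.dex), here is an added Python example; it is not code from the video, the speaker or the sample. It classifies a blob by magic bytes, flags high-entropy assets with no recognised header, and runs a known-plaintext check that recovers the first keystream bytes for comparison against a candidate generator; the seeded PRNG used to build the constructed sample is an assumption standing in for the dropper's own key generator, not a reconstruction of it.

```python
import io
import math
import random
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"  # a jar/apk wrapping classes.dex starts like this
DEX_MAGIC = b"dex\n"       # a bare classes.dex starts with "dex\n035\0" (or a later version)

def classify_blob(data: bytes) -> str:
    """Identify an asset by its magic bytes: 'zip', 'dex' or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(DEX_MAGIC):
        return "dex"
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; XOR-obfuscated or compressed blobs sit close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_suspicious_asset(data: bytes, threshold: float = 7.5) -> bool:
    """Flag an asset with no recognised magic that nevertheless looks encrypted."""
    return classify_blob(data) == "unknown" and shannon_entropy(data) > threshold

def xor_keystream(data: bytes, keystream: bytes) -> bytes:
    """Byte-wise XOR against an equal-length keystream (the dropper's scheme as described)."""
    return bytes(d ^ k for d, k in zip(data, keystream))

def keystream_prefix(ciphertext: bytes, expected_magic: bytes = ZIP_MAGIC) -> bytes:
    """Known-plaintext check: ciphertext XOR expected magic yields the first keystream bytes."""
    return xor_keystream(ciphertext[: len(expected_magic)], expected_magic)

def archive_entries(data: bytes) -> list:
    """Names inside a recovered archive (what 7-Zip would list), e.g. ['classes.dex']."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_constructed_sample(seed: str = "constructed-seed-string"):
    """Constructed data: a stored zip with a stub classes.dex, XORed with a seeded-PRNG keystream
    (the PRNG is an assumption standing in for the dropper's generator)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + bytes(range(256)) * 8)
    plain = buf.getvalue()
    rng = random.Random(seed)
    keystream = bytes(rng.randrange(256) for _ in range(len(plain)))
    return plain, keystream, xor_keystream(plain, keystream)
```

Against a real APK, run `is_suspicious_asset` over every entry under assets/, then feed any hit to `keystream_prefix` and compare the result with the first bytes produced by the generator you recovered from the decompiled loader.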