Anatomy of an Android Malware Dropper – EFF

Recently at EFF’s Threat Lab, we’ve been focusing a lot on the Android malware ecosystem and providing tools for its analysis. We’ve noticed lot of samples of Android malware in the tor-hydra family have surfaced, masquerading as banking apps to lure unsuspecting customers into installing them. In this post, we will take an example of one such sample and analyze it using open-source tools available to anyone.

At a Glance

The sample we’ll be looking at was first seen on March 1st, 2022. This particular malware presents itself as the banking app for BAWAG, a prominent financial institution in Austria. Upon first run, the app prompts the user to give “accessibility services” permission to the app. The accessibility services permission grants an app broad access to read the screen and mimic user interaction. Upon granting the permission, the app backgrounds itself. Any attempt by the user to uninstall the app is prevented by the app interrupting and closing the uninstall dialogues. Attempting to open the app again also fails—nothing happens.

App UX

Analyzing the Android Package APK

AndroidManifest.xml

The Android app manifest file contains a list of permissions, activities, and services that an app provides. If an activity is not listed in the app manifest, the app can’t launch that activity. Using an Android static analysis tool like jadx or apktool we can take a look at the manifest XML. The malware app’s manifest asks for a wide range of permissions, including the ability to read and send SMS messages (a common way for malware to propagate), request installation and deletion of packages, read contacts, initiate calls, and request the aforementioned accessibility service. In addition, a number of classes are referenced which are not defined anywhere in our jadx-reversed code:

  • com.ombththz.ufqsuqx.bot.components.commands.NLService
  • com.ombththz.ufqsuqx.bot.components.injects.system.InjAccessibilityService
  • com.ombththz.ufqsuqx.bot.components.locker.LockerActivity
  • com.ombththz.ufqsuqx.bot.components.locker.LockerActivity$DummyActivity
  • com.ombththz.ufqsuqx.bot.components.screencast.ScreencastService
  • com.ombththz.ufqsuqx.bot.components.screencast.ScreencastStartActivity
  • com.ombththz.ufqsuqx.bot.components.screencast.UnlockActivity
  • com.ombththz.ufqsuqx.bot.components.socks5.Socks5ProxyService
  • com.ombththz.ufqsuqx.bot.HelperAdmin$MyHomeReceiver
  • com.ombththz.ufqsuqx.bot.PermissionsActivity
  • com.ombththz.ufqsuqx.bot.receivers.MainReceiver
  • com.ombththz.ufqsuqx.bot.sms.ComposeSmsActivity
  • com.ombththz.ufqsuqx.bot.sms.HeadlessSmsSendService
  • com.ombththz.ufqsuqx.bot.sms.MmsReceiver
  • com.ombththz.ufqsuqx.bot.sms.SmsReceiver
  • com.ombththz.ufqsuqx.core.injects_core.Screen
  • com.ombththz.ufqsuqx.core.injects_core.Worker
  • com.ombththz.ufqsuqx.core.PeriodicJobReceiver
  • com.ombththz.ufqsuqx.core.PeriodicJobService
  • com.ombththz.ufqsuqx.MainActivity
  • info.pluggabletransports.dispatch.service.DispatchReceiver
  • info.pluggabletransports.dispatch.service.DispatchService
  • info.pluggabletransports.dispatch.service.DispatchVPN
  • org.torproject.android.service.OrbotService

The fact that the manifest references activities, services and receivers it wants to be run without defining them is the first indication that we are dealing with an “Android dropper.”

Unpacking Android Droppers

An Android dropper is malware which obfuscates its behavior by hiding its payload and only decoding and loading the code it needs at runtime. As Ahmet Bilal Can explains, this makes it harder for AV and security researchers to detect the malware by including “reflection, obfuscation, code-flow flattening and trash codes to make [the] unpacking process stealthy.” While stealthy, the steps the malware takes to hide itself can still be detected and subverted with a little help from the dynamic instrumentation toolkit Frida. Frida is able to inject itself into the control-flow of a running app, introducing its own code. This can be helpful to detect typical methods malware uses to disguise itself and load the underlying payload. In this case, we can use a short script to detect that Java classes are being loaded dynamically:

var classLoader = Java.use('java.lang.ClassLoader');
var loadClass = classLoader.loadClass.overload('java.lang.String', 'boolean');

loadClass.implementation = function(str, bool){
 console.log("== Detected ClassLoader usage ==");
 console.log("Args: ", str, bool);
 return this.loadClass(str, bool)
}

Running this code, we get

$ frida -U -f com.ombththz.ufqsuqx -l class-loader-usage.js --no-pause ____ / _ | Frida 15.1.16 - A world-class dynamic instrumentation toolkit | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at https://frida.re/docs/home/
Spawned `com.ombththz.ufqsuqx`. Resuming main thread! [Android Emulator 5554::com.ombththz.ufqsuqx]-> == Detected ClassLoader usage ==
Args: com.honey.miletes.k false
== Detected ClassLoader usage ==
Args: android.support.v4.content.FileProvider false
== Detected ClassLoader usage ==
Args: com.ombththz.ufqsuqx.App false
== Detected ClassLoader usage ==
Args: com.ombththz.ufqsuqx.MainActivity false
== Detected ClassLoader usage ==
Args: com.ombththz.ufqsuqx.core.injects_core.Worker false
== Detected ClassLoader usage ==
Args: com.ombththz.ufqsuqx.bot.PermissionsActivity false
== Detected ClassLoader usage ==
Args: org.torproject.android.service.OrbotService false

Our missing classes are indeed being loaded dynamically!

Previous iterations of tor-hydra malware dynamically loaded a dex file (an Android Dalvik executable file), which could be seen with adb logcat, and used the syscall unlink to delete that file, which would be seen in an strace call. For this app, we can use the command

monkey -p com.ombththz.ufqsuqx -c android.intent.category.LAUNCHER 1 && set `ps -A | grep com.ombththz.ufqsuqx` && strace -p $2

to see the syscalls in real time. We did not observe unlink being used in this sample, so this iteration was doing something different. Java provides a method in java.io.File called delete, which will not trigger the unlink syscall. Using this script, we can detect when that method is used, alert us of the file it attempted to delete, and make it a non-operation:

var file = Java.use("java.io.File")

file.delete.implementation = function(a){ 
 console.log("=> Detected and bypassed Java file deletion: ", this.getAbsolutePath());
 return true;
} 

The first few files deleted are of interest:

=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/tyfkjfUjju/HjIgfhjyqutIhjf/tmp-base.apk.gjGyTF88583765359401054429.88g
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/tyfkjfUjju/HjIgfhjyqutIhjf/dfGgIgyj.HTgj
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/tyfkjfUjju/HjIgfhjyqutIhjf/base.apk.gjGyTF81.88g
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/tyfkjfUjju/HjIgfhjyqutIhjf
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/shared_prefs/multidex.version.xml.bak
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/shared_prefs/pref_name_setting.xml.bak
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/files
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/shared_prefs/prefs30.xml.bak
=> Detected and bypassed Java file deletion: /data/user/0/com.ombththz.ufqsuqx/files/all_tor.zip

Once we issue an adb pull to download the base.apk.gjGyTF81.88g file from the device, we can use jadx again to determine that this includes the missing class definitions referenced in the manifest.

Investigating the Unpacked Payload

Looking into these files, there is a string obfuscation method that appears thousands of times throughout the code, unaltered from instance to instance:

private static String $(int i, int i2, int i3) {
 char[] cArr = new char[i2 - i];
 for (int i4 = 0; i4 < i2 - i; i4++) {
 cArr[i4] = (char) ($[i + i4] ^ i3);
 }
 return new String(cArr);
}

Wherever we see a call which looks like $(166, 217, 28670) in the code, it refers to this function and uses the $ variable in the same scope to return a string. We can use a Java sandbox like this one to define the locally-scoped $ variable, the $ method, and print out the decoded string.

In sources/com/ombththz/ufqsuqx/bot/network/TorConnectionHelper.java we see a method which looks like a promising lead called loadAdminUrl. Decoding the $(556, 664, 4277) call, we get a base64-encoded onion address:

http://loa5ta2rso7xahp7lubajje6txt366hr3ovjgthzmdy7gav23xdqwnid.onion/api/mirrors

This address is available over the Tor network, and contains a base64-encoded URL which references the command and control (C&C) server, the server from which the malware operator issues commands. The author of this post reached out to the Tor Project on March 7th informing them of this C&C server. On app bootstrap, the Tor network is connected to by code lifted from Orbot in order to discover the C&C server, and then the Tor connection is promptly dropped. When first doing this investigation, the domain referenced yuuzzlllaa.xyz, but this has since changed to zhgggga.in. We can see a login page for the C&C server administrator when accessed:

C&C Login Page

One of the main features of the Tor network is censorship-resistance. If you can access the Tor network, you can access information and websites that cannot easily be taken down because of the way the network is architected. This is a good thing for dissidents in censorship regimes or whistleblowers trying to get privileged information to reporters: the services they rely on will be available even if their adversaries don’t want them to be. This is a double-sided coin, though—in this case malware is also able to direct victims’ devices to C&C servers in a way that can’t be taken down. There is no way to have one without the other and keep the integrity of the network intact. In this case, the clearnet domain yuuzzlllaa.xyz was presumably taken down after being reported and then the malware operator spun up another domain at zhgggga.in without much interruption of the malware command and control. In these cases, reporting malicious C&C domains seems like a game of whack-a-mole: as soon as you take one down, the next pops up.

In the file com/ombththz/ufqsuqx/bot/DexTools.java we see an interesting method, run(), which loads a stage-2 payload from the admin C&C url path /payload. This is a dex file which can be decoded by jadx to an app ID of com.fbdevs.payload. Unfortunately for the sake of our analysis, this file contains mostly uninteresting and non-malicious code.

Looking at the om/ombththz/ufqsuqx/bot/components/ path, many of the components seem to be inherited directly from the Android BianLian malware, an excellent analysis of which can be found here. One of the components not included in this previous iteration is under the socks5 path, which opens a proxy server to a specified host in order to receive commands and launch attacks. All the components are activated and controlled by the C&C server through a Firebase Cloud Messaging (FCM) connection, allowing messages targeting specific devices.

Fighting Back Against Malware

Despite relatively state-of-the-art techniques employed to thwart analysis, a few powerful publicly accessible open-source tools were used to interrupt the control flow and reverse engineer this sample. More complex malware will detect hardware profiles and be able to determine that it is being run in an emulator, and change its behavior to further hide its core functionality. Still others will deploy malicious code in deeper stage payloads in an attempt to further bury its true behavior. However, this sample shows how a few simple steps can be taken to peel those layers back to eventually discover the control flow of a new class of malware. Moving forward, other samples in this class can be analyzed in much the same way to track changes in the ecosystem and how malware developers are responding to attempts to mitigate their effectiveness.

Analyzing malware and tracing its evolution is important for fighting back against it. Not only does it result in better signatures for anti-virus software to use and protect users, it helps us understand what protections are necessary on the operating-system level and guides platform security recommendations. Sometimes, it can lead to C&C servers being shut down and the targets of the botnets gaining some much-needed reprieve. And lastly, it gives users insight into what software is running on their devices so they can take control back.

Source of this news: https://www.eff.org/deeplinks/2022/04/anatomy-android-malware-dropper

Related posts:

With iCloud Plus, Apple’s privacy promise is paired with an upsell - The Verge
Apple has spent considerable time championing itself as a protector of user privacy. Its CEO Tim Cook has repeatedly stated that privacy is “a fundamental human right,” the company has based multiple...
Can prior human seasonal coronavirus antibody response patterns predict SARS-CoV-2 inhibition? - New...
To date, the ongoing novel coronavirus disease 2019 (COVID-19) – caused by the severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) – has led to over 192.17 million confirmed cases and over 4...
Trend Electronics : Notice of Adjourned 30th AJM - Marketscreener.com
Trend Electronics Limited NOTICE OF THE ADJOURNED 30TH ANNUAL GENERAL MEETING The Hon'ble National Company Law Tribunal ("NCLT"), Mumbai Bench, vide its order dated September 25, 2018 ("Or...
Windows 11 deep dive: Checking out the new Settings app - XDA Developers
After over six years of Windows 10, we’re getting a major Windows update with Windows 11. There is a lot that’s new with the new operating system and as it begins rolling out, we’re here to show you ...
How to open and use Windows 11 Settings to tweak your PC - TWCN Tech News
Windows 11 is here now! If you have installed Windows 11 on your computer and are feeling overwhelmed by it, then don’t you worry – This easy-to-understand tutorial will help you sort everything! Win...
mIRC 7.67 - Neowin
mIRC is a full featured Internet Relay Chat client for Windows that can be used to communicate, share, play or work with others on IRC networks around the world, either in multi-user group conferenc...
Choc by WATFAQ TECHNOLOGIES PTY LTD - AppAdvice
A flexible proxy utility- Local HTTP/HTTPS/SOCKS proxy server - Multiple proxy protocol support- Built-in DNS server supports DoH/DoT upstream and fake IP.- Rules based off domains, GEOIP, IPCIDR or ...
+1-888-652-8714 Fix Gmail Error 502 Easily | | laconiadailysun. com - The Laconia Daily Sun
[embedded content] There is no single cause of the Gmail 502 olvido. It can be caused by multiple disorders and the issues we provide under. A problem in the Gmail computer may prevent ...
How to Find My Proxy Server Address - Techstory
A proxy server provides a valuable boost to your internet security and privacy. Most people use a proxy server to hide their actual IP address and safeguard their location. If you’re using a proxy fo...
The Importance of Rotating IP Addresses in Ecommerce Sites - hackernoon.com
The Importance of Rotating IP Addresses in Ecommerce Sites is to be explained. It is a common practice in the world to use proxies to collect data from the internet. The practice is often used to he...
10 Techno-Cool Cars - IEEE Spectrum
The auto industry is quick to entertain new ideas but slower to implement them. Although Robert Bosch perfected diesel fuel injection in the 1920s, it was decades before the technology made it into t...
N-vidia deflates God of A huge PC and Half-Life regarding Remastered rumors, says leaked data was 's...
Rumors of a Half-Life second remaster and a God relating to War PC port moving spreading on Monday wedding and reception contents of an Nvidia applications leaked. Don't get too restless, though:...
Adelaide password management software firm injured by supply chain approach - iTWire
Australian company Click Ateliers has warned users of enterprise password manager Passwordstate that a supply chain ravage may have led to their customers' password records being took in. The c...
Apple and Google Respond to Covid-19 Contact Tracing Concerns - WIRED
"It's definitely possible that some evil advertiser could use this to augment their data sets," Green says. "But, gosh, it really requires a lot of evil. And it seems to me like a small case."Keeping...
How can i Access Blocked Websites almost everywhere and for Free - BollyInside
This lesson is about the How to Find out Blocked Websites anywhere for Free. We will try our best so that you will understand this guide. I hope you enjoy this blog How to Access Blocked Online...
What Is a Network Policy Server? | Purpose of an NPS Server - Server Watch
For network access and policy management capabilities, Microsoft’s RADIUS server and proxy tool is the Network Policy Server (NPS). NPS offers authentication, authorization, and accounting (AAA), ena...
Dallas Invents: 129 Patents Granted for Week of March 22 - dallasinnovates.com
Dallas Invents is a weekly look at U.S. patents granted with a connection to the Dallas-Fort Worth-Arlington metro area. Listings include patents granted to local assignees and/or those with a N...
An ‘internet civil war’ has erupted in Russia - Aljazeera.com
When Evgeny first heard that Russia’s communications censor Roskomnadzor was going to block the popular messenger app Telegram, it brought to mind a Soviet-era slogan. The Communist Party said: “It m...

IP Rotating Proxy Onsale

SPECIAL LIMITED TIME OFFER

00
Months
00
Days
00
Hours
00
Minutes
00
Seconds
First month free with coupon code FREE30