First, we will talk about the encryption process: the app creates the Meteoroid directory in the external storage and then encrypts the file found at the path sent along with the command, using the AES cipher and the key found in the command.
The encrypted file will be placed in the Meteoroid directory under the name Dark_Shades_Encrypted_[random_number].
The command most likely looks something like this: 3ncrypts, [path_to_file], [key]. We make this assumption because the command received from the server is split into three parts, as seen below:
Figure 16: the function that creates the “Meteoroid” directory and splits the command. Below is the a(new File(str3), split) function:
Figure 17: the encryption function
After a file has been encrypted, a new file called _NEW_Encrypted_File_Name_ [same_random_number] will appear in the Meteoroid folder, with the following content:
“Dark Shades has encrypted a file.
File location & Name : ” [location_of_the_file] ”
Ending number with extension is the encrypted file (Eg: 4545.txt must be used to decrypt the file and not the entire file name).
Please use the exact file name & Password to decrypt this file.”
This makes the user think that the password has been kept in some file, but that is not true: the encryption/decryption key (AES is a symmetric cipher, so the same key is used for encryption and decryption) is not stored anywhere in the filesystem. The decryption process mirrors the encryption process: the [random_number] from the name of the encrypted file Dark_Shades_Encrypted_[random_number] is received in the d3crypt command, along with the decryption key. After decryption, the file will be found in the Meteoroid directory under the name [random_number].[original_extension].
These commands apply the encryption process described above to most of the files found in the external storage, selected by extension. All common office document types (doc, DOC, docx, DOCX, TXT, txt, ppt, xls, etc.) are targeted, along with .mp3, .mp4, .wav, .jpg, .png, .C, .JAVA and many more.
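As an added defender-side example (not code from the analysis or from the malware), the following Python script triages a Meteoroid directory listing: it pairs each Dark_Shades_Encrypted_[random_number] file with its _NEW_Encrypted_File_Name_ note by the shared random number and pulls the original path out of the note text described above. The directory contents are constructed inline; a real run would build the listing from the device's external storage.

```python
import re

# Artifact naming from the analysis: an encrypted file and its note share the
# same [random_number] suffix inside the Meteoroid directory.
ENCRYPTED_RE = re.compile(r"^Dark_Shades_Encrypted_(\d+)$")
NOTE_RE = re.compile(r"^_NEW_Encrypted_File_Name_\s*(\d+)$")


def extract_location(note_text):
    """Return the original path from the 'File location & Name : " ... "' line."""
    for line in note_text.splitlines():
        if line.startswith("File location & Name"):
            _, _, rest = line.partition(":")
            # the app wraps the path in (straight or curly) quotes and spaces
            return rest.strip().strip('"\u201c\u201d').strip()
    return None


def triage_meteoroid(listing):
    """listing maps file name -> text (None for binary). One finding per
    encrypted file, joined to its note by the random number; a missing note
    is reported rather than silently skipped."""
    encrypted, notes = {}, {}
    for name, content in listing.items():
        m = ENCRYPTED_RE.match(name)
        if m:
            encrypted[m.group(1)] = name
            continue
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1)] = extract_location(content or "")
    return [{"random_number": num, "encrypted_file": fname,
             "note_present": num in notes, "original_path": notes.get(num)}
            for num, fname in sorted(encrypted.items())]


# Constructed sample of a Meteoroid directory (not from a real infection).
SAMPLE_DIR = {
    "Dark_Shades_Encrypted_4545": None,
    "_NEW_Encrypted_File_Name_ 4545": (
        "Dark Shades has encrypted a file.\n"
        "File location & Name : \u201d /sdcard/Documents/report.docx \u201d\n"
        "Please use the exact file name & Password to decrypt this file."
    ),
    "Dark_Shades_Encrypted_9911": None,  # its note is missing on purpose
    "notes.txt": "unrelated user file",
}
```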
These commands all relate to telephone operations; their usage is as follows:
Captures the screen using the screencap command and saves it in the /Android/data/nebula/Pictures directory.
Figure 18: the screen capturing function
Returns a shell handle to be used for future commands.
This command triggers the card credential grabbing procedure.
This command initiates a Distributed Denial of Service (DDoS) attack. The target and the duration of the attack are found in the command.
Figure 19: the command (str) is split and, in the for loop, the attack is started (b(str2), where str2 is most likely the target)
Below is the class responsible for the DDoS attack. The value of the “User-Agent” header can be used in a firewall rule to help block this kind of attack: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”
Figure 20: the class responsible for the DDoS attack
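As an added example of using that User-Agent value on the defending side (not code from the analysis), the following Python script parses web server access logs, keeps only requests carrying the hard-coded DarkShades User-Agent, and flags source addresses that send them at flood rate. It assumes the common "combined" log format; the window and threshold are tuning knobs so that a genuine Firefox 8 client with the same User-Agent is not flagged. The log lines are constructed inline.

```python
import re
from collections import defaultdict
from datetime import datetime

# User-Agent hard-coded in the DDoS class described in the analysis.
DARKSHADES_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

# Assumption: the web server writes the common "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_darkshades_sources(lines, window_seconds=10, threshold=20):
    """Map ip -> peak request count for sources sending the DarkShades UA
    at least `threshold` times inside any `window_seconds` span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] == DARKSHADES_UA:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, second, ua):  # helper for the constructed sample below
    return (f'{ip} - - [10/Jan/2020:12:00:{second:02d} +0000] "GET / HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed log: one flooding source, one occasional match, one normal client.
SAMPLE_LOG = ([_line("203.0.113.5", i // 5, DARKSHADES_UA) for i in range(25)]
              + [_line("198.51.100.7", s, DARKSHADES_UA) for s in (0, 30, 59)]
              + [_line("192.0.2.9", 7, "curl/7.68.0")])
```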
The last noteworthy command is the one which creates a reverse shell to the attacker, thus allowing the attacker complete control over the device.
Figure 21: the function which initializes the reverse connection
Figure 22: a snippet of code from the class that makes the reverse connection
We conclude that only two Darkshades variants exist: one with the card credential grabbing “feature” and one without it. The code lacks some implementations, such as the WhatsApp functionality. Since this family has been active at the end of 2019 and the beginning of 2020, we are confident that this is a new family which will continue to appear in the wild. We also expect more variants with space-related names such as “Nebula”, “Meteoroid” and “com.cosmos.darkshades”.
We recommend that users always be careful about the source of the apps they install, pay close attention to the permissions that apps request, and always use an anti-malware solution to protect their devices.
Hashes (Avira detection name: ANDROID/SpyAgent.FOTY.Gen)
URLs (at the time of writing, all are down)
Paths:
- /sytem/app/Cosmos (at command)
- /sdcard /Meteoroid (at command)
- [externalStorage]/Meteoroid/Dark_Shades_Encrypted_[random_number] (at command)
MITRE ATT&CK techniques

| Tactic | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means | The app doesn’t impersonate a legitimate app nor is it distributed via an authorized app store |
| Discovery | T1426 | System Information Discovery | The app uniquely identifies the device via information from the android.os.Build class |
| Discovery | T1422 | System Network Configuration Discovery | Gathers telephony information such as IMEI and phone number through the android.telephony.TelephonyManager class |
| Collection | T1433 | Access Call Log | Gathers call log data after an SMS is received |
| Collection | T1432 | Access Contact List | The app gathers the contact list and has the ability to also write to it |
| Collection | T1429 | Capture Audio | Can collect audio recorded by the microphone if given the android.permission.RECORD_AUDIO permission |
| Collection | T1512 | Capture Camera | Can take pictures and videos if given the android.permission.CAMERA permission |
| Collection | T1412 | Capture SMS Messages | The app captures the SMS inbox after an SMS is received |
| Collection | T1430 | Location Tracking | The app tracks the device’s physical location through use of standard operating system APIs |
| Collection | T1513 | Screen Capture | Captures screenshots using the screencap command |
| Exfiltration | T1437 | Standard Application Layer Protocol | Sends all the information captured from the device using HTTP or HTTPS |
| Command & Control | T1437 | Standard Application Layer Protocol | Gets a JSON object from the server, containing the command, besides other |