‘Darkshades’ is a RAT (Remote Access Trojan) that targets Android devices. It enables criminals to steal contacts, track location accurately, exfiltrate live SMS/MMS, grab card credential, capture screenshot, encrypt files and initiate DDoS attacks.
Compared to other RAT families that are spread through Google Play apps, or third-party tools, the infection vector of this family of RATs does not have a stable infection strategy. Consequently, despite extensive functionality, Darkshades has kept a low profile: On Twitter it has been mentioned twice since 2017, and by the end of 2019 only two samples had been identified in the wild. Despite this, Avira found a sample in March 2020.
In this blog, Bogdan Anghelache, threat researcher of the Android Detection Team at Avira, takes a deep dive into recent Darkshades samples and analyzes how they infect Android devices.
The Darkshades samples were successfully run on all major versions of Android (including version 5 to 10). The samples behave differently depending on the version of Android:
- on Android 10, 9 and 8 – the samples don’t have a specific icon, just the Android default one
- on Android 7, 6 and 5 – the samples have specific icons, representing their title (for example, the ones that impersonate the calculator app have the iPhone calculator app icon)
- on Android 10 – the accessibility feature is not triggered every time
- on Android 7 – the app icon is deleted from the application menu view
Figure 1: left: no icon is present on Android 10; middle & right: the iOS calculator and “Privacy Guard” icons are present on Android 6
Behavior and C&C communication
After the application is installed, it appears under one of these names: “Privacy Guard”, “Calculator” or “System Update”.
The application doesn’t have a specific icon, just the default Android one. When opened, the application asks for a host of dangerous permissions:
- Access to contacts
- Making and managing phone calls
- Take pictures and record video
- Access to the filesystem and location
- Record audio
- Send and view SMS messages
These permission requests should raise a red flag for the user. The application doesn’t have any user interface or functionality to justify the need for those permissions.
After the permissions are granted, the application begins communicating with its Command and Control server (C&C). First it uploads to the [path]/receive_all.php endpoint the call logs and SMS data of the user.
Figure 2: the initial object sent is empty, because I used a clean emulator image
Then, it continuously uploads sensitive information on the server about the device: IP address and GPS location:
Figure 3: the object sent containing the timestamp, mail, bot ID (name), IP and manufacturer
Figure 4: the object sent with the location of the user (the one above is the default emulator location)
After each received SMS, the application will make a POST request to the [path]/receive_all.php endpoint and upload the call log and SMS data of the user:
Figure 5: the call logs and SMS data of the user are sent to the server
If accessibility access is granted, the application will send to the [path]/uploads/device_keystrokes.php endpoint every key pressed by the user when a text box is edited (including a browser search bar, text messages, notes etc)
Figure 6: the keys pressed by the user are sent to the server; above is the final result
Anti-Virus checks and card credential grabbing
After the first “run” of the data exfiltration services (contacts, text messages, keystrokes), the malware starts an interesting service called com.cosmos.darkshades.Anti.AntiService which has two main responsibilities:
- ensures that certain services are running, which are:
- runs a TimerTask every 10 milliseconds, which we’ll analyse in detail below
Analysis of the above services
Looking into those services, we found that TriggerService and MyService have the role to make sure that the other, more important services (AntiService, ConnectivityService and ServiceController) are always running.
ConnectivityService checks for internet access (the authors left behind some funny log messages like Log.d(“nOOooOo”, “internet”) when there is no internet access ), uploads to post_gps.php the live GPS coordinates of the device and starts TriggerService and ServiceController. Because of this recurrent service starting, it is safe to assume that the authors took great care that these four services always remain running.
ServiceController is more complex than that; as usual it checks for an internet connection but after that it creates nine directories and one file, which can be used as IOCs. After the creation of the directories and the file, it POSTs to DS_info.php the data which can be seen in Figure 2, and awaits commands from the C&C server (we will detail some of the commands later in this article).
Figure 7: the directories and file created by the malware
Analysis of the TimerTask
In broad terms, the second responsibility of the AntiService is to start the activity responsible for stealing the card credentials, com.cosmos.darkshades.Main.Ccg (most likely Ccg stands for Card credentials grabber).
In more detail, this service does a few other things: it makes sure that ServiceController is running and acts based on the content of two files, found on the external storage:
The first file, Anti.txt, contains values separated by commas. The values come as a command from the server “AntiG[value]”.
Two lists of string values are present in the AntiService, with hardcoded values:
- the first one represents a list of android package names associated with anti-virus products, including “com.kms.free”, “com.avira.android”, “com.eset.ems2.gp”, “com.symantec.mobilesecurity”, “com.drweb.pro”, “com.trendmicro.freetmms.gmobi”, “com.trendmicro.tmmspersonal.apac” and a few others
- the second one contains computer security related keywords like “security”, “antivirus”, “cleaner”, “mobilesecurity”, “malware”, “protect”. An interesting finding is that on the list are present these keywords “trendmicro” and “symantec”
Besides starting the card credentials grabber activity, the TimerTask gets the package name of the last used application and uses that value in three checks:
- if the package name is present in the anti-virus vendors list
- if the package name contains any of the keywords above
- if the package name is found in the injects.txt file
When at least one of the conditions above is true, the wifi settings screen will pop up, while the home screen will be replaced with the application’s main activity.
The content of second file, injects.txt, is also used as a trigger for certain operations and, if it contains this command “com.android.vending,Ccg”, the card credentials grabber activity is started.
Looking at the Ccg activity
This one is simple: a fake “Playstore Wallet” activity is shown to the user. The user is tricked into filling in the credentials of the credit card which are stored in a text file found in the external storage: Android/data/com.antiguard.cosmos/[Bot_ID]_CC.txt.
Figure 8: the Ccg activity initialization function: the content and title are set so that everything looks legit
Figure 9: the function above stores the credentials in a string builder and calls the “a” function with the details
Figure 10: this is the “a” function mentioned above: the card credentials are store in the “_CC.txt” text file
Figure 11: the background task that uploads the file to the server, along with unique details about the device
Analysis of the C&C commands
The malware has a big set of commands – 48 in total – which are hardcoded in an array. Below, we will analyze the most interesting.
NOTE: c.d ([string]) runs the command given, as super user
This command removes the PIN, password or pattern (if one of them is set) that protects the device from physical breach, when the screen is locked.
Figure 12: the PIN/password/pattern is removed by running the commands above (with root privileges)
Verifies if the app has root permissions. If true, moves the application (com.cosmos.darkshades) into the /system/app/Cosmos directory, gives it root permissions and deletes the app from the usual /data/app directory, thus making it harder to remove for the non-technical users.
Figure 13: the app is moved to “/system/app/Cosmos” and is being given root privileges; also the original app is deleted
Starts the audio recording process.
Zips all the content of the /Android/data/Nebula directory, which contains the text files with the information gathered until that point.
Figure 14: the function responsible for the zip, found after a few hops; the information is zipped and saved in an archive with the bot ID and the name in its name
This command gives the app superuser (root) access, which is equivalent to having complete control over the device.
After looking at the function below, we concluded that this variant has a functionality that is related to WhatsApp, although we didn’t find anything implemented.
Figure 15: the “Nebula” directory is again zipped, but this time the zip has “WhatsApp” in its name
This command starts a notification process on the user’s phone with the text given from the command and control center, along with lights and vibrations. Most likely this is a feature to scare the victim or bombard him/her with ads.
8. Ewii/Dwii and Eblue/Dblue:
Enables or disables the Wifi and/or bluetooth. Enabling bluetooth leaves the device vulnerable to bluetooth based attack such as BlueFrag.
First, we will talk about the encryption process: the app creates the Meteoroid directory in the external storage and then encrypts the file found at the path sent along with the command using the AES cypher and key found in the command.
The encrypted file will be found in the Meteoroid directory and will have this name: Dark_Shades_Encrypted_[random_number].
The command most likely looks something like this 3ncrypts, [path_to_file], [key]. We make this assumption because the command received from the server is split into three parts, as seen below:
Figure 16: the function that creates the “Meteoroid” directory and splits the command.; below is the a(new File(str3), split) function
Figure 17: the encryption function
After a file has been encrypted, a new file called _NEW_Encrypted_File_Name_ [same_random_number] will appear in the Meteoroid folder, with the following content:
“Dark Shades has encrypted a file.
File location & Name : ” [location_of_the_file] ”
Ending number with extension is the encrypted file (Eg: 4545.txt must be used to decrypt the file and not the entire file name).
Please use the exact file name & Password to decrypt this file.”);”
This makes the user think that the password has been kept in some file, but it’s not true, because the encryption/decryption key (being a symmetric cipher, AES uses the same key for encryption and decryption) is not kept anywhere in the filesystem. The decryption process is the same as the encryption process: the [random_number] that is found in the name of the encrypted file Dark_Shades_Encrypted_[random_number] is received in the d3crypt command, along with the decryption key. After being decrypted, the filename will be found in the Meteoroid directory having this name: [random_number].[original_extension].
These commands apply the above-mentioned encryption process to most of the files found in the external storage, based on their extension. All types of office documents (doc, DOC, docx, DOCX, TXT, txt, ppt, xls etc) are targeted, along with .mp3, .mp4, .wav, .jpg, .png, .C, .JAVA and many more types.
These commands all relate to telephone operations and their usage is as follows:
- Tsms: sends an SMS to the number and with the content present in the command
- Rcall: makes a call to the number found in the command
- delcon: deletes all the contacts in the contacts list
- DelCal: deletes the call logs
- gctcts: fetches all the contacts from the contacts list and saves them in a .vcf file found in /Android/data/Nebula/Contacts
Captures the screen using the screencap command and saves it in the/Android/data/nebula/Pictures directory.
Figure 18: the screen capturing function
Returns a shell handle to be used for future commands.
This command is the trigger for starting the Card credentials grabbing procedure.
This command initiates a Distributed Denial of Service (DDOS). The target and the duration of the attack are found in the command.
Figure 19: the command (str) is being split and, in the for loop, the attack (the b(str2), where str2 is, most likely, the target) is being started)
Below is the class responsible for the DDOS attack. The value of “User-Agent” property can be used in the firewall to potentially block this kind of attack: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”
Figure 20: the class responsible for the DDOS attack
The last noteworthy command is the one which creates a reverse shell to the attacker, thus allowing him complete control over the device.
Figure 21: the function which initializes the reverse connection
Figure 22: a snippet of code from the class that makes the reverse connection
We conclude that only two Darkshades variants exist. The one with the card credentials grabbing “feature” and the other without it. The code misses some implementation functions such as the WhatsApp functionality. The fact that this family has been active at the end of 2019 and the beginning of 2020, suggests we can be confident that this is a new family which will continue to make its appearance in the wild. We also expect some more variants with space related names such as: “Nebula”, “Meteoroid” and “com.cosmos.darkshades”.
We recommend users to be always careful about the source of the app they are installing. Additionally, pay great attention to the permissions that apps are requesting, and always use an anti-malware solution to protect their devices.
Indicators of Compromise (IoCs)
|Hashes (Avira detection name: ANDROID/SpyAgent.FOTY.Gen)|
|URLs (at the time of writing, all are down)|
|/sytem/app/Cosmos (at command)|
|/sdcard /Meteoroid (at command)|
|[externalStorage]/Meteoroid/Dark_Shades_Encrypted_[random_number] (at command)|
MITRE ATT&CK techniques
|T1476||Deliver Malicious App via Other Means||The app doesn’t impersonates a legitimate app nor is it distributed via an authorized app store|
|T1426||System Information Discovery||The app uniquely identifies the device via information from android.os.Build class|
|T1422||System Network Configuration Discovery||Gathers telephony information such as IMEI and phone number through the android.telephony.TelephonyManager class|
|T1433||Access Call Log||Gathers call log data after an SMS is received|
|T1432||Access Contact List||The app gathers the contact list and has the ability to also write to it|
|T1429||Capture Audio||Can collect audio recorded by the microphone if given the android.permission.RECORD_AUDIO permission|
|T1512||Capture Camera||Can take pictures and videos if given the android.permission.CAMERA permission|
|T1412||Capture SMS Messages||The app captures the SMS inbox after an SMS is received|
|T1430||Location Tracking||The app tracks the device’s physical location through use of standard operating system APIs|
|T1513||Screen Capture||Captures screenshots using the screen-cap|
|Exfiltration||T1437||Standard Application Layer Protocol||Sends all the information captured from the|
device using HTTP or HTTPS
|Commands & Control||T1437||Standard Application Layer Protocol||Gets a JSON object from the server,|
containing the command, besides other