One of the most successful techniques used by malware authors is to masquerade behind a legitimate, world-famous app. Please meet a small APK with a file size of about 65 KB – less than the average photo – a banking Trojan that can cause substantial financial loss and loss of private data to a user with an untrained and unsuspecting eye.
Jumpin’ Jack Flash
The first things that capture everyone’s attention after the APK is launched are the application’s “Flash Player” name and its icon. It’s a simple but very effective phishing method that can, in many cases, trick the common user. To uncover the phish behind the brand name, a good practice is to look at the app’s required permissions, as they give you a pertinent first impression of the app’s actual nature.
The first required permissions relate to SMS messages and phone calls. These are typically abused by malware creators to generate revenue by sending SMS messages to premium-rate numbers or calling various hotlines. Let’s not forget another interesting aspect – privacy. These permissions also allow your entire contact list to be harvested and all your SMS messages to be read.
Some additional permissions are exposed after clicking the Next button. The “disable your screen lock” permission is suspect, especially considering the name of the APK. Ask yourself this question: why does a Flash installation need to automatically bypass the security lock, directly call phone numbers, or send SMS messages? There are other suspect permissions, including “run at startup”, “draw over other apps” and “prevent tablet from sleeping”, among others. By now, at least an eyebrow should be raised.
As soon as installation finishes and the app is launched, its first action is to request device administrator privileges. The described operations – monitoring screen-lock attempts, locking the screen, and setting lock-screen password expiration – are self-explanatory and are mainly used in ransomware and scareware campaigns. This is a good indication that the file is malware.
After installation is complete, we can see that a shortcut has been added to the launcher. But when clicking on it, nothing visible happens; the application runs and remains hidden in the background. There is no graphical interface at all, and the user may think this is OK for a Flash Player; after all, it’s only supposed to be used on websites with Flash.
Analyzing the code:
The next malware hints are inside the decoded XML file: the application’s package name (com.fdigsji8e8df98tgw9b.xssvesioeniw) and main activity’s name (com.fdigsji8e8df98tgw9b.Maindfjke_ufo34on3) are randomized. We can also see that the names of the declared services are randomized; these are the background tasks that run without any user interaction.
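The permission review and the randomized-name observation above can be turned into a small triage script for a decoded AndroidManifest.xml. This is an added example, not code from the post or from Avira; the sample manifest is constructed, with only the package and main activity names taken from the post (the receiver name and permission list are made up to mirror the install-time prompts), and the scoring weights and the "random name" heuristic are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
# Permissions the post singles out as unjustifiable for a "Flash Player".
SUSPECT_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.READ_SMS": "read SMS (intercept banking codes)",
    "android.permission.CALL_PHONE": "call numbers directly (USSD, hotlines)",
    "android.permission.READ_CONTACTS": "harvest contact list",
    "android.permission.READ_CALL_LOG": "harvest call logs",
    "android.permission.DISABLE_KEYGUARD": "disable screen lock",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
}

def looks_random(segment: str) -> bool:
    """Rough heuristic for generated names: letters mixed with digits, or 5+ consonants in a row."""
    s = segment.lower()
    return bool(re.search(r"[a-z][0-9]|[0-9][a-z]", s) or re.search(r"[bcdfghjklmnpqrstvwxz]{5}", s))

def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)  # manifest element; attributes use the android: namespace
    perms = [e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")]
    findings = [f"{p}: {SUSPECT_PERMISSIONS[p]}" for p in perms if p in SUSPECT_PERMISSIONS]
    wants_admin = any(a.get(ANDROID_NS + "name") == DEVICE_ADMIN_ACTION for a in root.iter("action"))
    names = [root.get("package", "")] + [c.get(ANDROID_NS + "name", "")
             for tag in ("activity", "service", "receiver") for c in root.iter(tag)]
    random_names = [n for n in names if any(looks_random(s) for s in n.split("."))]
    score = len(findings) + (3 if wants_admin else 0) + (2 if random_names else 0)  # assumed weights
    return {"findings": findings, "device_admin": wants_admin, "random_names": random_names,
            "score": score, "verdict": "suspicious" if score >= 5 else "unremarkable"}

# Constructed sample: package and activity names are quoted from the post, the rest is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fdigsji8e8df98tgw9b.xssvesioeniw">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <activity android:name="com.fdigsji8e8df98tgw9b.Maindfjke_ufo34on3"/>
    <receiver android:name="com.fdigsji8e8df98tgw9b.Hjdsk4uf9">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` flags all five permissions, the device-admin receiver and the three generated-looking names, which together push the score past the threshold.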
Let’s translate the classes.dex file from Dalvik VM bytecode to a JAR and look a little into the decompiled Java code.
We can see that the call logs and contact lists from the phone are collected in JSON format, along with all details such as number, date, duration and type of call. The IMEI of the phone and its corresponding bot_ID (which is recognized by the malware’s Command & Control server) are added later.
We can see SMS messages are being collected in the same manner:
A local database that stores commands from the C&C server is created, and from the fields we can see that the default SMS app’s name has been saved, hinting that the application may intend to change it.
Next we can see what commands are received from the C&C server and the actions performed:
The JSON file is Base64-encoded and a connection to the C&C server is attempted. If the response is false, the thread is put to sleep for 5000 ms.
If the next POST request after the sleep period also fails to connect, a new server URL is tried.
Here is a short list of the C&C servers which the app tries to reach:
There’s more malicious behavior:
– an overlay is used to create a fake login screen that is displayed on top of most applications. The goal is to trick the user into entering their credentials into this screen, from where they are subsequently uploaded to the C&C server;
– the ringer mode is automatically set to silent and USSD codes are executed through android.intent.action.CALL, helping the malware cover its tracks;
– extra C&C servers are found via Twitter, using hash entries stored in its resources.arsc file.
But don’t worry: if you have Avira Antivirus for Android installed on your device, Avira already detects this threat as ANDROID/BankBot.ZTB.Gen.