Category: Malware

Want to have a look at Android Skullkey?

I uploaded the Java code decompiled with JEB 1.4 here: skullkey_JEB_decomp_20131205.zip
The interesting bits are in com.hk515. Have fun!

Sample MD5 48c3903b3e91f4c5fbc65b640647f7d7 is available on Contagio.

This threat was initially reported by Kaspersky and seems to have gathered quite some amount of attention lately.

I’m attaching the sources decompiled by JEB 1.2 to this post, for analysts who’d like to take a look at it. One particularity of OBad: it’s been protected by a well-known commercial obfuscator (which was briefly mentioned here and there). This protector employs generalized string encryption and calls methods through reflection, which makes raw source code a bit difficult to read – the sources have not been refactored and marked-up, the usefulness of it all is very limited: you be warned.

Archive: obad_decomp.zip

Sample MD5: f7be25e4f19a3a82d2e206de8ac979c8

Edit (June 11)

Jurriaan Bremer was kind enough to provide oboy.dex, a version of OBad with encrypted strings replaced by their decoded versions. JEB handles the file okay, despite the multiple string duplicates (which is one of the reasons why it could not be loaded on a phone.) I’ve attached the decompiled sources for his version below. (I also disabled the try-catch support for improved clarity.)

Archive: oboy_decompiled.zip

This Android malware was referenced in a recent blog post (http://www.xchg.info/?p=46) and I thought analysts would be interested in checking out the decompiled bytecode.

Java files for live.photo.savanna and com.androways.advsystem: BadNewsA_Src.zip

Sample MD5: 98cfa989d78eb85b86c497ae5ce8ca19

The implementation of this Android malware is strong and clean. Nothing really innovative though.

Here’s a short summary:

• Masquerades as a German certificate installer app. The fake login/pin is used to uniquely identify the phone (on top of the phone number and IMEI.)
• Achieves SMS interception, most likely to break 2-factor authentication. There are 3 modes of operation: do nothing, intercept and proceed, intercept and cancel SMS broadcast.
• Multiple command-and-control servers. Two hard-coded domains are hxxp://app-smartsystem.(com|net)/sms/d_m009.php
• The C&C urls can be updated, either by contacting the existing the existing C&C, or via SMS sent by the master. Such SMS contain the string “&Sign28tepXXX”.
• The communication with the C&C is encrypted using AES-ECB, with the static key “0523850789a8cfed”. The server also base64-encodes its payloads. (The client does not.)
• The malware will try to start at boot time (BOOT_COMPLETED receiver), and also registers a 15-minute timer to query the server for updated C&C urls.

 

The APK was run through a name obfuscator. I’m attaching the sources decompiled using JEB 1.1, and with most of the refactoring/renaming/commenting work done. For JEB users, here is the JDB file. Enjoy.

Sample MD5: 1cf41bdc0fdd409774eb755031a6f49d

Let’s have a quick look at a variant of Android.Uracto, an app that steals (and potentially spams) contacts from Android devices. There is nothing particularly interesting about this piece of malware, but it’s the occasion to demonstrate some of JEB less-known and forthcoming abilities.

Upon startup, the app displays the following spinner, that translates to “Reading the articles…”:

The onCreate() method for the main activity displays the above spinner, and also starts a new Thread, that will create and run a Progress object. Here it is:

The run() method will call postMailList(). This method gets the ContentResolver for the app, and enumerates all entries having the “vnd.android.cursor.item/name” MIME type. According to the documentation, these entries represent “contacts’ proper names”.

A buffer representing the data1, data2, and data3 fields (respectively, Display Name, Given Name, and Family Name) is dynamically created.

[JEB specific]

Notice the optimizations that allowed the creation of that compact construct:

• for-loop optimization
• string concatenation
• aggressive variable substitution

Some of these optimizations are already present in 1.0.x, others will be included in the 1.1 versions.

[/JEB specific]

The final data (“contact1, contact2, …”) is dumped on the external memory storage, encoded and POST’ed to hxxp://jap2012.com/data/main.php.

Find the decompiled activity here: solution.newsandroid.MainviewActivity

Sample MD5: ba73e96caa95999321c1cdd766bdf58b

Let’s inaugurate this blog by looking at a fairly simple piece of Android malware, an SMS interceptor app whose prime targets are South Korean users.

The app impersonates a Starbucks coupon (스타벅스 쿠폰) app.

Let’s check the decompiled Java code.

When the user starts the app, it displays a fake error message, indicating that the server is out-of-service, and terminates. In the meantime, it has registered and started the malicious service com.catchspam.catchservice.

Notice that a preference variable “runYN” is set to “execute” (실행.) More on it later.

The malicious service does two things:
– First, it registers the cellphone number by POST’ing it to hxxp://it7980.com/Android_SMS/installing.php. (If the number is Korean and starts with the prefix +82, it receives “special treatment”.)
– Then, it registers a BroadcastReceiver meant to process incoming text messages.

The BroadcastReceiver com.catchspam.catchsms2 processes SMS_RECEIVED intents. The last PDU is processed and (supposedly) contains the text message.

In the following screenshot, notice that the author implemented a minimal C&C-like behavior:
– If the text reads “execute”, the runYN preference variable will also be set to “execute”.
– If the text matches the “magic passphrase”, that variable will be set to “pause”. (It roughly translates to: “Back and forth the same versus luck ♥ Lee ♥ ♥ Please call 1588-1588”.)
Later, runYN is checked and the interception procedure will bail if it is not set to “execute”. This allows the author to enable/disable the interception, either globally or for specific phone numbers.

The intent broadcast is cancelled to prevent other apps (and eventually, the user) from processing the SMS. Finally, the message is POST’ed to the author’s server. The data format is “mobile=<number>&revsms=<textmessage>”.

SMS stealers can be simple annoyance or steal personal data. In this case, it might be used to capture 2-factor authentication codes sent by online banking websites.

Download the sample here.