Update Feb 11, 2020: I hadn’t correctly understood the confidence percentage. So, I updated the part regarding a False Positive… which is not actually a False Positive! + Quark authors kindly invited me to join the Quark community.
Disclaimer: I am not an author of Quark. I am not a “Quark Expert” either, so I might have missed a few tricks. …
This article discusses a recent Android sample from January 2021. It was first scanned on the 11th but, according to its certificate, was probably released on the 7th. Similar samples were seen in December 2020. sha256:
It is immediately clear the sample is packed. When the sample is launched, a class com.android.StubApplication is called. This loads another DEX, which is decrypted from assets file
The name of class StubApplication reminds us of Tencent, Baidu or Qihoo packers, but not quite, because in their case the asset decryption is performed by a native library named
In the previous article, we unpacked a malicious version of the “Tous Anti Covid” application. We know the main entry point of the payload DEX is
Using the decrypted payload DEX we unpacked in the previous article, we quickly notice that this class contains several encrypted strings. In this article, we’ll see how to create a JEB script to decrypt the strings.
A few days ago, @H_Miser retweeted about a smishing attempt where malware authors were sending a link to a malicious app faking the official French Android app “Tous Anti Covid”.
I downloaded the malicious sample (c1dd9c26671fddc83c9923493236d210d7461b29dd066f743bd4794c1d647549) and we are going to unpack it using JEB and Dexcalibur. There are many other ways to do this: pure static analysis (with JEB or another decompiler), with Frida etc.
Quickly, we notice the sample is packed. Indeed, the package’s namespace is tuna.obvious.trust, but the Android manifest references numerous activities and services in the namespace dad.calm.invest, which does not exist in the sample.
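The check just described (manifest declares components whose classes are in no DEX of the APK) is easy to automate. Below is an added example, not code from the original post or from JEB/Dexcalibur: it parses a constructed, already-decoded AndroidManifest.xml (binary XML must first be decoded, e.g. with apktool or androguard), fully qualifies every android:name the way Android does, converts the names to Dalvik descriptors and diffs them against a constructed set of class descriptors standing in for what you would read from classes.dex. The component and class names are placeholders, not the sample’s real ones.

```python
"""Spot a packed APK by diffing manifest components against DEX classes."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest (decoded from binary XML). Component names are
# placeholders; only the two namespaces mirror the case discussed above.
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tuna.obvious.trust">
  <application android:name="com.android.StubApplication">
    <activity android:name="dad.calm.invest.MainActivity"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name="dad.calm.invest.AccessService"/>
    <receiver android:name="dad.calm.invest.BootReceiver"/>
  </application>
</manifest>
"""

# Constructed set of class descriptors as they would be read from classes.dex
# (for instance with androguard or dexdump): the stub and the legitimate
# package are present, none of the dad.calm.invest components is.
DEX_CLASSES = {
    "Lcom/android/StubApplication;",
    "Lcom/android/a;",
    "Ltuna/obvious/trust/SettingsActivity;",
    "Ltuna/obvious/trust/BuildConfig;",
}


def resolve_class_name(name, package):
    """Fully qualify an android:name attribute.

    A leading '.' means relative to the manifest package (the documented
    rule); a bare name with no '.' at all is treated the same way, as the
    build tools do.
    """
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def to_descriptor(fqcn):
    """Java class name -> Dalvik descriptor, e.g. a.b.C -> La/b/C;"""
    return "L" + fqcn.replace(".", "/") + ";"


def manifest_components(xml_text):
    """Return {descriptor: tag} for the application class and every component."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    found = {}
    app = root.find("application")
    if app is None:
        return found
    app_name = app.get(ANDROID_NS + "name")
    if app_name:
        found[to_descriptor(resolve_class_name(app_name, package))] = "application"
    for tag in COMPONENT_TAGS:
        for el in app.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                found[to_descriptor(resolve_class_name(name, package))] = tag
    return found


def missing_components(xml_text, dex_classes):
    """Descriptors the manifest declares but no DEX in the APK defines.

    Such ghost components are the classic sign that the real code is
    decrypted and loaded at runtime by the application class (the stub).
    """
    comps = manifest_components(xml_text)
    return sorted(d for d in comps if d not in dex_classes)


def foreign_packages(descriptors):
    """Java packages of the given descriptors: which namespace is absent."""
    pkgs = set()
    for d in descriptors:
        fqcn = d[1:-1].replace("/", ".")
        pkgs.add(fqcn.rsplit(".", 1)[0])
    return pkgs


if __name__ == "__main__":
    comps = manifest_components(MANIFEST_XML)
    missing = missing_components(MANIFEST_XML, DEX_CLASSES)
    for d in missing:
        print(f"{comps[d]:<12} {d}  <-- not in any DEX")
    print("missing namespaces:", foreign_packages(missing))
```

On a real APK, feed every classes*.dex (multidex) into the class set before diffing, otherwise a legitimately split app shows false ghosts; a namespace that is entirely absent, as here, is what points at a packer rather than a mere missing class.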
Cowrie is an open source SSH/Telnet honeypot. It is particularly suited to IoT (it can mimic various architectures, and Mirai-like malware targets SSH/Telnet). The project is documented here and you can find lots of articles on the Internet which explain how to install it and quickly set it up (e.g. here). But if you are after information to help you customize Cowrie to your needs, apart from the project’s documentation and GitHub issues/history, you are (mostly) going to be on your own. Let’s try and remedy the situation, at least a bit 😉.
This is part 2 of “Locating the Trojan inside an infected COVID-19 contact tracing app”. We are going to explain how the malware works.
In part 1, we explained that a genuine COVID-19 contact tracing app was trojanized with a Java-based Meterpreter. The sources of what gets injected in the app can be found on GitHub. The most important part is located in Payload.java (details: the main entry point is MainActivity, which starts a MainService, which instantiates Payload). The Payload class does the following:
configBytes). We will detail the contents of the configuration later.
Update Sept 25, 2020: part 2 is available here.
An Italian company, SoftMining, developed an Android COVID-19 contact tracing application “SM-COVID-19”. Unfortunately, malware authors repackaged the application to include a Java-based Meterpreter backdoor from Metasploit.
The samples were discovered in March 2020, and you can find several blog posts on them (here, here). For instance, this one mentions the samples are “repackaged application injected with metasploit”. Interesting! But where is that “metasploit” in the samples? That’s what we are going to discuss in this article.
When the victim launches the infected app on the smartphone, the legitimate COVID-19 application begins…
Update Aug 14: Fixed sha256 of sample (previous sha256 was another malicious covid-19 contact tracing app, but not exactly the one I analyzed in this article).
Update Aug 17: Added link to dummy server’s code.
Aarogya Setu is the Indian open source COVID-19 contact tracing app. Like many other COVID-19 tracing apps, it has many malicious copy-cats (see here). In this article, we are going to focus on one of the malicious apps (sha256: 885d07d1532dcce08ae8e0751793ec30ed0152eee3c1321e2d051b2f0e3fa3d7) and how it communicates with its CnC.
This malware was first seen by @malwrhunterteam in May 2020, distributed via the phishing link http://prettysavantwholesale[.]com/Aarogya-Setu-v1.5.apk (no longer active)…
Update June 22, 2020: thanks to @ektoplasma_ for pointing out the crypto algorithm is not “home-made” but RC4.
The unpacked sample has sha256:
When it is started, the malware communicates with a remote C&C to report that it has infected a victim’s phone (it sends the phone’s model, release, product name, country and phone number).
All communication to the C&C has the following form:
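The teaser above stops before showing the message format, and the update note records that the “home-made” cipher turned out to be plain RC4. The block below is an added example, not code from the original post and not the sample’s own routine: a minimal RC4 (key scheduling plus keystream generation) checked against published RC4 test vectors, which is exactly how you confirm that a suspicious-looking routine is real RC4 rather than a variant, followed by a constructed beacon encoder/decoder. The beacon key, the ‘|’-separated field layout and the field values are assumptions for illustration only; they are not the malware’s real key or format.

```python
"""RC4 as found in the C&C code path: KSA + PRGA, verified on known vectors."""
import binascii


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation: XOR data with the keystream)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Published RC4 test vectors: (key, plaintext, ciphertext as hex).
# A routine that reproduces these is RC4, whatever it is called in the code.
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
]


def self_test() -> bool:
    """True if our implementation matches every published vector."""
    return all(rc4_crypt(k, p) == bytes.fromhex(c) for k, p, c in TEST_VECTORS)


# Constructed beacon: key and field layout are assumptions for the example,
# not the sample's real key or message format.
BEACON_KEY = b"example-key"
BEACON_FIELDS = ["Pixel 3", "10", "blueline", "FR", "+33600000000"]


def encode_beacon(key: bytes, fields) -> str:
    """Join fields with '|', RC4 them and hex-encode, as a bot client might."""
    return binascii.hexlify(rc4_crypt(key, "|".join(fields).encode())).decode()


def decode_beacon(key: bytes, hex_blob: str) -> list:
    """Reverse of encode_beacon: what an analyst does on captured traffic."""
    return rc4_crypt(key, binascii.unhexlify(hex_blob)).decode().split("|")


if __name__ == "__main__":
    print("RC4 self-test:", "OK" if self_test() else "FAIL")
    blob = encode_beacon(BEACON_KEY, BEACON_FIELDS)
    print("beacon on the wire:", blob)
    print("decoded:", decode_beacon(BEACON_KEY, blob))
```

When you lift the real key from the unpacked DEX, swap it into decode_beacon and run it over the hex blobs captured from the C&C exchange; if the self-test passes but the captured traffic does not decode, the malware either uses a different key per message or an encoding layer (base64, custom alphabet) on top of RC4, not a different cipher.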
On May 1, 2020, a new version of Android BankBot (aka Anubis, Nautilus Bot) was spotted. The malware poses as a COVID-19 alert application.
We will try to reverse the sample (sha256: 9c7b234d0d46169dcefb9f5b22c5df134b1a120b67666c071feaf97a6078d1a1). Previous versions of BankBot have been disassembled here and here, but that was 2 years ago, and BankBot has changed (and improved) quite a lot.
Load the sample in your favorite Android disassembler tool (I personally use JEB — the tool is not free but very good, and there is a free demo). In the Android manifest, we quickly notice:
1. Names are obfuscated. That’s frequent with…
Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.