A native packer for Android/MoqHao

Comparing a sample from 2021 (sha256: aad80d2ad20fe318f19b6197b76937bf7177dbb1746b7849dd7f05aab84e6724) with a sample from 2019 (analyzed here)
This is the part of the malicious payload that processes (malicious) Pinterest accounts to retrieve information on the CnC. For each targeted bank, the malware searches for the corresponding package on the smartphone, then displays a given Pinterest URL and a “hint” message. See this tweet by @bl4ckh0l3z.

Decrypting the payload

Payload decryption process

Preparing dynamic class

A DexClassLoader object is instantiated by the native function nd(). This consists of (1) calling FindClass, (2) searching for a constructor, and (3) using that constructor to create a new object. The other helper functions are:
  • Object cr(Class class): calls create() for the given class (com.Loader). This actually instantiates a Loader object.
  • Object lrd(int arg0, Object arg1, String classname, String arg3): calls loadClass() on the given class name and returns the loaded class object.
  • String g(int arg0): returns a different string depending on the argument. Beware, JEB currently decompiles it incorrectly: you must read the assembly. If the integer is 0, the routine returns “dalvik.system.DexClassLoader”; for 1 it returns “com.Loader”; for 2, “()Ljava/lang/Object;”; and for 3, “java.util.zip.InflaterInputStream”.

Executing the payload

Silly kvActivity does nothing more than starting BnActivity.
Hiding an application icon consists of calling the setComponentEnabledSetting method (the name is truncated in the image above) of the PackageManager class with the flags PackageManager.COMPONENT_ENABLED_STATE_DISABLED and PackageManager.DONT_KILL_APP. This is a well-known trick to keep an app running while hiding its launcher icon.
This is onStartCommand() of WqService. This method is automatically called by Android when the WqService starts. a_set_alarm calls native function a.snc() to set an alarm. I don’t actually know what it uses this alarm for.
List of native functions, and their description, in libgdx.so
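The strings recovered above (the g() string table, the com.Loader class, the InflaterInputStream used for the compressed payload, and the setComponentEnabledSetting call used to hide the icon) are usable as static triage indicators. The script below is an added example, not the author's tooling or anything shipped with the samples: it extracts printable strings from a dex or .so blob the way `strings` does, matches them against the indicators quoted in this analysis, and produces a score and verdict. The indicator grouping, the weights and the two input blobs are my own constructed assumptions.

```python
"""Static triage of a dex / native library blob for the MoqHao packer
indicators described in the analysis. Added example, not the author's code."""
import re

# Indicator strings quoted in the analysis above (dotted form as returned by
# g(), slashed form as FindClass would see it). Grouping and weights are my
# assumptions, not something the malware or the analysis defines.
INDICATORS = {
    "dex_class_loader": (3, [b"dalvik.system.DexClassLoader",
                             b"dalvik/system/DexClassLoader"]),
    "inflater_stream": (1, [b"java.util.zip.InflaterInputStream",
                            b"java/util/zip/InflaterInputStream"]),
    "loader_class": (2, [b"com.Loader", b"com/Loader"]),
    "object_ctor_sig": (1, [b"()Ljava/lang/Object;"]),
    "icon_hiding_api": (1, [b"setComponentEnabledSetting"]),
}

# Runs of at least 5 printable ASCII bytes, like the default `strings` output.
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")


def extract_strings(blob: bytes) -> list[bytes]:
    """Return the printable-string runs found in the blob."""
    return STRING_RE.findall(blob)


def match_indicators(blob: bytes) -> dict[str, list[str]]:
    """Map each indicator group to the needles actually present in the blob."""
    strings = extract_strings(blob)
    hits: dict[str, list[str]] = {}
    for name, (_weight, needles) in INDICATORS.items():
        found = sorted({n.decode() for n in needles
                        if any(n in s for s in strings)})
        if found:
            hits[name] = found
    return hits


def triage(blob: bytes) -> tuple[int, str]:
    """Score the blob and return (score, verdict).

    DexClassLoader alone is common in legitimate apps; the combination with a
    loader class and an inflater stream is what reproduces the packer pattern.
    """
    hits = match_indicators(blob)
    score = sum(INDICATORS[name][0] for name in hits)
    if "dex_class_loader" in hits and (
            "loader_class" in hits or "inflater_stream" in hits):
        verdict = "suspicious: native dex loading of compressed payload"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return score, verdict


# Constructed stand-ins for a packer library and a benign JNI library; these
# are not real sample bytes.
SUSPICIOUS_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"dalvik.system.DexClassLoader\x00com.Loader\x00()Ljava/lang/Object;\x00"
    + b"java.util.zip.InflaterInputStream\x00nd\x00cr\x00lrd\x00g\x00snc\x00"
    + b"setComponentEnabledSetting\x00"
)
BENIGN_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"JNI_OnLoad\x00Java_com_example_hello\x00strlen\x00"
)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_BLOB), ("benign", BENIGN_BLOB)):
        score, verdict = triage(blob)
        print(f"{label}: score={score} verdict={verdict} hits={match_indicators(blob)}")
```

Run it on an extracted lib (for example `triage(open("libgdx.so", "rb").read())`) to get a first-pass signal before opening the library in a disassembler. The setComponentEnabledSetting indicator is deliberately low-weighted: launchers and apps with activity aliases call it legitimately, so it only adds to a verdict already driven by the dynamic-loading strings.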

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax