An apparently benign app distribution scheme which has all it takes to turn (very) ugly

This articles discusses a recent Android sample from January 2021. It was first scanned on the 11th, but according to its certificate probably released on the 7th. Similar samples were seen in December 2020. sha256:f699f9e50e8401943321d757a9c1bab367473f102c0abfb57367e9252aae7fde

Packer

It is immediately clear the sample is packed. When the sample is launched, a class com.android.StubApplication is called. This loads another DEX, which is decrypted from assets file qoh.

The name of class StubApplication reminds us of Tencent, Baidu or Qihoo packers, but not quite, because, in that case, the asset decryption is performed by a native library named libTmdsdk.so.

Note you can get the unpacked JAR’s full path without pain with Dexcalibur or House. And then, do an adb pull to retrieve the file.

The sample has only been compiled for ARMEABI-v7a. Consequently, to run or hook the sample, you’ll need to get an Android emulator for ARM.

Downloading plugins

The unpacked JAR consists of a manifest and a classes.dex file. We find the main activity which was referenced in the packer.

The sample next queries a first URL to get the IP address for a “version” server. The sample posts to the version server details of the phone (IMSI, MAC address, IMEI, model…) and receives a customized list of apps to download. Finally, the sample downloads the apps and loads them silently.

JSON answer from the version server. Slightly edited for readability.

An easy way to follow the queries is with a Frida hook on the URL class. I also hooked loadApk and getRealDex which are part of the dynamically loaded DEX from x.jar.

This mechanism is particularly dangerous because, even if at a given moment the downloaded apps are not malicious, there is no way to ascertain the same channel won’t be used later to push malicious ones. Or the first server could be hacked or hijacked to return the IP address of a malicious version server. Additionally, the plugin we downloaded (plugin_wxgjzq3050_1102a) is encrypted, and decrypted by getRealDex(). We have all the components for a stealthy install of malware.

Malicious or not?

Despite a very dangerous download & install mechanism, I am not entirely convinced this sample is really malicious. This is because, so far, in the end, the distributed apps seemed at most scam or adware. Some AV detect the sample as a “Penguin” trojan dropper. It does indeed drop an APK. There is only little information what the Penguin family is, but it seems we should find code that puts a window on top of all others. I wasn’t able to locate such code in this sample, so probably bad naming. So, I named it Riskware/Tenpack!Android. Until it grows up bad…

To summarize, plain malicious or not, Penguin or not, we need to keep an eye on such samples, because they can turn very bad one day. This is a sample you certainly don’t want on your smartphone 😏

— Cryptax

PS. Have you seen this packer? Or any other comment, please feel free to reply.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store