An apparently benign app distribution scheme which has all it takes to turn (very) ugly

Packer

The packer loads a DEX, instantiates an object of class “com.android.qoh”, then invokes its method “ywraafdeerq”. Strangely, I was unable to locate that method in the dynamic DEX.
Native decryption library. Method a() returns the path of the payload DEX. Method b() decrypts the asset “qoh” into a JAR file.
Disassembly of the native library in Radare2. A function named “readAssert” (typo as in the code) reads an asset file and writes the data to x.jar.
Dexcalibur hook logs show DexClassLoader being called on the full path of x.jar.
With House, if you enumerate class loaders (see the Enumeration tab), you get the path of the unpacked asset.
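The hook that surfaces this unpacking step, written out as an added Frida script example (this is not the post's dynhook.js, and the helper names and regular expressions are mine): it logs every dexPath handed to the DexClassLoader constructor and tags paths that sit in an app-private data directory or on external storage, since a DEX or JAR that shows up there at runtime was not shipped inside the APK. The guard on `Java` lets the pure helper run outside Frida, so the classification can also be applied to a log after the fact.

```javascript
'use strict';
// Added example, not the post's own dynhook.js. Assumed: Frida's Java bridge is
// available when run inside frida; under plain Node only the helper below runs.

// App-private storage: /data/user/<n>/<pkg>/app_*/, files/, cache/, code_cache/
const APP_PRIVATE = /^\/data\/(user\/\d+|data)\/([^/]+)\/(app_[^/]+|files|cache|code_cache)\//;
// External storage roots as seen by the app
const EXT_STORAGE = /^\/(storage|sdcard|mnt\/sdcard)\//;

// Classify a dexPath: anything in a writable location was produced at runtime,
// which is exactly the packer/plugin behaviour we want to flag.
function summarizeDexLoad(dexPath) {
  const m = APP_PRIVATE.exec(dexPath);
  const inAppPrivateDir = m !== null;
  const inExternalStorage = EXT_STORAGE.test(dexPath);
  return {
    dexPath,
    packageName: inAppPrivateDir ? m[2] : null,
    subdir: inAppPrivateDir ? m[3] : null,
    inAppPrivateDir,
    inExternalStorage,
    dynamic: inAppPrivateDir || inExternalStorage,
  };
}

if (typeof Java !== 'undefined') {
  // Inside Frida: hook DexClassLoader(String dexPath, String optimizedDirectory,
  // String librarySearchPath, ClassLoader parent) and log each load.
  Java.perform(function () {
    const DexClassLoader = Java.use('dalvik.system.DexClassLoader');
    DexClassLoader.$init.overload(
      'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.ClassLoader'
    ).implementation = function (dexPath, optDir, libPath, parent) {
      const s = summarizeDexLoad(dexPath);
      console.log('[+] DexClassLoader constructor hook: dexpath=' + dexPath +
        (s.dynamic ? ' (runtime-written, ' + (s.subdir || 'external storage') + ')' : ''));
      return this.$init(dexPath, optDir, libPath, parent);
    };
  });
} else {
  // Stand-alone demo on the two paths seen in the post
  console.log(summarizeDexLoad('/data/user/0/com.lt7qmgb699f.mnf6viyhwlt/app_c/x/x.jar'));
  console.log(summarizeDexLoad('/system/framework/framework.jar'));
}
```

Run it with `frida -U -l thisfile.js -f <package>` to get the same kind of `dexpath=` line the post shows; a path under `app_c/` or any other `app_*` directory is the unpacked payload, and the `subdir` field tells you which one to pull for static analysis.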

Downloading plugins

The main activity instantiates an object of class “go”. This is where the rest happens.
Two remote servers are involved. The first one makes the IP address of the second configurable.
{
  "code": "1",
  "errmsg": "3050",
  "host": {
    "versioncode": "0",
    "url": "hXXp://tuiapk.b0.upaiyun.com/dwon/jjlibao130.apk",
    "content": "..."
  },
  "mod": {
    "versioncode": "0",
    "url": "hXXp://nwapp.netwayapp.com/update/plugin_wxgjzq3050_1102a",
    "md5": "edd7617265ca16e1770b4666fad35c2f",
    "content": "..."
  }
}
(frida-env) axelle@boostix $ frida -U -l ./dynhook.js -f com.lt7qmgb699f.mnf6viyhwlt
     ____
    / _  |   Frida 14.2.8 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/
Spawning `com.lt7qmgb699f.mnf6viyhwlt`...
[*] Hooking dynamic class / method
Spawned `com.lt7qmgb699f.mnf6viyhwlt`. Use %resume to let the main thread start executing!
[Android Emulator 5554::com.lt7qmgb699f.mnf6viyhwlt]-> %resume
[Android Emulator 5554::com.lt7qmgb699f.mnf6viyhwlt]-> [+] DexClassLoader constructor hook: dexpath=/data/user/0/com.lt7qmgb699f.mnf6viyhwlt/app_c/x/x.jar
[*] hooking go...
[*] hooking loadApk...
[*] hooking getRealDex...
URL: hXXp://nwapi.oss-cn-hangzhou.aliyuncs.com/api.txt?679480192
URL: hXXp://nwapi.oss-cn-hangzhou.aliyuncs.com/api.txt?679480192
URL: hXXp://118.190.122.47/netway/android/gamehack2/?act=checkver&referer=3050&v=235&gameid=quan&imei=null&imsi=310260000000000&model=sdk_phone_armv7&android_id=d83ee8a01efeda0f&mac=02:00:00:00:00:00&sysver=7.0&uid=null
URL: hXXp://118.190.122.47/netway/android/gamehack2/?act=checkver&referer=3050&v=235&gameid=quan&imei=null&imsi=310260000000000&model=sdk_phone_armv7&android_id=d83ee8a01efeda0f&mac=02:00:00:00:00:00&sysver=7.0&uid=null
[+] downloadFile: url=hXXp://nwapp.netwayapp.com/update/plugin_wxgjzq3050_1102a dir=/storage/emulated/0/Android/data/com.lt7qmgb699f.mnf6viyhwlt/files/nwplugin/ localname=
URL: hXXp://nwapp.netwayapp.com/update/plugin_wxgjzq3050_1102a
URL: hXXp://nwapp.netwayapp.com/update/plugin_wxgjzq3050_1102a
[+] getRealDex: srcdex=/storage/emulated/0/Android/data/com.lt7qmgb699f.mnf6viyhwlt/files/nwplugin/plugin_wxgjzq3050_1102a
[+] getRealDex returns dex=/data/user/0/com.lt7qmgb699f.mnf6viyhwlt/app_sex/win.apk
[+] loadApk: dex=/storage/emulated/0/Android/data/com.lt7qmgb699f.mnf6viyhwlt/files/nwplugin/plugin_wxgjzq3050_1102a
[+] getRealDex: srcdex=/storage/emulated/0/Android/data/com.lt7qmgb699f.mnf6viyhwlt/files/nwplugin/plugin_wxgjzq3050_1102a
[+] getRealDex returns dex=/data/user/0/com.lt7qmgb699f.mnf6viyhwlt/app_sex/win.apk
[+] DexClassLoader constructor hook: dexpath=/data/user/0/com.lt7qmgb699f.mnf6viyhwlt/app_sex/win.apk
This is some very lame obfuscation found in the downloaded plugin. A bit strange to use something so simple, when the rest of the distribution of the package is complex…

Malicious or not?
