Android/Phoenix authors, claims, sample identification and trends
The Android/Phoenix botnet (see reverse engineering post here) was advertised underground in May 2023, and on GitHub and Telegram. The GitHub account is closed, but the Telegram channel is still active in 2024. The botnet panel is demonstrated in a video.
Several developers
Notice the creators take of themselves in plural terms: “we”. It seems indeed plausible that there are more than one. For instance, the implementation pays lots of attention to logging, thus debugging, which gets more and more necessary when there are several developers.
public void Log(String tag, String s1) {
if(this.consts.DebugConsole) {
Log.e(tag, s1);
}
}
public void RemoteLog(Context context0, String s) {
this.SettingsToAdd(context0, this.consts.LogSMS, s + this.consts.string_endLog);
}Another hint comes from the botnet’s expensive price: 5000 $ per month. This is higher than other botnets: UB3L 1500 $, Magnus 1000 $, Grim 500 $, Ermac 3000–5000 $… and make sense if each developer wants his/her cut.
Malware marketing and reality
In our every day’s life, we are sadly inundated with advertisements and assertions that may lack substantiation or accuracy. Malware authors have adopted similar tactics to promote their malicious software, leveraging enticing features and presentations.
While I have been able to confirm some of the claimed features, some others did not appear in the sample I analyze. In particular, HVNC (“Hidden VNC”) does not really “bypass bank/crypto apps”. It simply consists in a different way of spying the victim: “VNC” sends a screenshot of each new view (the implementation uses a OnImageAvailableListener to only post information when a new image is displayed), “HVNC” sends a tree of JSON objects describing the active view.
Said differently, “VNC” offers a visual way to spy on the victim, image by image. “HVNC” provides a textual way.
For malware analysts: how to identify Phoenix
Phoenix is pretty simple to identify in the malware, with its specific “phoenix_0401” tag. The presence of 2 URLs, one for the admin panel, and another one for the web socket is special to the malware’s communication protocol.
this.nameFileSettings = "settings";
this.tag = "phoenix_0401";
this.str_urlAdminPanel = "http://135.181.11.14:4000";
this.ws_url = "135.181.11.14:8000";
this.FakeAPP = Boolean.valueOf(true);
this.ssl = Boolean.valueOf(false);
this.key = "podEID53t29v";
...
public String strEncRC4(String s, String s1) {
return Base64.encodeToString(utils.bytesToHexString(
new ClassRC4(s1.getBytes()).encrypt(s.getBytes())).getBytes(), 0)
.replace("\n", "");
}The use of RC4 and Base64 to encrypt victim data will give a final confirmation.
Trend in 2024: more Accessibility abuse, and better…
Once again, the malware abuses the Accessibility API for its malicious tasks. From recent samples I have been reversing in 2024, there seems to be a trend: malicious accessibility code has improved in clarity and in uses. Nowadays, as malware authors master the Accessibility API better, they do not fear to use it a lot: record screen gestures and mimic them, click on precise coordinates of the screen etc. While those techniques existed before, they weren’t used as widely in a single sample. The code is clearer too. For example, in BianLian samples I analyzed 3 years ago, the code was sometimes messy, trying several tactics to get to the appropriate menu (e.g disable Play Protect). In recent malware, the code goes is more efficient and goes straight to the point.
— the Crypto Girl
