Android/Phoenix authors, claims, sample identification and trends

@cryptax
3 min readFeb 8, 2024

--

The Android/Phoenix botnet (see reverse engineering post here) was advertised underground in May 2023, and on GitHub and Telegram. The GitHub account is closed, but the Telegram channel is still active in 2024. The botnet panel is demonstrated in a video.

The github repository is closed now

Several developers

Notice the creators take of themselves in plural terms: “we”. It seems indeed plausible that there are more than one. For instance, the implementation pays lots of attention to logging, thus debugging, which gets more and more necessary when there are several developers.

public void Log(String tag, String s1) {
if(this.consts.DebugConsole) {
Log.e(tag, s1);
}
}

public void RemoteLog(Context context0, String s) {
this.SettingsToAdd(context0, this.consts.LogSMS, s + this.consts.string_endLog);
}

Another hint comes from the botnet’s expensive price: 5000 $ per month. This is higher than other botnets: UB3L 1500 $, Magnus 1000 $, Grim 500 $, Ermac 3000–5000 $… and make sense if each developer wants his/her cut.

Phoenix botnet prices, as advertised on January 4, 2024

Malware marketing and reality

In our every day’s life, we are sadly inundated with advertisements and assertions that may lack substantiation or accuracy. Malware authors have adopted similar tactics to promote their malicious software, leveraging enticing features and presentations.

Phoenix features, as claimed by its authors, on Jan 4 2024

While I have been able to confirm some of the claimed features, some others did not appear in the sample I analyze. In particular, HVNC (“Hidden VNC”) does not really “bypass bank/crypto apps”. It simply consists in a different way of spying the victim: “VNC” sends a screenshot of each new view (the implementation uses a OnImageAvailableListener to only post information when a new image is displayed), “HVNC” sends a tree of JSON objects describing the active view.

This function, traverseNode, is recursive. It is used to populate a tree of JSON objects which contain elements of each node (size, text, content description, clickable or not etc). When HVNC is started, the malware sends via the websocket a tree of JSON objects from the node which triggered the last event.

Said differently, “VNC” offers a visual way to spy on the victim, image by image. “HVNC” provides a textual way.

Features seen in the sample I analyzed

For malware analysts: how to identify Phoenix

Phoenix is pretty simple to identify in the malware, with its specific “phoenix_0401” tag. The presence of 2 URLs, one for the admin panel, and another one for the web socket is special to the malware’s communication protocol.

this.nameFileSettings = "settings";
this.tag = "phoenix_0401";
this.str_urlAdminPanel = "http://135.181.11.14:4000";
this.ws_url = "135.181.11.14:8000";
this.FakeAPP = Boolean.valueOf(true);
this.ssl = Boolean.valueOf(false);
this.key = "podEID53t29v";
...
public String strEncRC4(String s, String s1) {
return Base64.encodeToString(utils.bytesToHexString(
new ClassRC4(s1.getBytes()).encrypt(s.getBytes())).getBytes(), 0)
.replace("\n", "");
}

The use of RC4 and Base64 to encrypt victim data will give a final confirmation.

Trend in 2024: more Accessibility abuse, and better…

Once again, the malware abuses the Accessibility API for its malicious tasks. From recent samples I have been reversing in 2024, there seems to be a trend: malicious accessibility code has improved in clarity and in uses. Nowadays, as malware authors master the Accessibility API better, they do not fear to use it a lot: record screen gestures and mimic them, click on precise coordinates of the screen etc. While those techniques existed before, they weren’t used as widely in a single sample. The code is clearer too. For example, in BianLian samples I analyzed 3 years ago, the code was sometimes messy, trying several tactics to get to the appropriate menu (e.g disable Play Protect). In recent malware, the code goes is more efficient and goes straight to the point.

— the Crypto Girl

--

--

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.