Investigating Android malware with Pithus

“My” sample is the first one, at the top. A similar sample is “Aarogya Setu”. Most probably, my malicious sample is an Android/SpyNote.
Quite typical: C10 is a broadcast receiver, most likely for SMS_RECEIVED intents. It then parses the incoming SMS from its PDU (createFromPdu) and retrieves the sender’s phone number (getDisplayOriginatingAddress).
Screen capture will be stored in /sdcard/rootSU.png.
Records audio — handled by class C11.
Actually, in this case, APKiD is wrong: this is not an anti-VM check; the information is being leaked by the malware.
Android manifest shows the intent for receiver C10.
The main activity is C7. In this particular case, the malware is simple and contains only malicious code, so C7 is malicious.
DroidLysis detects several other suspicious behaviours!
Quark’s -d option shows that C3 implements code to hide the app’s icon.
Quark’s -C option creates a clickable radar chart. In this case, all three samples overlap exactly, which is why only the top colour (green) is visible here. Click a sample’s label to disable it and inspect what lies underneath.
DroidLysis detects that the sample uses android/support/v7. Since this library is present in nearly every app, it is *really* worth excluding it from behaviour alerts!
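To make the three tool observations above concrete (the SMS receiver C10, the icon-hiding code in C3, and the android/support/v7 noise), here is an added example of a small static triage script in the spirit of the DroidLysis/Quark checks. It is not code from the post or from Pithus, APKiD, DroidLysis or Quark. The smali excerpts and the manifest are constructed: the class names C10, C3 and C7 mirror the post, but the method bodies and the support-library class are invented to exercise the rules. The Android API descriptors and the SMS_RECEIVED action string are real.

```python
"""Toy static triage over decompiled smali plus AndroidManifest.xml.

Added example, not the post's or any tool's code. Sample inputs below are
constructed; only the Android API descriptors and action names are real.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# A rule fires when every listed API is invoked in one class and every
# listed constant is loaded in that same class.
RULES = {
    "sms_interception": {
        "apis": [
            "Landroid/telephony/SmsMessage;->createFromPdu([B)Landroid/telephony/SmsMessage;",
            "Landroid/telephony/SmsMessage;->getDisplayOriginatingAddress()Ljava/lang/String;",
        ],
        "consts": [],
    },
    "icon_hiding": {
        "apis": ["Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V"],
        "consts": ["0x2"],  # PackageManager.COMPONENT_ENABLED_STATE_DISABLED == 2
    },
}

# Library code present in nearly every app: hits inside it are noise.
NOISE_PREFIXES = ("Landroid/support/", "Landroidx/")

CLASS_RE = re.compile(r"^\.class\b.*?\s(L\S+;)\s*$", re.MULTILINE)
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*(\S+)", re.MULTILINE)
CONST_RE = re.compile(r"^\s*const(?:/\d+|/high16)?\s+\w+,\s*(0x[0-9a-fA-F]+)", re.MULTILINE)

# Constructed smali: an SMS receiver modelled on what the post describes for C10.
SMALI_C10 = """\
.class public Lcom/example/C10;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 2
    invoke-static {p2}, Landroid/telephony/SmsMessage;->createFromPdu([B)Landroid/telephony/SmsMessage;
    move-result-object v0
    invoke-virtual {v0}, Landroid/telephony/SmsMessage;->getDisplayOriginatingAddress()Ljava/lang/String;
    move-result-object v1
    return-void
.end method
"""
# Constructed smali: icon hiding via setComponentEnabledSetting(..., DISABLED, DONT_KILL_APP).
SMALI_C3 = """\
.class public Lcom/example/C3;
.super Ljava/lang/Object;
.method private hideIcon(Landroid/content/pm/PackageManager;Landroid/content/ComponentName;)V
    .locals 2
    const/4 v0, 0x2
    const/4 v1, 0x1
    invoke-virtual {p1, p2, v0, v1}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
    return-void
.end method
"""
# Constructed noise: the same call inside a support-library class must not alert.
SMALI_NOISE = SMALI_C3.replace("Lcom/example/C3;", "Landroid/support/v7/app/Helper;")

SAMPLE_FILES = {"C10.smali": SMALI_C10, "C3.smali": SMALI_C3, "Helper.smali": SMALI_NOISE}
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example">
  <application>
    <activity android:name=".C7"/>
    <receiver android:name=".C10" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_noise(cls):
    return cls.startswith(NOISE_PREFIXES)


def scan_smali(files):
    """Return {rule: [class descriptors]} for non-library classes matching a rule."""
    hits = {name: [] for name in RULES}
    for smali in files.values():
        cls = CLASS_RE.search(smali).group(1)
        if is_noise(cls):
            continue
        invoked, consts = set(INVOKE_RE.findall(smali)), set(CONST_RE.findall(smali))
        for name, rule in RULES.items():
            if all(a in invoked for a in rule["apis"]) and all(c in consts for c in rule["consts"]):
                hits[name].append(cls)
    return hits


def sms_receivers(manifest_xml):
    """Descriptors of <receiver> classes whose intent-filter listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    pkg, out = root.get("package", ""), []
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name") or ""
        name = pkg + name if name.startswith(".") else name
        if SMS_RECEIVED in {a.get(ANDROID_NS + "name") for a in recv.iter("action")}:
            out.append("L" + name.replace(".", "/") + ";")
    return out


def triage(files, manifest_xml):
    """Correlate code hits with the manifest: a declared SMS_RECEIVED receiver
    that also parses PDUs and reads the sender is the SMS-stealer pattern."""
    hits = scan_smali(files)
    receivers = set(sms_receivers(manifest_xml))
    hits["sms_stealer_receiver"] = [c for c in hits["sms_interception"] if c in receivers]
    return hits


if __name__ == "__main__":
    for rule, classes in triage(SAMPLE_FILES, SAMPLE_MANIFEST).items():
        print(f"{rule}: {classes}")
```

The manifest correlation is what turns a bare API hit into a confident verdict: plenty of legitimate apps parse PDUs, but a class registered for SMS_RECEIVED that reads both the body and the sender is the pattern worth escalating. The noise prefix list is the practical form of the android/support/v7 remark: the support-library class carries the same call yet produces no alert.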
