Live reverse engineering of a trojanized medical app — Android/Joker

import android.os.Bundle;
import org.apache.cordova.CordovaActivity;

// Decompiled launcher activity: a thin Cordova wrapper that only loads the bundled web content.
public class MainActivity extends CordovaActivity {
    @Override // org.apache.cordova.CordovaActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        loadUrl(this.launchUrl); // launchUrl points at the web page shipped in the assets
    }
}
The app’s main entry point is in the assets: www/index.html
import a.b.a.c;          // obfuscated helper class (decompiler-assigned name)
import android.app.Application;
import b.a.b;            // obfuscated helper class (decompiler-assigned name)

/* loaded from: classes.dex */
// Decompiled Application subclass: this is where the malicious loader is kicked off,
// hidden behind meaningless obfuscated class names and a misleading setGravity() call.
public class App extends Application {
    @Override // android.app.Application
    public void onCreate() {
        super.onCreate();
        new b(new c(this).getContext()).setGravity(100);
    }
}
The payload DEX is stored at /data/user/0/com.monotonous.healthydiat/app_/v1
Reflection is used to call the method yin() of the dynamically loaded class yin.Chao.
Dynamic loading of a remote JAR. The JAR is expected inside the app’s directory, at ./files/logs. If that file does not exist, it is downloaded from the remote HTTPS website and stored as logs.
Notice that onNotificationPosted() is only interested in SMS notifications. The class implements a post() method which grabs the notification text, broadcasts it and cancels all other notifications.
SMS messages containing the keyword rch are reported to the remote server.
Four stages for this malware!
The cutt.ly URL actually resolves to xni.oss-eu-central-1.aliyuncs.com. The file is downloaded, stored as v1 and loaded. Then stage 3 is downloaded from canbye.oss-accelerate.aliyuncs.com and stored locally as a file named logs. The stage 4 download is not shown here.
hxxps://xni.oss-eu-central-1.aliyuncs.com/0302/hindex
hxxps://canbye.oss-accelerate.aliyuncs.com/canbye

hxxps://www.canbye.com/canbye/v1
hxxps://www.canbye.com/canbye/v2
hxxps://www.canbye.com/canbye/op/probe?...
hxxps://www.canbye.com/canbye/op/up?..
hxxps://www.canbye.com/canbye/op/arly...
hxxps://www.canbye.com/canbye/op/crly...
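The two analyst tasks above (spotting the reflective DEX/JAR loader and the SMS-only notification listener in decompiled code, and turning the defanged stage URLs into a per-host IoC list) can be automated for triage. The script below is an added example written for this page; it is not code from the article, from the sample, or from any tool the author used. The indicator list is constructed from the behaviours described above and is not a complete Joker signature, the decompiled-Java fixture is made up apart from the yin.Chao class and yin() method named in the write-up, and the IoC fixture is the defanged list above.

```python
import re
from collections import defaultdict

# Source-level indicators and why each matters. Constructed for this example
# from the behaviours the write-up describes; not an exhaustive Joker signature.
SOURCE_INDICATORS = {
    "DexClassLoader": "loads a dropped DEX/JAR at runtime",
    "Class.forName": "reflective class lookup of a hidden entry point",
    ".loadClass(": "reflective class lookup of a hidden entry point",
    ".getMethod(": "reflective method lookup of a hidden entry point",
    "NotificationListenerService": "declares a notification interception service",
    "onNotificationPosted": "reads incoming notifications",
    "sendBroadcast": "forwards captured text to another component",
    "cancelAllNotifications": "suppresses notifications after reading them",
}
LOADER_INDICATORS = ("DexClassLoader", "Class.forName", ".loadClass(", ".getMethod(")
DEFANGED_URL = re.compile(r"hxxps?://\S+", re.IGNORECASE)

# Constructed decompiled-Java fixture mirroring the loader and SMS listener described
# above. Only yin.Chao / yin() come from the write-up; every other name is made up.
SAMPLE_DECOMPILED = """
public class Loader {
    void run(Context ctx, String dexPath) throws Exception {
        ClassLoader cl = new DexClassLoader(dexPath, ctx.getCodeCacheDir().getPath(), null, ctx.getClassLoader());
        Class<?> c = cl.loadClass("yin.Chao");
        c.getMethod("yin", Context.class).invoke(null, ctx);
    }
}
public class Nls extends NotificationListenerService {
    @Override
    public void onNotificationPosted(StatusBarNotification sbn) {
        if (sbn.getPackageName().contains("sms")) post(sbn);
    }
    void post(StatusBarNotification sbn) {
        String text = sbn.getNotification().extras.getString("android.text");
        sendBroadcast(new Intent("nls.text").putExtra("t", text));
        cancelAllNotifications();
    }
}
"""

# The defanged IoC list from the write-up, pasted as an analyst would.
SAMPLE_IOCS = """
hxxps://xni.oss-eu-central-1.aliyuncs.com/0302/hindex
hxxps://canbye.oss-accelerate.aliyuncs.com/canbye
hxxps://www.canbye.com/canbye/v1
hxxps://www.canbye.com/canbye/v2
hxxps://www.canbye.com/canbye/op/probe?...
hxxps://www.canbye.com/canbye/op/up?..
hxxps://www.canbye.com/canbye/op/arly...
hxxps://www.canbye.com/canbye/op/crly...
"""


def scan_source(java_source: str) -> dict:
    """Map each indicator present in the decompiled source to the reason it matters."""
    return {ind: why for ind, why in SOURCE_INDICATORS.items() if ind in java_source}


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a real scheme for blocklist use."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_iocs(text: str) -> dict:
    """Group defanged URLs by host, refanged and in order of appearance.

    Trailing '...' stubs (truncated query strings in the write-up) are trimmed."""
    by_host = defaultdict(list)
    for m in DEFANGED_URL.finditer(text):
        url = refang(m.group(0).rstrip("."))
        host = url.split("://", 1)[1].split("/", 1)[0]
        by_host[host].append(url)
    return dict(by_host)


def triage(java_source: str, ioc_text: str) -> dict:
    """Joker-like only when a runtime loader AND a notification listener are both present."""
    hits = scan_source(java_source)
    loads = any(i in hits for i in LOADER_INDICATORS)
    intercepts = "NotificationListenerService" in hits and "onNotificationPosted" in hits
    return {
        "indicators": hits,
        "iocs": extract_iocs(ioc_text),
        "verdict": "joker-like" if loads and intercepts else "review",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DECOMPILED, SAMPLE_IOCS)
    print("verdict:", report["verdict"])
    for ind, why in report["indicators"].items():
        print(f"  [{ind}] {why}")
    for host, urls in report["iocs"].items():
        print(f"  {host}: {len(urls)} URL(s)")
```

The verdict deliberately requires both halves of the chain: a DexClassLoader or reflective lookup on its own is common in legitimate apps (plugin frameworks, hot-patching), and a NotificationListenerService on its own is what every notification-mirroring app declares. It is the combination, plus the cancelAllNotifications() call that hides the stolen SMS from the user, that matches the behaviour documented above.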
