Live reverse engineering of a trojanized medical app — Android/Joker

A tour inside Cordova…

public class MainActivity extends CordovaActivity {
    @Override // org.apache.cordova.CordovaActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        loadUrl(this.launchUrl);
    }
}
The app’s main entry point is in the assets: www/index.html

A dynamically loaded DEX!

import a.b.a.c;
import android.app.Application;
import b.a.b;

/* loaded from: classes.dex */
public class App extends Application {
    @Override // android.app.Application
    public void onCreate() {
        super.onCreate();
        new b(new c(this).getContext()).setGravity(100);
    }
}

Frida hook

The payload DEX is /data/user/0/com.monotonous.healthydiat/app_/v1.
Reflection is used to load the method yin() from the dynamically loaded class yin.Chao.
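The hook itself is only shown as a screenshot in the post. The following is an added example, not the author's script: a Frida tracer (Python bindings plus an injected JavaScript hook) that logs every file-backed DexClassLoader construction and every Class.forName lookup, then flags loads coming from the two drop directories the post names (app_/v1 and files/logs). It assumes the public Frida API (frida, frida-tools) and a rooted device or emulator running frida-server; the package name and paths are the ones in the post, and the event format is this example's own.

```python
"""Trace dynamic code loading in an Android app with Frida.

Added example (not the post's hook). Assumes the public Frida Python bindings
and a device running frida-server. PACKAGE and the drop directories are from
the post; the event schema ('dexload'/'forName') is defined here.
"""
import json
import sys

PACKAGE = "com.monotonous.healthydiat"

# Drop locations inside the app's private storage, as identified in the post.
SUSPICIOUS_DIRS = (
    f"/data/user/0/{PACKAGE}/app_/",       # stage 2 DEX stored as 'v1'
    f"/data/user/0/{PACKAGE}/files/logs",  # stage 3 JAR stored as 'logs'
)

# JavaScript injected into the target. It hooks the DexClassLoader constructor
# (how a DEX/JAR on disk is loaded) and Class.forName (how the loaded class is
# reached by reflection, e.g. yin.Chao) and reports each event to Python.
HOOK_SCRIPT = r"""
Java.perform(function () {
  var DexClassLoader = Java.use('dalvik.system.DexClassLoader');
  DexClassLoader.$init.overload('java.lang.String', 'java.lang.String',
                                'java.lang.String', 'java.lang.ClassLoader')
    .implementation = function (dexPath, optDir, libPath, parent) {
      send({ event: 'dexload', path: dexPath, opt: optDir });
      return this.$init(dexPath, optDir, libPath, parent);
    };

  // Class.forName(String) delegates to this overload on ART, so one hook covers both.
  var Class = Java.use('java.lang.Class');
  Class.forName.overload('java.lang.String', 'boolean', 'java.lang.ClassLoader')
    .implementation = function (name, init, loader) {
      send({ event: 'forName', cls: name });
      return this.forName(name, init, loader);
    };
});
"""


def is_suspicious_path(path):
    """True when a loaded DEX/JAR sits in one of the drop directories from the post."""
    return any(path.startswith(d) for d in SUSPICIOUS_DIRS)


def summarise(events):
    """Reduce hook events to loaded files, flagged files and reflected class names."""
    loaded = [e["path"] for e in events if e.get("event") == "dexload"]
    flagged = [p for p in loaded if is_suspicious_path(p)]
    classes = [e["cls"] for e in events if e.get("event") == "forName"]
    return {"loaded": loaded, "flagged": flagged, "classes": classes}


def main(package=PACKAGE):
    import frida  # imported here so the pure helpers above work without a device

    device = frida.get_usb_device()
    pid = device.spawn([package])  # spawn (not attach) so loads in App.onCreate are seen
    session = device.attach(pid)
    events = []

    def on_message(msg, _data):
        if msg["type"] == "send":
            events.append(msg["payload"])

    script = session.create_script(HOOK_SCRIPT)
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    print("tracing; press Enter to stop")
    sys.stdin.readline()
    print(json.dumps(summarise(events), indent=2))


if __name__ == "__main__":
    main()
```

Spawning rather than attaching matters here: the loading happens in App.onCreate(), before any UI is shown, so a late attach misses it.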

Reversing v1, the dynamically loaded DEX

  1. Method yin from class yin.Chao
  2. A service named NerService, inside com.monotonous.healthydiat, and mentioned by the app’s manifest. This service is implemented in the dynamically loaded DEX.
Dynamically loading a remote JAR. The JAR should be present inside the app’s directory, inside ./files/logs. If that file does not exist, it is downloaded from the remote HTTPS website and stored in logs.
Notice that onNotificationPosted() is only interested in notifications from SMS. The class implements a post() method which grabs the notification text, broadcasts it and cancels all other notifications.
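The observation that NerService is declared in the manifest but implemented only in the dynamically loaded DEX is a usable static-triage heuristic: any manifest component whose class is missing from the APK's own classes.dex must be supplied at runtime. The script below is an added example, not the author's tooling. It parses a constructed manifest fragment modelled on the post (package name, service name, notification-listener binding) against a constructed list of classes as a DEX dumper would report them, and reports the phantom components and the notification listeners.

```python
"""Cross-check AndroidManifest.xml components against the classes in classes.dex.

Added example. The manifest and class list below are constructed to mirror the
post (com.monotonous.healthydiat, NerService); in practice you would feed the
decoded manifest and the class list from a DEX dumper.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest fragment: the service is declared here, as in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.monotonous.healthydiat">
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <service android:name=".NerService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed class list for classes.dex. NerService is deliberately absent: it
# lives in the dynamically loaded DEX (v1), not in the APK.
SAMPLE_DEX_CLASSES = {
    "com.monotonous.healthydiat.App",
    "com.monotonous.healthydiat.MainActivity",
    "org.apache.cordova.CordovaActivity",
    "a.b.a.c",
    "b.a.b",
}


def resolve_component_name(package, name):
    """Expand the shorthand forms android:name allows (".Foo", "Foo") to a FQCN."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return f"{package}.{name}"
    return name


def declared_components(manifest_xml):
    """Return [(tag, fqcn)] for the application class and every declared component."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    out = []
    app = root.find("application")
    if app is not None and app.get(A_NAME):
        out.append(("application", resolve_component_name(package, app.get(A_NAME))))
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):  # <action> elements are not iterated, only components
            if el.get(A_NAME):
                out.append((tag, resolve_component_name(package, el.get(A_NAME))))
    return out


def notification_listeners(manifest_xml):
    """FQCNs of services bound with the notification-listener permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    return [resolve_component_name(package, el.get(A_NAME))
            for el in root.iter("service")
            if el.get(A_PERMISSION) == LISTENER_PERMISSION and el.get(A_NAME)]


def find_phantom_components(manifest_xml, dex_classes):
    """Components declared in the manifest whose class is not in the APK's DEX."""
    return [(tag, cls) for tag, cls in declared_components(manifest_xml)
            if cls not in dex_classes]


if __name__ == "__main__":
    for tag, cls in find_phantom_components(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES):
        print(f"{tag} {cls}: declared in manifest, not in classes.dex (loaded at runtime?)")
    for cls in notification_listeners(SAMPLE_MANIFEST):
        print(f"notification listener: {cls}")
```

A phantom component that is also a notification listener is exactly the pattern here: the app asks the user to grant notification access for a class the APK does not even ship.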

Reversing the remote JAR canbye

Reports SMS containing the keyword rch to the remote server.
Four stages for this malware!
The cutt.ly URL actually resolves to xni.oss-eu-central-1.aliyuncs.com. The file is downloaded, stored as v1 and loaded. Then stage 3 is downloaded from canbye.oss-accelerate.aliyuncs.com and stored locally as a file named logs. The stage 4 download is not shown here.

Malicious URLs

hxxps://xni.oss-eu-central-1.aliyuncs.com/0302/hindex
hxxps://canbye.oss-accelerate.aliyuncs.com/canbye

hxxps://www.canbye.com/canbye/v1
hxxps://www.canbye.com/canbye/v2
hxxps://www.canbye.com/canbye/op/probe?...
hxxps://www.canbye.com/canbye/op/up?..
hxxps://www.canbye.com/canbye/op/arly...
hxxps://www.canbye.com/canbye/op/crly...
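To make the URL list above actionable, here is an added example (not the author's tooling) that refangs the indicators, normalises them to (host, path) and matches them against egress or proxy log lines. The indicators and the stage roles for the first two are taken from the post; the paths the post truncates with "..." are matched on the prefix it shows; the log lines and their layout are constructed.

```python
"""Match proxy/egress log lines against the defanged URL indicators from the post.

Added example. INDICATORS are copied from the post (roles for the first two are
the post's stage description); SAMPLE_LOG is constructed.
"""
from urllib.parse import urlsplit

INDICATORS = [
    ("hxxps://xni.oss-eu-central-1.aliyuncs.com/0302/hindex", "stage 2: payload DEX stored as v1"),
    ("hxxps://canbye.oss-accelerate.aliyuncs.com/canbye", "stage 3: canbye JAR stored as logs"),
    ("hxxps://www.canbye.com/canbye/v1", "canbye.com endpoint (v1)"),
    ("hxxps://www.canbye.com/canbye/v2", "canbye.com endpoint (v2)"),
    # Paths the post truncates with "..." are matched on the shown prefix.
    ("hxxps://www.canbye.com/canbye/op/probe", "canbye.com endpoint (probe)"),
    ("hxxps://www.canbye.com/canbye/op/up", "canbye.com endpoint (up)"),
    ("hxxps://www.canbye.com/canbye/op/arly", "canbye.com endpoint (arly)"),
    ("hxxps://www.canbye.com/canbye/op/crly", "canbye.com endpoint (crly)"),
]


def refang(url):
    """Turn a defanged indicator (hxxp/hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def normalise(url):
    """Return (host, path): lowercase host, query dropped, trailing slash removed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


# Compile the indicator list once.
_COMPILED = [(normalise(refang(u)), role) for u, role in INDICATORS]


def classify(url):
    """Role of the first indicator whose host matches exactly and whose path equals
    or is a parent of the observed path; None when nothing matches."""
    host, path = normalise(url)
    for (ioc_host, ioc_path), role in _COMPILED:
        if host != ioc_host:
            continue
        if path == ioc_path or path.startswith(ioc_path + "/"):
            return role
    return None


# Constructed log lines: "timestamp client method url status".
SAMPLE_LOG = """\
2021-01-01T10:00:01Z 10.0.0.5 GET https://xni.oss-eu-central-1.aliyuncs.com/0302/hindex 200
2021-01-01T10:00:05Z 10.0.0.5 GET https://canbye.oss-accelerate.aliyuncs.com/canbye 200
2021-01-01T10:00:09Z 10.0.0.5 POST https://www.canbye.com/canbye/op/probe?x=1 200
2021-01-01T10:00:12Z 10.0.0.5 GET https://www.canbye.com/canbye/op/up?a=b 200
2021-01-01T10:01:00Z 10.0.0.7 GET https://example.com/canbye/op/probe 200
2021-01-01T10:01:30Z 10.0.0.5 GET https://www.canbye.com/other 404
"""


def scan_log(text):
    """Return [(client, url, role)] for every line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        client, url = fields[1], fields[3]
        role = classify(url)
        if role:
            hits.append((client, url, role))
    return hits


if __name__ == "__main__":
    for client, url, role in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{role}]")
```

Matching on the exact host plus a path prefix avoids two common mistakes: substring matching on "canbye" (which would also fire on example.com/canbye/... in the sample) and including the query string, which these endpoints vary per request.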

IOC

  • 5613c51caf6bece9356f238f2906c54eaff08f9ce57979b48e8a113096064a46 (this is the APK)
  • 0058f2bfc383c164f4263bf0ed6e9252b20c795ace57ca7b686b6133d183bb42 (this is the payload DEX, named v1)
  • 2da5ad942435714f52204d6955f7ae941d959dc275df75acd6aa15bfe81e653b (this is canbye JAR, loaded by v1)
  • 949a16417b183d55f766fa507cc8c1699cd73ffc5da9856bb35b315b678ac1d8 (fbhx1, a 4th-stage DEX)
  • a3f5b26ba8102a63d9864ab8099eed7519244df8bc6464f888c515c7e3575f4e (fbhx2, another possible 4th-stage DEX)

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.