Multidex trick to unpack Android/BianLian

What makes this sample difficult to unpack

The most common packing mechanism consists in loading a hidden DEX with DexClassLoader. The sample does not use DexClassLoader (nor PathClassLoader or InMemoryDexClassLoader). Therefore, we cannot unpack by creating a hook on DexClassLoader that dumps its first file argument.

Detecting it is packed

The main activity is com.pmmynubv.nommztx.MainActivity, which is not present in the wrapping APK but in the contained payload.

DroidLysis detects the sample is packed

Unpacking

Understanding the packing mechanism takes a little bit of time, because all strings are obfuscated (fortunately JEB decrypts nearly all of them) and DexClassLoader — typically to load a DEX — is not used.

This is where the unpacking actually begins! For clarity, I renamed the method “install_multidex”. Its original name was of course obfuscated to “a”. It is a bit difficult to spot so much happens through this simple call…
Obfuscated bot configuration strings. De-obfuscation occurs through i.a()
Isn’t that nice? JEB automatically decrypts strings when a simple algorithm is used. JEB doesn’t do all the work though, you still have to reverse engineer to understand the meaning: I manually renamed obfuscated name h.a to h.PAYLOAD_EXTENSION etc.
  1. com.brazzers.naughty.g.attachBaseContext(Context)
  2. com.brazzers.naughty.a.a(Context)
  3. com.brazzers.naughty.a.a(Context, File, File…)
  4. com.brazzers.naughty.b.a(Context, String…)
  5. com.brazzers.naughty.b.c()
  6. com.brazzers.naughty.b.a(ZipFile, ZipEntry…)
  7. com.brazzers.naughty.k.a(String, InputStream, OutputStream)

Automating the unpacking

I basically copied the malware’s unpacking code in com.brazzers.naughty.k.a, did a little adaptation, and finally worked out a Java program that automatically unpacks the malware (get the code here). Run the program in the directory where G9ugwFtIG1.jwi is available (./assets/7G8Uwty), and it will unpack and create a unpacked.zip which contains the payload DEX.

Static program to unpack the asset — java UnpackJwi
$ unzip -l unpacked.zip 
Archive: unpacked.zip
Length Date Time Name
--------- ---------- ----- ----
906456 2022-01-14 11:05 classes.dex
--------- -------
906456 1 file

So, how is the DEX loaded if not with DexClassLoader?

The malware uses the multidex scheme to load the payload as secondary DEX. This method has existed for a couple of years (e.g. Android/Rootnik using it in 2017), but I hadn’t seen it for a while. In 2022, it seems we have a new packer in the wild which uses this technique as the same packer is used here in a sample of Flubot.

  • MultiDexApplication is found in com.brazzers.naughty.g
  • MultiDex is within in com.brazzers.naughty.a
  • and MultiDexExtractor is com.brazzers.naughty.b
  1. Changes in file and folder names. The extracted DEX will be located in a directory named hf8U6UUIwiqaGgo instead of the standard secondary-dexes name, the extracted suffix will be .weg instead of .zip, and some other minor details like the lock file name is changed to T9etIiaI.uw87 instead of MultiDex.lock. The goal is obviously to complicate reverse engineering, but also to make the files less noticeable should they be spotted during extraction on the device.
  2. Deflating and decryption of the secondary DEXes. Compare the original code with the malware’s version below.
Original code from https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java (not malicious!)
Malware’s version. The input is deflated and decrypted.

More recent samples of January 14 (today)

Some newer samples of that malicious video application have been released today: see Twitter. I haven’t looked in all samples yet, but at least the first one, 01658_Video_Oynatıcı.apk (sha256: d105764cd5383acacd463517691a0a7578847a8174664fc2c1da5efd8a30719d) does not use the same packer. It uses the common DexClassLoader method, actually the same packing mechanism as this sample. Watch for the unpacked payload in a file named maXclr.json.

generic_x86_64:/data/data/com.friend.bronze/app_DynamicOptDex # ls
maXclr.json maXclr.json.prof

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
@cryptax

@cryptax

162 Followers

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.