Reversing “V-Alert COVID-19” Android/BankBot

DroidLysis’ output shows that the malware uses DexClassLoader:
## DexClassLoader
- file=…gsxtysyue/rqjgllnxahaafqsyplz/lcoguawmyxbdzriqeiczstw/Ncoffeetop.smali no=3864 line=b’ invoke-virtual/range {v1 .. v6}, Lgohcthplmgmyrcnhcgsxtysyue/rqjgllnxahaafqsyplz/lcoguawmyxbdzriqeiczstw/Ncoffeetop;->squeezedefy(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/reflect/Field;Ljava/lang/ref/WeakReference;)Ldalvik/system/DexClassLoader;\n’
- file=…gsxtysyue/rqjgllnxahaafqsyplz/lcoguawmyxbdzriqeiczstw/Ncoffeetop.smali no=5445 line=b’.method public squeezedefy(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/reflect/Field;Ljava/lang/ref/WeakReference;)Ldalvik/system/DexClassLoader;\n’
- file=…gsxtysyue/rqjgllnxahaafqsyplz/lcoguawmyxbdzriqeiczstw/Ncoffeetop.smali no=5474 line=b’ const-class v0, Ldalvik/system/DexClassLoader;\n’
- file=…gsxtysyue/rqjgllnxahaafqsyplz/lcoguawmyxbdzriqeiczstw/Ncoffeetop.smali no=5535 line=b’ check-cast p1, Ldalvik/system/DexClassLoader;\n’
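As an added example (my own code, not DroidLysis’ and nothing taken from the sample), a small scanner that reproduces the kind of check reported above: it walks a baksmali/apktool output tree and flags every opcode or method signature that references `dalvik/system/DexClassLoader`, giving file and line hits to jump to. The smali snippet is constructed around the `squeezedefy()` signature shown above; the two extra loader classes go beyond what the page lists and are my assumption.

```python
import sys
from pathlib import Path

# Runtime class loaders worth flagging in smali. DexClassLoader is the one the
# DroidLysis report above shows; InMemoryDexClassLoader and PathClassLoader are
# my extension (assumed equally relevant for dynamically loaded payloads).
LOADER_CLASSES = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
)
# Opcodes/directives whose operand names a class: invoke-* (a call taking or
# returning a loader), const-class, check-cast, new-instance and .method lines.
PREFIXES = ("invoke-", "const-class", "check-cast", "new-instance", ".method")

def scan_smali_text(name, text):
    """Return (name, line_no, line) for each line that references a loader class."""
    hits = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith(PREFIXES):
            continue  # ignore comments, const-string literals, .locals, etc.
        if any(cls in line for cls in LOADER_CLASSES):
            hits.append((name, no, line))
    return hits

def scan_smali_tree(root):
    """Walk a decompiled-smali directory and aggregate hits from every .smali file."""
    hits = []
    for path in sorted(Path(root).rglob("*.smali")):
        hits.extend(scan_smali_text(str(path), path.read_text(errors="replace")))
    return hits

# Constructed sample, modelled on the squeezedefy() signature shown on the page.
SAMPLE_SMALI = """\
.class public Lgohcthplmgmyrcnhcgsxtysyue/rqjgllnxahaafqsyplz/lcoguawmyxbdzriqeiczstw/Ncoffeetop;
.super Ljava/lang/Object;

.method public squeezedefy(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/reflect/Field;Ljava/lang/ref/WeakReference;)Ldalvik/system/DexClassLoader;
    .locals 8
    const-class v0, Ldalvik/system/DexClassLoader;
    const-string v1, "DexClassLoader"
    check-cast p1, Ldalvik/system/DexClassLoader;
    return-object p1
.end method
"""

if __name__ == "__main__":
    hits = scan_smali_tree(sys.argv[1]) if len(sys.argv) > 1 else \
        scan_smali_text("Ncoffeetop.smali", SAMPLE_SMALI)
    for name, no, line in hits:
        print(f"file={name} no={no} line={line}")
```

Run it with the path to a decompiled app to scan a whole tree; without arguments it scans the embedded sample and reports the `.method`, `const-class` and `check-cast` lines (the `const-string` literal is deliberately not matched).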
As the malware’s namespaces are long, it is particularly helpful to use the search function in the Bytecode/Hierarchy panel.
The obfuscated squeezedefy() method uses DexClassLoader:
```java
String dexpath = this.dreamdrill(v12);
```
Do not pay attention to the junk code; focus only on the last line, which calls slowunusual():
```java
this.Uobligeparrot = String.valueOf(Oconductgaze.pioneerwhat(Integer.numberOfTrailingZeros(Math.round(((float)Color.alpha(Integer.reverse(Math.getExponent(((float)Integer.signum(Color.green(Integer.parseInt("255"))))))))))).trim().intern().toString()).trim().intern();
```
Filename decoding function. Lots of junk code.
The pioneerwhat() method, with the junk code removed and explicit variable names:
```
# ls
app_DynamicLib app_DynamicOptDex cache code_cache shared_prefs
```
Main of the malware, from the unpacked, decrypted DEX.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.
@cryptax