  • The URL to contact is configurable, and saved in the malware’s configuration file (a shared preferences file named set). The default URL to contact depends on the sample. For the one we analyze, it is hxxps://old.mandamientos.ga
Default configuration file for the malware
  • The page to reach depends on the nature of the action and data: a1.php, a2.php ... to a17.php
  • The PHP page usually takes an argument p, which contains the victim’s Android ID followed by additional data, encrypted and then converted to Base64. The algorithm is RC4 and uses a hard-coded key ericcartman.
Processing C&C command “cryptokey=”
C&C commands for the bot
Overview of malware’s main features
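The p argument described above is Base64(RC4(androidId + data)) under the hard-coded key ericcartman. The following Python is an added example, not code from the article or the sample: it implements plain RC4 and wraps it with the Base64 step so an analyst can decode a captured p parameter from proxy or pcap data. The 16-character split of the Android ID is an assumption (Android IDs are 64-bit hex strings); the article does not state how the additional data is delimited, so the full plaintext is returned as well. The sample values in the block are constructed, not taken from real traffic.

```python
import base64
from typing import Tuple

# Key the article reports as hard-coded in the analysed sample.
RC4_KEY = b"ericcartman"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_p_parameter(p_value: str, key: bytes = RC4_KEY) -> Tuple[str, str, str]:
    """Reverse the encoding the article describes: Base64 -> RC4 -> plaintext.

    Accepts standard or URL-safe Base64, padded or not (HTTP clients strip '=' freely).
    Returns (full_plaintext, android_id, extra_data). The 16-char Android ID split is an
    assumption; the article does not say how the trailing data is delimited.
    """
    padded = p_value + "=" * (-len(p_value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raw = base64.urlsafe_b64decode(padded)
    plaintext = rc4(key, raw).decode("utf-8", errors="replace")
    return plaintext, plaintext[:16], plaintext[16:]


def encode_p_parameter(android_id: str, extra: str, key: bytes = RC4_KEY) -> str:
    """Forward direction, used here only to build a round-trip test vector."""
    return base64.b64encode(rc4(key, (android_id + extra).encode("utf-8"))).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a fake Android ID followed by a fake report string.
    sample = encode_p_parameter("0123456789abcdef", "|model=TestPhone|ver=1|")
    print("captured p =", sample)
    print("decoded    =", decode_p_parameter(sample))
```

The RC4 routine is checked against the public "Key"/"Plaintext" test vector, so a wrong key or a copy/paste error in the keystream logic shows up immediately; the same rc4() can be pointed at the configuration values the C&C pushes (see the cryptokey= command above) if a sample turns out to use a different key.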

Propagation

The malware propagates to other victims via SMS. There are 2 different methods:

  1. Option 1: the malware retrieves the list of contacts on the victim’s smartphone (controlled by the getNumber true/false setting in the config file) and sends it to the C&C; we assume the malware author(s) then try to infect those contacts later
  2. Option 2: the malware has the victim’s smartphone itself send an SMS to each of its contacts. The text to send is configured by the setting cwc_text.
2 different options to propagate to new victims
Send contacts name and phone number to remote C&C

Send spam

The malware asks the C&C (page a17.php) who it should spam: the answer contains the name of the contact and his/her phone number. The malware crafts the spam using a template read from configuration parameter textSPAM, and sends the SMS.

Sending spam by SMS to a given contact (reminder: all variable/method names are obfuscated. They have been renamed here for better readability)

Intercept SMS

If the configuration file has option perehvat_sms (intercept in Russian) set to true, the malware intercepts any incoming SMS and sends its content to a remote C&C. It can also report the contents of the Sent and Drafts box.

High priority for SMS receiver of the malware. This is a common technique.
Malware hides SMS interception by deleting the incoming SMS…
When deleting SMS, the malware also sets the ringer to silent

Keylogger

The keylogging feature is implemented as an AccessibilityService. Those services are normally meant to help end users with disabilities, but the malware abuses that, and asks for accessibility settings:

Launch the Accessibility Settings view
Buttons pressed are logged, and later written to file keys.log
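Two of the traits described above, a high-priority receiver for incoming SMS (Intercept SMS) and a service bound as an AccessibilityService (Keylogger), are visible in the manifest before any dynamic analysis. The following Python is an added triage check, not tooling from the article: it walks a decoded AndroidManifest.xml (as produced by apktool, for example) and flags those two patterns plus the SMS and contacts permissions the described features need. The manifest text in the block is constructed for the example, not the sample's real manifest.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions that the propagation / interception / spam features described need.
SENSITIVE_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
}


def _attr(elem: ET.Element, name: str) -> str:
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")


def triage_manifest(manifest_xml: str) -> Dict[str, List[str]]:
    """Return findings keyed by category; empty lists mean nothing was flagged."""
    root = ET.fromstring(manifest_xml)
    findings: Dict[str, List[str]] = {"sms_receiver": [], "accessibility": [], "permissions": []}

    # Receivers whose intent-filter catches SMS_RECEIVED with an explicit priority:
    # a high value lets the app see the SMS before the default messaging app.
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = _attr(flt, "priority") or "default"
                findings["sms_receiver"].append("%s priority=%s" % (_attr(receiver, "name"), prio))

    # Services bound with the accessibility permission receive UI events app-wide.
    for service in root.iter("service"):
        if _attr(service, "permission") == ACCESSIBILITY_PERM:
            findings["accessibility"].append(_attr(service, "name"))

    for perm in root.iter("uses-permission"):
        if _attr(perm, "name") in SENSITIVE_PERMS:
            findings["permissions"].append(_attr(perm, "name"))
    return findings


# Constructed manifest showing both traits; package/class names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsRcv">
      <intent-filter android:priority="999999999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeySvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for category, hits in triage_manifest(SAMPLE_MANIFEST).items():
        print(category, "->", hits or "none")
```

Neither pattern is malicious on its own (SMS apps and assistive tools legitimately use both), so the output is a prioritisation signal for further analysis, not a verdict; the combination of a high-priority SMS receiver, an accessibility service and SEND_SMS/READ_CONTACTS in one app is what matches the behaviour described in this write-up.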

Lock screen

When this feature is enabled, a black rectangle is continuously displayed on the screen. This feature is controlled by malware’s settings lookscreen (true/false).

SSH Tunneling

On request, the malware can communicate through an SSH tunnel. The C&C requests this via a command of the form |sockshost=HOST|user=username|pass=password|port=portnumber|endssh.

Listens for incoming connections on port 34500 (hard coded)
C&C target PHP pages (o10/a?.php) and what they are used for in the code

RAT

Some specific remote access features of the malware are handled by a different URL: the botmaster sends a command like |startrat=URL|endrat, the specified URL gets saved in configuration parameter websocket, and this URL is used to capture the screen, record audio or open/delete directories on the smartphone. The botmaster sends commands directly on the websocket URL: startsound, startscreenVNC (screen capture), opendir (list files in a given directory), deletefilefolder. The data is sent back to the C&C on the websocket URL. Page names are like those on the standard URL, /o1o/a1.php, /o1o/a2.php etc., but the base URL is potentially different.

Available RAT commands — this contacts a “WebSocket” URL which is potentially different from the C&C URL
Stop recording audio, and post audio file to WebSocket URL + o1o/a1.php, with label sound[]
The audio file is named RecordSound_DATE.amr, and stored on the SD card
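Both the SSH tunnel command (|sockshost=…|endssh) and the RAT switch-over (|startrat=URL|endrat) use the same pipe-delimited key=value grammar, so a single parser covers both. The Python below is an added example, not code from the article: it turns a decrypted C&C response into structured records, validates the tunnel parameters, and pulls out the hosts and URLs an analyst would want as indicators. The mapping of the endssh/endrat terminators to command families follows the two commands the article shows; any other end… token is kept with its raw name. The command string in the block is constructed, not captured traffic.

```python
import re
from typing import Dict, List

# Terminators the article shows; the family names on the right are this example's own labels.
KNOWN_TERMINATORS = {"endssh": "ssh_tunnel", "endrat": "rat"}
TERMINATOR_RE = re.compile(r"^end[a-z]*$")
# Keys the article lists for the tunnel command.
TUNNEL_REQUIRED = ("sockshost", "user", "pass", "port")


def parse_cc_commands(blob: str) -> List[Dict[str, str]]:
    """Split a pipe-delimited C&C response into one dict per command.

    Each dict gets a "type" key: a known family, the raw terminator for an unknown
    end-token, or "incomplete" when the blob stops before any terminator.
    """
    commands: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for token in blob.split("|"):
        token = token.strip()
        if not token:
            continue
        if TERMINATOR_RE.match(token):
            current["type"] = KNOWN_TERMINATORS.get(token, token)
            commands.append(current)
            current = {}
        elif "=" in token:
            key, value = token.split("=", 1)
            current[key] = value
        else:
            # Bare word without '='; keep it so nothing from the response is silently lost.
            current["_bare"] = (current.get("_bare", "") + token + ";")
    if current:
        current["type"] = "incomplete"
        commands.append(current)
    return commands


def validate_tunnel(cmd: Dict[str, str]) -> List[str]:
    """Return human-readable problems with an ssh_tunnel command (empty list if it is well-formed)."""
    problems = [f"missing {k}" for k in TUNNEL_REQUIRED if k not in cmd]
    port = cmd.get("port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"bad port {port!r}")
    return problems


def extract_iocs(commands: List[Dict[str, str]]) -> List[str]:
    """Collect tunnel hosts and RAT/websocket URLs in the order they appear."""
    iocs: List[str] = []
    for cmd in commands:
        if cmd.get("type") == "ssh_tunnel" and "sockshost" in cmd:
            iocs.append(cmd["sockshost"])
        elif cmd.get("type") == "rat" and "startrat" in cmd:
            iocs.append(cmd["startrat"])
    return iocs


if __name__ == "__main__":
    # Constructed response carrying both command kinds (documentation-reserved values).
    response = "|sockshost=198.51.100.7|user=bot|pass=hunter2|port=2222|endssh|startrat=wss://rat.example.invalid/|endrat"
    parsed = parse_cc_commands(response)
    for c in parsed:
        print(c, validate_tunnel(c) if c["type"] == "ssh_tunnel" else "")
    print("IoCs:", extract_iocs(parsed))
```

Feeding the parser with the plaintext produced by an RC4/Base64 decode of the C&C replies gives a quick way to enumerate every tunnel endpoint and alternate RAT URL a sample was ever handed, which is the set of network indicators worth blocking or hunting for in proxy logs.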

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.