This corresponds to the reverse engineering of the malware we unpacked in Part 1. Please also see the video at SecSea 2k20.

Update June 22, 2020: thanks to @ektoplasma_ for pointing out the crypto algorithm is not “home-made” but RC4.

The unpacked sample has sha256: 8306aed35abe6dd4105d060a4ccb1afcb87cc97cb2444c03ebf320810706089e.

When it is started, the malware contacts a remote C&C to report that it has infected a victim's phone (it sends the phone's model, release, product name, country and phone number).

All communication to the C&C has the following form:

  • The URL to contact is configurable and saved in the malware's configuration file (a shared preferences file named set). The default URL depends on the sample; for the one analyzed here it is hxxps://old.mandamientos.ga
Default configuration file for the malware
  • The page to reach depends on the nature of the action and data: a1.php, a2.php, … up to a17.php
  • The PHP page usually takes an argument p, which contains the victim's Android ID followed by additional data, encrypted and then converted to Base64. The algorithm is RC4 with the hard-coded key ericcartman.
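To decode the p argument from captured traffic, here is an added example (not code from the original post or from the sample itself) implementing the RC4 + Base64 layer with the hard-coded key. The Android ID, device fields and the ":" separator in the sample value are constructed; the page does not state how the ID and the data are delimited.

```python
import base64

KEY = b"ericcartman"  # hard-coded RC4 key reported in the analysis


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_p(android_id: str, payload: str, key: bytes = KEY) -> str:
    """Build the 'p' argument: Android ID + data, RC4-encrypted, then Base64."""
    plain = (android_id + payload).encode()
    return base64.b64encode(rc4(key, plain)).decode()


def decode_p(p: str, key: bytes = KEY) -> str:
    """Recover the plaintext from a captured 'p' argument (the analyst's side)."""
    return rc4(key, base64.b64decode(p)).decode()


# Constructed sample (not a real capture): a fake Android ID followed by the
# kind of device fields the infection report carries. The ":" delimiter is an
# assumption, not something the analysis states.
SAMPLE_ID = "0123456789abcdef"
SAMPLE_DATA = ":Pixel 3:10:blueline:FR:+33600000000"
CAPTURED_P = encode_p(SAMPLE_ID, SAMPLE_DATA)

if __name__ == "__main__":
    print("p =", CAPTURED_P)
    print("decoded:", decode_p(CAPTURED_P))
```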

The C&C responds to the initial infection report with a list of commands and/or settings. Most commands correspond to an entry in the configuration file. For example, the C&C can activate encryption of files on the smartphone (crypto locker). This feature is referred to in the code as "Cryptolocker", "Cryptor" or "AnubisCrypt". The C&C sends a command such as |cryptokey=key:50:BTC|endcrypt. This updates several configuration parameters such as key, lock_amount, lock_btc, and status (crypt to request encryption, decrypt to request decryption), and triggers the file encryption code: all files located in /mnt, /mount, /storage, and /sdcard are encrypted. The encryption algorithm is seeded with the "encryption" key. Encrypted files get the suffix .AnubisCrypt.

Processing C&C command “cryptokey=”

Encrypting or decrypting the file system is reported to the remote C&C (on page a6.php), with an (encrypted) status message saying for example "The Cryptor is activated, the file system is encrypted by key…".

Once files are encrypted, a ransom message is displayed. The template is stored in the configuration under htmllocker, and the amount and currency to request are configurable (lock_amount, lock_btc).

The malware implements numerous features: SMS interception and deletion, searching for files, listing installed applications, recording audio, screen capture, tracking geographic location, locking the screen, making the victim send spam SMS…

C&C commands for the bot
Overview of malware’s main features

Propagation

The malware propagates to other victims via SMS. There are 2 different methods:

  1. Option 1: the malware retrieves the list of contacts on the victim's smartphone (controlled by getNumber, set to true/false in the config file) and we assume the malware author(s) try to infect them later
  2. Option 2: the malware can have the victim's smartphone send SMS directly to its contacts. The text to send is configured by the setting cwc_text.
2 different options to propagate to new victims
Send contacts name and phone number to remote C&C

Send spam

The malware asks the C&C (page a17.php) who it should spam: the answer contains the contact's name and phone number. The malware crafts the spam from a template read from the configuration parameter textSPAM, and sends the SMS.

Sending spam by SMS to a given contact (reminder: all variable/method names are obfuscated. They have been renamed here for better readability)

Intercept SMS

If the configuration option perehvat_sms (perehvat is Russian for "intercept") is set to true, the malware intercepts any incoming SMS and sends its content to the remote C&C. It can also report the contents of the Sent and Drafts boxes.

If the option del_sws is set, it disables the ringer and deletes the SMS on the victim's phone. The malware implements SMS interception using the well-known receiver technique: it registers a BroadcastReceiver with a high priority (999), which therefore handles incoming SMS before the smartphone's regular messaging apps.

High priority for SMS receiver of the malware. This is a common technique.
Malware hides SMS interception by deleting the incoming SMS…
When deleting SMS, the malware also sets the ringer to silent
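A static check a triage analyst can run for the high-priority receiver pattern described above, as an added example that is not part of the original post: it lists manifest-declared receivers filtering SMS_RECEIVED with a priority at or above 999. It assumes the filter is declared in AndroidManifest.xml; a receiver registered at runtime (for example with IntentFilter.setPriority) is not visible this way and needs code review. The manifest fragment is constructed, not taken from the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def high_priority_sms_receivers(manifest_xml: str, threshold: int = 999) -> list:
    """Return [(receiver name, priority)] for manifest-declared receivers whose
    intent-filter handles SMS_RECEIVED with priority >= threshold
    (999 is the value observed in this sample)."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                prio = int(_attr(flt, "priority", "0"))
            except ValueError:  # e.g. a resource reference such as @integer/...
                continue
            if prio >= threshold:
                hits.append((_attr(receiver, "name", "?"), prio))
    return hits


# Constructed manifest fragment (not from the sample): one ordinary receiver
# and one that mimics the malware's high-priority SMS receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(high_priority_sms_receivers(SAMPLE_MANIFEST))
```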

Keylogger

The keylogging feature is implemented as an AccessibilityService. Such services are normally meant to help end users with disabilities, but the malware abuses the mechanism and opens the accessibility settings so that the victim grants it access:

Launch the Accessibility Settings view

Then it implements a service that extends AccessibilityService and receives accessibility events in the onAccessibilityEvent method it overrides. Each button click or focus change is logged to the file keys.log.

Buttons pressed are logged, and later written to file keys.log

Finally, the content of keys.log is reported to the C&C.

Lock screen

When this feature is enabled, a black rectangle is continuously displayed on the screen. The feature is controlled by the malware's setting lookscreen (true/false).

SSH Tunneling

On request, the malware can communicate through an SSH tunnel. The C&C requests this via a command of the form |sockshost=HOST|user=username|pass=password|port=portnumber|endssh.

The malware creates a server socket that listens for incoming connections on port 34500, and then reads from and writes to the accepted socket.

Listens for incoming connections on port 34500 (hard-coded)

We seldom see SSH Tunneling in Android malware, so it’s interesting.

C&C target PHP pages (o10/a?.php) and what they are used for in the code

RAT

Some specific remote access features of the malware are handled through a different URL: the botmaster sends a command like |startrat=URL|endrat, the specified URL is saved in the configuration parameter websocket, and this URL is used to capture the screen, record audio or open/delete directories on the smartphone. The botmaster sends commands directly to the websocket URL: startsound, startscreenVNC (screen capture), opendir (list files in a given directory), deletefilefolder. The data is sent back to the C&C on the websocket URL. Page names follow the same scheme as on the standard URL (/o1o/a1.php, /o1o/a2.php, etc.), but the base URL may differ.

Available RAT commands — this contacts a “WebSocket” URL which is potentially different from the C&C URL

For example, the recording is triggered by RAT command startsound. This launches a service (named brtltydqhiuqbb) which instantiates a MediaRecord object and starts recording for 3 seconds. The audio file can be found on the SD card (.amr extension), and it is posted to the WebSocket URL page a1.php.

Stop recording audio, and post audio file to WebSocket URL + o1o/a1.php, with label sound[]

Strangely, the audio recording feature is also available outside the RAT: the C&C sends a command |recordsound=seconds|endrecord. Likewise, a MediaRecord object is instantiated and records for the supplied number of seconds. The audio file is stored on the SD card (see below). It is posted back to the C&C (not the WebSocket URL) on page a15.php.
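The C&C command format appears several times in this analysis (|cryptokey=key:50:BTC|endcrypt, the |sockshost=…|endssh tunnel request, |startrat=URL|endrat and |recordsound=seconds|endrecord). The following is an added example, not code from the original post or from the sample, of a parser for that format which an analyst can run over decoded responses, plus the configuration update the cryptokey command is described as causing. The mapping of the three colon-separated fields to key, lock_amount and lock_btc, the "cmd_" storage for other commands and the sample response are assumptions/constructed.

```python
import re

# One command = a run of '|name=value' fields closed by a '|end<tag>' token,
# e.g. '|cryptokey=KEY:50:BTC|endcrypt' or
# '|sockshost=HOST|user=U|pass=P|port=N|endssh'. Several may be concatenated.
CMD_RE = re.compile(r"\|((?:[^|=]+=[^|]*\|)+?)end(\w+)")


def parse_commands(response: str) -> list:
    """Split a C&C response into [{'end': tag, 'fields': {name: value}}, ...]."""
    commands = []
    for body, end_tag in CMD_RE.findall(response):
        fields = {}
        for field in body.strip("|").split("|"):
            name, _, value = field.partition("=")
            fields[name] = value
        commands.append({"end": end_tag, "fields": fields})
    return commands


def apply_cryptokey(config: dict, value: str) -> None:
    """'key:amount:currency' -> key, lock_amount, lock_btc and status=crypt.
    The field order (key, amount, currency) is read off the page's example
    |cryptokey=key:50:BTC|endcrypt and is an assumption."""
    key, amount, currency = value.split(":", 2)
    config.update(key=key, lock_amount=amount, lock_btc=currency, status="crypt")


def update_config(config: dict, response: str) -> dict:
    """Replay a response against a copy of the configuration (shared prefs 'set')."""
    config = dict(config)
    for cmd in parse_commands(response):
        if cmd["end"] == "crypt" and "cryptokey" in cmd["fields"]:
            apply_cryptokey(config, cmd["fields"]["cryptokey"])
        else:
            # Other commands: keep their fields under the closing tag so the
            # analyst sees what was requested (this layout is an assumption).
            config.setdefault("cmd_" + cmd["end"], {}).update(cmd["fields"])
    return config


# Constructed response (not a real capture) chaining three command kinds.
SAMPLE_RESPONSE = ("|cryptokey=SAMPLEKEY:50:BTC|endcrypt"
                   "|sockshost=ssh.example.invalid|user=u|pass=p|port=22|endssh"
                   "|recordsound=5|endrecord")

if __name__ == "__main__":
    for cmd in parse_commands(SAMPLE_RESPONSE):
        print(cmd)
    print(update_config({"status": "idle"}, SAMPLE_RESPONSE))
```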

The audio file is named RecordSound_DATE.amr, and stored on the SD card

This ends the analysis of the sample. There are a few features I haven’t covered (phone call forwarding, URL “injection”, open the browser with a given URL, send a USSD code…) but the main parts are there 😃

A similar sample, Corona Tracker, wasn't packed: here.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.