Tracking Android/Joker payloads with Medusa, static analysis (and patience)

Medusa

use http_communications/uri_logger
use encryption/cipher_1
use code_loading/dump_dyndex
use code_loading/load_class
I use the URI hooks (http_communications/uri_logger) in Medusa and see which URLs the malware calls. Android/Joker is known to use URLs such as xxx[.]aliyuncs.com.
Bingo! The look4.oss-ap[..]aliyuncs.com URL is encrypted. The decryption hook, encryption/cipher_1, shows the decrypted value.
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
loadClass: com.facebook.ads.internal.dynamicloading.DynamicLoaderImpl
...
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
...
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
loadClass: com.android.installreferrer.api.InstallReferrerClient
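The Medusa session above is enough to rebuild the whole loading chain by hand, but a sample that drops more stages gets tedious. The following is an added example (my own code, not part of the original post and not a Medusa module) that parses the loader, dump and loadClass lines Medusa prints, groups them into stages in load order, and attaches a few triage flags: a loaded file with no .dex/.jar suffix, a file sitting in the app's private cache/files directory, and a class living in the default package (such as seek). The flag rules are assumptions of this example, not something Medusa reports; the sample log is constructed from the lines shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the Medusa output shown above, reduced to the
# loader, dump and loadClass lines needed to rebuild the loading chain.
SAMPLE_LOG = """\
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
loadClass: com.facebook.ads.internal.dynamicloading.DynamicLoaderImpl
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
loadClass: com.android.installreferrer.api.InstallReferrerClient
"""

LOADER_RE = re.compile(
    r"^(?P<loader>DexClassLoader|PathClassLoader)(?:\([^)]*\))? called: (?P<path>\S+)$"
)
DUMP_RE = re.compile(r"^\[\+\] Dumped (?P<path>\S+) to (?P<dump>\S+)$")
CLASS_RE = re.compile(r"^loadClass: (?P<cls>\S+)$")


@dataclass
class Stage:
    """One dynamically loaded code file and what was loaded from it."""
    loader: str
    path: str
    dump: Optional[str] = None
    classes: List[str] = field(default_factory=list)


def parse_medusa_log(text: str) -> List[Stage]:
    """Group loader/dump/loadClass lines into stages, in load order.

    A loadClass line is attributed to the most recently created loader,
    which matches the order Medusa prints them in the session above.
    """
    stages: List[Stage] = []
    for line in text.splitlines():
        line = line.strip()
        if m := LOADER_RE.match(line):
            stages.append(Stage(m["loader"], m["path"]))
        elif (m := DUMP_RE.match(line)) and stages and stages[-1].path == m["path"]:
            stages[-1].dump = m["dump"]
        elif (m := CLASS_RE.match(line)) and stages:
            stages[-1].classes.append(m["cls"])
    return stages


def indicators(stage: Stage, package: str) -> List[str]:
    """Heuristic triage flags for one stage (assumption: rules chosen for this
    example, not Medusa's own). An empty list means nothing stood out."""
    flags: List[str] = []
    name = stage.path.rsplit("/", 1)[-1]
    if "." not in name:                      # nuff, seek, Yang: no .dex/.jar suffix
        flags.append("no-extension")
    if f"/{package}/cache/" in stage.path or f"/{package}/files/" in stage.path:
        flags.append("app-private-dir")      # written at runtime, absent from the APK
    for cls in stage.classes:
        if "." not in cls:                   # class in the default package, e.g. 'seek'
            flags.append(f"default-package-class:{cls}")
    return flags


def chain(stages: List[Stage], package: str) -> List[str]:
    """One line per stage: dump name, loader, file name and triage flags."""
    return [
        f"{s.dump or '-'} <- {s.loader} {s.path.rsplit('/', 1)[-1]} {indicators(s, package)}"
        for s in stages
    ]


if __name__ == "__main__":
    for line in chain(parse_medusa_log(SAMPLE_LOG), "com.designemoji.keyboard"):
        print(line)
```

Run it on a saved Medusa transcript by swapping SAMPLE_LOG for the file contents; the point of attributing loadClass lines to the latest loader is that it shows, for instance, that class seek was loaded out of nuff (dump_2) before the file named seek was itself loaded as dump_3.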

Loading nuff (payload 1)

## Cipher
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 25 line=b'.method private b()Ljavax/crypto/Cipher;\n'
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 63 line=b' invoke-static {v0, v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;Ljava/lang/String;)Ljavax/crypto/Cipher;\n'
Decrypted=https://look4[.]oss-ap-southeast-5[.]aliyuncs.com/designemoji
Decrypted=getClassLoader
Decrypted=loadClass
Decrypted=seek
Decrypted=melody
The code loads the JAR with getClassLoader, then invokes a method named melody()
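Before decompiling a dump such as dump_2 it is worth confirming that Medusa captured a complete DEX file rather than a truncated or partially overwritten one. The following is an added example (my own code, not from the post or from Medusa) that parses the DEX header and verifies the three integrity fields the format carries: file_size against the actual length, the adler32 checksum over everything after the checksum field, and the SHA-1 signature over everything after the signature field. The header layout and constants are from the public DEX format; the header-only DEX image the block builds is constructed test data so the check can run offline.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_MAGIC_PREFIX = b"dex\n"
ENDIAN_CONSTANT = 0x12345678
# u32 fields from offset 0x38 to the end of the header, in spec order
TABLE_FIELDS = (
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def check_dex(data: bytes) -> dict:
    """Parse the DEX header of a dump and verify its integrity fields.

    A truncated or partially overwritten dump may keep a valid magic but
    fails the size, adler32 and SHA-1 checks, so those are the fields to trust.
    """
    result = {"magic_ok": False, "version": None, "size_ok": False,
              "checksum_ok": False, "signature_ok": False, "sha1": None,
              "tables": {}}
    if len(data) < DEX_HEADER_SIZE or data[0:4] != DEX_MAGIC_PREFIX or data[7] != 0:
        return result
    result["magic_ok"] = True
    result["version"] = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    result["size_ok"] = (file_size == len(data) and header_size == DEX_HEADER_SIZE
                         and endian_tag == ENDIAN_CONSTANT)
    # checksum covers everything after the checksum field itself
    result["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    # signature is SHA-1 of everything after the signature field
    digest = hashlib.sha1(data[32:]).digest()
    result["sha1"] = digest.hex()
    result["signature_ok"] = signature == digest
    # table counts and offsets; a sane dump has class_defs_size > 0
    result["tables"] = dict(zip(TABLE_FIELDS, struct.unpack_from("<14I", data, 0x38)))
    return result


def build_constructed_dex(version: bytes = b"035") -> bytes:
    """Constructed test data: a header-only DEX image with valid checksum and
    signature so the check can run offline. Not one of the article's dumps."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:4] = DEX_MAGIC_PREFIX
    body[4:7] = version                      # byte 7 stays 0, as the magic requires
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_dex(f.read()))
    print("constructed:", check_dex(build_constructed_dex()))
```

Usage: python check_dex.py dump_1 dump_2 dump_3 dump_4. The sha1 field is the file's own signature, which is convenient for correlating a dump with samples seen elsewhere, independent of the file name the malware chose (nuff, seek, Yang).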

Static analysis of nuff (payload 1)

  1. It downloads a DEX file from https://look4.oss-ap-southeast-5[.]aliyuncs[.]com/nunber
Code of payload 1: the download URL for payload 2. We also see that method bustle of class cantus is called.

Static analysis of payload 2

Payload 2 is loading … Payload 3

Static analysis of payload 3

  1. https://xjuys.oss-accelerate[.]aliyuncs.com/fbhx1. We have already seen this payload. It is the same as in this article and contains Facebook hooks.
  2. https://beside.oss-eu-west-1[.]aliyuncs.com/af2. It stores the file in the app’s file directory, with filename KBNViao. Then, it loads com.appsflyer.AppsFlyerLib and calls the methods init() then startTracking() [love the name of the method, don’t we? 😏]. This is the AppsFlyer SDK, a mobile analytics library.
Connecting to the remote URL and downloading payload 4.

Summary

  • Payload 1 (designmoji/nuff) has no other use than loading Payload 2
  • Payload 2 (nunber/seek) enables notification listeners (we haven’t detailed this in this article) and loads Payload 3
  • Payload 3 (xjuys/Yang) has yet more malicious code (not detailed here) and loads two additional DEX files: one for Facebook, the other one containing the AppsFlyer SDK.
  • Payloads 4a and 4b: Facebook hooks + AppsFlyer SDK.

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.