Tracking Android/Joker payloads with Medusa, static analysis (and patience)

Medusa

I recently discovered Medusa and like it very much… for dynamic analysis (I still prefer static analysis, everybody knows that by now?). Medusa is easy to use and comes with a collection of ready-to-use Frida hooks. Launch an Android emulator and a Frida server, install the sample, then launch Medusa (python3 medusa.py) and load the modules you need:

use http_communications/uri_logger
use encryption/cipher_1
use code_loading/dump_dyndex
use code_loading/load_class
I use the URI hooks (http_communications/uri_logger) in Medusa and see the malware call those URLs. Android/Joker is known to use URLs such as xxx[.]aliyuncs.com.
Bingo! The look4.oss-ap[..]aliyuncs.com URL is encrypted. The decryption hook, encryption/cipher_1, shows the decrypted value. The code-loading hooks then log each class loader, dump the loaded file, and list the classes loaded from it:
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
loadClass: com.facebook.ads.internal.dynamicloading.DynamicLoaderImpl
...
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
...
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
loadClass: com.android.installreferrer.api.InstallReferrerClient
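The Medusa output above is the whole loading chain in one listing, but it is easy to lose track of which dump belongs to which stage. The following script is an added example (mine, not part of the post and not part of Medusa): it parses the hook lines quoted above (embedded here as a constructed sample) into ordered stages, pairs each loader call with its dump file and the classes loaded from it, and flags code that came from app-private writable storage (files/, cache/), which is the tell that the DEX was written at runtime rather than shipped in the APK. The directory list and the message formats are assumptions taken from the post's own output.

```python
"""Rebuild the payload-loading chain from Medusa's class-loader hook output.

Added example, not part of the original post or of Medusa itself. The log
text is a constructed sample copied from the Medusa session quoted in the
post; the parser and the "app-writable directory" heuristic are assumptions
of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the Medusa lines quoted in the post.
MEDUSA_LOG = """\
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
loadClass: com.facebook.ads.internal.dynamicloading.DynamicLoaderImpl
...
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
...
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
loadClass: com.android.installreferrer.api.InstallReferrerClient
"""

# The two loader message shapes that appear in the post's session.
LOADER_RE = re.compile(r"^(DexClassLoader|PathClassLoader\(f,p\)) called: (\S+)$")
DUMP_RE = re.compile(r"^\[\+\] Dumped (\S+) to (\S+)$")
LOADCLASS_RE = re.compile(r"^loadClass: (\S+)$")

# Code loaded from app-private writable storage was written at runtime
# (downloaded or decrypted), not shipped in the APK's own classes.dex.
WRITABLE_DIRS = ("/files/", "/cache/", "/app_")


@dataclass
class Stage:
    loader: str                 # which class-loader hook fired
    path: str                   # DEX/JAR path handed to the loader
    dump: Optional[str] = None  # Medusa dump file holding a copy of it
    classes: List[str] = field(default_factory=list)  # classes loaded from it

    @property
    def dropped_at_runtime(self) -> bool:
        return any(d in self.path for d in WRITABLE_DIRS)


def parse_medusa_log(text: str) -> List[Stage]:
    """Group loader / dump / loadClass lines into ordered stages."""
    stages: List[Stage] = []
    for line in text.splitlines():
        if m := LOADER_RE.match(line):
            stages.append(Stage(loader=m.group(1), path=m.group(2)))
        elif (m := DUMP_RE.match(line)) and stages and stages[-1].path == m.group(1):
            stages[-1].dump = m.group(2)
        elif (m := LOADCLASS_RE.match(line)) and stages:
            stages[-1].classes.append(m.group(1))
    return stages


def chain_summary(stages: List[Stage]) -> List[str]:
    """One human-readable line per stage, e.g. for an analysis notebook."""
    out: List[str] = []
    for i, s in enumerate(stages, 1):
        flag = "dropped at runtime" if s.dropped_at_runtime else "shipped in APK"
        out.append(f"stage {i}: {s.loader} -> {s.path} [{flag}] dump={s.dump} classes={s.classes}")
    return out


if __name__ == "__main__":
    for line in chain_summary(parse_medusa_log(MEDUSA_LOG)):
        print(line)
```

Running it on the quoted session gives four stages, all from writable directories; stage 2 (cache/nuff, dump_2) is the one that loads the class seek, which is where the static analysis below picks up.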

Loading nuff (payload 1)

DroidLysis doesn’t detect any use of DexClassLoader, PathClassLoader or InMemoryDexClassLoader. So, how is the first payload loaded? Let’s locate the URL (look4[…]aliyuncs.com). It is encrypted, so I search where encryption (javax.crypto.Cipher) is used in DroidLysis’ detailed report.

## Cipher
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 25 line=b'.method private b()Ljavax/crypto/Cipher;\n'
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 63 line=b' invoke-static {v0, v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;Ljava/lang/String;)Ljavax/crypto/Cipher;\n'
Decrypted=https://look4[.]oss-ap-southeast-5[.]aliyuncs.com/designemoji
Decrypted=getClassLoader
Decrypted=loadClass
Decrypted=seek
Decrypted=melody
Code loading the JAR with getClassLoader, then invoking a method named melody(). The class-loader API is reached by reflection, with the method names (getClassLoader, loadClass) decrypted at runtime, which is why a static search for DexClassLoader finds nothing.
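The lesson of this section is that a grep for DexClassLoader/PathClassLoader misses loaders reached through reflection with decrypted strings; what is still visible in the bytecode is the combination of a Cipher call and java.lang.reflect calls inside the same method. The script below is an added example of that heuristic (mine, not DroidLysis' and not the post's). It assumes apktool/baksmali-style smali, and the smali it scans is a constructed stand-in modelled on the post's f/a/a/a class: the algorithm string and register layout are invented, since the post does not disclose them.

```python
"""Heuristic smali scan for reflective code loading behind string decryption.

Added example, not part of the post, of DroidLysis or of Medusa. It assumes
apktool/baksmali output and flags methods that obtain a javax.crypto.Cipher
and then go through java.lang.reflect, which is how a sample can reach
getClassLoader()/loadClass() without "DexClassLoader" ever appearing in the
bytecode. SAMPLE_SMALI is a constructed stand-in for the post's f/a/a/a
class; the algorithm string in it is invented (the post does not disclose it).
"""
import re
from typing import Dict, List

SAMPLE_SMALI = """\
.class public Lf/a/a/a;

.method private b()Ljavax/crypto/Cipher;
    const-string v0, "AES/CBC/PKCS5Padding"
    const-string v1, "BC"
    invoke-static {v0, v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v0
    return-object v0
.end method

.method public c(Landroid/content/Context;[B)V
    invoke-direct {p0}, Lf/a/a/a;->b()Ljavax/crypto/Cipher;
    move-result-object v0
    invoke-virtual {v0, p2}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v1
    new-instance v2, Ljava/lang/String;
    invoke-direct {v2, v1}, Ljava/lang/String;-><init>([B)V
    invoke-virtual {p1}, Ljava/lang/Object;->getClass()Ljava/lang/Class;
    move-result-object v3
    const/4 v1, 0x0
    invoke-virtual {v3, v2, v1}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v3
    invoke-virtual {v3, p1, v1}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method

.method public d()V
    return-void
.end method
"""

# Indicator -> regex matched against each instruction line of a method.
INDICATORS = {
    # Cipher.getInstance/doFinal, or a helper returning a Cipher (like the post's b()).
    "cipher": re.compile(r"invoke-\w+ .*Ljavax/crypto/Cipher;"),
    "reflect_lookup": re.compile(r"Ljava/lang/Class;->(forName|getMethod|getDeclaredMethod)"),
    "reflect_invoke": re.compile(r"Ljava/lang/reflect/Method;->invoke"),
    # The direct patterns a tool like DroidLysis already looks for.
    "classloader": re.compile(r"DexClassLoader|PathClassLoader|InMemoryDexClassLoader|->getClassLoader\(|->loadClass\("),
}

# ".method <modifiers...> name(args)ret" -> capture the signature.
METHOD_RE = re.compile(r"^\.method\s+(?:[a-z-]+\s+)*(\S+)\s*$")


def split_methods(smali: str) -> Dict[str, List[str]]:
    """Map each method signature to its instruction lines."""
    methods: Dict[str, List[str]] = {}
    current = None
    for raw in smali.splitlines():
        line = raw.strip()
        if m := METHOD_RE.match(line):
            current = m.group(1)
            methods[current] = []
        elif line == ".end method":
            current = None
        elif current is not None and line:
            methods[current].append(line)
    return methods


def scan(smali: str) -> Dict[str, List[str]]:
    """Indicators hit per method, in INDICATORS order."""
    return {
        name: [ind for ind, rx in INDICATORS.items() if any(rx.search(l) for l in body)]
        for name, body in split_methods(smali).items()
    }


def suspicious_methods(smali: str) -> List[str]:
    """Methods that decrypt and then reflect, or that name a class loader outright."""
    hits: List[str] = []
    for name, inds in scan(smali).items():
        reflective = "reflect_lookup" in inds or "reflect_invoke" in inds
        if ("cipher" in inds and reflective) or "classloader" in inds:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, inds in scan(SAMPLE_SMALI).items():
        print(name, inds)
    print("suspicious:", suspicious_methods(SAMPLE_SMALI))
```

On the sample, b() is reported only as a Cipher helper, d() is clean, and c() is flagged because it both obtains a Cipher and resolves and invokes a method by name; that is the method to open in the decompiler and to pair with the encryption/cipher_1 hook output, which is exactly where the decrypted getClassLoader / loadClass / seek / melody strings surfaced.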

Static analysis of nuff (payload 1)

The JAR contains a classes.dex with a single class named seek, and a method named melody. It is simple to understand:

  1. It downloads a DEX file from https://look4.oss-ap-southeast-5[.]aliyuncs[.]com/nunber
Code of payload 1: the download URL for payload 2. We also see that class cantus, method bustle, is called.

Static analysis of payload 2

Can you guess what cantus.bustle() does? It downloads yet another DEX from https://xjuys.oss-accelerate[.]aliyuncs.com/xjuys !

Payload 2 is loading … Payload 3

Static analysis of payload 3

This com.xjuys JAR had already been used in several other samples of Joker (sha256: 2edaf2a2d8fd09a254ea41afa4d32b145dcec1ab431a127b2462b5ea58e2903d). It downloads two more DEX files:

  1. https://xjuys.oss-accelerate[.]aliyuncs.com/fbhx1. We have already seen this payload: it is the same as in this article and contains Facebook hooks.
  2. https://beside.oss-eu-west-1[.]aliyuncs.com/af2. It stores the file in the app’s files directory, with filename KBNViao. Then it loads com.appsflyer.AppsFlyerLib and calls the methods init() then startTracking() [love the name of the method, don’t we? 😏]. This is the Apps Flyer SDK, a mobile analytics library.
Connecting to the remote URL and downloading payload 4.

Summary

The initial DEX is quite heavily obfuscated; the chain it unpacks is:

  • Payload 1 (designmoji/nuff) has no other use than loading Payload 2
  • Payload 2 (nunber/seek) enables notification listeners (we haven’t detailed this in this article) and loads Payload 3
  • Payload 3 (xjuys/Yang) has yet more malicious code (not detailed here) and loads two additional DEX files: one for Facebook, the other one containing the Apps Flyer SDK.
  • Payload 4a and 4b: Facebook hooks + Apps Flyer SDK.

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.