(Almost) a FUD: another "Porn App", this time Italian
I like FUDs, because they must show creativity either in packing or in the code. Either way, they are almost always interesting to analyze. Recently I came across a "porn" app targeting Italy (md5: 0995aceaeb8e338aff542ab3f1d8dab4). When you run it, it displays the ansa.it website, which I guess is a kind of Italian news site. But what it does in the background is really interesting.
Quick look
First off the app is still in the making and let me tell you the author devotes 5 hours a day to make it work! He (or she) is really trying to make it both FUD and powerful and I have to tell you that it starts to shape up with some nifty features. There are still a lot of blanks, which maybe will be filled in in the future. Look at this beautiful icon (remember that it is supposed to be a porn app):
Second, the strings. They are encrypted using DES in a famous Adobe mode with the key "Some Key". All of the strings seem to be encrypted, even the ones common in Android apps like "pdus" or the "com.android.launcher.action.INSTALL_SHORTCUT" action. That action is used to create a shortcut on your desktop with the same icon as above.
Some of the telephone info is sent to a C&C server located in San Marino (that's new, right?). Below is a list of the stolen data.
Now to the interesting parts! It has a kill switch implemented, which activates after some predefined time. Before that time, a specified number can send a short message instructing the app to send an SMS to another number. This is probably done to facilitate a Premium SMS feature, where the attacker makes money out of paid subscription services. Unfortunately no number was provided in the sample. After the kill switch is activated, the SMS sending features are disabled.
Other interesting functionality is the Hidden Browser. This is an Activity that displays a website in the background using Theme.NoDisplay and excludeFromRecents parameters in the AndroidManifest file, as shown below. As you can see MainActivity uses the same tricks.
This activity can open a website and then, once the page is loaded, open a different URL or execute a piece of JavaScript code by passing the javascript: "protocol" to loadUrl of the WebView. In this sample, which I believe to be a test build, the executed JavaScript was just a simple redirect. Moreover, at least for now, the executed JavaScript is hardcoded to be a redirect and there is no way to change it other than rebuilding the app.
Hidden Browser is meant to be started with an Intent and takes an extra String called "link" specifying the redirect target. The page opened before the redirection was hardcoded to be google.com. Using this Activity the app can covertly make the Android device visit a specific website.
It also gains persistence using a standard BOOT_COMPLETED Broadcast Receiver.
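The traits described above (an Activity hidden with Theme.NoDisplay plus excludeFromRecents, SMS permissions for the command channel, and a BOOT_COMPLETED receiver for persistence) are all visible in the manifest, so they can be triaged statically. The script below is an added example, not code from the post or from the analyzed app; the manifest it parses is constructed here to show the pattern, and the class names in it are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from the analyzed app) showing the traits
# discussed: a NoDisplay/excludeFromRecents activity, SMS permissions and a
# BOOT_COMPLETED receiver. Class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="app">
    <activity android:name=".HiddenBrowser"
        android:theme="@android:style/Theme.NoDisplay"
        android:excludeFromRecents="true"/>
    <activity android:name=".MainActivity"
        android:theme="@android:style/Theme.NoDisplay"
        android:excludeFromRecents="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def attr(el, name):
    # Manifest attributes live in the android: namespace.
    return el.get("{%s}%s" % (ANDROID_NS, name), "")

def triage_manifest(xml_text):
    """Return hidden activities, SMS permissions and boot receivers found."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    hidden = [attr(a, "name") for a in root.iter("activity")
              if "Theme.NoDisplay" in attr(a, "theme")
              and attr(a, "excludeFromRecents").lower() == "true"]
    boot = [attr(r, "name") for r in root.iter("receiver")
            if any(attr(act, "name") == "android.intent.action.BOOT_COMPLETED"
                   for act in r.iter("action"))]
    return {"hidden_activities": hidden,
            "sms_permissions": sorted(p for p in perms if p.endswith("_SMS")),
            "boot_receivers": boot}

def looks_like_hidden_browser_dropper(findings):
    # All three traits together are a strong indicator worth a manual look.
    return bool(findings["hidden_activities"] and findings["boot_receivers"]
                and findings["sms_permissions"])
```

Run it against a manifest pulled from a decoded APK (e.g. the output of apktool) to get a quick first-pass verdict before digging into the smali.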
Summary
Both the strings and the permissions show that the next implemented feature will be stealing contacts. Let's wait and see how the app evolves. In the meantime, for all the Blade Runner fans, this is an excerpt from the app's certificate:
Issuer
DN: C=IT, ST=Italy, L=Rome, O=Tyrrel Corporation, OU=R&D, CN=Marco Rossi
C: IT
CN: Marco Rossi
L: Rome
O: Tyrrel Corporation
S: Italy
OU: R&D