CloudAtlas - commercial-grade Android malware

A few days ago Blue Coat published a whitepaper about the so-called "Inception Framework": commercial-grade malware used in some more or less targeted attacks. The paper describes the details (with some nice pictures) and outlines an Android app used in these attacks. Because AV companies seem to stick with the "CloudAtlas" name in their signatures for this malware, I will use the same name. Let's dive a bit into the most interesting bits, which I haven't seen in Android malware before.

The "you can't see the log name" trick

First things first: it's commercial-grade malware and is written as any commercial software would be - one class has a single responsibility, everything is logged and the code looks clean even after decompilation. If you're a software engineer in a big company you will probably recognize the function names in the screenshot below (maybe you even use the same names in your project?).



It also uses the simple obfuscation techniques we have got used to. It pretends to be a "WhatsApp" update, which is a common theme in the commercial-grade malware segment - FinSpy suggested a similar infection vector to its customers. Anyhow, let's start with the log file, which has a really interesting name that I cannot write. Not because I don't want to, but because it's a whitespace character, namely System.getProperty("line.separator"). This, on Android, should be the newline character (\n). Below is the code responsible for the logging and, as you can see, the static member b holds the name of the logfile.


The logging mechanism is pretty extensive - it logs every action, so forensic analysis of an infected phone should be a piece of cake.
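A whitespace-only file name hides a log from a casual directory listing, but it is trivial to flag once you look for it. The following triage helper is an added example for this post (not code from the sample or from Blue Coat): it walks an extracted app data directory and reports any file or directory whose name consists solely of whitespace or control characters, rendering the name as escaped codepoints so it can go into a report. The directory layout it builds is constructed for the demonstration.

```python
"""Triage helper: find files whose names consist only of whitespace/control characters.

Added example for this post; not code from the CloudAtlas sample. It targets the
logfile-naming trick described above (name == System.getProperty("line.separator"),
i.e. "\n" on Android). The sample directory layout below is constructed.
"""
import os
import tempfile


def is_hidden_by_whitespace(name: str) -> bool:
    """True if a file name is non-empty and made entirely of whitespace/control chars."""
    return len(name) > 0 and all(ch.isspace() or ord(ch) < 0x20 for ch in name)


def find_whitespace_named_files(root: str) -> list:
    """Walk `root` and return paths (relative to root) whose basename is whitespace-only."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            if is_hidden_by_whitespace(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def describe(path: str) -> str:
    """Render a suspicious path with whitespace/control chars escaped, for a written report."""
    return "".join(
        f"\\x{ord(ch):02x}" if ch.isspace() or ord(ch) < 0x20 else ch for ch in path
    )


def build_sample_tree() -> str:
    """Constructed sample: an app data directory with a newline-named log beside normal files."""
    root = tempfile.mkdtemp(prefix="triage_")
    files_dir = os.path.join(root, "files")
    os.makedirs(files_dir)
    with open(os.path.join(files_dir, "\n"), "w") as fh:  # the trick from the post
        fh.write("2014-12-10 task received\n")
    with open(os.path.join(files_dir, "prefs.xml"), "w") as fh:
        fh.write("<map/>")
    os.makedirs(os.path.join(root, "cache"))
    with open(os.path.join(root, "cache", " "), "w") as fh:  # space-named file, also flagged
        fh.write("")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_whitespace_named_files(sample_root):
        print(f"suspicious name: {describe(rel)}")
```

Point it at a pulled `/data/data/<package>/` tree instead of the constructed sample; anything it flags is worth opening, because no legitimate app has a reason to name a file after a line separator.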

C&C hosted on the blog

The malware does not seem to use SMS for C&C; it only uses HTTP. Well, actually it is more complicated than that. It uses the livejournal blogging website with three different blog addresses. These are supposed to look like legitimate blogs (at least according to the Blue Coat whitepaper), but they also contain something extra - a blog-index tag. The malware searches for this tag and its content, as you can see below.


This search returns one or more base64-encoded strings. After decoding there is also some kind of custom encryption scheme, part of which is presented below. If you want to know more, see the g, i and c classes in the sample.


This extra tag content provides both the dropzone URL and the commands (or rather "tasks", as they are called in the malware). It should be pointed out that this is a known technique in Windows malware. Anyhow, a very nice feature for Android malware! I haven't seen it before.
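When you have a saved copy of one of the blog pages, the first analyst question is what the hidden tag actually carries. The script below is an added example for this post, not code from the sample: it pulls the text of every blog-index element out of an HTML page, picks out the base64-looking tokens, decodes them and profiles the result (size, entropy, printable or not). The exact markup of the tag is not given in the post, so a plain `<blog-index>...</blog-index>` element is an assumption, and the custom cipher applied after base64 (the g, i and c classes) is not reproduced; the profile only tells you whether what you hold is already readable or still needs that second stage. The sample page is constructed.

```python
"""Analyst helper: extract and profile the hidden "blog-index" payload of a saved blog page.

Added example for this post, not code from the CloudAtlas sample. Assumes the tag is a
plain <blog-index> element (assumption; the post does not show the markup). The custom
post-decoding cipher is not reproduced here.
"""
import base64
import binascii
import math
import re
from html.parser import HTMLParser


class BlogIndexExtractor(HTMLParser):
    """Collect the text inside every <blog-index> element of a page."""

    def __init__(self):
        super().__init__()
        self._depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "blog-index":
            self._depth += 1
            self.chunks.append("")

    def handle_endtag(self, tag):
        if tag == "blog-index" and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth:
            self.chunks[-1] += data


# Base64 alphabet, at least 16 chars, optional padding: filters out ordinary words.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_base64_blobs(html: str) -> list:
    """Return the base64-looking tokens found inside blog-index elements, in page order."""
    parser = BlogIndexExtractor()
    parser.feed(html)
    blobs = []
    for chunk in parser.chunks:
        blobs.extend(B64_RE.findall(chunk))
    return blobs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, near 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def decode_and_profile(blob: str) -> dict:
    """Base64-decode one token and report size, entropy and whether it is plain printable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return {"valid": False}
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return {
        "valid": True,
        "size": len(raw),
        "entropy": round(shannon_entropy(raw), 2),
        "printable": printable,
        "preview": raw[:32],
    }


# Constructed sample page: a harmless-looking post with the hidden element. The first
# token decodes to a placeholder URL, the second to a placeholder string.
SAMPLE_PAGE = """<html><body>
<h1>My holiday</h1><p>Lovely weather today.</p>
<blog-index>aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZHJvcA== ZXhhbXBsZS1ub3QtYS10YXNr</blog-index>
<p>More text.</p></body></html>"""

if __name__ == "__main__":
    for token in extract_base64_blobs(SAMPLE_PAGE):
        print(token[:24], decode_and_profile(token))
```

A high-entropy, non-printable result is the expected shape for a real CloudAtlas page: that is the point at which the decoded bytes go to the cipher routine from the g, i and c classes rather than to a text viewer.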

From what I gathered, apart from the features mentioned in the whitepaper (call and audio recording, location, contacts, text messages etc.), this malware can also load a DEX file downloaded from the C&C server. Another nice feature, right? Also, it has an awful lot of log comments in Hindi. Overall, well-written and somewhat creative malware.
