CloudAtlas - commercial-grade Android malware

Few days ago Blue Coat published a whitepaper about so-called "The Inception Framework": a commercial-grade malware used in some more or less targeted attacks. The paper describes the details (with some nice pictures) and outlines an Android app used in this attacks. Because AV companies seem to stick with the "CloudAtlas" name in their signatures for this malware I will use the same name. Let's dive a bit into the most interesting bits, which I haven't seen in the Android malware before.

The "you can't see the log name" trick

First things first: it's a commercial-grade malware and is written as any commercial software would be - one class has a single responsibility, everything is logged and the code looks clean even after the decompilation. If you're a software engineer in a big company you probably recognize the function names presented on the screenshot below (maybe you even use the same names in your project?).



It also uses a simple obfuscation techniques that we got used to. It pretends that it's a "WhatsApp" update, which is a common theme in the commercial-grade malware segment - FinSpy suggested a similar infection vector for its customers. Anyhow, let's start with a log file, which has a really interesting name that I cannot write. Not because I don't want to, but because it's a white character, namely System.getProperty("line.separator"). This, on Android, should be the newline character (\n).  Below is the code responsible for the logging and, as you can see, static member b holds the name of the logfile.


The logging mechanism is pretty extensive - it logs every action so the forensic analysis of the infected phone should be a piece of cake.

C&C hosted on the blog

Malware does not seem to use the SMS C&C, it only uses the HTTP. Well, actually it is more complicated then this. It uses a livejournal blogging website with three different blog addresses. These are supposed to look like a legitimate blogging websites (at least according to the Blue Coat whitepaper), but they also contain something extra - a blog-index tag. Malware searches for this tag and its content, as you can see below.


This search returns one or more base64 encoded strings. After the decoding there is also some kind of a custom encryption scheme, some part of which is presented below. If you want to know more see the g, i and c classes in the sample.


This extra tag content provided both the dropzone URL and the commands (or rather "tasks" as it is called in the malware). It should be pointed out that this is a known technique in the Windows malware. Anyhow, very nice feature for an Android malware! I haven't seen it yet.

From what I gathered, apart from the features mentioned in the whitepaper (call and audio recording, location, contacts, text messages etc.), this malware could also load a DEX file downloaded from the C&C server. Another nice feature, right? Also, it has an awful lot of log comments in Hindi. Overall, well-written and somewhat creative malware.

Comments

Post a Comment

Popular posts from this blog

Having fun with AndroidManifest.xml

Image
Before w will get back to Sandrorat let's have some fun. It's weekend after all, or rather it was weekend when I wrote this post. Everyone that ever tried to see the insides of the APK file knows what's an AndroidManifest.xml file is. Some even know that, inside the APK, it's not a real XML, but rather a compressed, binary form of an original XML. This compressed form was first abused in the Android.OBAD malware . Compressed form of an XML differs with the real XML in at least one key aspect, hidden in the String Pool. Let's have a look at a compressed AndroidManifest.xml file of the previously mentioned Sandrorat sample and see if we can do something interesting with it. If you want to skip directly to the fun part, just ignore the next section.
Read more

Android malware based on SMS encryption and with KitKat support

Image
Most of the malware based on the SMS C&C communication channel is not compatible with Android 4.4 KitKat. This is due to the fact that KitKat introduced a concept of one messaging app, which all other apps had to go trough before they send or handle a received text message. This prevented malware from hiding received short messages or sending without saving them in the "Sent" folder. Well, it wasn't hard to predict that this state of affairs wouldn't last long and that malware authors would eventually catch up. Malware described here not only supports KitKat, but also uses an open-source SMS encryption tool  as a basis for its code. Let's have a look at the insides of the new sample (hash: 84e2e9e8430792b583d02d3cc1bf8535 ) and let's call it SmsSecure, just for the sake of brevity.
Read more

Android malware goes Mono (.NET) and Lua!

Image
In December I attended a (really great!) Botconf 2014 conference. During that conferece I gave a  lightning talk about an interesting Android malware sample that (presumably) used Lua and Mono (hence, .NET) as a way of obfuscation. Very recently  @tbiehn  Tweeted to me a solution for a problem that I run into during the analysis. So now, below, you can find details about the weird Lua/.NET/Java Android sample . It says "Please wait, loading data" Quick overview It starts fairly innocent, with an app called Metrics.Me and it has a pretty standard malware permissions, as can be seen on a screenshot below. It uses a VKontakte icon, probably to pose as a kind of social media app. The main and only screen of this app is shown above. Let's start with the usual place: the SMSReceiver . And now things get a little complicated. There are a lot of references to the "monodroid". It turns out that this is actually a Mono (.NET) implementation in Andro
Read more