Malware Analysis Opinion about this .apk

Deleted member 65228 (Guest), post #2:
According to that Hybrid-Analysis report, the sample references "Baidu" in its strings and has permissions such as READ_HISTORY_BOOKMARKS. That permission in particular, once granted, will allow the sample to read the bookmarks from your web browser.

According to the VirusTotal report:

Certificate information
Code:
Subject
    DN: CN:votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
    CN: votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
validto: 11:46 AM 06/05/2043
serialnumber: 5ad9df61
thumbprint: ef48cab315787d955dc7ebda688a4d3cb6c49d88
validfrom: 11:46 AM 01/18/2016
Issuer
    DN: CN:votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
    CN: votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
Interesting Strings
Code:
http://
http://3g.sina.com.cn
http://3g.sina.com.cn/
http://addons.sync.maxthon.
http://android.datacenter.maxthon.%domain%/news/category?v=1&guid=%device_id%&section_id=%section_id%&length=%length%&id=%id%&summary=%summary%&version=%version%&order=%order%&lang=%language%&country=%country%
http://android.datacenter.maxthon.%domain%/news/channel?v=1&source_type=%source_type%&channelid=%channelid%&version_code=%version_code%&lang=%language%&country=%country%&local_version=%local_version%
http://android.datacenter.maxthon.%domain%/news/customize?v=1&guid=%device_id%&section_id=%section_id%&length=%length%&id=%id%&summary=%summary%&version=%version%&order=%order%&country=%country%&lang=%language%
http://android.datacenter.maxthon.%domain%/news/item?v=1&guid=%device_id%&id=%id%&section_id=%section_id%&lang=%language%&country=%country%&type=html
http://bookmark.sync.maxthon.
http://data-android.maxthon.cn/upload.html
http://data-android.maxthon.com/upload.html
http://g.dcs.maxthon.com/mx4/enc?data=%data%
http://g.dcs.maxthon.com/mx4/enc?keyid=default&data=%data%
http://g.perload.maxthon.com/mx4/enc?keyid=default&data=%data%
http://g.perload.maxthon.com/rss/enc?data=%data%
http://gate.baidu.com/tc?from=1090q&src=%target%
http://haha.mx
http://hostname/?
http://m.ccb.com
http://m.cpdyj.com/
http://m.dili360.com/
http://m.tianya.cn/
http://mad.m.maxthon.%host%/promotion/query.php?source_type=%source_type%&channelid=%channelid%&version_code=%version_code%&country=%country%&language=%language%&dvc_id=%device_id%&uid=%uid%&vname=%version_name%
http://maxthon.cn
http://maxthon.com
http://mm.maxthon.cn
http://mm.maxthon.cn/bugcollect/bugreport.php
http://mm.maxthon.cn/feedback/feedback.php
http://mm.maxthon.cn/helpcenter/help/
http://mm.maxthon.cn/mxbrowser/diy.jsp?source_type=%source_type%&channelid=%channelid%&revision=%revision%&version_code=%version_code%&language=%language%&country=%country%&update_version=1&imei=%imei%
http://mm.maxthon.cn/mxbrowser/vote.php?imei=%imei%
http://mm.maxthon.cn/mxbrowser/vote.php?imei=%imei%&status=%status%
http://mm.maxthon.cn/mxbrowser2/checkin/checkin.php?country=%country%&imei=%imei%
http://mm.maxthon.cn/quickdialext/getexturl.php
http://mm.maxthon.cn/webapp/quickdail/
http://mm.maxthon.com/helpcenter/help/
http://mm.maxthon.com/mxbrowser/diy.jsp?source_type=%source_type%&channelid=%channelid%&revision=%revision%&version_code=%version_code%&language=%language%&country=%country%&update_version=1&imei=%imei%
http://mm.maxthon.com/quickdialext/getexturl.php
http://mm:blank
http://my.maxthon.cn/convention.html
http://my.maxthon.cn/recover.html
http://my.maxthon.com/convention.html
http://my.maxthon.com/recover.html
http://online.user.maxthon.
http://p.dcs.maxthon.com/android/ueip
http://profile-api.user.maxthon.
http://profile.user.maxthon.
http://rss_chl.fakeurl
http://rss_reader.fakeurl
http://schemas.android.com/apk/res/android
http://sns.user.maxthon.
http://sns.user.maxthon.cn/v1/request_token?command=
http://sns.user.maxthon.com/v1/request_token?command=
http://stats-a.maxthon.cn/phone-1/online?
http://stats-a.maxthon.com/phone-1/online?
http://suggest.yandex.ru/suggest?part={query}&n=10&nav=yes&mob=1&partner=maxthon
http://suggestion.baidu.com/su?wd={searchTerms}&t={time}&ie=utf-8
http://w.159.com/Index.aspx?url=
http://w2w.spforum.net/?
http://wap.baidu.com/s?from=1097d&word=%s
http://www.baidu.com
http://www.commercial-my-netsky.cu.cc/ton.php?sid=7&tds-key=Bluetooth ToolKit
http://www.google-analytics.com/collect
http://www.google.com
http://www.google.com.hk
http://www.google.com.hk/complete/search?hl={lang}&client=android&q={searchTerms}
http://www.google.com/search?client=aff-maxthon-maxthon4&channel=t8&q=%s
http://yandex.ru/
http://yandex.ru/touchsearch?clid=1909116&text=%s
https://
https://contacts-u.maxthon.com/v1/contacts/sendfile/get
https://contacts-u.maxthon.com/v1/contacts/sendfile/setnickname
https://cs-s.maxthon.com
https://device-u.maxthon.com/device/bind/
https://device-u.maxthon.com/device/status/
https://login-u.maxthon.
https://my.maxthon.cn
https://my.maxthon.com
https://mytabs-u.maxthon.com/
https://mytabs-u.maxthon.com/?userid=
https://profile-api-u.maxthon.cn/getCountryName
https://profile-api-u.maxthon.cn/getMobileVcode
https://profile-api-u.maxthon.cn/register
https://profile-api-u.maxthon.com/getCountryName
https://profile-api-u.maxthon.com/getMobileVcode
https://profile-api-u.maxthon.com/register
https://ssl.google-analytics.com/collect
https://transfile-s.maxthon.com/share
https://transfile-s.maxthon.com/transfile/device
If you check the information regarding the other permissions, you'll see it has the potential to: start up as soon as the device has booted; prevent the phone from going into sleep mode; perform network activity; utilise GPS; access browser history/bookmarks; and more.

I do not know if the APK is malicious or not because I am no Android malware analyst; however, what I will say is that personally it does raise red flags and I would not trust it. You can look into using a Virtual Machine/emulation for Android to maybe test the sample out if you needed to for further analysis.
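The two checks this post is doing by hand, reading the declared permissions and eyeballing the string list for hosts, can be scripted for triage. The script below is an added example written for this thread, not code from the poster or from either report. The manifest it parses is constructed (it declares the real Android permission names that correspond to the capabilities described above; that behaviour-to-permission mapping is the editor's), and the URL list is a handful of the strings quoted from the report. Hosts containing %placeholders% are reported separately because they are URL templates the app fills in at run time, so they cannot be resolved or blocked as written.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed AndroidManifest.xml fragment (NOT the sample's manifest). The
# permission set mirrors the capabilities described in the post above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# A few of the URL strings listed in the report above, copied verbatim.
REPORT_STRINGS = [
    "http://",
    "http://www.baidu.com",
    "http://mm.maxthon.cn/mxbrowser/vote.php?imei=%imei%",
    "http://mm.maxthon.cn/feedback/feedback.php",
    "https://profile-api-u.maxthon.com/register",
    "http://android.datacenter.maxthon.%domain%/news/item?v=1&guid=%device_id%",
    "http://rss_reader.fakeurl",
    "http://www.commercial-my-netsky.cu.cc/ton.php?sid=7&tds-key=Bluetooth ToolKit",
    "http://mm:blank",
]

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Permissions worth a second look during triage and the capability each grants.
# The mapping from the post's wording to permission names is the editor's.
WATCHLIST = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "start as soon as the device has booted",
    "android.permission.WAKE_LOCK": "prevent the phone from going into sleep mode",
    "android.permission.INTERNET": "perform network activity",
    "android.permission.ACCESS_FINE_LOCATION": "utilise GPS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser history/bookmarks",
}

URL_HOST = re.compile(r"^https?://([^/?#]*)")


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME) for el in root.iter("uses-permission")]


def flag_permissions(permissions):
    """Map each declared watch-listed permission to the capability it grants."""
    return {p: WATCHLIST[p] for p in permissions if p in WATCHLIST}


def host_summary(strings):
    """Count the host of every URL-like string; hosts containing a %placeholder%
    are also returned as a separate list because they are run-time templates."""
    counts = Counter()
    templated = []
    for s in strings:
        m = URL_HOST.match(s)
        if not m or not m.group(1):
            continue  # bare "http://" prefix with no host
        host = m.group(1).split(":")[0].lower()  # drop a port, e.g. "mm:blank" -> "mm"
        counts[host] += 1
        if "%" in host:
            templated.append(host)
    return counts, templated


if __name__ == "__main__":
    perms = declared_permissions(SAMPLE_MANIFEST)
    for perm, capability in flag_permissions(perms).items():
        print(f"{perm}: can {capability}")
    counts, templated = host_summary(REPORT_STRINGS)
    for host, n in counts.most_common():
        print(f"{n:3d}  {host}")
    print("templated hosts:", templated)
```

On a real APK the manifest is binary XML inside the archive, so it has to be decoded first (for example with apktool or androguard) before being fed to `declared_permissions`; the host summary works as-is on the strings output of any report.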
 

tim one (Level 21, Trusted, AV-Tester; joined Jul 31, 2014), post #3:
@Opcode said a lot, and in my opinion too this file is not so safe, just from seeing the network activity and permissions.
Honestly, I didn't get additional info from the HA report, and it would be really interesting to know if this file has some interaction with the operating system processes, for example.

I'm more familiar with Windows runtime code injection, where CreateRemoteThread lets us force an arbitrary running process to call LoadLibrary and load a DLL into its address space (DLL injection).

Unfortunately there's no CreateRemoteThread equivalent on an Android/ARM system, therefore we can only rely on ptrace and something else.
But avoiding technical explanations, usually an apk that injects code may:

- Get the needed functions' addresses.
- Use the remote malloc/calloc to copy the library name string into the remote process.
- Use the remote dlopen with the previously allocated buffer to load the library.
- Use the remote dlsym if needed.

Once it has the library injected, it can do some things, like dynamic API hooking/tracing/patching, process introspection, runtime memory patching, etc.

I have some background in Android analysis but, really, I'm not an expert, so please correct me if I said some nonsense :)
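Whatever the injection mechanism, the end state described above is the same: a shared object that the app never shipped is mapped executable in its process. That is something an analyst can look for from the outside, by reading /proc/&lt;pid&gt;/maps on the emulator or device. The script below is an added example for this thread, not the poster's code. It parses a constructed maps excerpt (the paths and names are made up for the example) and flags executable .so mappings that come neither from a system directory nor from the app's own install directory; the allow-list of trusted prefixes is a hypothetical starting point and must be tuned to the Android version under test.

```python
import re

# Constructed /proc/<pid>/maps excerpt for an Android app process (not real data).
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1b2c3000-7a1b2d5000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so
7a1b300000-7a1b320000 r-xp 00000000 fd:00 1235   /system/lib64/libdl.so
7a1b400000-7a1b410000 r-xp 00000000 fd:01 4321   /data/app/com.example.app-1/lib/arm64/libnative.so
7a1b410000-7a1b420000 r--p 00010000 fd:01 4321   /data/app/com.example.app-1/lib/arm64/libnative.so
7a1b500000-7a1b501000 r-xp 00000000 fd:01 9999   /data/local/tmp/libinjected.so
7a1b600000-7a1b610000 r-xp 00000000 fd:01 9998   /data/data/com.example.app/files/libpayload.so
7ffd0000-7fff0000 rw-p 00000000 00:00 0          [stack]
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

# Directories from which a stock app is expected to execute native code.
# Hypothetical allow-list for this example; tune it to the device and OS version.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/product/")


def parse_maps(text):
    """Parse /proc/<pid>/maps lines into dicts with start, end, perms and path."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, _offset, _dev, _inode, path = m.groups()
        entries.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "path": path})
    return entries


def unexpected_executable_libraries(entries, package):
    """Return executable .so paths that live neither under a trusted system
    prefix nor under the app's own install directory (/data/app/<package>-N/)."""
    own_prefix = "/data/app/" + package
    found = []
    for e in entries:
        path = e["path"]
        if "x" not in e["perms"] or not path.endswith(".so"):
            continue
        if path.startswith(TRUSTED_PREFIXES) or path.startswith(own_prefix):
            continue
        if path not in found:
            found.append(path)
    return found


if __name__ == "__main__":
    entries = parse_maps(SAMPLE_MAPS)
    for path in unexpected_executable_libraries(entries, "com.example.app"):
        print("unexpected executable library:", path)
```

On a real device the input comes from `adb shell cat /proc/<pid>/maps` (root or a debuggable app is needed to read another process's map), and a hit is a lead to follow up rather than a verdict: some legitimate apps do unpack and load libraries from their private data directory.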
 
Deleted member 65228 (Guest), post #4:
tim one said:
Once it has the library injected, it can do some things, like dynamic API hooking/tracing/patching, process introspection, runtime memory patching, etc.
Run-time memory patching is the same as API hooking since it is changing execution flow in memory, as long as you're redirecting to elsewhere.

For example, run-time byte (or you could say memory) patching is also known as "detours"/"detouring" and it consists of inserting your own instructions at the address of a function so when execution flow lands at that address, the Instruction Pointer processes your instructions since they now exist in memory. An example of instructions you might insert could be:

Code:
; 32-bit process:
MOV EAX, ADDRESS    ; ADDRESS is a 4-byte absolute address
JMP EAX             ; or CALL EAX

; 64-bit process:
MOV RAX, ADDRESS    ; ADDRESS is an 8-byte absolute address
JMP RAX
On Windows I would use RtlCreateUserThread or NtCreateThreadEx for creating a remote thread for cross-user process support (processes being run under other user accounts) as long as SeDebugPrivilege can be enabled. CreateRemoteThread will land at RtlCreateUserThread and then RtlCreateUserThread will land at NtCreateThreadEx. :)

As far as Android is concerned, I don't have experience with it so I don't know... My personal verdict earlier was just based on the information I read from the H-A/VT report, but it is probably unsafe!
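The stubs quoted in this post have a fixed byte encoding, which is what makes a detour of this shape detectable: MOV EAX, imm32 is B8 followed by the 4-byte address, MOV RAX, imm64 is 48 B8 followed by the 8-byte address, and JMP EAX/RAX and CALL EAX/RAX encode as FF E0 and FF D0. The script below is an added example for this thread, not the poster's code; it checks the first bytes of a function for exactly those two stubs and recovers the target address, which is how an integrity check or a memory scanner would notice that an exported function has been patched. The prologue bytes it scans are constructed for the example and are not dumped from any real process.

```python
import struct

# Opcode bytes of the stubs quoted in the post above.
MOV_EAX_IMM32 = 0xB8          # MOV EAX, imm32
MOV_RAX_IMM64 = b"\x48\xb8"   # REX.W + MOV RAX, imm64
JMP_EAX_RAX = b"\xff\xe0"     # JMP EAX  (32-bit) / JMP RAX  (64-bit)
CALL_EAX_RAX = b"\xff\xd0"    # CALL EAX (32-bit) / CALL RAX (64-bit)

# Constructed prologue bytes (not dumped from any real process).
CONSTRUCTED_PROLOGUES = {
    # push ebp ; mov ebp, esp ; sub esp, 0x10  -- an ordinary 32-bit prologue
    "clean32": bytes.fromhex("558bec83ec10"),
    # MOV EAX, 0x7c801234 ; JMP EAX  -- the 32-bit stub from the post
    "hooked32": bytes([MOV_EAX_IMM32]) + struct.pack("<I", 0x7C801234) + JMP_EAX_RAX,
    # mov [rsp+8], rbx ; push rdi  -- an ordinary 64-bit prologue
    "clean64": bytes.fromhex("48895c240857"),
    # MOV RAX, 0x00007ff812345678 ; CALL RAX  -- the 64-bit stub, call variant
    "hooked64": MOV_RAX_IMM64 + struct.pack("<Q", 0x00007FF812345678) + CALL_EAX_RAX,
}


def detect_detour(code):
    """If `code` starts with "MOV EAX/RAX, ADDRESS" followed by "JMP/CALL EAX/RAX",
    return (arch, transfer, target_address); otherwise return None."""
    # 32-bit: B8 <imm32> FF E0|D0  (7 bytes)
    if len(code) >= 7 and code[0] == MOV_EAX_IMM32 and code[5:7] in (JMP_EAX_RAX, CALL_EAX_RAX):
        transfer = "jmp" if code[5:7] == JMP_EAX_RAX else "call"
        return ("x86", transfer, struct.unpack_from("<I", code, 1)[0])
    # 64-bit: 48 B8 <imm64> FF E0|D0  (12 bytes)
    if len(code) >= 12 and code[:2] == MOV_RAX_IMM64 and code[10:12] in (JMP_EAX_RAX, CALL_EAX_RAX):
        transfer = "jmp" if code[10:12] == JMP_EAX_RAX else "call"
        return ("x64", transfer, struct.unpack_from("<Q", code, 2)[0])
    return None


def scan_prologues(prologues):
    """prologues: {function name: first bytes}. Returns {name: detour info} for hits."""
    hits = {}
    for name, code in prologues.items():
        info = detect_detour(code)
        if info is not None:
            hits[name] = info
    return hits


if __name__ == "__main__":
    for name, (arch, transfer, target) in scan_prologues(CONSTRUCTED_PROLOGUES).items():
        print(f"{name}: {arch} {transfer} to 0x{target:x}")
```

This only recognises the two stubs the post lists. A hook written as a relative JMP (E9 rel32) or placed a few instructions into the function needs its own pattern, and the robust check is to compare the in-memory bytes against the on-disk image rather than to enumerate stub shapes.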
 
Post #5 (member joined Jul 1, 2017; 275 messages; OS Linux; Antivirus: Isolation):
One more thing: I informed the author of the original .apk. This application, renamed as "bluetooth toolkit unlimited coins", was downloaded from Aptoide to see what it was; I saw from the beginning it was something else. I will read your comments very carefully. Very instructive for me.

This is the original Android .apk from which the author of this ".apk" copied the main icon.

[XPOSED] Bluetooth ToolKit - Android Apps on Google Play

He told me he will start the removal process, but needs some time to remove it from Aptoide.
 
Deleted member 65228 (Guest), post #6:
Quoting post #5:
One more thing: I informed the author of the original .apk. This application, renamed as "bluetooth toolkit unlimited coins", was downloaded from Aptoide to see what it was; I saw from the beginning it was something else. I will read your comments very carefully. Very instructive for me.

This is the original Android .apk from which the author of this ".apk" copied the main icon.

[XPOSED] Bluetooth ToolKit - Android Apps on Google Play
Sorry if I am misunderstanding, but just to make sure... The APK file from the starting post in this thread is a fake copy of the genuine APK download you linked us to in the post I am quoting now? :)
 
Post #10 (member joined Jul 1, 2017; 275 messages; OS Linux; Antivirus: Isolation):
I first informed the dev; the detection on VirusTotal was only caught by Fortinet. It was also a way for me to decide which program to use as antivirus on the phone.

Just this:
2017-08-23 19:27:23 UTC ( 1 week, 3 days ago )
 
Deleted member 65228 (Guest), post #11:
Quote:
I wanted to know if it was malware; at this point it looks to me like an infostealer?
I cannot comment on an official verdict because I am not an Android analyst, nor do I have experience with handling malicious software for Android; however, what I can tell you is that if the APK is pretending to be something it is not while having the intention of performing malicious operations, then it at least falls under the term "Trojan". But I am not sure what the naming is for Android malware.

I suggest you submit the APK to AV vendors and ask for their verdict. They have teams of Android/Linux/OS X analysts usually, not just Windows.
 
Post #12 (member joined Jul 1, 2017; 275 messages; OS Linux; Antivirus: Isolation):
I deleted the sample here; if someone can inform some AV vendors about it, please do. I was disappointed it wasn't caught, but it reminds me of signature-based detection.
I think it can be downloaded from hybrid-analysis with a login.
 
Post #13 (member joined Jul 1, 2017; 275 messages; OS Linux; Antivirus: Isolation):
I also saw there are many descriptions of WAP operators in the Chinese market; I'm not an expert, but maybe it was created specifically for a specific target.
 
Post #14 (member joined Jul 1, 2017; 275 messages; OS Linux; Antivirus: Isolation):
The .apk is still there under the name of harryvlnrt, if some antivirus vendors want to check.
The removal is surely harder than on Google Play; it has been 2 weeks.
 