Malware Analysis Opinion about this .apk

Discussion in 'Malware Analysis' started by lowdetection, Sep 1, 2017.

  1. lowdetection

    Online Malware Analysis Report:
    https://www.hybrid-analysis.com/sample/5530271cfaa69d655a49357deb9c18c9e0082b9c6579ec90bd1b049c38f42f3c?environmentId=200
    VirusTotal Report:
    https://www.virustotal.com/en/file/5530271cfaa69d655a49357deb9c18c9e0082b9c6579ec90bd1b049c38f42f3c/analysis/1503502886/
    Analysis mode:
    Static and Dynamic Analysis
    Host Operating System:
    Tested on Android 7.1.2 and VxStream Sandbox
    Guest Operating System:
    Android
    (Static Analysis) Analysis Tools Used:
    https://apkscan.nviso.be/report/show/09379f417004b442bedffef0b0962f23
    I would like to know what this .apk does, and your opinions. Thanks.
     
  2. Opcode

    According to that Hybrid-Analysis report, the sample references "Baidu" in its strings and has permissions such as READ_HISTORY_BOOKMARKS. That permission in particular, if granted, will allow the sample to read the bookmarks from your web browser.

    According to the VirusTotal report:

    Certificate information
    Code:
    Subject
        DN: CN:votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
        CN: votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
    validto: 11:46 AM 06/05/2043
    serialnumber: 5ad9df61
    thumbprint: ef48cab315787d955dc7ebda688a4d3cb6c49d88
    validfrom: 11:46 AM 01/18/2016
    Issuer
        DN: CN:votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
        CN: votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
    
    Interesting Strings
    Code:
    http://
    http://3g.sina.com.cn
    http://3g.sina.com.cn/
    http://addons.sync.maxthon.
    http://android.datacenter.maxthon.%domain%/news/category?v=1&guid=%device_id%&section_id=%section_id%&length=%length%&id=%id%&summary=%summary%&version=%version%&order=%order%&lang=%language%&country=%country%
    http://android.datacenter.maxthon.%domain%/news/channel?v=1&source_type=%source_type%&channelid=%channelid%&version_code=%version_code%&lang=%language%&country=%country%&local_version=%local_version%
    http://android.datacenter.maxthon.%domain%/news/customize?v=1&guid=%device_id%&section_id=%section_id%&length=%length%&id=%id%&summary=%summary%&version=%version%&order=%order%&country=%country%&lang=%language%
    http://android.datacenter.maxthon.%domain%/news/item?v=1&guid=%device_id%&id=%id%&section_id=%section_id%&lang=%language%&country=%country%&type=html
    http://bookmark.sync.maxthon.
    http://data-android.maxthon.cn/upload.html
    http://data-android.maxthon.com/upload.html
    http://g.dcs.maxthon.com/mx4/enc?data=%data%
    http://g.dcs.maxthon.com/mx4/enc?keyid=default&data=%data%
    http://g.perload.maxthon.com/mx4/enc?keyid=default&data=%data%
    http://g.perload.maxthon.com/rss/enc?data=%data%
    http://gate.baidu.com/tc?from=1090q&src=%target%
    http://haha.mx
    http://hostname/?
    http://m.ccb.com
    http://m.cpdyj.com/
    http://m.dili360.com/
    http://m.tianya.cn/
    http://mad.m.maxthon.%host%/promotion/query.php?source_type=%source_type%&channelid=%channelid%&version_code=%version_code%&country=%country%&language=%language%&dvc_id=%device_id%&uid=%uid%&vname=%version_name%
    http://maxthon.cn
    http://maxthon.com
    http://mm.maxthon.cn
    http://mm.maxthon.cn/bugcollect/bugreport.php
    http://mm.maxthon.cn/feedback/feedback.php
    http://mm.maxthon.cn/helpcenter/help/
    http://mm.maxthon.cn/mxbrowser/diy.jsp?source_type=%source_type%&channelid=%channelid%&revision=%revision%&version_code=%version_code%&language=%language%&country=%country%&update_version=1&imei=%imei%
    http://mm.maxthon.cn/mxbrowser/vote.php?imei=%imei%
    http://mm.maxthon.cn/mxbrowser/vote.php?imei=%imei%&status=%status%
    http://mm.maxthon.cn/mxbrowser2/checkin/checkin.php?country=%country%&imei=%imei%
    http://mm.maxthon.cn/quickdialext/getexturl.php
    http://mm.maxthon.cn/webapp/quickdail/
    http://mm.maxthon.com/helpcenter/help/
    http://mm.maxthon.com/mxbrowser/diy.jsp?source_type=%source_type%&channelid=%channelid%&revision=%revision%&version_code=%version_code%&language=%language%&country=%country%&update_version=1&imei=%imei%
    http://mm.maxthon.com/quickdialext/getexturl.php
    http://mm:blank
    http://my.maxthon.cn/convention.html
    http://my.maxthon.cn/recover.html
    http://my.maxthon.com/convention.html
    http://my.maxthon.com/recover.html
    http://online.user.maxthon.
    http://p.dcs.maxthon.com/android/ueip
    http://profile-api.user.maxthon.
    http://profile.user.maxthon.
    http://rss_chl.fakeurl
    http://rss_reader.fakeurl
    http://schemas.android.com/apk/res/android
    http://sns.user.maxthon.
    http://sns.user.maxthon.cn/v1/request_token?command=
    http://sns.user.maxthon.com/v1/request_token?command=
    http://stats-a.maxthon.cn/phone-1/online?
    http://stats-a.maxthon.com/phone-1/online?
    http://suggest.yandex.ru/suggest?part={query}&n=10&nav=yes&mob=1&partner=maxthon
    http://suggestion.baidu.com/su?wd={searchTerms}&t={time}&ie=utf-8
    http://w.159.com/Index.aspx?url=
    http://w2w.spforum.net/?
    http://wap.baidu.com/s?from=1097d&word=%s
    http://www.baidu.com
    http://www.commercial-my-netsky.cu.cc/ton.php?sid=7&tds-key=Bluetooth ToolKit
    http://www.google-analytics.com/collect
    http://www.google.com
    http://www.google.com.hk
    http://www.google.com.hk/complete/search?hl={lang}&client=android&q={searchTerms}
    http://www.google.com/search?client=aff-maxthon-maxthon4&channel=t8&q=%s
    http://yandex.ru/
    http://yandex.ru/touchsearch?clid=1909116&text=%s
    https://
    https://contacts-u.maxthon.com/v1/contacts/sendfile/get
    https://contacts-u.maxthon.com/v1/contacts/sendfile/setnickname
    https://cs-s.maxthon.com
    https://device-u.maxthon.com/device/bind/
    https://device-u.maxthon.com/device/status/
    https://login-u.maxthon.
    https://my.maxthon.cn
    https://my.maxthon.com
    https://mytabs-u.maxthon.com/
    https://mytabs-u.maxthon.com/?userid=
    https://profile-api-u.maxthon.cn/getCountryName
    https://profile-api-u.maxthon.cn/getMobileVcode
    https://profile-api-u.maxthon.cn/register
    https://profile-api-u.maxthon.com/getCountryName
    https://profile-api-u.maxthon.com/getMobileVcode
    https://profile-api-u.maxthon.com/register
    https://ssl.google-analytics.com/collect
    https://transfile-s.maxthon.com/share
    https://transfile-s.maxthon.com/transfile/device
    If you check the information regarding the other permissions, you'll see it has the potential to: start-up as soon as the device has booted; prevent the phone from going into sleep mode; perform network activity; utilise GPS; access browser history/bookmarks; and more.

    I do not know if the APK is malicious or not because I am no Android malware analyst; however, what I will say is that personally it does raise red flags and I would not trust it. You can look into using a Virtual Machine/emulation for Android to maybe test the sample out if you needed to for further analysis.
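Added example, not code from the thread or from any tool mentioned in it: a small Python triage over a decoded AndroidManifest.xml that flags the permission groups Opcode lists above and also checks whether a boot-start permission is actually backed by a BOOT_COMPLETED receiver. The permission-to-capability mapping is an assumption (real Android permission names, but the sample's full list is not on the page) and the manifest is constructed.

```python
# Added example (not from the thread): triage a decoded AndroidManifest.xml for
# the capability groups discussed above, and check whether a boot-start
# permission is backed by a receiver registered for BOOT_COMPLETED.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Assumed mapping of real Android permission names to the capabilities
# discussed in the post; the sample's full permission list is not on the page.
CAPABILITIES = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.WAKE_LOCK": "prevent sleep",
    "android.permission.INTERNET": "network activity",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser history/bookmarks",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage(manifest_xml):
    """Return {capability: [permissions]} for flagged permissions, plus a
    'boot_receiver' entry listing receivers that register for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    report = {}
    for p in root.iter("uses-permission"):
        cap = CAPABILITIES.get(p.get(NAME, ""))
        if cap:
            report.setdefault(cap, []).append(p.get(NAME))
    # A boot permission only matters if some receiver really listens for it.
    receivers = [r.get(NAME) for r in root.iter("receiver")
                 if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))]
    if receivers:
        report["boot_receiver"] = receivers
    return report

# Constructed manifest fragment for demonstration; not the sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.fake.toolkit">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_MANIFEST).items():
        print("%-32s %s" % (key, ", ".join(items)))
```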
     
  3. tim one

    #3 tim one, Sep 2, 2017
    Last edited: Sep 2, 2017
    @Opcode said a lot, and according to me too this file is not so safe, already seeing the network activity and permissions.
    Honestly, I didn't get additional info from the HA report and it would be really interesting to know if this file has some interaction with the operating system processes, for example.

    I'm more familiar with Windows runtime code injection: CreateRemoteThread lets us force an arbitrary running process to call LoadLibrary and load a DLL into its address space (DLL Injection).

    Unfortunately there's no CreateRemoteThread equivalent on Android/ARM systems, therefore we can only rely on ptrace and something else.
    But avoiding technical explanations, usually an apk that injects code may:

    - Get the needed function addresses.
    - Use the remote malloc/calloc to copy the library name string into the remote process.
    - Use the remote dlopen with the previously allocated buffer to load the library.
    - Use the remote dlsym if needed.

    Once it has the library injected, it can do some things, like dynamic API hooking/tracing/patching, process introspection, runtime memory patching, etc.

    I have some background in Android analysis but, really, I'm not an expert, so please correct me if I said some nonsense :)
     
  4. Opcode

    Run-time memory patching is the same as API hooking since it is changing execution flow in memory, as long as you're redirecting to elsewhere.

    For example, run-time byte (or you could say memory) patching is also known as "detours"/"detouring" and it consists of inserting your own instructions at the address of a function so when execution flow lands at that address, the Instruction Pointer processes your instructions since they now exist in memory. An example of instructions you might insert could be:

    Code:
    32-bit process:
    MOV EAX, ADDRESS (4 bytes in size for the address)
    JMP EAX ; or call EAX
    
    64-bit process:
    MOV RAX, ADDRESS (8 bytes in size for the address)
    JMP RAX
    
    On Windows I would use RtlCreateUserThread or NtCreateThreadEx for creating a remote thread for cross-user process support (processes being run under other user accounts) as long as SeDebugPrivilege can be enabled. CreateRemoteThread will land at RtlCreateUserThread and then RtlCreateUserThread will land at NtCreateThreadEx. :)

    As far as Android is concerned, I don't have experience with it so I don't know... My personal verdict earlier was just based on the information I read from the H-A/VT report, but it is probably unsafe!
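Added example, not Opcode's code: a Python check that recognises the two detour stubs shown above (MOV EAX/RAX, ADDRESS followed by JMP or CALL through the register) at the start of a function's bytes, the kind of prologue integrity check a defender runs to spot an installed hook and where it redirects. The sample prologues are constructed, not taken from any real binary.

```python
# Added example (not from the thread): recognise the detour stubs described in
# the post at the start of a function and report the redirection target.
import struct

def parse_detour(prologue):
    """Return (bits, target, kind) if `prologue` starts with one of the stubs:
    32-bit: B8 imm32 (mov eax, imm32) then FF E0 (jmp eax) or FF D0 (call eax)
    64-bit: 48 B8 imm64 (mov rax, imm64) then FF E0 (jmp rax) or FF D0 (call rax)
    Otherwise return None."""
    b = bytes(prologue)
    if len(b) >= 7 and b[0] == 0xB8:
        target = struct.unpack_from("<I", b, 1)[0]   # little-endian imm32
        tail, bits = b[5:7], 32
    elif len(b) >= 12 and b[0:2] == b"\x48\xb8":
        target = struct.unpack_from("<Q", b, 2)[0]   # little-endian imm64
        tail, bits = b[10:12], 64
    else:
        return None
    if tail == b"\xff\xe0":
        return (bits, target, "jmp")
    if tail == b"\xff\xd0":
        return (bits, target, "call")
    return None   # mov into eax/rax that is not followed by an indirect jmp/call

def check_prologues(table):
    """table: {function name: first bytes}. Return only the detoured entries,
    mapped to (bits, target, kind), as an integrity sweep would report them."""
    hits = {}
    for name, prologue in table.items():
        found = parse_detour(prologue)
        if found:
            hits[name] = found
    return hits

# Constructed prologues for demonstration; not from any real binary.
SAMPLE = {
    "clean32":  bytes.fromhex("8bff558bec"),                  # mov edi,edi; push ebp; mov ebp,esp
    "hooked32": bytes.fromhex("b878563412ffe0"),              # mov eax,0x12345678; jmp eax
    "hooked64": bytes.fromhex("48b8efbeaddeefbeaddeffd0"),    # mov rax,0xdeadbeefdeadbeef; call rax
    "moveax":   bytes.fromhex("b801000000c3"),                # mov eax,1; ret (not a detour)
}

if __name__ == "__main__":
    for name, (bits, target, kind) in check_prologues(SAMPLE).items():
        print("%-9s %d-bit %s to 0x%x" % (name, bits, kind, target))
```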
     
  5. lowdetection

    One more thing: I informed the author of the original .apk. This application, renamed as "bluetooth toolkit unlimited coins", was downloaded from Aptoide to see what it was; I saw from the beginning that it was something else. I will read your comments very carefully. Very instructive for me.

    This is the original Android .apk from which the author of this ".apk" copied the main icon.

    [XPOSED] Bluetooth ToolKit - Android Apps on Google Play

    He told me he will start the removal process, but needs some time to remove it from Aptoide.
     
  6. Opcode

    Sorry if I am misunderstanding, but just to make sure... The APK file from the starting post in this thread is a fake copy of the genuine APK download you linked us to in the post I am quoting now? :)
     
  7. lowdetection

    Exactly, but only for the icon; it is a modified browser run on Android.
    I tried to follow some of those URLs, but for example the cu.cc domain was already closed.
    I think it was a fast and run action.
     
  8. lowdetection

    I wanted to know if it was malware; at this point this looks to me like an infostealer?
     
  9. Opcode

    Me too! I actually tried to do the same thing earlier before posting the URLs wrapped around the CODE tags and the same result here. :)
     
  10. lowdetection

    I first informed the dev. The detection on VirusTotal was only caught by Fortinet; it was also a way for me to decide what program to use on the phone as antivirus.

    Just this:
    2017-08-23 19:27:23 UTC ( 1 week, 3 days ago )
     
  11. Opcode

    I cannot comment on an official verdict because I am not an Android analyst, nor do I have experience with handling malicious software for Android however what I can tell you is that if the APK is pretending to be something it is not while having the intention of performing malicious operations then it at least falls under the term "Trojan". But I am not sure what the naming is for Android malware.

    I suggest you submit the APK to AV vendors and ask for their verdict. They have teams of Android/Linux/OS X analysts usually, not just Windows.
     
  12. lowdetection

    I deleted the sample here; if someone can inform some AV vendors about that... I was disappointed it wasn't caught, but it reminded me of signature-based detection.
    I think it can be downloaded from Hybrid-Analysis with a login.
     
  13. lowdetection

    I also saw there are many descriptions of WAP of operators of the Chinese market. I'm not an expert; maybe it was created specifically for a specific target.
     
  14. lowdetection

    The .apk is still there under the name of harryvlnrt, if some antivirus vendors want to check.
    The removal surely is harder than on Google Play, after 2 weeks.
     
  15. Opcode

    The sample wasn't shared when uploaded to Hybrid-Analysis so the sample cannot be downloaded.
     