Authors: Jinjian ZHAI, Yang SONG, Mengmeng LI
100 miles north of San Francisco in the City of Ten Thousands Buddhas, a statue of Mercy Goddess with 1,000 hands has been worshipped since 1974. The 1,000 hands are used to save people separately. However, those hands are rooted from the same body.
A series of repackaged apps can be looked at in the same way as that statue with 1,000 hands. That is, thousands of individual apps with distinctive MD5 hash were indeed similar derivatives, classified by the unique package name with the same or a handful of developing groups.
Research of the individual APK samples can lead to the specific app version and developer information, and in turn reveal the developer’s reputation and network of repackaged apps within the global Android markets.
Fig. 1 The popular QQDownloader app has over 1,600 derived APKs available on the internet.
As shown in Fig.1, we take the APKs which share the same package name “com.tencent.android.qqdownloader” as research samples in this blog. They are chosen because firstly, the app reflects a variety of APK downloading sources; secondly, the app itself is an Android marketplace, and thus is prone to the attack of hackers as a base app to deliver more repackaged apps.
The market itself is an Android app, which needs to be downloaded from the internet directly. It recommends apps as well as provides downloading sources upon search / query.
We have kept monitoring the malicious behaviors of this family, and have collected over 1,605 versions of this family. The 1,605 versions of QQDownloader consists of many authentic apps, as well as a few repackaged apps. Some of the repackaged apps are even malware.
The reason that such a large number of versions exist lies in the fact that firstly QQDownloader is the counterpart of Google Play in China, and has been updated frequently; secondly, QQDownloader is so popular that it has been the target of hackers for possibly monetary gains.
I. The Authentic Apps
The authentic apps of “com.tencent.android.qqdownloader” are marked with exactly the same developer signature.
Fig. 2 The authentic developer certificate signature of QQDownloader.
As shown in Fig. 2, the authentic QQDownloader is developed and maintained by the Android QZone Team in Beijing.
This authentic sub-series represents the majority of the 1,605 samples being researched. They consist of 1,583 samples signed by the developer’s certificate signature as shown in Fig. 2.
II. The Repackaged Apps
The remaining 22 apps are repackaged apps. Based on the authentic and repackaged apps’ discrepancy of the main-launcher activity name, which is concurrently registered as “android.intent.action.MAIN” and categorized as “android.intent.category.LAUNCHER” under the same android:name action in the AndroidManifest.xml, we found a few repackaged apps of interest.
We analyzed one APK for its dynamic behaviors, network traffic, and static code logic. The Metadata of the sample being researched is shown in Fig. 3.
Fig. 3 The Metadata of the Illegitimate and Repackaged Sample of the QQDownloader app.
Fig. 4. AndroidManifest.xml of the repackaged QQDownloader app. The main activity from the launcher is com.fk.bh.MyActivity
As shown in Fig. 4, the main activity which is linked to the launcher icon in the home page of the phone is com.fk.bh.MainActivity, while the main activity of the authentic QQDownloader app – “com.tencent.assistant.activity.SplashActivity” is bypassed.
The sample passed most AV vendor scannings as benign, with Virustotal score of 1/55 when initially submitted, as shown in Fig. 5:
Fig. 5 VirusTotal scan of the repackaged sample when queried on 11/09/2015.
Yet further investigation of the main activity reveals some suspicious function calls.
Fig. 6. The main activity of the repackaged app redirects the onCreate() function to a stored string in AndroidManifest.xml.
Firstly, a service called YangService is started by the initializer YangInit.getM() from the initSad() function of Fig. 6.
Secondly, as shown in jumpToOther() function of Fig. 6, a class name is read from the MyUtil.getRac() function, which in turn reads the activity name “com.tencent.assistant.activity.SplashActivity” from AndroidManifest.xml (as shown in Fig. 4)
A question of who and why they insert the extra service into the SplashActivity of the QQDownloader would be proposed naturally against the repackaged app. Bearing such questions, we examed the developer’s certificate signature of the app:
Fig. 7. The developer’s certificate signature of the repackaged app.
As shown in Fig. 7. the Issuer’s Information is too brief to reveal the real developer’s information, which suggests his/her suspicious behavior.
A detailed scrutiny of the YangServer and YangReceiver class reveals that the injected service is used to load class methods dynamically :
Fig. 8. The dynamic class loading source code called by the functions of the injected YangService class.
When monitoring the dynamic behaviors and sniffing the network traffic while the app is running in the Trustlook Mobile Sandbox environment, we found that the app slagged the initial activity of the main QQDownloader layout and covered the phone screen with a large ad window.
Fig. 9 The ad window started by the repackaged QQDownloader app.
When following the network traffic packets, we found that customer’s privacy was collected and sent to the ad server in Aliyun, the public cloud service platform.
Fig. 10. The network packet with customer’s privacy was sent to the ad server based on the Aliyun cloud service platform.
Fig. 11. The ad packet contains URL of APKs and ad pictures. The pictures are rotating and clickable in Fig. 9.
As shown in Fig. 10 and Fig. 11, the ad server collects the following private information and uses it to push ads in the injected ad window:
- customer’s gender and age
- phone number
- IP address
- MAC address
- location, longitude, and latitude
- IMEI and IMSI
- OS version
- ISP service
We see that the repackaged QQDownloader sample as being dangerous adware. When we continued to research other repackaged QQDownloader samples, we found a list of suspicious developer certificate signatures. As shown in Fig. 12, they either contain little information or purposely alter the initial QZone developing team’s information.
Fig. 12. Some suspicious developer certificate signatures of the repackaged apps of QQDownloader.
In general, the authentic apps are repackaged due to one or more of the following reasons:
- The developer would like to change the ad network
- The developer would like to inject malicious code
- The developer would like to republish the app in an Android market other than the one where the authentic app is published.
If you would like to know the list of malware MD5s or the detailed report, please contact email@example.com