Bangle Android App Packer: Unpacking & Analysis

Trustlook Labs has identified a malicious app which is most likely using social engineering attacks to trick users to install it. The app (MD5: eb9d394c1277372f01e36168a8587016) is packed by Bangle packer. The main activity triggering installation of the app is “com.goplaycn.googleinstall.activity.SplashActivity.” However, that activity is not found anywhere in the decompiled code:

image1

A closer look at what is happening in the code
From class SecAppWrapper, there is a “System.loadLibrary” call to load “secShell.” The native layer code in the module is responsible for decrypting and loading the app’s primary payload from “assets\secData0.jar,” which is a zipped DEX file after it’s decrypted.

image3

image2

Most method names in the “secShell” module are obfuscated, and their strings are decrypted when in use.

image5

The app detects most hooking and patching frameworks, such as Xposed. Xposed is a framework for manipulating Android applications’ flow at runtime.

image4

image7

The app forks a child process and calls “ptrace” to attach to the parent to prevent any attaching attempts by debuggers. The multiple processes trace one another to make sure the children stay alive.

image6

image9

image8

The app also monitors values in the /proc files system to check the status of the process.

image12

The JNI_OnLoad function in the “secShell” module has switch branches. One branch is responsible for anti-debugging, the other (located at 0x7543EAE4 below) will lead to the main DEX module for decrypting.

image10

The following is the decrypting function:

image11

image13

After the anti-debugging is bypassed, the function “p34D946B85C4E13BE6E95110517F61C41” decrypts the data. Register R0 contains the file location, as identified by the header bytes “PK\x03\x04.” R1 stores the size of the file.

image14

image15

We can dump the memory:

image16

After unzipping the file, we get the DEX file which can be viewed normally:

image17

Summary
Android packers are valuable tools used to protect the intellectual property of legitimate mobile application developers. However, they can be also used for nefarious purposes, and make analyzing malicious apps more difficult. Trustlook Labs continues to work on identifying malicious applications to protect our customers and the mobile ecosystem.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s