TetCon Saigon 2015 presentation, Analyze Code4HK Android Malware aka mRat. In this presentation, I present how I reverse engineer, deobfuscate and analyze the ProGuard-obfuscated Code4HK Android malware from the Hong Kong Code4HK malware campaign with JEB.
5. How was fake Code4HK Distributed?
● Hong Kong activists receive Whatsapp phishing messages from an unknown phone number containing a link to download and install the app.
● Phishing message: “Check out this Android app designed by CODE4HK, for the coordination of OCCUPYCENTRAL!”.
6. Fake Code4HK Installation Process
● An .apk file is downloaded to the device after the victim presses the link in the Whatsapp phishing message.
● If the victim selects to install the apk, a list of sensitive permissions is requested to proceed with the installation.
● A new prompt to install a second apk from the app is presented to the victim with the message “Application is updated, please click to install.”
8. What Can fake Code4HK Get from the Device?
● Contacts: name, contact id, phones, emails
● SMS messages
● Call logs: number, name, type of call (incoming, outgoing, missed), date, duration
● Geographic location (networkId, systemId, baseStationId, latitude, longitude), Mac address
● Email accounts (email provider, username, password) and email contents (display name, sender, recipient, sending time, subject, email body)
9. What Can fake Code4HK Get from the Device?
● Browser bookmarks
● Telephone: phone number, device ID, telephone provider (China Mobile, China Unicom, China Telecom), max CPU frequency, network state (connected, connecting), SIM serial number, Mac address, IP address, total memory
● Wifi passwords: SSID Name, WPA Passphrase, Encryption Type, priority
10. What Other Capabilities does fake Code4HK Possess?
● LIST_DIR: Get tree of files, directories and size of files in a directory
● DO_REMARK: write to log file
● DO_TOAST: show a quick little message for the user
● DO_CALL: call a phone number
● DO_SHELL: execute commands from CnC server
● DO_SET_MONITORNUM: set phone number to monitor
● DO_DOWNFILE: Download file to victim device
● DO_DELETEFILE: delete file from victim device
● DO_UPLOADFILE: upload file from victim host to CnC server
● DO_DELAY_RECORD: delay audio recording time
11. What Other Capabilities does fake Code4HK Possess?
● DO_START_RECORD: start recording audio
● DO_STOP_RECORD: stop recording audio
● DO_XSHELL: create a thread to receive, execute commands and send back results to CnC server
● DO_GET_ROOT_FILE: get content of a file in victim device, save file to /data/data/com.v1/ and send back to CnC server
● DO_SAVE_ALL: get all the data Code4HK could steal from victim device
● DO_GET_SDCARD: Get tree of files, directories in sdcard
13. JEB
● Disassembler
● Decompiler
● Resource viewer
● Interactive features to analyse protected Android applications and Android malware
● JEB = IDA + Hex-Rays for Android with some limitations
16. Reverse Engineering Strategies with JEB
● Use the manifest viewer to learn the essential information the app presents about itself to the Android system: permissions, package, names of application/activities/services/receivers and the corresponding intent-filters, ...
● Start from the main activity to traverse the app, renaming variables, methods and classes to meaningful names
● Utilize cross-references to know how an object is used in a class and how a method is used across the application
● Use the Strings window to quickly search for interesting references while reading the code
● Study the Android APIs used in the app together with the prototype actually used: http://developer.android.com/reference/packages.html
17. Empty methods in JEB and IDA
● When an Android app calls loadLibrary to use external methods from native Android libraries, JEB doesn't know the content of those methods. We get empty methods inside classes.
● Solution: Apktool d target.apk: get the native libraries used in the app (in directory /lib)
● Map library names: MyLibrary turns into libMyLibrary.so
● Research the exported functions of the Android native libraries with IDA and Hex-Rays ARM
22. Digital Certificate
Type: X.509
Version: 1
Serial Number: 0xc481b832c80b4239
Issuer: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
Validity: from = Mon Mar 10 13:51:27 ICT 2014, to = Thu Jul 25 13:51:27 ICT 2041
Subject: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
23. Required Permission
android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.ACCESS_MOCK_LOCATION (mock location sources for testing)
android.permission.PROCESS_OUTGOING_CALLS (intercept outgoing calls)
android.permission.ACCESS_COARSE_LOCATION (coarse (network-based) location)
android.permission.INTERNET (full Internet access)
android.permission.ACCESS_FINE_LOCATION (fine (GPS) location)
android.permission.INTERACT_ACROSS_USERS_FULL ()
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.WRITE_CALL_LOG (write (but not read) the user's contacts data.)
android.permission.GET_TASKS (retrieve running applications)
android.permission.READ_CALL_LOG (read the user's call log.)
com.android.browser.permission.READ_HISTORY_BOOKMARKS (read browser's history and bookmarks)
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.RECORD_AUDIO (record audio)
24. Required Permission
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.VIBRATE (control vibrator)
android.permission.PERMISSION_NAME (Unknown permission from android reference)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.MOUNT_UNMOUNT_FILESYSTEMS (mount and unmount file systems)
android.permission.READ_SMS (read SMS or MMS)
com.android.email.permission.ACCESS_PROVIDER (Unknown permission from android reference)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.MODIFY_AUDIO_SETTINGS (change your audio settings)
25. Infection flow
1.) Open “qq.xml” from the Assets directory.
2.) Create a new directory, “/sdcard/.qq/”
3.) Read the contents of “qq.xml” and create a file, “/sdcard/.qq/temp.apk”
4.) Start StreamService (this will run after reboot)
5.) Display Update message
[Diagram: Code4hk.apk → (2) Create /sdcard/.qq/ → (3) Create /sdcard/.qq/temp.apk → (4) Start StreamService]
26. qq.xml & temp.apk
qq.xml is a minor version of Code4HK which is extracted, renamed to temp.apk and copied to /sdcard/.qq/temp.apk on the first run.
This file will be installed and executed if the victim clicks the “Update” button when the app first runs.
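As an added example (not code from the talk), the two checks an analyst can automate from slides 17, 25 and 26 using only Python's standard library: a content-based scan for assets that are really APKs, whatever their extension (the qq.xml → temp.apk dropper layout), and the mapping from System.loadLibrary names to the lib/<abi>/lib*.so entries. The sample APK is constructed inline; its file names and the library name MyLibrary are assumptions.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = {"classes.dex", "AndroidManifest.xml"}  # marks a ZIP as an APK

def find_embedded_apks(apk_bytes):
    """Return asset entries whose content is an APK, whatever their extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info)
            if not data.startswith(ZIP_MAGIC):  # judge by bytes, not by name
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            if names & APK_MARKERS:
                found.append(info.filename)
    return found

def native_lib_names(apk_bytes):
    """Map System.loadLibrary("X") names to their lib/<abi>/libX.so entries."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            parts = name.split("/")
            base = parts[-1]
            if parts[0] == "lib" and base.startswith("lib") and base.endswith(".so"):
                libs.setdefault(base[3:-3], []).append(name)
    return libs

def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample mimicking the dropper layout: assets/qq.xml is really an APK.
INNER_APK = build_zip({"classes.dex": b"dex\n035\x00", "AndroidManifest.xml": b"\x03"})
SAMPLE_APK = build_zip({"classes.dex": b"dex\n035\x00", "assets/qq.xml": INNER_APK,
                        "assets/config.xml": b"<config/>",
                        "lib/armeabi/libMyLibrary.so": b"\x7fELF"})
```

Running the scan on a real sample replaces SAMPLE_APK with the bytes of the APK under analysis; the list of flagged assets is the candidate set for the second-stage package described in slides 25 and 26.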
40. Prevention and Mitigation
● Don't download and install applications from third-party Android stores or unknown sources.
● Look for the homepage, information and reviews of the application before you install it, to make sure it's legitimate and only asks for necessary permissions.
● Use up-to-date antivirus software.
41. Conclusion
● The malware targets Hong Kong protesters.
● It includes many specific malware features, some of which are not implemented.
● Android users should carefully read the permissions requested while installing apps and compare them to the functionality of the app. When in doubt, submit the apk to an Android sandbox or to reverse engineers for an application audit.