[ Technical Tear Down : First Android Tor Trojan ]

This is probably the first Android Trojan to use Tor, and Kaspersky was the first to report on it. I was lucky to be able to grab a sample off Mila's website, but I'll be doing my own technical tear-down of this malware.

[ Sample used in the analysis ]
MD5: 58fed8b5b549be7ecbfbc6c63b84a728
SHA1: 2e6dbfa85186af23a598694d2667207a254f8979

[ How it starts ]
Since it's Android malware, let's check the permissions it requests and then dissect it further. Use apktool and run the following command:

You should see something like this after running the above command.

Now let's take a look at the AndroidManifest.xml file; you should see the following, including the permissions requested by the APK file.

From the extracted AndroidManifest file, we can see that it requires the following permission(s), and that execution starts in the Main class, as indicated in the manifest.

Hmmm, why does it require BIND_DEVICE_ADMIN?
The Device Administration API provides device administration features at the system level. These APIs allow you to create security-aware applications that are useful in enterprise settings.
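To make the manifest check repeatable without apktool output to hand, here is an added example (not code from the original post) that reads a decoded AndroidManifest.xml, lists the requested permissions, flags the SMS/telephony ones, finds the MAIN/LAUNCHER activity and reports which component is guarded by BIND_DEVICE_ADMIN. The sample manifest is constructed: only the package name, the launcher class com.baseapp.Main and the BIND_DEVICE_ADMIN usage come from the post; the other permissions and the receiver name are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth a second look in a sample that handles SMS and phone data.
SENSITIVE = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}

# Constructed sample manifest in the shape apktool writes out. Only the package
# name, the launcher class com.baseapp.Main and the BIND_DEVICE_ADMIN usage are
# from the post; the other permissions and the receiver name are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.baseapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="BaseApp">
        <activity android:name="com.baseapp.Main">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.baseapp.AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    uses = [_attr(el, "name") for el in root.iter("uses-permission")]

    # Components that declare android:permission. BIND_DEVICE_ADMIN shows up
    # here: it guards the DeviceAdminReceiver rather than being requested
    # with <uses-permission>.
    guarded = {}
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            perm = _attr(el, "permission")
            if perm:
                guarded[_attr(el, "name")] = perm

    # The entry point is the activity carrying a MAIN + LAUNCHER intent filter.
    launcher = None
    for act in root.iter("activity"):
        for filt in act.iter("intent-filter"):
            actions = {_attr(a, "name") for a in filt.iter("action")}
            cats = {_attr(c, "name") for c in filt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                launcher = _attr(act, "name")

    return {
        "package": root.get("package"),
        "launcher": launcher,
        "uses_permissions": uses,
        "sensitive": sorted(SENSITIVE & set(uses)),
        "device_admin_components": sorted(
            c for c, p in guarded.items()
            if p == "android.permission.BIND_DEVICE_ADMIN"),
    }


if __name__ == "__main__":
    for key, value in parse_manifest(SAMPLE_MANIFEST).items():
        print("%-24s %s" % (key, value))
```

Point it at the AndroidManifest.xml in an apktool output directory (read the file and pass its contents to parse_manifest) and the device-admin line answers the "why BIND_DEVICE_ADMIN?" question directly: a component guarded by that permission means the app can ask the user for device administrator rights, which makes it harder to uninstall.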

Looking through the folder hierarchy in the image below, we also found some other files of interest, which we will go through later.

But let's take a look at com.baseapp.Main first, manually converting the initial Dalvik code back to pseudo-Java code.
We get back something like the one shown below. Looking through the code, we can see that it starts another class, MainServiceStart.

After a quick analysis of MainServiceStart, I realised that it's basically a module used to start Tor.
Further checks revealed that the Tor module could be a variation of Orbot, or Orbot itself.
Why would it do that? Probably to make use of Tor for data exfiltration. So I decided to do a quick grep, and one of the more interesting things I found is this onion URL, "yuwurw46taaep6ip[.]onion", in the Constants & TorSender classes. As of now, "yuwurw46taaep6ip[.]onion" seems to no longer exist.
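The "quick grep" above, turned into a small IoC extractor as an added example (not code from the post): it walks apktool's smali output, matches v2 (16-character) and v3 (56-character) .onion hostnames, attributes each hit to the class whose .class header it sits under, and defangs the result for a report. The smali snippets are constructed; the class names Constants and TorSender and the onion address are the ones the post reports, while the field and method names around them (ONION_HOST, buildUrl) and the Orbot-style TorService class are assumptions.

```python
import re

# v2 onion names are 16 base32 characters, v3 names are 56; both end in .onion.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b")
# First line of every smali file: ".class <modifiers> Lpkg/Name;"
CLASS_RE = re.compile(r"^\.class\b.*?L([\w/$]+);", re.MULTILINE)

# Constructed stand-in for apktool's smali output (path -> file contents).
SAMPLE_SMALI = {
    "smali/com/baseapp/Constants.smali": """\
.class public final Lcom/baseapp/Constants;
.super Ljava/lang/Object;

.field public static final ONION_HOST:Ljava/lang/String; = "yuwurw46taaep6ip.onion"
""",
    "smali/com/baseapp/TorSender.smali": """\
.class public Lcom/baseapp/TorSender;
.super Ljava/lang/Object;

.method private buildUrl()Ljava/lang/String;
    .locals 1
    const-string v0, "http://yuwurw46taaep6ip.onion/"
    return-object v0
.end method
""",
    "smali/org/torproject/android/service/TorService.smali": """\
.class public Lorg/torproject/android/service/TorService;
.super Landroid/app/Service;

.method public onCreate()V
    .locals 1
    const-string v0, "Starting Tor"
    return-void
.end method
""",
}


def defang(host):
    """Render a hostname so it cannot be clicked or auto-linked in a report."""
    return host.replace(".", "[.]")


def find_onion_addresses(files):
    """Map each onion hostname found (defanged) to the sorted classes it appears in."""
    hits = {}
    for path, text in files.items():
        m = CLASS_RE.search(text)
        cls = m.group(1).replace("/", ".") if m else path
        for match in ONION_RE.finditer(text):
            hits.setdefault(defang(match.group(0)), set()).add(cls)
    return {host: sorted(classes) for host, classes in sorted(hits.items())}


def load_smali_tree(root_dir):
    """Read every .smali file under an apktool output directory into a dict."""
    import os
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.endswith(".smali"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return files


if __name__ == "__main__":
    for host, classes in find_onion_addresses(SAMPLE_SMALI).items():
        print(host, "->", ", ".join(classes))
```

On a real sample, replace SAMPLE_SMALI with load_smali_tree("path/to/apktool/output"). The class attribution is what makes the output useful: an onion address in a Constants class plus a sender class that builds a URL from it is a stronger signal of C&C use than the string alone.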

[ What data does the malware exfiltrate? ]
So the question is: is this malware exfiltrating any data, and if so, what is it exfiltrating?
While looking at all the Tor-related classes, the one that caught my eye was the "TorSender" class.
Taking a deeper look at the TorSender class, I discovered several interesting findings, as shown in the image below.

From the above image, we can see that it sends telephony data such as the telephone number, country, IMEI, model & OS version to the C&C.
Looking at the rest of the TorSender class, we also found that it has the following functions:

  • sendInterceptedIncomingSMS – start/stop intercepting incoming SMSs
  • sendUSSDData – perform a USSD request
  • sendInstalledApps – send the C&C a list of apps installed on the mobile device
  • sendInterceptedIncomingSMS & sendListenedIncomingSMS & sendListenedOutgoingSMS – send an SMS to a number specified in a command
Another interesting finding came from the "SMSProcessor" class.
Looking at the snippet taken from the "SMSProcessor" class, we can find the communication service and see that it intercepts SMS to check for commands from the C&C.

While checking the "TorService" class, there is an interesting function call, installFromRaw from the "TorBinaryInstaller" class.
Within this function, we found that it copies a different iptables binary depending on whether the infected device is ARMv6, as we can see from the code snippet below. Remember earlier when I mentioned that there were some interesting binaries found while inspecting the folder hierarchy? These are the binaries I found.

It also copies the obfsproxy & privoxy binaries to the infected device. All of these are used to make Tor work on the infected device.

Another interesting finding is that the author of this Android Tor Trojan disguises the Tor binary and the MaxMind GeoIP database as .mp3 files,
probably just to avoid the suspicion that files without extensions would raise.
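The disguised-binary trick above, and the bundled ELF binaries mentioned before it, are both caught by a magic-byte check. Here is an added example (not code from the post) that classifies each file in an APK's res/raw by its leading bytes, reports files whose content contradicts their extension, and lists the target machine of every ELF it finds. The file contents are constructed: the paths tor.mp3, geoip.mp3 and iptables are assumptions modelled on what the post describes, and the ELF bytes are a minimal fake header, not a real binary.

```python
import os
import struct

# e_machine values we care about when triaging Android-bundled binaries.
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# What a file's extension claims its content should be.
EXPECTED_BY_EXT = {".mp3": "mp3", ".zip": "zip", ".apk": "zip", ".so": "elf"}


def _fake_elf(machine):
    """Constructed 64-byte stand-in for an ELF32 little-endian executable header."""
    e_ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9      # class, data, version
    return e_ident + struct.pack("<HH", 2, machine) + b"\x00" * 44


# Constructed stand-in for an extracted res/raw directory (path -> bytes).
SAMPLE_FILES = {
    "res/raw/tor.mp3": _fake_elf(0x28),                 # ELF hidden behind .mp3
    "res/raw/geoip.mp3": b"\x00\x00\x00\x01\x02\x03" * 8,  # not audio, not ELF
    "res/raw/notify.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10,
    "res/raw/iptables": _fake_elf(0x28),                # no extension, no claim
}


def classify(data):
    """Name the file type from its leading bytes; ELF results carry the arch."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        order = "<" if data[5] == 1 else ">"             # EI_DATA: 1 = little-endian
        machine = struct.unpack_from(order + "H", data, 18)[0]
        return "elf/" + ELF_MACHINES.get(machine, hex(machine))
    # MP3: either an ID3v2 tag or an MPEG audio frame sync (11 set bits).
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF
                              and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def find_disguised(files):
    """Return files whose content does not match what their extension claims."""
    findings = []
    for path, data in files.items():
        expected = EXPECTED_BY_EXT.get(os.path.splitext(path)[1].lower())
        if expected is None:
            continue                                     # no claim to check
        detected = classify(data)
        if not detected.startswith(expected):
            findings.append({"path": path, "claimed": expected, "detected": detected})
    return findings


def elf_inventory(files):
    """Map every ELF file, whatever its name, to its target machine."""
    return {path: classify(data) for path, data in files.items()
            if classify(data).startswith("elf/")}


def load_dir(root_dir):
    """Read a real extracted directory into the same path -> bytes shape."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[full] = fh.read(64)                # header bytes are enough
    return files


if __name__ == "__main__":
    for f in find_disguised(SAMPLE_FILES):
        print("%s claims %s but is %s" % (f["path"], f["claimed"], f["detected"]))
    for path, arch in elf_inventory(SAMPLE_FILES).items():
        print("ELF:", path, arch)
```

Run it against the res/raw directory of an apktool output with load_dir and the two mislabelled files stand out immediately; reading only the first 64 bytes keeps it cheap on large resource trees.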

[ Conclusion ]
While this is not a state-of-the-art Android Trojan, it's probably one of the first Android Trojans to use Tor and a .onion URL as its C&C.

I hope this is a fairly simple-to-understand technical tear-down that people can repeat on their own to learn how to analyse Android malware.

Happy Reversing,
Jacob Soo