[ Sample used in the analysis ]
We got this sample from Jacob’s old friend, “Amnesia”. The UUPlay application portrays itself as a legitimate Google Play Store application, but it also doubles as malware in disguise, sending out the victims’ information from the device. You can check the VirusTotal detection rate here: https://www.virustotal.com/en/file/918ec0a543b6774c54564fe676e7bd47456b6a95facca42a2da4a995703129b8/analysis/
[ Tools Used ]
Cerbero Profiler is used to disassemble the .apk file and analyse the smali code.
Android Emulator and Burp Suite are used for the dynamic analysis portion.
From the permissions list above, you can notice that it also has the capability to download and install applications. Users may think that, since it is a Google Play Store app, it needs such permissions. But in this case it also has the READ, WRITE and SEND SMS permissions. These permissions can be abused to send SMS messages to premium-rate numbers, resulting in additional costs for the victim(s).
[ Source Code Analysis ]
The .apk is most probably obfuscated using ProGuard. From the screenshot below, one can notice that after reversing the .apk file it is bloated with numerous Java class files with short alphabetical names, like any typical .apk file that is protected by ProGuard.
This makes analysing the source code harder. For more information on what ProGuard actually does, you can refer here. In this analysis, dynamic analysis was primarily used to map out the behaviour of the application.
[ Analysing Manifest File ]
From the manifest file, there are quite a lot of activities declared under the “com.google.hfapservice” package.
For the list of Google package names available for Android, you can refer to the list here. When checked against this list, there is no “com.google.hfapservice” package. It is a clear sign that these might potentially be malicious activities running in the background, masquerading as Google services.
Other than these activities, it can also be deduced from the manifest file that a total of 3 services are running.
Two of the services are linked to the fake Google packages, and the third is supposedly a log service linked to the “com.uucun” package, which is the main package name as noted from the manifest file.
Now let’s move on to the dynamic analysis portion.
[ Dynamic Analysis ]
Upon installing uuplay.apk, the app’s icon does not appear on the device’s home screen or in the app drawer. However, it can be found in the application list under Android’s system settings.
As you can notice, the icon is the same as the Google PlayStore’s icon.
The app can be started using Android Debug Bridge (adb) commands. From the manifest file, the main activity’s name can be deduced as RootActivity. The following command was used to invoke the main activity:
adb shell am start -n com.uucun4470.android.cms/com.uucun4470.android.cms.activity.RootActivity
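As an added example (not from the original post), here is a small Python triage script that checks a decoded AndroidManifest.xml for the three red flags noted above: SMS permissions alongside install permissions, components declared under a com.google.* package that is not a genuine Google package, and the absence of a MAIN/LAUNCHER activity, which is why the icon is missing and the app had to be started via adb. The manifest it runs on is constructed from the package name and the com.google.hfapservice prefix given in the post; the class names, the exact permission strings and the short allowlist of Google prefixes are assumptions.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
# Illustrative subset of genuine Google prefixes (the post links the full list).
GOOGLE_PREFIXES = ("com.google.android.gms.", "com.google.android.gsf.")
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.WRITE_SMS",
             "android.permission.SEND_SMS"}
INSTALL_PERMS = {"android.permission.INSTALL_PACKAGES",
                 "android.permission.REQUEST_INSTALL_PACKAGES"}

def _is_launcher(activity):
    """True if the activity has a MAIN/LAUNCHER intent filter, i.e. shows a home-screen icon."""
    for f in activity.iter("intent-filter"):
        actions = {a.get(A + "name") for a in f.iter("action")}
        cats = {c.get(A + "name") for c in f.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def triage_manifest(xml_text):
    """Return finding strings for a decoded AndroidManifest.xml (empty list if clean)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Premium-SMS risk: SMS permissions combined with the ability to install apps.
    if perms & SMS_PERMS and perms & INSTALL_PERMS:
        findings.append("sms+install: " + ", ".join(sorted(perms & SMS_PERMS)))
    # Components declared under a com.google.* package that Google does not own.
    for comp in list(app.iter("activity")) + list(app.iter("service")):
        name = comp.get(A + "name", "")
        if name.startswith("com.google.") and not name.startswith(GOOGLE_PREFIXES):
            findings.append("fake-google-component: " + name)
    # No launcher activity: the icon is hidden from the home screen and app drawer.
    if not any(_is_launcher(a) for a in app.iter("activity")):
        findings.append("no-launcher-activity: icon hidden from home screen")
    return findings

# Constructed manifest modelled on the post's observations; the package and the
# com.google.hfapservice prefix come from the post, the class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.uucun4470.android.cms">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application android:label="Google Play">
    <activity android:name="com.uucun4470.android.cms.activity.RootActivity"/>
    <activity android:name="com.google.hfapservice.activity.MainActivity"/>
    <service android:name="com.google.hfapservice.service.PushService"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` yields four findings; a manifest with a proper launcher activity and only genuine Google components yields none.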
After firing up the application, the UI is displayed as below.
Next, we used Burp Suite to monitor the network traffic. For instructions on configuring the Android emulator to work with Burp Suite, you can refer here.
Upon installing the app, information like the IMEI number, SIM card type, OS version, date timestamp, app version and Airpush version (mobile ads) was double URL-encoded and posted to h–p://cloud6.devopenserv.com, as shown in the screenshot from Burp Suite below.
If you search for any app, e.g. WhatsApp, you can see the search term being posted out together with the phone information, and subsequently the relevant .apk file is downloaded from h–p://apk.hiapk.com.
h–p://apk.hiapk.com is one of many unofficial Android marketplaces from China.
While all this can be considered “fairly” normal behaviour for a “Google Play Store”, there are also other suspicious activities. For example, at certain intervals (even when the app is not in use) encrypted data is posted to URLs like h–p://log6.devopenserv.com.
The URL to which the data is posted is not hard-coded, meaning that sometimes the data is posted to other URLs. But the key point is that data (judging from the long list of permissions, it could be anything the app has access to) is being encrypted and exfiltrated from the device.
[ Conclusion ]
In conclusion, uuplay is an application that masquerades as the official Google Play Store application. It performs similar activities, like installing applications fetched mainly from the following URLs:
At the same time, it also posts out personal information disguised as log data to the following URLs:
In short, install at your own risk!!
David Billa (@billa316)