[ Technical Tear Down: UUPlay, ANDROID Malware ]

[ Sample used in the analysis ]
MD55: E7D6FEF2F1B23CF39A49771EB277E697
SHA1: F5735DC4D9502F99D3B62C49EF083B403D627124

We gotten this sample from Jacob’s old friend, “Amnesia”. UUPlay application portrays itself as an legitimate Google playstore application but it also doubles up as an malware in disguise, sending out victim(s)’ information from the device. You can check the VirusTotal detection rate here. https://www.virustotal.com/en/file/918ec0a543b6774c54564fe676e7bd47456b6a95facca42a2da4a995703129b8/analysis/

[ Tools Used ]
Cebero Profiler is used to disassemble the apk file to analyse the smali code.

Dex2Jar and Java Decompiler are used to decompile the apk file to a jar file and subsequently to get the java code for analysis.

Android Emulator and Burp Suite are used for the dynamic analysis portion.

[ Permissions ]
uuplay-permissions

From the permissions list above, you can notice that it also haves the capability to download and install applications. Users may think that since it is a Google PlayStore app , it needs such permissions. But in this case, it also have the READ,WRITE and SEND SMS permissions. These permissions can be abused to send premium SMSes to premium numbers resulting in additional costs for the victim(s).

[ Source Code Analysis ]
The .apk is most probably obfuscated using ProGuard. From the screenshot below, one can notice that after reversing the .apk file, it seems bloated with multiple alphabetical java class files like any typical .apk file that is protected by ProGuard.

uuplay-proguard

Thus it makes analyzing the source code harder. For more information on what ProGuard actually does, you can refer here.  In this analysis, dynamic analysis was primarily done to map out the behavior of the application.

[ Analysing Manifest File ]
From the manifest file, there are quite a lot of activities declared under the “com.google.hfapservice” package.

uuplay-google-hfapservice

For the list of Google Package names available for Android, you can refer to the list here. When checked against this list, it does not have any “com.google.hfapservice” package. It is a clear sign that these might potentially be malicious activities running in the background masquerading as Google services.

Other than these activities, from the manifest file, it can also be deduced that a total of 3 services are running.

uuplay-services

Two of the services are linked to the fake Google packages and the third service is supposedly a log service linked to the “com.uucun” package which is the main package name as noted from the manifest file.

Now let’s move on to the dynamic analysis portion.

[ Dynamic Analysis ]

Upon installing the uuplay.apk, the app’s icon does not appear under the device home or the application’s display. However, it can be found under the apps’ listings under Android system’s settings.

uuplay -appinfo

As you can notice, the icon is the same as the Google PlayStore’s icon.

The app can be started using Android Debug Bridge (adb) commands. From the manifest file, the main activity’s name can be deduced as RootActivity. The following command was used to invoke the main activity:

adb shell am start -n com.uucun4470.android.cms/com.uucun4470.android.cms.activity.RootActivity

After firing up the application, the UI is displayed as below.

uuplayUI

Next, we used Burp Suite to monitor the network traffic. For instructions on configuring Android emulator to work with Burp Suite you can refer here.

Upon installing the app, information like imei number, sim card type, os version, date timestamp, app version and airpush version (mobile ads) were double url encoded and was posted to h–p://cloud6.devopenserv.com as shown in the screenshot from Burp Suite below.

uuplay-burpsuite1Next it checks for updates for all the pre-installed apps from h–p://agoldcomm.plat96.com

uuplay-burpsuite-appupdate

If you search for any app, e.g Whatsapp, you can see that the searched information together with the phone information being posted out and subsequently the relevant apk file will be downloaded from h–p://apk.hiapk.com

h–p://apk.hiapk.com is one of many un-official Android Marketplace from China.

While all these can be considered “fairly” normal behavior for an “Google PlayStore”, there are also other suspicious activities. Like at certain intervals (even when the app is not in use) encrypted data are being posted to urls like h–p://log6.devopenserv.com

uuplay-burpsuite-encrypteddata

The URL to which the data is posted is not hard-coded.  Meaning, sometimes the data are being posted to other URLs. But the key point is data (judging from the long list of permissions, it could be anything the app has access to) is being encrypted and were being ex-filtrated from the device.

[ Conclusion ]

In conclusion, uuplay is an application that masquerades as the official Google PlayStore application. It does similar activities like installing applications fetched mainly from the following urls:

– h–p://apk.hiapk.com

-h–p://agoldcomm.plat96.com

At the same time, it also posts out personal information masked as log data to the following urls:

-h–p://cloud6.devopenserv.com

-h–p://pus7.devopenserv.com

-h–p://log6.devopenserv.com

In short, install at your own risk!!

David Billa (@billa316)

Leave a Reply