[ Technical Tear Down: Fake WeChat Android App (Packed using Bangcle)]

[ Sample used in the analysis ]

MD5: 35C0A075CBC6135D957BD10769E3A620
SHA1: 554FD3D80B696F0677231A54F35B61B5774F2940

This is an Android malware found in the wild. You may be wondering what’s so special about this malware as there are thousands of Android malware out there. Well, this is one of the first few Android malware that has been packed. By being packed, it make reversing almost impossible for  static code analysis. As mentioned in my previous writeup, script from @timstrazz is available if bangcle is used to pack the apk.

As we at vxsecurity.sg always encourages people to get their hands dirty, we have attached the malicious sample here.
The password is “infected29A

[ Tools Used ]
Cebero Profiler is used to disassemble the apk file to analyse the smali code.

Dex2Jar and Java Decompiler are used to decompile the apk file to a jar file and subsequently to get the java code for analysis.

Android Emulator is used for the dynamic analysis portion.

[ Before debangcling the app ]

As explained in my previous writeup, if Bangcle is used to pack an apk, when you try to reverse the file, you will notice a certain pattern like additional library files and new Java class files (ACall.class, ApplicationWrapper.class, FirstApplication.class). As shown in the picture below, this particular .apk when we decompile using dex2jar or disassembled using Profiler also contains similar files.

banksteal-bangcled

One thing my team and i found out is whenever we see this class (com.secapk.wrapper.ApplicationWrapper) and it’s be instantiated by default whenever the process is started.
We can safely deduce that it could have been packed using bangcle. So I tried using the script from @timstrazz found  here to unpack it.

Success!! It could be unpacked 🙂

[ Debangcled APK ]

The resultant of the debangcling process is a dex file which can now be reversed.

debangcled-apk

There are some obvious clues which flags out as a sorethumb to the analyst analysing the apk. Like the package name is called “com.example.banksteal“!! Who names their application banksteal anyway? And furthermore if your package name contains words like “example”, you can’t upload your apk into Google Playstore as it is deem as a generic name. So there are 2 things you can conclude even without analysing anything. 1st: This .apk is obviously from some third party market or circulated elsewhere other than the official Google Playstore. 2nd: This .apk is highly suspicious due to the naming conventions used. You can’t be 100% sure that this is a malware based on the above mentioned 2 pointers. So let’s delve in deeper.

[Analysis]

The app requests for the following permissions:

app-permissions

Upon installing the app, you will get the following icon. This is the popular WeChat Android app, a Whatsapp like instant messaging app. The App is named as “Wēixìn” in Chinese which is the pinyin name for WeChat and means micro message.

bangcle-install

 

When the app is invoked, it will first ask you for device admin permission for lock your phone, it can be seen from the code snippet below taken from the Launcher class.

launcher-device-admin

 

bangcle-activate-lockscreen

and then for your credit card details as shown from the screenshot below when the app is executed on an emulator:

bangcle-creditcard

Next, more details will be asked like the type of bank from which the credit card was issued, card’s cvc number, expiry date, social security number, address etc

bangcle-socialsecurity-number

bangcle-mastercard

Let’s say, I chose the JCB card as my credit card and fill in all the details and click next:

banksteal-email-failed-to-send-out

I am running this in an emulator and it prompts that, “The email/message is not sent out!” I hope that my Chinese translation is accurate but then this raises another question of why a messaging app needs to send out an email. Let’s look into the source code for more evidence.

If you look at the BankData class, it summarises the data it harvests:

bangcle-bankdata

 

Under the Const class you will also get the email address of the receiver.

email

 

There are more clues in the MailUtil class where the host of the receiver is resolved.

email-host

In summary, this app requests for your credit card details and mail out these details.

Well ok, what’s wrong you may ask.

Just that in an actual WeChat app registration/installation no such details are required.

[Actual WeChat App]

Now let’s look at the actual WeChat app’s permissions when downloaded from the Google PlayStore.

real-wechat3

You may think, this looks more malicious as it requests for much more permissions as compared to the previous app!!! But hold on.

Let’s take a look at the registration portion:

real-wechat1

real-wechat2

And that’s it. No credit card nor any bank details is required during installation nor registration of the official WeChat app.

[Conclusion]

The analysed application is an Android malware masquerading as the WeChat android application and request user for their credit card details. Supposedly to give the user a surprise at the end of the month!! On the other end the original app even though it requests for much more permissions, it does not cause financial loss for the user. This reiterates the point that users must not install app from unknown sources or third party markets. Most importantly, whichever app from third party or even the official Google Playstore requests for your credit card details, you are highly recommended to uninstall the app unless you feel generous 🙂

Another unique feature of this app is the usage of a packer. In this case, it is using Bangcle and we already have an unpacker available which helps in our analysis. What if a more complicated packer is used? It will further impede the analysis process. Then we have to only rely on dynamic analysis and if the apk is advanced enough to have anti-emulator techniques etc, how do we overcome this ? I will have another writeup on the possible dynamic analysis paradigm in the near future. If you have ideas, do share with us too.

David Billa (@billa316)