Category Archives: Android

[ Technical Tear Down: SIMPLELOCKER, ANDROID Ransomware ]

[ Sample used in the analysis ]
MD5: FD694CF5CA1DD4967AD6E8C67241114C
SHA1: 808DF267F38E095492EBD8AEB4B56671061B2F72

This is one of the latest Android ransomware samples we have obtained. It can be found on Mila’s website, and the VirusTotal analysis is here. The ransomware is Tor-enabled: it encrypts files on the device’s external storage and then demands a ransom before the key needed to decrypt the files is handed over. Now let’s look at the technical details of the ransomware.
I’ve attached the link to the file here for anyone interested in analysing it themselves.
The password to the attachment is “infected29A”.

[ Tools Used ]
Cerbero Profiler is used to disassemble the APK file and analyse the smali code.
Dex2Jar and Java Decompiler are used to convert the APK file to a jar file and then decompile it to Java code for analysis.
The Android Emulator is used for the dynamic analysis.

[ Files ]
Below is the list of files after disassembling the APK with Cerbero Profiler.

simplelocker-filelist

[ Manifest File ]

Below is the full manifest file extracted from the .apk file:

simplelocker-manifest

[ Permissions ]
Now let’s take a look at the AndroidManifest.xml file. When the application is installed, the user is prompted with the list of permissions it requests.

simplelocker-manifest-permissions

The permissions are more or less harmless in nature and do not raise the red flags that other malware families do. The only two that could raise any suspicion are android.permission.RECEIVE_BOOT_COMPLETED and android.permission.WAKE_LOCK. RECEIVE_BOOT_COMPLETED allows an application to receive the broadcast sent when the system has finished booting; WAKE_LOCK allows it to keep the processor from sleeping or the screen from dimming.
Both look harmless at first glance, but together they let an application start itself on every boot and keep running without being pushed into a suspended state by the Android operating system, which is exactly the persistence a ransomware needs to keep its ransom screen in front of the victim.

[ Source Code Analysis ]
From the manifest file, Main.class is launched first when the app starts. Main.class checks whether MainService.class is running and starts it if not. MainService.class is linked to five other classes, MainService1.class through MainService5.class, and these classes are all interlinked. Together they do the following:

• Check whether a Tor connection is established.
• If not, try to establish one.
• Get the list of predetermined file extensions.
• Collect the names of all files on external storage that have any of those extensions.
• AES-encrypt those files.
• Display a message, presumably the ransom demand.

Now let’s look at two class files that are of special interest, because they reveal more about how the ransomware works. The first is Constants.class; look at the screenshot below.

simplelocker-constants

The first constant, ADMIN_URL, points to http://xeyocsu7fu2vjhxs.onion/, the Tor hidden service the ransomware connects to. This explains why it checks for and tries to establish a Tor connection on start-up. The second piece of information in the Constants class is the variable EXTENSIONS_TO_ENCRYPT, which holds the following file extensions: “jpeg”, “jpg”, “png”, “bmp”, “gif”, “pdf”, “doc”, “docx”, “txt”, “avi”, “mkv”, “3gp”, “mp4”. As the variable name suggests, these are the file extensions the ransomware encrypts.

Another key piece of information is CIPHER_PASSWORD, “jndlasf074hr”. Is this the key used to encrypt the files? If so, could it also decrypt them? To answer that, we look at FileEncryptor.class. The screenshot below shows two of its functions:

simplelocker-fileencryptor

As the functions show, the encrypt and decrypt routines are straightforward: AES keyed with “jndlasf074hr”. Now let’s take a look at the AesCrypt class.

simplelocker-aescrypt

AesCrypt has both encrypt and decrypt functions, and the password they use is a constant compiled into the APK rather than something fetched per victim. So if you installed the app by mistake and your files are now encrypted, the same routines, fed the same hardcoded password, will decrypt them without any need to pay the ransom. The caveat is that this works only because the cipher is symmetric and the key is embedded; a variant that fetched a per-victim key from the .onion server would not be recoverable this way.
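To make that point concrete, here is an added example (not the sample’s own code) that re-creates the pattern: a symmetric cipher keyed from a constant compiled into the APK, plus the extension filter from Constants, used to walk a directory and restore files. The screenshots do not show AesCrypt’s key derivation, cipher mode or IV handling, so those (SHA-256 of the password, AES/CBC with the IV stored ahead of the ciphertext, and a “.enc” suffix on encrypted files) are assumptions; they must be replaced with whatever the real AesCrypt does before running this against victim data.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Re-creation of the pattern found in FileEncryptor/AesCrypt: a symmetric
 * cipher keyed from a constant that ships inside the APK, so whoever has the
 * APK has the key. Added example, not the sample's own code.
 * ASSUMED details the screenshots do not show: key = SHA-256(password),
 * AES/CBC/PKCS5Padding, a 16-byte random IV stored in front of the ciphertext,
 * and a ".enc" suffix on encrypted files.
 */
public class HardcodedKeyDecryptor {
    // Values lifted from the sample's Constants class as reported in the write-up.
    static final String CIPHER_PASSWORD = "jndlasf074hr";
    static final List<String> EXTENSIONS_TO_ENCRYPT = List.of(
        "jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4");
    static final String ENC_SUFFIX = ".enc";   // assumed marker, see class comment

    static SecretKeySpec deriveKey(String password) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(digest, "AES");          // 32-byte key, i.e. AES-256
    }

    /** Encrypts the way the malware would: IV || AES-CBC(plaintext). Used here only to build the demo file. */
    static byte[] encrypt(byte[] plaintext, String password) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Reverses encrypt(); a wrong password or wrong mode surfaces as BadPaddingException. */
    static byte[] decrypt(byte[] blob, String password) throws Exception {
        if (blob.length < 32 || (blob.length - 16) % 16 != 0) {
            throw new IllegalArgumentException("not an IV||AES-CBC blob: " + blob.length + " bytes");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password),
               new IvParameterSpec(Arrays.copyOfRange(blob, 0, 16)));
        return c.doFinal(blob, 16, blob.length - 16);
    }

    /** The same extension filter the sample applies when it enumerates external storage. */
    static boolean hasTargetExtension(Path p) {
        String name = p.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot > 0 && EXTENSIONS_TO_ENCRYPT.contains(
                name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    /** Walks root, restores every <name>.<ext>.enc whose inner extension is on the list; returns the count. */
    static int decryptTree(Path root) throws IOException {
        int restored = 0;
        try (Stream<Path> files = Files.walk(root)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                String n = p.toString();
                if (!Files.isRegularFile(p) || !n.endsWith(ENC_SUFFIX)) continue;
                Path original = Paths.get(n.substring(0, n.length() - ENC_SUFFIX.length()));
                if (!hasTargetExtension(original)) continue;
                try {
                    Files.write(original, decrypt(Files.readAllBytes(p), CIPHER_PASSWORD));
                    restored++;
                } catch (Exception e) {
                    // Leave the .enc file untouched rather than overwrite anything on failure.
                    System.err.println("skipped " + p + ": " + e);
                }
            }
        }
        return restored;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {                 // real use: a copy of the victim's storage tree
            System.out.println("restored " + decryptTree(Paths.get(args[0])) + " file(s)");
            return;
        }
        // Constructed demo: encrypt a fake photo the way the malware would, then
        // recover it using nothing but the constant pulled out of the APK.
        Path dir = Files.createTempDirectory("simplelocker-demo");
        byte[] original = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        Files.write(dir.resolve("holiday.jpg" + ENC_SUFFIX), encrypt(original, CIPHER_PASSWORD));
        int n = decryptTree(dir);
        boolean ok = Arrays.equals(original, Files.readAllBytes(dir.resolve("holiday.jpg")));
        System.out.println("restored " + n + " file(s), content matches: " + ok);
    }
}
```

Run it with no arguments for the self-contained round trip, or with a directory path to walk a copy of the victim’s storage. Work on a copy: if the assumed parameters are wrong, decrypt() throws and the file is skipped, but there is no reason to risk the only copy of the ciphertext.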

Two other interesting classes are HttpSender and HttpSender$1, which send data to and fetch JSON data from http://xeyocsu7fu2vjhxs.onion/.

[ Dynamic Analysis ]

I installed the app on an emulator to test how it works. Running on the emulator, it could not perform all of its ransomware “features”, but the errors it throws are enough to confirm the flow of those features. The other reason for using an emulator is that I need not turn a phone into a brick in case the sample does irreversible damage to the device.

Once installed, it presents itself as a porn app, as the name under the icon shows.

simplelocker-icon

When the app is run, it shows a message in Russian, and this screen keeps reappearing even after the app is closed.

simplelocker-firstscreen

So what does it actually do in the background? Let’s check logcat.

simplelocker-torconnection

It is clearly trying to establish a Tor connection, which fails on the emulator, and the attempt is repeated continuously.

simplelocker-netwkstat2

There are also many error messages thrown by the external libraries (the *.so files needed for the Tor connection) and an error that the app could not access external storage, which it needs in order to encrypt the files. Both are failures of the emulator environment rather than defects in the sample, so on a real device with network access and mounted external storage the encryption step would run.

This confirms the flow of the ransomware’s actions discussed in the static analysis above.

[ Conclusion ]

In conclusion, the ransomware is most probably marketed as a porn app; once installed it establishes a Tor connection to the C&C, encrypts the victim’s files and then demands a ransom to decrypt them. On closer inspection, however, a technically savvy person could decrypt the files without paying the ransom, because the decryption key is hardcoded in the app itself. But to be absolutely safe, don’t install porn apps 🙂

David Billa (@billa316)

[ Technical Tear Down : First Android Tor Trojan ]

This is probably the first Android Trojan to use Tor, and Kaspersky was the first to report on it. I was lucky to be able to grab a sample off Mila’s website, and I’ll be doing my own technical tear-down of the malware here.

[ Sample used in the analysis ]
MD5: 58fed8b5b549be7ecbfbc6c63b84a728
SHA1: 2e6dbfa85186af23a598694d2667207a254f8979

[ How it starts ]
Since it’s an Android malware, let’s check the permissions it requests and then dissect it further. Decode the APK with apktool (apktool d followed by the sample’s file name):

You should see something like the output below after running the command.

Now let’s take a look at the AndroidManifest.xml file; it lists the permissions requested by the APK.

From the extracted AndroidManifest file we can see the permissions it requires, and that the entry point is the Main class, as indicated in the manifest.

Hmmm, why does it require BIND_DEVICE_ADMIN?
The Device Administration API provides device administration features at the system level. These APIs allow you to create security-aware applications that are useful in enterprise settings. For malware, the practical attraction is that once the user activates the app as a device administrator, it cannot be uninstalled through the normal application settings until that administrator is deactivated, which makes the infection harder to remove.

Looking through the folder hierarchy in the image below, we also find some other files of interest, which we will come back to later.
Tor.Android.Trojan.02

But let’s take a look at com.baseapp.Main first, manually converting the initial Dalvik code back to pseudo-Java.
We get something like the listing below. Looking through the code, we can see that it starts another class, MainServiceStart.

After a quick analysis of MainServiceStart, I realised that it is basically a module used to start Tor.
Further checks revealed that the Tor module could be a variation of Orbot, or Orbot itself.
Why would it do that? Probably to use Tor for data exfiltration. So I did a quick grep, and one of the more interesting things I found is the onion URL yuwurw46taaep6ip[.]onion in the Constants and TorSender classes. As of now, yuwurw46taaep6ip[.]onion seems to have ceased to exist.

[ What data does the malware exfiltrate? ]
So the question is: is this malware exfiltrating any data, and if so, what?
Looking at all the Tor-related classes, the one that caught my eye is the TorSender class.
Taking a deeper look at TorSender, I discovered several interesting things, shown in the image below.
Tor.Trojan.01

From the above image, we can see that it sends telephony data such as the phone number, country, IMEI, model and OS version to the C&C.
Looking at the rest of the TorSender class, we also find the following functions:

  • sendInterceptedIncomingSMS – start/stop intercepting incoming SMSs
  • sendUSSDData – perform a USSD request
  • sendInstalledApps – send the C&C a list of apps installed on the mobile device
  • sendInterceptedIncomingSMS & sendListenedIncomingSMS & sendListenedOutgoingSMS – send an SMS to a number specified in a command

Another interesting finding came from the SMSProcessor class. Looking at the snippet taken from it, we can find the communication service and see that it intercepts SMS messages to check for commands from the C&C.

While checking the TorService class, there is an interesting call to installFromRaw in the TorBinaryInstaller class.
Within this function, we found that it copies a different iptables binary depending on whether the infected device is ARMv6, as the code snippet below shows. Remember that I mentioned earlier some interesting binaries found while inspecting the folder hierarchy; these are those binaries.

It also copies the obfsproxy and privoxy binaries to the infected device. All of these are needed for Tor to work on the infected device.

Another interesting finding is that the author of this Android Tor Trojan disguises the Tor binary and the MaxMind GeoIP database as .mp3 files.
Probably this is just to avoid the suspicion that files without an extension would attract.
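As an added analyst check (not code from the sample or from Orbot), the following Java program makes that disguise visible mechanically: it walks an unpacked res/raw directory, reads each file’s magic bytes and reports any file whose content is an ELF executable, gzip stream or ZIP archive while its name claims to be media. The ELF magic and e_machine check are the standard ones (EM_ARM = 0x28); the directory layout and the sample files it constructs for the demo are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Stream;

/**
 * Analyst helper for the "binaries disguised as .mp3" trick: walk an unpacked
 * APK's res/raw (or assets) directory, sniff each file's real type from its
 * magic bytes and report any whose content contradicts its extension.
 * Added example, not code from the sample or from Orbot. Magic values used:
 * ELF 7F 45 4C 46, gzip 1F 8B, ZIP 50 4B 03 04, MP3 "ID3" tag or frame sync.
 */
public class RawAssetTriage {
    // Extensions an app would normally use for media/data; an executable behind one is suspicious.
    static final Set<String> MEDIA_EXT = Set.of("mp3", "ogg", "wav", "png", "jpg", "jpeg", "gif", "dat", "txt");

    /** Classify a file from its leading bytes and return a short type tag. */
    static String sniff(byte[] head) {
        if (head.length >= 20 && (head[0] & 0xFF) == 0x7F && head[1] == 'E' && head[2] == 'L' && head[3] == 'F') {
            // e_ident[EI_DATA] at offset 5: 1 = little-endian, 2 = big-endian.
            // e_machine is the 2-byte field at offset 18; EM_ARM = 0x28.
            boolean little = head[5] == 1;
            int lo = head[18] & 0xFF, hi = head[19] & 0xFF;
            int machine = little ? (lo | (hi << 8)) : ((lo << 8) | hi);
            return machine == 0x28 ? "elf-arm" : "elf";
        }
        if (head.length >= 2 && (head[0] & 0xFF) == 0x1F && (head[1] & 0xFF) == 0x8B) return "gzip";
        if (head.length >= 4 && head[0] == 'P' && head[1] == 'K' && head[2] == 3 && head[3] == 4) return "zip";
        if (head.length >= 3 && head[0] == 'I' && head[1] == 'D' && head[2] == '3') return "mp3";
        if (head.length >= 2 && (head[0] & 0xFF) == 0xFF && (head[1] & 0xE0) == 0xE0) return "mp3"; // MPEG frame sync
        return "unknown";
    }

    static String extension(Path p) {
        String name = p.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True when an executable or packed payload hides behind a media/data extension. */
    static boolean mislabelled(String ext, String kind) {
        boolean binary = kind.startsWith("elf") || kind.equals("gzip") || kind.equals("zip");
        return binary && MEDIA_EXT.contains(ext);
    }

    /** One report line per regular file: name, claimed extension, sniffed type, and a flag on mismatch. */
    static List<String> triage(Path dir) throws IOException {
        List<String> report = new ArrayList<>();
        try (Stream<Path> files = Files.walk(dir)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                if (!Files.isRegularFile(p)) continue;
                byte[] head = new byte[20];
                int n = 0;
                try (InputStream in = Files.newInputStream(p)) { n = in.read(head); }
                String kind = sniff(Arrays.copyOf(head, Math.max(n, 0)));
                String ext = extension(p);
                String flag = mislabelled(ext, kind) ? "  <-- content does not match extension" : "";
                report.add(p.getFileName() + "\t." + ext + "\t" + kind + flag);
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        Path dir = args.length > 0 ? Paths.get(args[0]) : constructedSample();
        for (String line : triage(dir)) System.out.println(line);
    }

    /** Constructed stand-in for res/raw: an ARM ELF header saved as tor.mp3, a real-looking MP3, a gzip stream. */
    static Path constructedSample() throws IOException {
        Path dir = Files.createTempDirectory("raw-triage-demo");
        byte[] elf = new byte[52];                 // ELF32 header size; only the fields we sniff are filled in
        elf[0] = 0x7F; elf[1] = 'E'; elf[2] = 'L'; elf[3] = 'F';
        elf[4] = 1;                                // ELFCLASS32
        elf[5] = 1;                                // little-endian
        elf[18] = 0x28;                            // e_machine = EM_ARM
        Files.write(dir.resolve("tor.mp3"), elf);
        Files.write(dir.resolve("notify.mp3"), new byte[]{'I', 'D', '3', 3, 0, 0});
        Files.write(dir.resolve("geoip.mp3"), new byte[]{(byte) 0x1F, (byte) 0x8B, 8, 0});
        return dir;
    }
}
```

Point it at the res/raw directory produced by apktool to get one line per file; anything flagged deserves a closer look with file(1) or readelf. Sniffing the header rather than trusting the name is the whole point: the .mp3 extension fools a directory listing, not the loader.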

[ Conclusion ]
While this is not a state-of-the-art Android Trojan, it is probably one of the first to use Tor and a .onion URL for its C&C.

I hope this is a fairly simple-to-understand technical tear-down whose steps people can repeat on their own to learn how to analyse Android malware.

Happy Reversing,
Jacob Soo