Nytro

Android malware drops Banker from PNG file

[h=3]Android malware drops Banker from PNG file[/h]

Nowadays malware tries to hide wherever it can to stay under the radar of anti-virus companies. Recently I found a Trojan dropper carrying a malicious payload, Base64-encoded and embedded inside an image file. It is nothing special these days, but it is still a very rare dropping technique. In most cases malware authors are lazy enough not to even encrypt the payload file.

[h=3]Analysis[/h]

At the time of writing this blog post, the Trojan dropper was still available for download from the attacker's server (hxxp://jackdojacksgot.ru/img/Update.apk). According to VirusTotal, detection of this Trojan dropper is very poor.

[Figure 1: VirusTotal detection (image: vtScreen.PNG)]

This malicious application masquerades as Adobe Flash Player. Based on the alternative names I found in the application resources, the malware can carry a different name in other versions, such as: Viber New, App4porno, CommBank, My Online Security, Viber or Whatsapp.

[Figure 2: Possible Trojan dropper names (image: strings.PNG)]

After launch, the Trojan immediately drops its payload and asks the user to install "Adobe Flash Player". But first let's take a look at the dropping technique.

In the app assets there is nothing to drop other than an image file.

[Figure 3: Trojan dropper assets (image: struktura.PNG)]

There is only one image, a picture of dice, stored in the assets, but its size is more than 3.6 MB, which is a bit suspicious.

After inspecting the code it turned out the application does not drop this PNG file itself. The Trojan dropper first opens the image file and searches for a delimiter string, in this case "12345678901234567890". Right after this delimiter another application is stored, encoded in Base64.

[Figure 4: Dropping embedded malware (image: Capture.png)]

[Figure 5: Binary view of PNG file (image: far.PNG)]

The decoded data is then written to external storage as "prefix.apk" and the user is prompted to install it. The decoded application, prefix.apk, is a heavily obfuscated Android banker that steals user credentials.

After installation it asks the user to activate Device Administrator rights for the application. This is the simplest method of preventing the Trojan from being uninstalled.
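The carving step described above, as an added triage script (not the dropper's own code): it parses the PNG chunk layout to measure how much data trails the IEND chunk, searches for the delimiter reported in the analysis, Base64-decodes what follows it, and checks that the result is structurally an APK (a ZIP with AndroidManifest.xml and a .dex entry). The PNG and the embedded "APK" are constructed in memory as stand-ins for the real samples so the script runs offline; it assumes the payload is appended after IEND, which is the placement that keeps the image viewable, but the carving itself depends only on the delimiter.

```python
"""
Carve a Base64-encoded APK appended to a PNG behind a fixed delimiter,
and sanity-check what comes out. Added example, not the dropper's code.
"""
import base64
import hashlib
import io
import struct
import zipfile
import zlib

DELIMITER = b"12345678901234567890"  # delimiter reported in the analysis
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def trailing_bytes(data):
    """Return everything after the IEND chunk; a clean PNG yields b''."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4           # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def carve_payload(data, delimiter=DELIMITER):
    """Find the delimiter and Base64-decode everything after it.

    Returns the decoded bytes, or None when the delimiter is absent.
    """
    idx = data.find(delimiter)
    if idx < 0:
        return None
    return base64.b64decode(data[idx + len(delimiter):])


def looks_like_apk(blob):
    """Structural check: a ZIP carrying AndroidManifest.xml and a .dex."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def triage(data):
    """Summarise a suspect PNG: trailer size, delimiter hit, carved APK hash."""
    trailer = trailing_bytes(data)
    payload = carve_payload(data)
    return {
        "png_md5": hashlib.md5(data).hexdigest(),
        "trailer_len": len(trailer),
        "has_delimiter": payload is not None,
        "payload_md5": hashlib.md5(payload).hexdigest() if payload else None,
        "payload_is_apk": looks_like_apk(payload) if payload else False,
    }


# --- constructed fixtures (stand-ins, not the real samples) -----------------
def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png():
    """A valid 1x1 RGB PNG built by hand."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00\xff\x00\x00"      # filter byte + one red pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def build_fake_apk():
    """A ZIP with the two entries every APK carries; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()


def build_trojanised_png(apk):
    """PNG + delimiter + Base64(APK): the layout the dropper reads from."""
    return build_minimal_png() + DELIMITER + base64.b64encode(apk)


if __name__ == "__main__":
    sample = build_trojanised_png(build_fake_apk())
    print(triage(sample))
```

Run against a real suspect image, `trailer_len` alone is a useful tell: a legitimate PNG ends at IEND, so a picture of dice with megabytes of trailing data deserves a look even before the delimiter is known. The `payload_md5` value is what you would compare against the dropped-file hash in the indicators below.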

[Figure 6: Banker install and device administrator request (image: Screenshot_2015-11-18-15-22-49__all.png)]

If the user tries to deactivate the Administrator rights, they are repeatedly asked to activate them again. There are two ways to get rid of this nasty banker: either boot the device into safe mode, deactivate the Administrator rights and uninstall it, or use the Android Debug Bridge (adb) and uninstall it from your computer.

Both apps, the Trojan dropper and the dropped banker, are most probably obfuscated and protected by DexProtector. It is very complicated to analyze them statically without any dynamic intervention.

[Figure 7: Code obfuscation (image: obfuscatedCode.PNG)]

The banker can steal user login credentials or credit card information using a phishing technique. When the user opens a mobile banking application, or just the Google Play Store, a malicious activity is displayed on top of the official application. In this way the user can easily be fooled into entering sensitive information into the banker's pop-up window.

[Figure 8: Banker's phishing windows (image: __all.png)]

User credentials are immediately sent to the remote server.

[Figure 9: Sending stolen credentials for the Gmail app (image: 1.PNG)]

[Figure 10: Sending stolen credentials for the CommBank app (image: 2.PNG)]

[Figure 11: Sending stolen credentials for the PayPal app (image: 3.PNG)]

This banker is very popular. Recently I tweeted about the same banker, stored on a different server.

[h=3]More information[/h]

HASH dropper: 1F41BA0781D51751971EE705DFA307D2

HASH PNG: 575551FBC343EC8E1A1C771D81963096

HASH dropped: 90886B56372F5191A78A20DCB3F9FE6E

Download link: http://jackdojacksgot.ru/img/Update.apk

Remote server: 75jng75ufnf.ru:2080

Posted by Lukas Stefanko at 11:47 PM

Source: http://b0n1.blogspot.ro/2015/11/android-malware-drops-banker-from-png.html
