Sunday, 23 October 2016

Playing Assassin's APK

Some time ago I was looking at malware samples from the excellent Contagio blog. This time I decided to get back to APK files. Below you will find a small analysis of Assassins_Creed.apk.



The file on the blog is named "3E076979644672A0EF750A4C3226F553_assassins_creed". On my Kali box, md5sum of the file looks like this:




I tried to open the 'game' in a couple of tools. One of them was APK Studio:




When you open an APK in APK Studio, you need to create a new folder for the APK's decompiled files. I created that folder as "Desktop\assasin". A quick overview of the files found inside the app:





Ok, let's go to the next file. In the AndroidManifest.xml file you can find several pieces of information that are very useful from the RE perspective. In our case the most interesting for now will be:








…so which permissions this malware needs in order to run on our Android phone. I copied the AndroidManifest file to my Kali box (just to grep a few more things during the research and learning process…).


The malware needs a few permissions to be granted:



Below you will find details of all of them:

 
So basically, it looks like an app that steals some data from our phone. Cool. :) I found something else:



The Receiver is described here. Using this small list we will try to check each function one by one to figure out what's going on inside the code. So let's go back to the code now:
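The manifest triage done above with grep (which permissions the app requests, and which receiver is wired to which action) can be automated. The script below is an added example written for this post, not code from the sample or from any tool mentioned here; it parses a constructed AndroidManifest.xml in the shape apktool writes out, and the list of "suspicious" permissions is my own heuristic for an SMS-stealing app.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# My own triage heuristic: the SMS permissions plus a network path are what an
# SMS-stealing app needs. This is not a list taken from the sample itself.
SUSPICIOUS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
              "android.permission.READ_CONTACTS", "android.permission.INTERNET"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest (NOT the real Assassins_Creed.apk manifest); it only
# mirrors the shape of the AndroidManifest.xml that apktool decodes.
SAMPLE_MANIFEST = """<manifest
  xmlns:android="http://schemas.android.com/apk/res/android" package="x.y">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".Receiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Parse a decoded manifest: permissions, flagged ones, receiver actions."""
    root = ET.fromstring(xml_text)
    perms = sorted(e.get(NAME) for e in root.iter("uses-permission"))
    # Map each <receiver> to the intent actions it registers for.
    receivers = {r.get(NAME): [a.get(NAME) for a in r.iter("action")]
                 for r in root.iter("receiver")}
    # A receiver on SMS_RECEIVED together with RECEIVE_SMS and INTERNET is the
    # combination that lets incoming messages be read and forwarded.
    intercepts_sms = ("android.permission.RECEIVE_SMS" in perms
                      and "android.permission.INTERNET" in perms
                      and any(SMS_ACTION in acts for acts in receivers.values()))
    return {"permissions": perms,
            "suspicious": [p for p in perms if p in SUSPICIOUS],
            "receivers": receivers,
            "sms_interception": intercepts_sms}

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, "->", value)
```

Point it at the AndroidManifest.xml that apktool produced and the same three fields tell you at a glance whether an app requests the SMS/network combination and registers a receiver for incoming SMS.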
   

This one is cool:
 
Yeah, sure. ;] By the way, you can also use apktool (e.g. $ apktool d app.apk) to decompile the APK and check (if possible) for any Java code inside to analyze:


Another pretty cool tool is Smali2Java, screenshot below:
 


As you can see, the code is trying to go to Repeat.class. Let's do the same:



Going down (Call.java file), we can see a string to decrypt:


As you can see, to decrypt it we need to check the Secure.java class. Let's do this:


 



Nice, some AES.


We will get back to it later. To summarize it a little bit, I grepped all "public" ("private" and so on…) functions:



Below - grep for “private”:
 


And the last one, including “protected” results:



Ok, let's get back to our actions in the Manifest file:

We can easily see that all "actions" here are related to functions (deeper in the source). Cool, so let's check the "first" of them:




Ok, so we’re looking for MainActivity in the code:



Ok, let’s get back to the source:



We can see that the app will check some information about our installed packages:



Next, the application tries to copy itself and start as a background service:



The next action in our case will be CheckAction():



Next I was looking for the BroadcastReceiver to see what its purpose is. I found a couple of links:



Checking first link:

Ok, cool. I assume that this class will prepare a "request" (see devimsi, clientID and dataFetcher defined in the code) with data to send to the attacker's host:



Ok. Let's go to the next class (once you have tried all the Connect* classes): this time we will check GetAccs.java:


This time some information about packages is delivered to the attacker. In the next file – GetAll.java – we will find that the code will try to send our SMS messages to the attacker's host:


Finally, we are in the file Receiver.java:


Assassin will try to grab our SMS messages after they are received and re-send them to the attacker.

Small summary: the application is trying to steal information from the victim's phone. The stored SMS messages will be grabbed, as well as all new incoming messages. This can be a problem when you're using your bank account via your mobile phone.

Tools and links used (and found) during this case:

- md5sum
- JAD
- Smali2Java


If you know some other nice tools or decompilers, feel free to leave a comment below. Thanks.

Cheers!

