The file on the blog is named "3E076979644672A0EF750A4C3226F553_assassins_creed". On my Kali, md5sum for the file looks like this:
I tried to open the ‘game’ in
a couple of tools. One of them was APK Studio:
When you will open APK in APK
Studio, you need to create new folder for APK’s decompiled files. I created
that folder on my “Desktop\assasin”. Quick overview for files found inside the
app:
Ok, let’s go to the next file. In AndroidManifest.xml file you can find several information, very useful from the RE perspective. In our case the most interesting now will be:
…so what kind of permissions we need to run this malware on our Android phone. I copied AndroidManifest file to Kali box (just to grep few more things during the research and learning process…).
Malware needs few permissions
to be allowed:
Below you will find details of
all of them:
- ACCESS_NETWORK_STATE
- READ_EXTERNAL_STORAGE
- WRITE_SMS (removed)
- SEND_SMS
- READ_PHONE_STATE
- WAKE_LOCK
- RECEIVE_BOOT_COMPLETED
- WRITE_EXTERNAL_STORAGE
- GET_ACCOUNTS
- INTERNET
- READ_SMS
- RECEIVE_SMS
- PROCESS_OUTGOING_CALLS
So basically, it looks like an
app to steal some data from our phone. Cool. :) I found something else:
Receiver is described here. Using this small list we will
try to check each function one by one to figure out what’s going on inside the
code. So let’s go back to the code now:
This one is cool:
Yeah, sure. ;] By the way, you can also use
apktool (eg. $ apktool d app.apk) to
decompile APK and check (if possible) for any Java code inside to analyze:
As you can see, code is trying
to go to Repeat.class. Let’s do the same:
Going down (Call.java file), we can see some string to decrypt:
As you can see, to decrypt it
we need to check Secure.java class.
Let’s do this:
Nice, some AES.
We will get back to it later.
To summarize it a little bit I grepped
all “public” (“private” and so on…) functions:
Below - grep for “private”:
And the last one, including “protected” results:
Ok, let’s back to our actions in Manifest file:
We can easily see that all
“actions” here are related to functions (deeper in the source). Cool, so let’s
check “first” of them:
Ok, so we’re looking for MainActivity
in the code:
Ok, let’s get back to the
source:
We can see that the app will check some information about our installed packages:
Next application is trying to
copy itself and start as a service in background:
Next action in our case will be CheckAction():
Next I was looking for BroadcastReceiver to see what’s the
purpose of it. I found couple of links:
Checking first link:
Ok, cool. I assume that this
class will prepare a “request” (see devimsi,
clientID and dataFetcher defined
in the code) with data to send to attacker’s host:
Ok. Let’s go to the next class
(when you already tried all Connect*
classes): this time we will check GetAccs.java:
This time some information
about packages are delivered to the attacker. In the next file – GetAll.java – we will find that the code
will try to send our SMS messages to the attacker’s host:
Finally, we are in the file Receiver.java:
Assasin will try to get our
SMS after receiving and re-send it to the attacker.
Small summary: application is
trying to steal information from the victim’s phone. SMS book will be grabbed
as well as all new incoming messages. This can be a problem when you’re using
your bank account via mobile phone.
Tools and links used (and
found) during this case:
- md5sum
- JAD
- Smali2Java
If you know some other nice
tools or decompilers, feel free to leave a comment below. Thanks.
Cheers!
Brak komentarzy:
Prześlij komentarz