Estimated reading time: 8 minutesThis malware has all basic functionalities of the Android banker along with additional features like call forwarding, sound recording, keylogging and ransomware activities. It has the ability to launch user’s browser with URL received from the C&C server. It repeatedly opens the accessibility setting page until the user switches ON the ‘AccessibilityService’. The AccessibilityService allowing the Trojan to enable and abuse any required permission without user concern. Fig.1 Malicious app icon and accessibility setting page opened by malware Overlays on targeted Apps After launching one of the targeted application, the Trojan displays an overlay phishing login form of confidential information over its window where it asks the user to enter a username, password, and other sensitive data. Following are some overlays displayed by Trojan : Fig.2 Overlay on banking Apps Fig.3 Overlay on Play store and zebpay Commands and respective features are shown in below table The malware performs activity according to commands received from the C&C server. Following list shows the commands used by the malware- Commands Meaning Send_GO_SMS Send SMS from the infected device nymBePsG0 Upload all numbers from the phone book to C&C server GetSWSGO Upload all SMS to C&C server telbookgotext Send the SMS to all numbers saved in the infected device getapps Upload the list of all installed applications ALERT Show alert whose contents are specified in the command PUSH show notification whose contents are specified in the command startAutoPush Show notification whose contents are set in the Trojan’s code ussd Calls a USSD number from the infected device sockshost Start Server Socket stopsocks5 Stop Server Socket recordsound Start record sound replaceurl Replace URL Panel startapplication Start application specified in the commands killBot Clear the C&C server address getkeylogger Upload keystrokes logs on the server startrat Start Remote Administration Tool startforward Start call forwarding to the number specified in the commands stopforward Stop call forwarding openbrowser Open URL in the browser openactivity Open URL in WebView cryptokey Encrypts all files decryptokey Decrypts all files Technical analysis The main APK file is highly obfuscated and all strings are encrypted. It also contains the extra junk code to make it difficult for reverse engineering. The main APK contains ‘image/files’ encrypted file. The ‘image/files’ file is decrypted at runtime and drops another file ‘app_filesdriqoy.jar’. Further malicious activities are performed by that file. Fig.4 The main APK file code Fake alert to disable Google Play protect service It checks whether a user’s Google Play protection service is ON or OFF. If it is ON then it displays the fake alert to disable it with the message”The system does not work correctly, disable Google Play Protect!” Fig.5 Fake alert to disable google play protect service Prevent from uninstalling the malicious App If user goes to uninstall the application from the setting then malware shows the alert with “System Error 495” message. Fig.6 Fake alert code Fig.7 The fake alert when user tries to uninstall Used Twitter for malicious purpose The malware author uses the Twitter to get C&C server address. The malware takes the encrypted server address from the specified Twitter account that starts with <zero> and ends with </zero>. Twitter accounts used in this malware are “hxxps://twitter.com/KeremTu81270252” and “hxxps://twitter.com/JackCorne”. Fig.8 Code to take server address from twitter Fig.9 Tweet on the specified account It Encrypts and Decrypts the files Whenever the client receives a command “cryptokey” from the server, it encrypts all the files. All the encrypted files are renamed with the extension “.AnubisCrypt”. It deletes all the original files whereas when the client receives a command “decryptokey” from the server, it decrypts all files. Fig.10 Code for files Encryption and Decryption After it encrypts all the files it shows the ransom screen. It blocks the screen of the device by Window WebView, which shows the content received from the server. Below Fig. shows the htmllocker code which is received from the server. Fig.11 HTML locker code Quick Heal detection Quick Heal successfully detects this Android Trojan as Android.Banker.L Indicator of compromise App Name: sistemguncelle Package name: com.qvgstiwjsndr.jktqnsyc MD5: b0ff12e875d1c32bd05dde6bb34e9805 Size: 344 KB App Name: Adobe Flash Player Package name: com.fzuhnorsz.xgvmhdztawmg MD5: bc53a5857b1e29bef175d64fbec0c186 Size: 383 KB Targeted Apps com.csam.icici.bank.imobile com.snapwork.hdfc hdfcbank.hdfcquickbank com.sbi.SBIFreedomPlus com.axis.mobile org.bom.bank com.idbi.mpassbook com.amazon.mShop.android.shopping com.paypal.android.p2pmobile com.mobikwik_new com.ebay.mobile zebpay.Application pl.ideabank.mobilebanking wos.com.zebpay at.easybank.mbanking at.bawag.mbanking com.idbibank.abhay_card src.com.idbi com.citibank.mobile.au com.citibank.mobile.uk ru.sberbank.mobileoffice…
Source: QuickHeal Feeds