Cyble_OSINT_Android_Spyware_Chat_DoNot_APK

DoNot APT Group Delivers a Spyware Variant of Chat App

DoNot APT Group, also known as APT-C-35, is an Advanced Persistent Threat (APT) group targeting government-related organizations. DoNot has a reputation for carrying out APT attacks against India, Pakistan, Argentina, and countries in South Asia. This group mainly spreads malware using malicious programs developed in C++, Python, .NET, and other languages.

DoNot APT mainly spreads malware via spear-phishing emails containing malicious documents and files. In addition to spreading malware via spear-phishing emails with attachments that contain either a vulnerability or a malicious macro, this APT group leverages malicious Android APKs in their target attacks. 

Android-based Spyware applications are often disguised as system tools and in some cases as fake apps, counterfeit mobile games, and fake news apps. Post installation, these apps perform Trojan functions in the background and can remotely control the victim’s system, besides stealing confidential information from the targeted device. 

During our Open-Source Intelligence (OSINT) research, Cyble researchers found a malware sample of the DoNot APT group posted on Twitter. Upon analyzing the malware sample, the Cyble Research Lab discovered that it is a fake app disguised as a legitimate messaging app that collects sensitive information from the victim’s device.

The APT group uses the deobfuscation code along with some packers within the application to conceal malicious functionalities. This prevents the spyware from being detected during the static analysis of the app.

Technical Analysis:
We performed the technical analysis of an APK, with the following hash value: 
fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280. 

App name: Mecaller.apk

Package name: com.chat.nsgnest

Some of the applications’ permissions, activities, and services that may be used to perform malicious activities are listed below: 

Permissions: 

  • android.permission.READ_CALENDAR
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.INTERNET
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.READ_CALL_LOG
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.RECEIVE_SMS
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.CALL_PHONE
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_SMS
  • android.permission.RECORD_AUDIO
  • android.permission.READ_CONTACTS

Activities: 

  • ime.serviceinfo.app.MainActivity
  • ime.serviceinfo.app.qsharehong.qsharelackhong

Services: 

  • ime.serviceinfo.app.qsynchong.qSyncServicehong
  • ime.serviceinfo.app.qsynchong.qAuthenticatorServicehong
  • ime.serviceinfo.app.qaleolehong.qdcerthong
  • ime.serviceinfo.app.qaleolehong.qnqwerhong
  • ime.serviceinfo.app.qstunthong.qSensorServicehong
  • ime.serviceinfo.app.qsharehong.qsttrServicehong
  • ime.serviceinfo.app.qsharehong.qServicehong
  • ime.serviceinfo.app.qaleolehong.qhepjshong
  • ime.serviceinfo.app.qhelphong.qgarohong
  • ime.serviceinfo.app.qaihihihong.tknnotify.sfsSr

We also performed a dynamic analysis and discovered that the app has an emulator check that avoids running the app in an emulator or VirtualBox, and only runs this app on legitimate devices. Further, on bypassing the scripts using Frida and on loading the application, it displays a message as shown in the figure below.

Figure 1 Error Message from The App on Loading It Through Frida Scripts

Using the same Frida scripts and on loading the various activities, the app requests users to enable the accessibility service and on activating, it displays the below message as shown in Figure 2.

Figure 2 – Message displayed on turning on the Accessibility Service

The malware then initiates malicious behavior from the application main class, “ime.serviceinfo.app.MainActivityThe entry point of the app is this class, which gets executed at first when the user starts the application.

Using the above permissions granted from users, the following data is fetched from the devices:  

  • Tracking the user’s location along with network operator details, device location, latitude, and longitude from the compromised device.

Figure 3 Code to track the location of the device with Latitude and Longitude

  • Checking for the availability of internet connection from the device to collect the network and connectivity information.

Figure 4 Checks for Internet connection Availability

  • The application also has the capability to record audio and collect media files from the infected device without the user’s knowledge.

Figure 5 Code to Record Audio/Media Files from the Infected Device

  • Sending text messages using permissions and SMS manager.

Figure 6 Sends text Messages using SMS Manager and Android Permissions

  • Tracking the Service/Receiver that are registered post device reboot.

Figure 7 Registers the service/receiver on phone reboot

  • After the accessibility service is enabled, the application launcher icon is removed from the main screen, thereby allowing the app to stay hidden.

Figure 8 Hides the Application launcher Icon from View

  • Collecting the information on the running application processes or tasks.

Figure 9 Collects list of running processes

  • Verifying the infected device fingerprint, hardware, and model to find out whether the application is executed through emulator or through VirtualBox. If it is executed through emulator, the application will not be performing any malicious activity to avoid any kind of detection.

Figure 10 Code to detect the analysis device (Emulator Check)

  • Monitoring the device phone number from both outgoing and incoming calls using broadcastreceiver and storing the collected data into “CallLogs.txt“.

Figure 11 Code that queries phone numbers from incoming and outgoing calls

Figure 12 Code that monitors and collects call logs

  • Monitoring the incoming messages, creating Protocol data unit (PDU), intercepting SMSes to collect information from them and storing the information in “sms.txt“.

Figure 13 Code that monitors and collects SMS data

Figure 14 Stores the collected SMS data

  • Collecting phone contacts from the infected device and storing it in “contacts.txt” file.

Figure 15 Collects and stores Phone contacts

  • Along with the above sensitive information, this malicious app has the code to fetch stored mail accounts and application accounts like Gmail, WhatsApp, besides storing the information in “accounts.txt“.

Figure 16 Code that collects and stores mail, application accounts

  • Base64 Encryption technique used in multiple classes and methods.

Figure 17 Encrypted strings using Base64 encryption technique

Upon decrypting the encrypted strings, we were able to determine that the data being collected by this app is sent to the C2 link through which the application communicates and uploads the information to the server.

C2 Server: hxxp[:]//tinyshort[.]icu/

CONCLUSION:

Spyware apps have been around for a long time, yet they still pose a significant threat to sensitive data on victim devices. The APT groups responsible for creating the spyware are constantly adapting and using various encryption techniques to avoid detection. This makes removal of the spyware nearly impossible, thus users should exercise caution while installing applications.

SAFETY RECOMMENDATIONS:

  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Uninstall the application if you find this malware in your device. 
  • Keep your system and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 
  • Download and install software only from trusted sites and official app stores. 
  • Verify the privileges and permissions requested by apps before granting them access. 
  • People concerned about the exposure of their stolen credentials in the dark web can register at AmIBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic  Technique ID  Technique Name  
Defense Evasion  T1406  
T1418 
Obfuscated Files or Information  
Application Discovery 
Credential Access  T1409  
T1412 
Access Stored Application Data  
Capture SMS Messages 
Collection  T1507  
T1430  
T1412 
T1429 
T1432 
T1433 
Network Information Discovery  
Location Tracking  
Capture SMS Messages 
Capture Audio 
Access Contact List 
Access Call Log 
Discovery  T1421
T1430
T1426
T1418 
T1424 
System Network Connections
Discovery  Location Tracking   
System Information Discovery  
Application Discovery 
Process Discovery 
Command and Control  T1573 
T1571  
Encrypted Channel  
Non-Standard Port 
Exfiltration T1532 Data Encrypted 

Indicators of Compromise (IoCs): 

IOCs IOC type 
fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280SHA256   
hxxp[:]//tinyshort[.]icu/Interesting URL 
45.61.137[.]7IP address 

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

%d bloggers like this: