Digital transactions and the use of Mobile Banking are growing exponentially – particularly due to the ongoing pandemic. The increase in popularity of mobile banking has attracted the interest of Threat Actors (TAs), who plan on leveraging this situation to steal information and money from users. Cybercriminals are also looking to compromise mobile phones which contain the highest amount of sensitive user information.
A researcher has reported a phishing page linked to spreading Android malware in a Twitter post. Cyble Research Labs has analyzed the page and found that the phishing page is targeting Korean-speaking users.
A screenshot of the fake page is shown in the figure below.
Upon further analysis, we observed that on the phishing page, the TA is spreading a fake version of the Woori Bank app. Woori Bank is a multinational South Korean Bank headquartered in Seoul. The fake page offers the victim a loan amount with extremely attractive interest rates to entice and mislead them into accepting the offer.
Cyble Research Labs has performed a thorough analysis of the fake app and found that it is a variant of spyware. We also found that the same spyware is spreading through other phishing pages as well.
Based on our investigation, the spyware collects contacts, SMSs, call logs and audio and video files. Additionally, it performs other malicious activities such as enabling permissions without the need for user interaction, stealing credentials, etc.
Technical Analysis
The spyware shares the same icon of the WON App by Woori Bank as shown in the below figure.
APK Metadata Information
APK File Info
- APP Name: Woori Bank (우리은행)
- Package Name: com.fomta.c002
- SHA256: ed7ef6718a6b6e7abf3bd96c72929ee9f1e9a4bfcd97429154141c7702093f36
Upon investigating the files inside the malware’s APK file, we observed the following:
- There are two files with .dex extension in addition to the classes.dex file, which looks suspicious. Refer to Figure 3.
Upon inspecting magic numbers of the two .dex files highlighted in above figure, we found the file type of both files are not of a DEX file.
Magic numbers are the first bits of a file that uniquely identify the type of file.
- 10 armv7-based native libraries present in APK file.
- Set of HTML files in the assets folder as shown in Figure 5.
Manifest File Description
The malware requests 41 permissions, out of which attackers can leverage 22 permissions to collect victim’s personal information such as contacts, SMSs, call logs, etc. These dangerous permissions are listed in Table 1.
| Permission Name | Description |
| ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION | Access device location (with the help of GPS and Phone network) |
| ANSWER_PHONE_CALLS | Allows the app to answer phone calls |
| CAMERA | Access device’s camera |
| GET_TASKS | Fetch currently running apps and processes |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls |
| READ_CONTACTS | Access to phone contacts |
| READ_EXTERNAL_STORAGE | Access device external storage |
| WRITE_EXTERNAL_STORAGE | Modify device external storage |
| READ_PHONE_STATE | Access phone state and information |
| RECORD_AUDIO | Allows to record audio using device microphone |
| CALL_PHONE | Perform call without user intervention |
| READ_CALL_LOG | Access user’s call logs |
| READ_SMS | Access user’s SMSs stored in the device |
| REQUEST_INSTALL_PACKAGES | Install applications without user interaction |
| RECEIVE_SMS | Fetch and process SMS messages |
| SEND_SMS | Allows the app to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows to display system alerts over other apps |
| WRITE_CALL_LOG | Modify or Delete Call Logs stored in the database |
| WRITE_CONTACTS | Modify or Delete Contacts Stored in Database |
Upon inspecting the Android components in the fake app’s manifest file, we identified the following entry point classes:
- com.ppnt.ccmd.aavv.Nforg – The class which executes first when the malware is initiated by the user. The declaration of the application subclass in the manifest file is shown in below figure.
- com.fomta.c002.MainActivity – The activity class which executes and displays the starting page of the app. Launcher activity declaration is shown in Figure 7.
In the manifest file, the malware has declared a service for accessing Android’s Accessibility Service.
Accessibility Service is a background service running in the device with the purpose of aiding users with disabilities.
Malware such as Banking trojans, Remote Access Trojans (RATs) and Spyware abuse this service to intercept and monitor all activities happening on the device screen. An example of this is the ability to intercept the credentials being entered by the user on any app.
Most of the component classes declared in the Manifest file are not present in the APK. As shown in the below figure, the launcher activity, Accessibility service, and several other classes are also missing in the APK.
Source Code Analysis
Upon further analysis, we observed that the malware authors used packer software to conceal the actual behavior of the spyware. In this case, the malware is packed using custom packer software. Additionally, the malware also uses multiple obfuscation techniques to evade detection and to restrict reverse engineering.
Packers are a type of software used by developers to hide important code from reverse engineering. The code will only unpack during the execution of the application.
Unpack the DEX Files
Our investigation on the application subclass led us to a code where the spyware filters and passes the two suspicious DEX files, secret_classes.dex and secret_class2.dex files.
The two files are passed to a function named decrypt which is part of a native library, libdn_ssl.so. The code flow used in the malware to decrypt the DEX files is shown in the below figure.
Upon analyzing the libdn_ssl.so file, we found that the DEX files are encrypted using the AES-128-bit encryption technique. The code used for decryption is shown in Figure 11. The key used in the encryption is also highlighted below.
We decrypted the DEX and files using the above findings. Upon decryption, we observed that the missing classes are present in the unpacked DEX files. We also found that the spyware uses anti-sandboxing techniques to stay undetected.
Anti-Sandbox Techniques
The malware performs anti-sandboxing techniques in the initial stages of the execution (after unpacking the DEX code) to hide its malicious behavior. The below code depicts the checks performed by the malware in the initial stages of execution. The malware does not execute if the device is a test environment as shown in the below figure.
The anti-sandbox techniques used are:
- Checks for test device (checks for the presence of adb): adb is enabled in most of the test devices. The code used by the spyware to check adb is shown in below figure.
- Anti-Emulator Checks: Checks for emulator driver files and device fingerprints as shown in the Figure 14.
- Device root check: Check for the presence of rooting software in device as shown below.
- Proxy and VPN Checks: Malware analyst uses proxies and VPNs to capture the traffic of the malware. The code used to check for the presence of this technique is shown in the below figure.
- Device Language: The spyware verifies whether the device uses Korean language as shown in the code below.
The spyware checks for the Korean language used in the victim’s device which concludes that the malware is created to target Korean-speaking users.
The fake application reveals the spyware behavior only if the malware identifies the device is not a sandboxing environment.
Spyware Behavior
The malware prompts the user to enable Accessibility permission on start, post the anti-sandboxing check. Upon enabling the permission, the malware has the capability to enable all other permissions requested with the help of the Accessibility service. The code used to request the Accessibility permission is shown below.
The code used to enable all other permissions is shown in the figure below.
The spyware also displays the HTML files in the assets folder using a WebView. Upon analyzing the HTML files, we observed that the spyware creates a fake webpage to collect user information. The below figure shows the starting webpage and the other web pages used to collect user information.
Using the fake webpage, the spyware collects information such as name, Resident Registration Number (RRN), company name, phone number, etc.
Upon further analysis, we observed that the malware collects information from the victim’s device such as:
- Contacts from device phonebook
- SMSs
- Call Logs
- Audio and Video recording
- GPS Location
- Applications List
- Screen Content as text
The malware uses a service called, com.fomta.c002.service. LInitService, to perform the spyware activity.
The spyware collects information based on the commands from the TA’s Command & Control (C&C) server.
The below figure shows the code to collect contacts from the victim’s device phonebook.
The spyware also constantly monitors victim’s activities such as:
- Intercepting phone calls and recording phone call audio
- Receiving SMSs
The malware sends SMS messages based on commands from C&C, shared by the TA. The code used to send SMS messages is shown in the figure below.
The malware also has the capability to make a phone call without user interaction as shown in the Figure 23.
The malware encrypts the collected data and uploads it to the C&C server based on the commands from the TA. The code to encrypt the data before the upload is shown in Figure 24.
The spyware uses two different C&C server IPs.
- C&C IP1: hxxp://125[.]227.0.22/: Encrypted and stored in a native library, libfirebase.so
- C&C IP2: hxxp://45[.]115.127.106/: Encrypted and stored in a GitHub account
- GitHub URL: hxxps://raw[.]githubusercontent.com/maxw201653/dest/main/pwdText
C&C IP1 is encrypted using AES-128-bit encryption and Base64. The code used to decrypt the IP is shown in the below figure.
Figure 26 shows the code used to retrieve the C&C IP2 from the GitHub repository.
The code used by the spyware to decrypt the C&C IP2 is shown in the below figure.
Resilience
The malware has registered listeners for the victim’s device events and initiates the spyware activity accordingly. These events include BOOT_COMPLETED, NEW_OUTGOING_CALL, etc. The below figure shows one such listener and events registered.
The fake application invokes the LInitService, as shown in the figure below. This is the service that initiates the spyware activity.
Commands
The TA sends the commands as integer values and the spyware translates it to the commands as shown in Figure 30.
Conclusion
As per our observations, during the Covid-19 pandemic, there has been a substantial increase in malware targeting financial services. Some notable examples are Aberebot, S.O.V.A., etc. This spyware is one of the latest amongst them.
The TA uses sophisticated techniques to evade detection and infect multiple users. Identifying phishing pages and fake applications is a best practice for not being a victim of this type of malware.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware in your device, uninstall using adb uninstall or perform a factory reset.
- Use the shared IoCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Operating System and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from registered app stores.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1406 T1444 T1581 T1575 | Obfuscated Files or Information Masquerade as Legitimate Application Geofencing Native Code |
| Credential Access | T1412 | Capture SMS Messages |
| Discovery | T1421 T1430 T1424 T1418 | System Network Connections Discovery Location Tracking Process Discovery Application Discovery |
| Collection | T1507 T1412 T1432 T1429 | Network Information Discovery Capture SMS Messages Access Contact List Capture Audio |
| Command and Control | T1571 T1573 | Non-Standard Port Encrypted Channel |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| ed7ef6718a6b6e7abf3bd96c72929ee9f1e9a4bfcd97429154141c7702093f36 | SHA256 | Hash of the APK sample |
| b4d3d4519427eec34c709a6d6ca43b9001fcc5802a71c8d3afa45cd4f3505626 | SHA256 | Hash of the second APK sample |
| 14264416ad72a75ac2e2a399a9b19b7533bcf33d8427bea0241a317f513acb50 | SHA256 | Hash of the third APK sample |
| 8dbc872f284fbe5eee635aab96a08bc6441ac10f3a5b8eb3aab712b52ca73534 | SHA256 | Hash of the fourth APK sample |
| hxxp://114[.]47.93.211 | URL | Phishing page used to deliver first APK |
| hxxp://61.227.36[.]150 | URL | Phishing page used to deliver second and third APK |
| hxxp://125[.]227.0.22/ | URL | C&C URL1 |
| hxxp://45[.]115.127.106/ | URL | C&C URL2 |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
