Cyble Research Labs identified a malware sample, posted to MalwareBazaar by a researcher, during a routine threat-hunting exercise. The app poses as a “Voicemail” app to make users believe it is genuine. Our analysis shows that it carries keylogging, screen-recording, SMS-collection and call-log-collection functionality.
The application was developed with Xamarin, an open-source platform for building Android and iOS apps in C# and .NET. The source code is compiled to CIL (IL) instructions and stored in managed assemblies (DLL files). These, together with the app’s resources and other data, are then bundled into an APK package by the Android package builder.
On analyzing the app further, we observed that the malicious app is a forked version of the open-source project AndroSpy.
Figure 1 depicts the DLL files found in the application.
The app also carries out spyware operations, and its malicious logic is packaged inside the Xamarin-compiled .NET assemblies rather than in the Dalvik bytecode; the Java classes in classes.dex are largely generated glue that hands control to the managed code. The attackers’ purpose in using Xamarin is to hide the malicious code from tooling that only inspects the Dalvik side of the APK and to extract sensitive data without being detected.
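As an added example (not code from the report or from the AndroSpy project), the following Python script shows the first step an analyst takes with a Xamarin APK: enumerate the `assemblies/` entries, detect Xamarin’s `XALZ` compressed-assembly header, inflate the LZ4 block and confirm that a PE (`MZ`) assembly comes out. The APK it inspects is constructed in memory; the entry names `ServicesDemo3.dll` (named in this report) and `Mono.Android.dll` stand in for the DLLs listed in Figure 1, and the compressed payload is a hand-assembled LZ4 block, not data from the real sample.

```python
import io
import struct
import zipfile

XALZ_MAGIC = b"XALZ"                   # Xamarin.Android compressed-assembly marker
XALZ_HEADER = struct.Struct("<4sII")   # magic, descriptor index, uncompressed size


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Minimal LZ4 *block* decoder (no frame format); enough for XALZ payloads."""
    dst = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4            # literal run length, 15 = read extension bytes
        if lit_len == 15:
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        dst += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break                       # final sequence carries literals only
        offset = src[i] | (src[i + 1] << 8)   # 16-bit little-endian back-reference
        i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = token & 0x0F
        if match_len == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        match_len += 4                  # minimum match length is 4
        start = len(dst) - offset
        for k in range(match_len):      # byte-wise copy so overlapping matches work
            dst.append(dst[start + k])
    if len(dst) != expected_size:
        raise ValueError(f"size mismatch: got {len(dst)}, header says {expected_size}")
    return bytes(dst)


def unpack_assembly(blob: bytes) -> tuple[str, bytes]:
    """Return (encoding, raw assembly bytes) for one assemblies/*.dll entry."""
    if blob[:4] == XALZ_MAGIC:
        _, _index, size = XALZ_HEADER.unpack_from(blob)
        return "xalz", lz4_block_decompress(blob[XALZ_HEADER.size:], size)
    return "plain", blob


def triage_xamarin_apk(apk_bytes: bytes) -> dict[str, dict]:
    """Enumerate managed assemblies in an APK and report whether each is a PE file."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            # also matches per-ABI subfolders such as assemblies/arm64-v8a/
            if not (name.startswith("assemblies/") and name.lower().endswith(".dll")):
                continue
            encoding, pe = unpack_assembly(zf.read(name))
            report[name.rsplit("/", 1)[-1]] = {
                "encoding": encoding,
                "is_pe": pe[:2] == b"MZ",
                "size": len(pe),
            }
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in for Voicemail.apk: two assembly entries plus filler."""
    # Hand-assembled LZ4 block for b"MZA" + b"A"*10: one sequence of 3 literals
    # plus a 5-byte match at offset 1, then a final sequence of 5 literals.
    lz4 = bytes([0x31]) + b"MZA" + bytes([0x01, 0x00]) + bytes([0x50]) + b"AAAAA"
    compressed = XALZ_HEADER.pack(XALZ_MAGIC, 0, 13) + lz4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("assemblies/ServicesDemo3.dll", compressed)
        zf.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\0" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for dll, info in triage_xamarin_apk(build_sample_apk()).items():
        print(f"{dll:24} {info['encoding']:5} pe={info['is_pe']} size={info['size']}")
```

The `XALZ` layout (magic, descriptor index, uncompressed size, then an LZ4 block) is how Xamarin.Android stores compressed assemblies; the decoder above is a small block decoder written for this example, and in practice the `lz4` package does the same job. Newer .NET for Android builds may instead ship a single `assemblies/assemblies.blob` store, which this script does not parse. Once inflated, the DLLs can be loaded into a .NET decompiler to reach the logic that a Dalvik-only decompiler never shows.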
Apps of this variant are commonly disguised as messaging, camera, or utility apps and are designed to steal information such as:
- SMS data
- Call logs
- Device information
- Location tracking
Researchers at Cyble downloaded the malware samples and performed a detailed analysis, which determined that the malware is a variant of spyware that uploads victim data to a Command & Control (C2) server.
APK Metadata Information:
Figure 2 represents the metadata information of the application.
- App Name: Voicemail.apk
- Package Name: com.device.voicemail
- SHA256 Hash: 6c454bda271d459ed3325ac77ef503972d170d099f53623c057d02d194a295de
The malware declares and requests multiple dangerous permissions to collect contacts, SMSs, and the victim’s location. Table 1 shows this list of hazardous permissions.

| Permission | Description |
|---|---|
| INTERNET | Allows applications to open network sockets |
| READ_PHONE_STATE | Read-only access to phone state |
| READ_CONTACTS | Access to phone contacts |
| WRITE_CONTACTS | Allows an application to write the user’s contacts data |
| ACCESS_MOCK_LOCATION | Allows the app to override the location and/or status returned by other location sources such as GPS or location providers |
| PROCESS_OUTGOING_CALLS | Allows an application to see the number being dialed during an outgoing call |
| ACCESS_COARSE_LOCATION | Allows an app to access approximate location |
| BLUETOOTH | Allows applications to connect to paired Bluetooth devices |
| BLUETOOTH_ADMIN | Allows applications to discover and pair Bluetooth devices |
| ACCESS_FINE_LOCATION | Allows an app to access precise location |
| SEND_SMS | Allows an application to send SMS messages |
| WRITE_SMS | Allows the app to write to SMS messages stored on the phone or SIM card |
| READ_SMS | Allows an application to read SMS messages |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| WRITE_CALL_LOG | Allows an application to write (but not read) the user’s call log data |
| READ_CALL_LOG | Allows an application to read the user’s call log |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
| CHANGE_WIFI_STATE | Allows applications to change Wi-Fi connectivity state |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer |
| CAMERA | Required to be able to access the camera device |
| RECORD_AUDIO | Allows an application to record audio |
Reviewing the application’s code, we see multiple entry points declared in the manifest file. “crc646c638bcfc2425995.MainActivity” is the main entry point that loads first. The crc64-prefixed package name is the Android Callable Wrapper that Xamarin generates for a managed class; the wrapper holds only glue code and hands control to the managed assembly.
In the main activity, the app calls code from the ServicesDemo3 DLL file. Other classes such as SMSBroadcastReceiver, SMSSTATUS and screenActivty likewise invoke code from the ServicesDemo3 DLL file.
Looking inside the ServicesDemo3 DLL file, Figure 5 shows the services and receivers it defines.
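The permission table and the manifest entry points above are the two things a triage script can check before any decompilation. The following Python example is added here and is not code from the report or from AndroSpy: it parses a decoded AndroidManifest.xml, groups the requested runtime permissions by the capability they unlock, finds the launcher activity and exported receivers, and flags the Xamarin tell-tales. The manifest it parses is constructed: the package name, launcher activity, SMSBroadcastReceiver and ForegroundService names come from the report, while the intent filters, the crc64 prefix on the receiver and service, and the mono.MonoRuntimeProvider entry are assumptions typical of Xamarin builds rather than facts the report states.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions from the report's table, grouped by the
# capability they unlock. INTERNET and BLUETOOTH are normal-level and omitted.
CAPABILITY_GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "calls": {"READ_CALL_LOG", "WRITE_CALL_LOG", "CALL_PHONE",
              "PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE"},
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "audio": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "storage": {"WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE"},
}
DANGEROUS = set().union(*CAPABILITY_GROUPS.values())

# Constructed decoded manifest modelled on the report. Intent filters, the crc64
# prefix on the receiver/service and mono.MonoRuntimeProvider are assumptions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.device.voicemail">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Voicemail">
    <activity android:name="crc646c638bcfc2425995.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="crc646c638bcfc2425995.SMSBroadcastReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name="crc646c638bcfc2425995.ForegroundService" android:exported="false"/>
    <provider android:name="mono.MonoRuntimeProvider" android:exported="false"
              android:authorities="com.device.voicemail.mono.MonoRuntimeProvider.__mono_init__"/>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    requested = {_attr(p, "name").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    groups = sorted(g for g, perms in CAPABILITY_GROUPS.items() if requested & perms)

    launcher, components = None, []
    for tag in ("activity", "receiver", "service", "provider"):
        for el in root.iter(tag):
            name = _attr(el, "name")
            actions = {_attr(a, "name") for a in el.iter("action")}
            categories = {_attr(c, "name") for c in el.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in categories:
                launcher = name
            components.append({"type": tag, "name": name,
                               "exported": _attr(el, "exported") == "true",
                               "actions": sorted(actions)})

    # Xamarin tell-tales: crc64<hash>-prefixed Android Callable Wrappers and the
    # mono runtime provider; the real logic then lives in assemblies/*.dll.
    xamarin = any(c["name"].startswith("crc64") or c["name"] == "mono.MonoRuntimeProvider"
                  for c in components)
    # Heuristic: network access plus three or more collection capabilities is the
    # profile of the spyware described in the report, not proof on its own.
    verdict = "spyware-like" if "INTERNET" in requested and len(groups) >= 3 else "review"
    return {
        "package": root.get("package"),
        "launcher": launcher,
        "dangerous_permissions": sorted(requested & DANGEROUS),
        "capability_groups": groups,
        "exported_receivers": sorted(c["name"] for c in components
                                     if c["type"] == "receiver" and c["exported"]),
        "xamarin": xamarin,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the output of an APK decoder (the binary manifest inside the APK must be decoded to XML first). A voicemail app that lands in six capability groups, exports an SMS receiver and carries Xamarin wrappers is exactly the combination that should send the assemblies to a .NET decompiler rather than stopping at classes.dex.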
On execution, the application asks the user for permission to capture and stream the device screen. Once the user grants it, the attacker can monitor the device screen without the user’s knowledge.
ForegroundService collects the sensitive information and performs the malicious activities on the infected device. We observed the following during our analysis:
- The malicious code checks the Android build version of the infected device
- It collects and monitors the list of installed apps on the infected device
- It can disable battery optimization for itself so that it keeps running in the background
- It runs shell commands; root is not required
- Collected SMS data is written to logs and sent to the C2 server over sockets
- Collected contacts data is likewise written to logs and sent to the C2 server over sockets
- Call logs are read from the infected device and sent to the C2 server over sockets
- The code also collects hardware information about the infected device
- All of these collection routines are wired into the service’s OnCreate() method, so they start as soon as the service is created
The ServicesDemo3 DLL also contains SMSBroadcastReceiver, which handles sending and receiving text messages and can send SMS to a number supplied by the TA.
The threat actor also operates the malicious app through commands received from the C2 server whose address is embedded in the app. The following figure depicts the C2 server identified in the application.
Even though spyware has been around for a long time, it remains a severe threat because the Threat Actors behind it keep changing their tooling and employ obfuscation and encryption to evade detection, which makes spyware very hard to eradicate.
Based on our research, malware authors are producing increasingly sophisticated software and embedding it in packages tailored to specific devices and platforms. Users should therefore be cautious when installing software.
We recommend that our readers follow the best practices given below:
- Keep your anti-virus software updated to detect and remove malicious software.
- Uninstall the application if you find this malware on your device.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from trusted sites and official app stores.
- Review the permissions an app requests before granting them, and be wary of apps whose requested permissions do not match their stated purpose (a voicemail app has no need for camera, SMS or call-log access).
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Collection/Credential Access | T1412 | Capture SMS Messages |
| Collection | T1433 | Access Call Log |
| Collection | T1507 | Network Information Discovery |
| Network Effects | T1449 | Exploit SS7 to Redirect Phone Calls/SMS |
| Command and Control | T1571 | Non-Standard Port |
| Impact | T1447 | Delete Device Data |
| Impact | T1448 | Carrier Billing Fraud |
Indicators Of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| 6c454bda271d459ed3325ac77ef503972d170d099f53623c057d02d194a295de | SHA256 | Voicemail.apk |
| 193.161.193[.]99 | IP | IP address of C2 |
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.