
A Variant Of OSCORP Masquerades As Flash Player App Targeting Global Users


During a recent threat hunt, Cyble Research Labs identified a malware sample from MalwareBazaar. The app poses as a “FlashPlayer” to deceive users and targets the global user community.

Our investigation reveals that the malicious app shares code and encrypted strings with the UBEL Android botnet, a descendant of the OSCORP malware. OSCORP was developed to attack global banking organizations. When the OSCORP malware is successfully installed on a victim’s device, the Threat Actor (TA) connects to the device remotely via the Web Real-Time Communication (WebRTC) protocol.

The UBEL Android botnet is a new variant of the OSCORP botnet that includes a few minor alterations in the code implementation and is advertised for sale on several cybercrime forums.

OSCORP's internals provide several features, most of which are implemented by abusing the Android Accessibility services, a well-known technique also used by other malware families such as Anubis and Cerberus.

The “bot id” string format, which consists of an initial “RZ-” substring followed by random alphanumeric characters, exposes the link between OSCORP and UBEL.

The application has various functionalities such as:

  • Keylogger – Capture keystrokes
  • Virtual Network Computing (VNC) – Control the bot screen (remote mouse and clicks)
  • Send/Intercept/Delete SMS
  • Call forwarding – Start/Stop forwarding calls
  • Open link in browser – Open specific link in the browser
  • Send SMS – Send an SMS with specific text to the target number
  • Unstructured Supplementary Service Data (USSD) – Execute a USSD request
  • SMS interception – Intercept incoming SMS
  • Installed Applications – Fetch Installed applications from the device
  • Start Application – Launch the application

Technical Analysis

Cyble Research Labs’ detailed analysis establishes that the malware is a variant of UBEL. The malicious app has encrypted strings and patterns along with Command & Control (C2) paths like those present in the UBEL samples analyzed earlier.

APK Metadata Information

Figure 1 represents the metadata information of the application. 

Figure 1 Metadata Information of the APK file
  • App Name: FlashPlayer.apk
  • Package Name:  hrevxqea.hgistuqw
  • SHA256 Hash: 486d6a713d8c907df70a919729ac685328ab91a8977c2e352165640c4bd4d507
  • Delivery Method: Distributed via web download
  • Delivery URL: hxxps://ttneiv[.]com/927515/nuevo_files/FlashPlayer.apk

Manifest Data

The malware requests multiple dangerous permissions. Table 1 lists these hazardous permissions.

Permission               | Description
INTERNET                 | Allows applications to open network sockets
READ_PHONE_STATE         | Read-only access to phone state
ACCESS_SUPERUSER         | Declared by the Superuser app; deprecated from Android 5.0 onward
SEND_SMS                 | Allows an application to send SMS messages
WRITE_SMS                | Allows the app to write to SMS messages stored on your phone or SIM card
READ_SMS                 | Allows an application to read SMS messages
RECEIVE_SMS              | Allows an application to receive SMS messages
WRITE_EXTERNAL_STORAGE   | Allows an application to write to external storage
READ_EXTERNAL_STORAGE    | Allows an application to read from external storage
CALL_PHONE               | Allows an application to initiate a phone call without going through the Dialler
CAMERA                   | Required to be able to access the camera device
RECORD_AUDIO             | Allows an application to record audio
INJECT_EVENTS            | Allows an application to inject input events into a separate process
REQUEST_DELETE_PACKAGES  | Allows an application to request deleting packages
DISABLE_KEYGUARD         | Allows applications to disable the keyguard if it is not secure
Table 1 Declared Permissions found in Manifest file of the app

“hrevxqea.hgistuqw.MainActivity” is the main entry point of the app that loads initially.

Figure 2 Manifest Information from the APK file

The application also uses the permission SYSTEM_ALERT_WINDOW. This permission grants an app the ability to draw overlays on top of other apps. Very few legitimate apps use this permission, as such windows are meant for system-level interaction with the user. During the installation phase, OSCORP utilizes this permission to prompt the user to accept the Accessibility permission.

The application additionally makes use of services bound with BIND_ACCESSIBILITY_SERVICE. Accessibility services should only serve to help impaired Android users operate their devices and apps. They run in the background and are notified when the system dispatches AccessibilityEvents. Such events indicate a change in the user interface’s state, for example when the focus is shifted or a button is pressed. Optionally, such a service can ask for the ability to query the content of the active window. The malicious app abuses this capability to monitor and retrieve data from the affected device.

Figure 3 Accessibility Service used by the app to monitor and retrieve data from Victim’s device
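The permission and service combination described above (Table 1, SYSTEM_ALERT_WINDOW and a BIND_ACCESSIBILITY_SERVICE component) is a useful static triage signal. The following script is an added example written for this article, not code from Cyble or from the sample: it assumes the AndroidManifest.xml has already been decoded to text XML (for instance with apktool), and the sample manifest embedded in it is constructed for the demo, reusing only the package name from this report.

```python
"""Triage a decoded AndroidManifest.xml for the SMS + overlay + accessibility
pattern described in the report.  Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Subset of Table 1 that matters most for SMS-stealing / overlay banking malware.
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.WRITE_SMS",
    "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.DISABLE_KEYGUARD",
    "android.permission.REQUEST_DELETE_PACKAGES", "android.permission.INJECT_EVENTS",
}
SMS = {p for p in HIGH_RISK if p.endswith("_SMS")}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk indicators found in one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    # A component bound with BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service; one bound with BIND_DEVICE_ADMIN is a device-admin receiver.
    bound = {el.get(PERMISSION) for tag in ("service", "receiver") for el in root.iter(tag)}
    result = {
        "package": root.get("package", ""),
        "risky_permissions": sorted(requested & HIGH_RISK),
        "sms_access": bool(requested & SMS),
        "overlay": OVERLAY in requested,
        "accessibility_service": ACCESSIBILITY_BIND in bound,
        "device_admin": DEVICE_ADMIN_BIND in bound,
    }
    # Accessibility + overlay + SMS access is the combination the report describes;
    # a media player app has no legitimate need for any of the three.
    if result["accessibility_service"] and result["overlay"] and result["sms_access"]:
        result["verdict"] = "high"
    elif result["accessibility_service"] or result["sms_access"]:
        result["verdict"] = "medium"
    else:
        result["verdict"] = "low"
    return result


# Constructed sample manifest: the package name is taken from the report,
# component names and everything else are made up to exercise the checks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hrevxqea.hgistuqw">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <application android:label="FlashPlayer">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The verdict is deliberately coarse: it keys on the combination (accessibility binding plus overlay plus SMS access) rather than on any single permission, since keyboards, SMS clients and screen readers legitimately request one of them each, but not all three together.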

It captures the screen height and width of the victim’s device and identifies frequently used apps by inspecting the launcher activity that opens when the app icon is tapped. To obtain the overlay permission, it also checks the device manufacturer and package details.

Figure 4 Enables overlay permission based on package check

After the overlay access is enabled, the method “a()” highlighted in Figure 4 hides the application launcher icon so that the app stays out of sight on the victim’s device.

Figure 5 Hides launcher icon from visibility

The application reads incoming SMS messages and collects data from them, such as the originating address and message body.

Figure 6 Reads the incoming SMS

The malicious app also gains device administrator access through the enabled accessibility service by prompting the user to add the app as a device administrator.

Figure 7 Enables the device admin access through accessibility services

The device administrator check is also performed in other classes such as “hrevxqea.hgistuqw.Lukas” and “hrevxqea.hgistuqw.PJService”, but these have no cross-references.

The app can send text messages using the SmsManager API and delete SMS and contacts data, as shown in Figure 8.

Figure 8 Sends Text Message Using SMSManager

The application also uses accessibility services to protect itself from uninstallation and to control other applications by checking for specific application packages, as shown in Figure 9.

Figure 9 Prevents app from Uninstallation and to Control other applications

The application contains code to query the list of installed packages on the infected device, collects the installed app data and stores it in shared preferences.

Figure 10 Queries the list of Installed packages

The application employs several approaches to slow down static analysis. For example:

  • All strings are obfuscated using an open-source method: each string is encrypted with AES and then base64-encoded.
  • The network connection to the C2 over HTTP is additionally encrypted using the AES algorithm and base64 encoding.

Figure 11 Encryption Routine used in App explained through the flowchart

Encryption methods and techniques used in the app are listed below in Figure 12.

Figure 12 Encryption technique and method used in the app

WebRTC – Web Real-Time Communication

WebRTC (Web Real-Time Communication) is a free and open-source project that enables real-time communication (RTC) between web browsers and mobile applications using application programming interfaces (APIs).

It enables audio and video communication within web pages by allowing the direct peer-to-peer connection, removing the requirement for plugins or native programs to be downloaded.

WebRTC technologies are implemented as an open web standard and are available in all major browsers as ordinary JavaScript APIs. In addition, a library is available for native clients, such as Android and iOS apps, that provides the same capabilities.

Using WebRTC together with the Android Accessibility Service, the TA can take control of the whole device, for example controlling the screen and interacting with apps.

Figure 13 depicts the code implementation of WebRTC, often used for remote VNC.

Figure 13 WebRTC Implementation used for Remote VNC

C2 Communication:

The collected data is sent to the command-and-control (C2) server handled in the class “o.Qh.a”. Decrypting the encrypted strings with the technique identified in Figure 12 shows that the app developer hid the C2 host address in the strings.xml file.

Once the host address present within the app is decrypted, the app derives the various C2 paths through an if-else chain that checks against random strings.

Figure 14 C2 path that communicated with host address

Identified C2 Links:

  • hxxps://leevinsbots[.]xyz
  • hxxps://leevinsbots[.]xyz/api/trashcan/billboard/find
  • hxxps://leevinsbots[.]xyz/api/trashcan/billboard/rhino

While analyzing the C2 interaction, we have also identified a list of bot commands used by the TA.

Below is the list of some of the bot commands:

Bot Command        | Description
send_message       | Send an SMS message
stock_injection    | Save the injections (phishing HTML payload) provided by C2 in the Jedi / Injections.txt file
forward_call       | Call forwarding through the code *21* + number + ##
run_application    | Run an application
enab_sil           | Mute the device (set the device volume level to 0)
switch_sms         | Change the default SMS application to Oscorp (through android.provider.Telephony.ACTION_CHANGE_DEFAULT)
remove_injection   | Remove an injection
make_call          | Perform a call to someone
dev_admin          | Set itself as admin app
run_ussd           | Allows itself to initiate a phone call without going through the Dialer user interface for the user to confirm the call
block              | Save the apps to be blocked in Jedi / block.txt and start MyService
launch_url         | Launch a URL
fetch_applications | Get the list of installed apps
delete_message     | Remove an SMS
delete_application | Remove an application
batt_opt           | Add the Oscorp app to the list of apps that ignore battery optimization
url_injection      | Start the “ramp” class used to stream video of the screen and audio of the compromised device
screencap          | Start recording audio and video through the WebRTC and STUN protocols (the STUN servers are embedded in the code)

Conclusion:

The bankbot/botnet malware family has always used a simple coding style and introduces new campaigns regularly. What makes this variant difficult is that its code has been modified, compared with the older versions, to execute a more complex attack.

Interestingly, using WebRTC to communicate with the hijacked Android phone in real-time eliminates the requirement to enroll a new device and take over an account to commit fraud.

The objective of the threat actor in employing this functionality is to avoid a ‘new device enrolment,’ thus dramatically minimizing the risk of being reported ‘as suspicious’.

Users should be wary of activating the required permissions even in apps distributed through well-known app portals like Google Play Store – since we have observed banking malware increasingly exploiting the Accessibility Service on Android devices.

Our Recommendations:

We have listed some essential cybersecurity best practices that create the first line of defense against attackers. We recommend that our readers follow the best practices given below:   

  • Download and install software only from official app portals such as Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions on the devices.
  • If you find any suspicious applications on the device, uninstall, or delete them immediately. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Use strong passwords and enable two-factor authentication. 

Adobe stopped supporting Flash Player in January 2021. We recommend that users uninstall Flash Player immediately to help secure their systems.

MITRE ATT&CK® Techniques

Tactic                       | Technique ID | Technique Name
Defense Evasion              | T1406        | Obfuscated Files or Information
Collection/Credential Access | T1412        | Capture SMS Messages
Discovery                    | T1421        | System Network Connections Discovery
Discovery/Collection         | T1430        | Location Tracking
Discovery                    | T1426        | System Information Discovery
Collection                   | T1429        | Capture Audio
Collection                   | T1507        | Network Information Discovery
Network Effects              | T1449        | Exploit SS7 to Redirect Phone Calls/SMS
Command and Control          | T1571        | Non-Standard Port
Impact                       | T1448        | Carrier Billing Fraud

Indicators Of Compromise (IOCs) 

Indicator                                                            | Indicator type | Description
486d6a713d8c907df70a919729ac685328ab91a8977c2e352165640c4bd4d507     | SHA256         | Malicious APK
hxxps://ttneiv[.]com/927515/nuevo_files/FlashPlayer.apk              | URL            | Delivery URL
hxxps://leevinsbots[.]xyz/api/trashcan/billboard/find                | URL            | Communicating URL
hxxps://leevinsbots[.]xyz/api/trashcan/billboard/rhino               | URL            | Communicating URL
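To make the indicators above directly usable, the following added example (written for this article, not code from Cyble) refangs the defanged URLs from the IoC table, then matches them against web proxy log lines and a file hash. The log format and the log lines are constructed for the demo; the indicator values themselves are the ones listed in the table.

```python
"""Match the report's IoCs against proxy logs and file hashes.
Added example; log format and log lines are constructed."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC table, still in defanged form.
IOC_URLS = [
    "hxxps://ttneiv[.]com/927515/nuevo_files/FlashPlayer.apk",
    "hxxps://leevinsbots[.]xyz/api/trashcan/billboard/find",
    "hxxps://leevinsbots[.]xyz/api/trashcan/billboard/rhino",
]
IOC_SHA256 = {"486d6a713d8c907df70a919729ac685328ab91a8977c2e352165640c4bd4d507"}


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator compares equal to real traffic."""
    return (indicator.replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("[:]", ":"))


IOC_FULL_URLS = {refang(u) for u in IOC_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_FULL_URLS}

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_proxy_log(lines):
    """Return one hit per log line whose URL matches an IoC.

    A full-URL match is reported as "url"; any other request to an IoC host
    (a path we have not seen yet) is still reported, as "host"."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line, skip rather than crash the sweep
        ts, client, _method, url, _status = m.groups()
        if url in IOC_FULL_URLS:
            level = "url"
        elif urlsplit(url).hostname in IOC_HOSTS:
            level = "host"
        else:
            continue
        hits.append({"timestamp": ts, "client": client, "url": url, "match": level})
    return hits


def check_file_hash(data: bytes) -> bool:
    """True if the SHA256 of the given bytes is the APK hash from the report."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Constructed log lines: one download of the dropper, one C2 check-in,
# one request to the C2 host on an unknown path, one benign request, one junk line.
SAMPLE_LOG = [
    "2021-08-02T10:01:03Z 10.0.0.12 GET https://ttneiv.com/927515/nuevo_files/FlashPlayer.apk 200",
    "2021-08-02T10:03:44Z 10.0.0.12 POST https://leevinsbots.xyz/api/trashcan/billboard/find 200",
    "2021-08-02T10:04:10Z 10.0.0.12 POST https://leevinsbots.xyz/api/other 404",
    "2021-08-02T10:05:00Z 10.0.0.7 GET https://example.com/index.html 200",
    "malformed line",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} {hit['match']:4} {hit['url']}")
```

Matching on the host as well as the full URL matters here: the report notes that the C2 paths are built at runtime from an if-else chain, so a client that only ever hits the two listed paths would be missed the moment a new path appears, while the host stays the same.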

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
