Cyble-Android-App-Turkish-Ministry-of-Justice

Malicious App Targets Turkish Ministry of Justice

Android App capable of stealing sensitive credentials

While conducting our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter post wherein researchers mentioned a malware named “Adalet,” which has an icon/logo similar to the Turkish Ministry of Justice (Türkiye Cumhuriyeti Adalet Bakanlığı).

During our analysis of this malware, we observed that the package name of the malicious app was com.language.task. Further research revealed that this malware pretends to be the official app of the Turkish Ministry of Justice and primarily targets Turkish citizens.

Cyble Research Labs has identified several sophisticated features in this malicious app, such as keylogging, stealing data from Google Authenticator,  Gmail, and TeamViewer, as well as recording microphone audio, sending SMSs, etc.

Technical Analysis

APK Metadata Information

  • App Name:  Adalet
  • Package Name: com.language.task
  • SHA256 Hash: 3aa982b5078d60217ba961a2d79e2930d9bbeb24f21e794eb5a96212bfca4e74

Figure 1 shows the metadata information of an application.

Figure 1 – App Metadata Information

The figure below shows the application icon and name displayed on the Android device.

Figure 2 – App Icon and Name

Manifest Description

The malware requests users for 40 different permissions, of which it abuses over 13. These dangerous permissions are listed below.

PermissionsDescription
READ_SMSAccess SMSs from the victim’s device.
RECEIVE_SMSIntercept SMSs received on the victim’s device
READ_CONTACTSAccess phone contacts
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
RECORD_AUDIOAllows the app to record audio with the microphone, which has the potential to be misused by attackers
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
ACCESS_FINE_LOCATIONAllows the device’s precise location to be detected by using the Global Positioning System (GPS).
SEND_SMSAllows an application to send SMS messages.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
GET_ACCOUNTSAllows the app to get the list of accounts used by the phone
DISABLE_KEYGUARDAllows the app to disable the keylock and any associated password security
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.

Source Code Review

Our static analysis indicated that the malware steals sensitive data such as Google Authenticator data, Gmail credentials, recording microphone audio, sending SMSs, grabbing pattern lock, etc., from the infected device based on the commands received from the C&C server.

The malware uses the code snippet shown below to grab the device pattern lock using Accessibility overlay.

Figure 3 – Code to Grab Pattern Lock

The malware uses the code shown in Figure 4 to grab Gmail credentials using Accessibility overlay.

Figure 4 – Code to Grab Gmail Password

The malware opens the TeamViewer application on the device and steals credentials using Accessibility overlays, as shown in Figure 5. It also disables security apps warning pop-ups from programs such as the Samsung KLMS agent.

Figure 5 – Code for Collecting TeamViewer Credentials

The code snippet below depicts the malware’s ability to record audio based on commands from the TAs C&C server.

Figure 6 – Code to Record Audio

The malware tries to obtain all the necessary permissions without any user interaction, as shown below.

Figure 7 – Code to Obtain Permissions

The malware steals Google Authenticator codes using Accessibility overlays based on commands sent from the TA’s C&C server, as shown below.

Figure 8 – Steals Google Authenticator Code

The malware can also push notifications to the device, as shown in Figure 9. Using this, the Threat Actors (TAs) can push any notifications into victims’ devices and perform several malicious activities. These include luring the victims to click on the notifications that redirect them to phishing pages or malicious websites.

Figure 9 – Push Notifications

Figure 10 demonstrates the malware’s ability to send text messages from the victim’s machine. The TA’s C&C server will provide the number and SMS content.

Figure 10 – Code to Send SMS

Figure 11 showcases the code that illustrates the malware’s ability to steal key logs.

Figure 11 – Code to steal keylogs

The code in the below snippet depicts the malware’s tendency to forward the victim’s incoming calls to any number specified by the TA.

Figure 12 – Code to Forward Calls

The malware also disables the device administrator and takes full control of the device, as shown below.

Figure 13 – Code to Disable Admin

In both our static as well as dynamic analysis, we identified the TA’s C&C communication with the device. The malware uploads contact data to the server, as shown below.

Figure 14 – Malware C&C Communication

We have listed the commands used by the TAs to control the infected device below:

CommandDescription
grabbing_lockpatternGrabs Pattern Lock
run_record_audioRecords Audio
get_all_permissionAllow Permissions by self
access_notificationsRead Incoming Notification Contents
grabbing_google_authenticator2Steal Google Authenticator codes
notificationPush Notifications
grabbing_pass_gmailGets Gmail Password
remove_botDelete itself
send_smsSends SMS
call_forwardForward Calls

Conclusion

The volume of Cyberattacks on Government organizations is increasing every day; furthermore, these attacks are growing more sophisticated. This malware is one such example of an Android application that pretends to be the official app of the Turkish Ministry of Justice (Türkiye Cumhuriyeti Adalet Bakanlığı).

According to our research, these types of malicious apps and malware are only distributed via sources other than Google Play Store. As a result, practicing cyber-hygiene across mobile devices and online banking applications is a good way to prevent malware such as this from compromising your systems.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS about malicious apps and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1433Access Call Log
CollectionT1412Capture SMS Messages
CollectionT1432Access Contact List
CollectionT1429Capture Audio
CollectionT1512Capture Camera
CollectionT1533Data from Local System
CollectionT1430Location Tracking
Command and ControlT1436Commonly Used Por

Indicators of Compromise (IOCs)  

IndicatorsIndicator TypeDescription
3aa982b5078d60217ba961a2d79e2930d9bbeb24f21e794eb5a96212bfca4e74SHA256Adalet APK
36d9a4956eb95d125e4e24a1cc40eb0147771f11SHA1Adalet APK
baea707ad27c85c922215ed947752151MD5Adalet APK
hxxp://sanatatolyesii[.]comURLC&C URL
Scroll to Top