Tuesday, January 19, 2016

2nd part of Tinba Malware analysis: The APK side

As showed in my previous post about Tinba malware Threat Actors are continually adapting and changing their techniques and tools. While doing the analysis of the Tinba malware, I ended up with an Android APK which it sounded very familiar to me. This APK is the new version of the Android Bank Trojan Emmental/Retefe. 

I wrote a bit about previous versions of the trojan in several posts:

http://blog.angelalonso.es/2015/10/android-memory-analysis-preparing.html
http://blog.angelalonso.es/2015/10/decrypting-emmental-blowfish-and-base64.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html
http://blog.angelalonso.es/2015/10/malware-analysis-with-androguad.html
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html


The sample I got (49a7217ea3af4f4254fe8acbf221263afee24900193870dcc094fac39858e5c4is not reported in VT yet. However, there are similar samples already reported in VT since few weeks:

3cbe649958ab07238c2e4145f37f04bc4f4fd1e3a12f55129355a72e04ffe8da
c88bb1eb09246e52b009386066da3b3b74a4c3f791a0ccc8d5b641ca5c365d1e


What is new in this version of the malware?

There are several interesting new things that have been introduced in this new version of the malware, but I am going to focus in what I have seen as the most interesting feature: the persistence in the device.

Looking at the initial encrypted configuration file, where all the C&C URL are stored, I see a new field named 'download_url'

$cat config_plain.txt
<?xml version="1.0" encoding="utf-8"?>
          <config>
            <data rid="25"
                  shnum10="" shtext10="" shnum5="" shtext5="" shnum3="" shtext3="" shnum1="" shtext1=""
                  del_dev="0"
                  url_main="http://mbarbaram.com/Tri-Oval/09291245410kk.php;http://hoteldellenazionimilan.com/wp-includes/main.php"
                  phone_number=""

 download_url="http://hardits.com/seta.apk"
                  ready_to_bind="0" />

          </config>

This field contains a link to another APK. This is really interesting and worth to investigate.

When I installed the APK in my device, the new application "CreditSuisse SMSSecurity" is there


When launching it, I get a new windows which requires 'additional settings to work'


In the accessibility options, it exists now a new option for the CreditSuisse SMSSecurity


Going to that option I can see that it is asking to enable some 'updates', which it is really suspicious





After I have enabled the 'new service', I see a new 'Messaging' application is installed.


At the same time I can see HTTP traffic to the C&Cm but also to the URL configured in the initial configuration which points to the APK (http://hardits.com/seta.apk)



There are now in the system two different new applications with different names running. 

root@hammerhead:/ # ps | grep sms
root      20    2     0      0     c01af260 00000000 S smsm_cb_wq
u0_a143   3096  199   1572676 72728 ffffffff b6e6c898 S com.google.smsmms
u0_a143   3173  199   1498728 41028 ffffffff b6e6c898 S com.google.smsmms:remote
u0_a142   30882 199   1529224 65980 ffffffff b6e6c898 S com.google.securesms
u0_a142   31068 199   1501308 49196 ffffffff b6e6c898 S com.google.securesms:remote




com.google.securesms is the first installed application (CreditSuisse SMSSecurity), and com.google.smsmms has been installed by com.google.securesms. However, it looks like only the first one has the proper configuration file MainPref.xml with the C&C



Although, if I uninstall the original 'CreditSuisse SMSSecurity', the MainPref.xml with the C&C appears. But in this case the download_url field pointing to the APK doesn't exist.


After this, the connections to the C&C are normally done.

What's going on here?
  • The initial APK fools the user to allow some special 'permissions' in order to perform updates
  • Once those 'permissions' are granted, the application installs another  'Messaging application'. The URL of the APK is in the initial configuration file MainPrefs.xml
  • This second 'Messaging Application' doesn't do anything and doesn't contain the C&C configuration MainPref.xml file in the beginning
  • The second application becomes active and with the MainPref.xml populated once the first application CreditSuisse SMSSecurity is uninstalled in order to guarantee persistence
More to come in next posts :)