Tuesday, January 19, 2016

2nd part of Tinba Malware analysis: The APK side

As showed in my previous post about Tinba malware Threat Actors are continually adapting and changing their techniques and tools. While doing the analysis of the Tinba malware, I ended up with an Android APK which it sounded very familiar to me. This APK is the new version of the Android Bank Trojan Emmental/Retefe. 

I wrote a bit about previous versions of the trojan in several posts:


The sample I got (49a7217ea3af4f4254fe8acbf221263afee24900193870dcc094fac39858e5c4is not reported in VT yet. However, there are similar samples already reported in VT since few weeks:


What is new in this version of the malware?

There are several interesting new things that have been introduced in this new version of the malware, but I am going to focus in what I have seen as the most interesting feature: the persistence in the device.

Looking at the initial encrypted configuration file, where all the C&C URL are stored, I see a new field named 'download_url'

$cat config_plain.txt
<?xml version="1.0" encoding="utf-8"?>
            <data rid="25"
                  shnum10="" shtext10="" shnum5="" shtext5="" shnum3="" shtext3="" shnum1="" shtext1=""

                  ready_to_bind="0" />


This field contains a link to another APK. This is really interesting and worth to investigate.

When I installed the APK in my device, the new application "CreditSuisse SMSSecurity" is there

When launching it, I get a new windows which requires 'additional settings to work'

In the accessibility options, it exists now a new option for the CreditSuisse SMSSecurity

Going to that option I can see that it is asking to enable some 'updates', which it is really suspicious

After I have enabled the 'new service', I see a new 'Messaging' application is installed.

At the same time I can see HTTP traffic to the C&Cm but also to the URL configured in the initial configuration which points to the APK (http://hardits.com/seta.apk)

There are now in the system two different new applications with different names running. 

root@hammerhead:/ # ps | grep sms
root      20    2     0      0     c01af260 00000000 S smsm_cb_wq
u0_a143   3096  199   1572676 72728 ffffffff b6e6c898 S com.google.smsmms
u0_a143   3173  199   1498728 41028 ffffffff b6e6c898 S com.google.smsmms:remote
u0_a142   30882 199   1529224 65980 ffffffff b6e6c898 S com.google.securesms
u0_a142   31068 199   1501308 49196 ffffffff b6e6c898 S com.google.securesms:remote

com.google.securesms is the first installed application (CreditSuisse SMSSecurity), and com.google.smsmms has been installed by com.google.securesms. However, it looks like only the first one has the proper configuration file MainPref.xml with the C&C

Although, if I uninstall the original 'CreditSuisse SMSSecurity', the MainPref.xml with the C&C appears. But in this case the download_url field pointing to the APK doesn't exist.

After this, the connections to the C&C are normally done.

What's going on here?
  • The initial APK fools the user to allow some special 'permissions' in order to perform updates
  • Once those 'permissions' are granted, the application installs another  'Messaging application'. The URL of the APK is in the initial configuration file MainPrefs.xml
  • This second 'Messaging Application' doesn't do anything and doesn't contain the C&C configuration MainPref.xml file in the beginning
  • The second application becomes active and with the MainPref.xml populated once the first application CreditSuisse SMSSecurity is uninstalled in order to guarantee persistence
More to come in next posts :)