Evil App: Russian FruitNinja - #Android Backdoor Analysis
15 Oct 2012
This is a contribution from one of our #MalwareMustDie fellow researchers, made during his crusade against malware: a complete research write-up on an Android malware sample, from analysis of the evil code down to its criminal aspect, which is linked to SMS fraud and more.
This post is also a cross-post from checkmate, written by Sanoop Thomas (@s4n7h0) of InR Labs, NII Consulting. All rights reserved to the author.
The research was well conducted and #MalwareMustDie checked its credibility; you will find it useful as reference research against similar threats.
So here we go..
For my research, I chose to analyze a popular Android application for malware. But why select a Russian version? Well, it made a compelling case study from an analysis perspective, as I later found out during my research. The application I selected was a popular game called FruitNinja, downloaded from a fake Russian Android store (Figure 1).
Steps for Analysis:
Note: Android Package (APK) is the file format used to distribute and install applications on Android phones. It is a zip archive based on the JAR file format, containing the certificates, assets, resources, manifest file, and the Dalvik Executable (DEX) that holds the actual program code.
After changing the APK extension to ZIP, I extracted the archive as shown:
AndroidManifest.xml is an Android binary XML file describing the name of the application, its version, permission rights, and referenced library resources. To convert the file into human-readable XML, I used the Python script manitree.py.
Here, the manifest auditing result reveals FruitNinja's permission to send and receive SMS, which caught my eye at the very first glance. The resource folder (res) was also quite interesting.
A quick glance at the picture files reveals a common face in all of them. So, who is that guy? Intrigued, I probed further using Google image search, which led to a Russian meme character: the "Bestman from Fryazino". In the Russian context, "bestman" is a term used to refer to a "witness" at a wedding.
A user (on a Russian community site) made a series of photos, including one of the groom's witness at a wedding in the suburban town of Fryazino. In all of them the witness is depicted in the same posture with the same expression. The bestman's picture (black jacket and white pants) was then cut out separately and morphed with Photoshop onto a dark, high-contrast background. A Russian wiki says this guy's name is "Alex", but that adds nothing to the analysis; it is just another piece of information. Nevertheless, this picture was found in many malware samples.
Figure 5 : Original Wittness Picture
Figure 6 : Morphed Witness Picture
But Wait!! How does it matter with FruitNinja?
The main reason is that these "temp" files change the application's fingerprint, and so bypass traditional signature-based antivirus scanners by presenting a different pattern each time. This is a classic AV-bypass technique known as server-side polymorphism, found in many Windows-based malware families, and it has now turned up in popular Android applications such as Instagram, Angry Birds, etc. Each time a user downloads the application, the server produces a different, uniquely mutated version of the same file.
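As an added example (not part of the original post, nor the author's tooling) covering both the APK-as-zip triage steps above and the fingerprint point just made: a small Python script that reads permission names straight out of the binary AndroidManifest.xml string pool and hashes classes.dex separately from the whole package, so two downloads that differ only in padding files still share one code fingerprint. The APK it examines is constructed in memory; the file names and contents are placeholders, not values from the real sample.

```python
import hashlib
import io
import re
import zipfile

# Permissions a game has no business requesting; the post flags SEND/RECEIVE_SMS.
SUSPECT_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Compiled AXML keeps its string pool in UTF-16LE, so permission names can be
# pulled from the raw manifest without a full decoder (manitree.py / apktool
# decode it properly; this is only a quick triage heuristic).
_PERM_RE = re.compile(re.escape("android.permission.".encode("utf-16-le"))
                      + rb"(?:[A-Z_]\x00)+")

def permissions_from_binary_manifest(raw: bytes) -> set:
    return {m.decode("utf-16-le") for m in _PERM_RE.findall(raw)}

def triage_apk(apk_bytes: bytes) -> dict:
    """Treat the APK as the zip it is: audit manifest permissions and
    fingerprint the code (classes.dex) separately from the whole package."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        perms = permissions_from_binary_manifest(z.read("AndroidManifest.xml"))
        dex_sha256 = hashlib.sha256(z.read("classes.dex")).hexdigest()
        res_files = sorted(n for n in z.namelist() if n.startswith("res/"))
    return {"apk_sha256": hashlib.sha256(apk_bytes).hexdigest(),
            "dex_sha256": dex_sha256,
            "suspect_permissions": sorted(perms & SUSPECT_PERMISSIONS),
            "res_files": res_files}

def same_code_different_package(apk_a: bytes, apk_b: bytes) -> bool:
    """True when two downloads differ as files yet carry identical code: the
    server-side polymorphism the post describes, which a whole-file hash misses."""
    a, b = triage_apk(apk_a), triage_apk(apk_b)
    return a["apk_sha256"] != b["apk_sha256"] and a["dex_sha256"] == b["dex_sha256"]

def build_sample_apk(download_id: int) -> bytes:
    """Constructed stand-in for one download of the trojanised game (not the real
    sample): fixed code and manifest plus a per-download junk file under res/."""
    manifest = b"\x03\x00\x08\x00" + b"".join(
        s.encode("utf-16-le") + b"\x00\x00"
        for s in ("android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("res/drawable/witness.png", b"\x89PNG constructed placeholder")
        z.writestr("res/raw/temp%d.bin" % download_id, str(download_id).encode() * 16)
    return buf.getvalue()
```

Calling `same_code_different_package(build_sample_apk(1), build_sample_apk(2))` returns True: the two packages hash differently while their DEX hashes match, which is the signal to key detections on the code rather than the whole file.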
Analysis of Dalvik Executable File
The dex2jar converter is handy here, as it generates a Java archive (.jar file) containing the class files, which any Java decompiler can then turn back into readable source, as shown in the figure below.
The first package shown in JD-GUI (Java Decompiler) is the C2DM class, i.e. the Cloud to Device Messaging framework. C2DM is a service that provides a simple and lightweight mechanism for an application developer to send data from a server to their applications. It is usually used for application updates, but can also be used for malicious purposes such as maintaining Command and Control (C&C) channels.
The second package carries more malicious code. Notice the code at startSendMessages() shown in the figure above. As expected, it is sending SMS to some numbers. But what is that number? And what is it trying to send? Let's probe further.
While analyzing the program code, I noticed that the application builds certain text messages (figure 8 above) based on an XML file stored in the resource folder. The code checks for certain country codes, here the Russian Federation (RF), Ukraine (UA), and Kazakhstan (KZ), and then sets the message depending on which country code is identified. What if the country code is not in this list? Anything outside these country codes falls back to the Russian Federation by default.
When an Android program gets compiled, all these resource files are converted to binary form. Using the utility apktool, I decoded everything back to its original state (Figure 9).
The converted XML file now looks as shown below (figure 10). A quick Google translation (to English) reveals it to be an installation-operation message.
Further analyzing the Actor class, I realized the application builds messages based on the Mobile Country Code (MCC) and the Mobile Network Code (MNC). The application checks for the mobile country codes of the Russian Federation (RF), Kazakhstan (KZ) and Ukraine (UA) and the corresponding operator codes.
Table1: MCC used by the Application
The pseudo code looks like below:
The application schedules some tasks (figure 12), such as setting up an alarm to check whether the application has been purchased. If it is purchased, it will send only one SMS to the premium number. It sets the initial alarm time as 300000000+systemtime (in milliseconds), which means 83.33 hours after the application is first installed on the device.
The scheduler checks the application's license once every 50000L+systemtime (in milliseconds), which is 50 seconds. Eventually the SMS count decreases as the application license gets renewed.
As long as the application keeps running as the free version, the scheduler keeps checking the license and also keeps leaking the stored messages (figure 14) to the preset number.
Further analysis of the number (figure 15) revealed that it belongs to a Russian company called PM-Invest Ltd. This website provides an online service for SMS fraud. They have a pool of premium numbers, one of which anyone can purchase, and whenever an infected user sends a message to that number, the fraudster receives a commission from PM-Invest Ltd for each SMS.
The malware cycle therefore functions as follows:
The following figure was taken from the fraudulent website and shows their tariff plans and how their system works.
Safeguards and General Precautions: