Android Mobile Money Malware targeting Kenyan users (MPESA and other mobile money service providers)

THREAD

1/8

I used hybrid analysis for a quick overview after doing my manual static analysis.
https://www.hybrid-analysis.com/ 
Android Mobile Money Malware targeting Kenyan users (MPESA and other mobile money service providers)THREAD1/8I used hybrid analysis for a quick overview after doing my manual static analysis. https://www.hybrid-analysis.com/ 
Android Mobile Money Malware targeting Kenyan users (MPESA and other mobile money service providers)THREAD1/8I used hybrid analysis for a quick overview after doing my manual static analysis. https://www.hybrid-analysis.com/ 
So, this Android malware is being shared in groups and I had someone forward me the apk to look at it, the malware works as such:

-spread by forwarding in chat groups
-after install (user installs) it asks for permission to read/send SMS

2/8
The Malware works like this,

Reads your SMS's and sends to all people you converse with and asks to send 50ksh , it quotes the recipients address so it looks very casual and friendly:

sample:

3/8
Technical aspect:

Hybrid analysis shows only 34% of antivirus will catch it and has the following techniques!!

4/8
I decided to have a look at it quickly (static analysis)

-Enjarify
-JDGUI

As you can see it has the ability to ask to be an admin on your android system, wipe/format your memory card, note when you lock screen, start when you restart phone

5/8
I decided to have a look at it quickly (static analysis)-Enjarify-JDGUIAs you can see it has the ability to ask to be an admin on your android system, wipe/format your memory card, note when you lock screen, start when you restart phone5/8
I decided to have a look at it quickly (static analysis)-Enjarify-JDGUIAs you can see it has the ability to ask to be an admin on your android system, wipe/format your memory card, note when you lock screen, start when you restart phone5/8
I decided to have a look at it quickly (static analysis)-Enjarify-JDGUIAs you can see it has the ability to ask to be an admin on your android system, wipe/format your memory card, note when you lock screen, start when you restart phone5/8
I decided to have a look at it quickly (static analysis)-Enjarify-JDGUIAs you can see it has the ability to ask to be an admin on your android system, wipe/format your memory card, note when you lock screen, start when you restart phone5/8
One class was obfuscated as noted above, I used http://apk-deguard.com/  to do a quick static decompile/deobfuscate/decrypt*

love this webapp :) (exports src code too)

6/8
As noted on the manifest file:

Interesting strings (in-fact the phone number the money it requests to send to is pretty much hardcoded)

(probably a fake registration)

7/8
Finally technical aspect:

SHA256 signature: 97d7fdb8bd2f8cad48c62a135277eabaed480fef879bd881b22dd701ec838390

com.darlcom.elite.MainActivityEntrypoint
com.darlcom.elite.LockScreen
com.darlcom.elite.UninstallAdminDevice

REPORT: https://www.hybrid-analysis.com/sample/97d7fdb8bd2f8cad48c62a135277eabaed480fef879bd881b22dd701ec838390/5e8b05699667337bcb44b4ef

8/8
You can follow @jadethuo.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more