Android Mobile Money Malware targeting Kenyan users (MPESA and other mobile money service providers)
THREAD
1/8
I used hybrid analysis for a quick overview after doing my manual static analysis.
https://www.hybrid-analysis.com/
So, this Android malware is being shared in groups, and I had someone forward me the APK to look at it. The malware works as follows:
- spread by forwarding in chat groups
- after install (the user installs it) it asks for permission to read/send SMS
2/8
The malware works like this:
It reads your SMSs and sends a message to all the people you converse with asking them to send 50 KSh; it quotes the recipient's address so it looks very casual and friendly:
Sample:
3/8
Technical aspect:
Hybrid Analysis shows only 34% of antivirus engines will catch it, and it has the following techniques!!
4/8
I decided to have a quick look at it (static analysis):
- Enjarify
- JD-GUI
As you can see, it has the ability to ask to be an admin on your Android system, wipe/format your memory card, note when you lock the screen, and start when you restart the phone.
5/8
One class was obfuscated, as noted above. I used http://apk-deguard.com/ to do a quick static decompile/deobfuscate/decrypt*
Love this webapp :) (it exports the source code too)
6/8
As noted in the manifest file:
Interesting strings (in fact, the phone number the money is requested to be sent to is pretty much hardcoded)
(probably a fake registration)
7/8
Finally, the technical aspect:
SHA256 hash: 97d7fdb8bd2f8cad48c62a135277eabaed480fef879bd881b22dd701ec838390
com.darlcom.elite.MainActivityEntrypoint
com.darlcom.elite.LockScreen
com.darlcom.elite.UninstallAdminDevice
REPORT: https://www.hybrid-analysis.com/sample/97d7fdb8bd2f8cad48c62a135277eabaed480fef879bd881b22dd701ec838390/5e8b05699667337bcb44b4ef
8/8
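A small triage script for samples like this one, added here as an example and not code from the thread's author or from the malware itself: it parses a decompiled AndroidManifest.xml for the SMS, device-admin and boot permissions and intent actions described above, and pulls hardcoded Kenyan-format numbers out of decompiled source. The manifest, the source snippet and the phone numbers in it are constructed placeholders, and the Kenyan number format is an assumption.

```python
"""Added triage helper (not the thread author's code): flags the capability
combination described above in an APK's manifest and decompiled strings.
The manifest and source snippets are constructed samples, not the real APK."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
RISKY_PERMISSIONS = {  # permissions that together enable the SMS-spread behaviour
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start on reboot",
    "android.permission.BIND_DEVICE_ADMIN": "device admin binding",
}
RISKY_ACTIONS = {  # intent actions the malware hooks (device admin, boot, lock screen)
    "android.app.action.DEVICE_ADMIN_ENABLED": "registers as device admin",
    "android.intent.action.BOOT_COMPLETED": "starts on reboot",
    "android.intent.action.SCREEN_OFF": "watches screen lock",
}
# Kenyan mobile number in +2547XXXXXXXX or 07XXXXXXXX form (assumed format).
KE_MSISDN = re.compile(r"(?<!\d)(?:\+?254|0)7\d{8}(?!\d)")

def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky permissions and intent actions a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    perms |= {r.get(NS + "permission") for r in root.iter("receiver")}  # BIND_DEVICE_ADMIN
    actions = {a.get(NS + "name") for a in root.iter("action")}
    return {"permissions": sorted(RISKY_PERMISSIONS[p] for p in perms & RISKY_PERMISSIONS.keys()),
            "actions": sorted(RISKY_ACTIONS[a] for a in actions & RISKY_ACTIONS.keys())}

def find_hardcoded_msisdns(source: str) -> list:
    """Extract Kenyan-format numbers hardcoded in decompiled source, as seen in the thread."""
    return sorted(set(KE_MSISDN.findall(source)))

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver><receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver></application></manifest>"""
# Constructed decompiled snippet; the numbers are placeholders, not the real ones.
SAMPLE_SOURCE = 'sendTextMessage("+254700000000", null, "tuma 50ksh", null, null); s = "0711000000";'

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(find_hardcoded_msisdns(SAMPLE_SOURCE))
```

Run it against the manifest and sources exported by JD-GUI or apk-deguard; a hit on all four permissions plus a device-admin receiver is the profile the thread describes and worth escalating.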