Android Mobile Money Malware targeting Kenyan users (MPESA and other mobile money service providers)

THREAD

1/8

I used Hybrid Analysis for a quick overview after doing my manual static analysis.
https://www.hybrid-analysis.com/
So, this Android malware is being shared in groups, and I had someone forward me the APK to look at it. The malware works as follows:

- spread by forwarding in chat groups
- after install (the user installs it), it asks for permission to read/send SMS

2/8
The malware works like this:

It reads your SMSs and sends a message to all the people you converse with, asking them to send 50 KSh. It quotes the recipient's address so it looks very casual and friendly:

sample:

3/8
Technical aspect:

Hybrid Analysis shows only 34% of antivirus engines will catch it, and it has the following techniques:

4/8
I decided to have a look at it quickly (static analysis):

- Enjarify
- JD-GUI

As you can see, it has the ability to ask to be an admin on your Android system, wipe/format your memory card, note when you lock the screen, and start when you restart the phone.

5/8
One class was obfuscated, as noted above. I used http://apk-deguard.com/ to do a quick static decompile/deobfuscate/decrypt*

Love this web app :) (it exports the source code too)

6/8
As noted in the manifest file:

Interesting strings (in fact, the phone number it requests the money be sent to is pretty much hardcoded)

(probably a fake registration)
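As an added example (not part of the thread and not the sample's own code), the Python script below does the kind of manifest and decompiled-source triage described in 4/8 to 6/8 over a decoded app: it flags the SMS, boot and device-admin permissions and receivers in the manifest, greps the source for the SMS-sending, wipe and lock-screen APIs, and pulls hard-coded Kenyan recipient numbers out of the code. The manifest and the source snippet are constructed stand-ins shaped like what the thread describes; the package name is the one from the thread, but the component names AdminReceiver and BootReceiver and the phone numbers are placeholders. It expects apktool-style decoded text XML, not the binary AndroidManifest.xml inside the APK.

```python
"""Static triage of a decoded Android app (added example, not the sample's code):
flag SMS / boot / device-admin permissions and receivers in a decoded manifest
and pull hard-coded Kenyan recipient numbers out of decompiled source."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions behind the behaviour described in the thread.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read the SMS inbox (harvest conversation partners)",
    "android.permission.SEND_SMS": "send SMS (push the money request to contacts)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or wipe SD card contents",
}

# Receiver intent actions that indicate persistence or device-admin use.
RECEIVER_ACTIONS = {
    "android.app.action.DEVICE_ADMIN_ENABLED": "device-admin receiver",
    "android.intent.action.BOOT_COMPLETED": "autostart on boot",
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception",
}

# API markers to grep for in decompiled code. ACTION_SCREEN_OFF cannot be
# declared in a manifest, so lock-screen monitoring is only visible here.
SOURCE_MARKERS = {
    "sendTextMessage": "sends SMS via SmsManager",
    "wipeData": "device-admin wipe via DevicePolicyManager.wipeData",
    "ACTION_SCREEN_OFF": "lock-screen monitoring (runtime-registered receiver)",
}

# Kenyan mobile numbers: +2547XXXXXXXX, 2547XXXXXXXX, 07XXXXXXXX (and the 01.. ranges).
KE_NUMBER = re.compile(r"(?<!\d)(?:\+?254|0)([17]\d{8})(?!\d)")

# Constructed manifest in apktool-decoded form; AdminReceiver/BootReceiver are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.darlcom.elite">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Elite">
    <activity android:name=".MainActivityEntrypoint">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed stand-in for decompiled output; the phone numbers are placeholders.
SAMPLE_SOURCE = """String msg = "Hi " + name + ", please send 50ksh to 0700000000, will refund";
SmsManager.getDefault().sendTextMessage(to, null, msg, null, null);
filter.addAction(Intent.ACTION_SCREEN_OFF);
dpm.wipeData(DevicePolicyManager.WIPE_EXTERNAL_STORAGE);
String mpesa = "+254711000000";"""


def scan_manifest(xml_text):
    """Return package, risky permissions, flagged receivers and device-admin use."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    name = ANDROID_NS + "name"
    perms = [(p.get(name), RISKY_PERMISSIONS[p.get(name)])
             for p in root.iter("uses-permission") if p.get(name) in RISKY_PERMISSIONS]
    receivers, device_admin = [], False
    for r in root.iter("receiver"):
        cls = r.get(name)
        if cls and cls.startswith("."):          # resolve a package-relative class name
            cls = pkg + cls
        if r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin = True
        for a in r.iter("action"):
            act = a.get(name)
            if act in RECEIVER_ACTIONS:
                receivers.append((cls, RECEIVER_ACTIONS[act]))
    return {"package": pkg, "permissions": perms,
            "receivers": receivers, "device_admin": device_admin}


def find_phone_numbers(text):
    """Normalise every Kenyan-looking number to +254 form, deduplicated and sorted."""
    return sorted({"+254" + m.group(1) for m in KE_NUMBER.finditer(text)})


def scan_source(text):
    """Which of the marker APIs appear in the decompiled code."""
    return sorted(desc for key, desc in SOURCE_MARKERS.items() if key in text)


if __name__ == "__main__":
    report = scan_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"], "| device admin:", report["device_admin"])
    for perm, why in report["permissions"]:
        print("  perm ", perm, "->", why)
    for cls, why in report["receivers"]:
        print("  recv ", cls, "->", why)
    for hit in scan_source(SAMPLE_SOURCE):
        print("  code ", hit)
    print("  hard-coded numbers:", find_phone_numbers(SAMPLE_SOURCE))
```

Run it as-is to see the report on the embedded sample, or feed scan_manifest the AndroidManifest.xml produced by `apktool d sample.apk` and scan_source the sources exported from JD-GUI or apk-deguard. The lock-screen watcher is the reason both halves are needed: ACTION_SCREEN_OFF can only be registered at runtime with registerReceiver(), so it never appears in the manifest and only shows up in the code.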

7/8
Finally, the technical aspects:

SHA256 signature: 97d7fdb8bd2f8cad48c62a135277eabaed480fef879bd881b22dd701ec838390

com.darlcom.elite.MainActivityEntrypoint
com.darlcom.elite.LockScreen
com.darlcom.elite.UninstallAdminDevice

REPORT: https://www.hybrid-analysis.com/sample/97d7fdb8bd2f8cad48c62a135277eabaed480fef879bd881b22dd701ec838390/5e8b05699667337bcb44b4ef

8/8
You can follow @jadethuo.