In all of our earlier blogs about Android threats, we have highlighted that user awareness is one of the most important factors in fighting social engineering threats.
Yesterday, a familiar Android threat was in the news, powered by a convincing social engineering trick. This blog looks at the differences and similarities among the variants of this particular family.
Though the variants exhibit the same behavior, claiming that the "application" is an installer for a famous application, different variants use different brands such as Opera browser, Jimm, and Skype. In the process, however, they actually send SMS messages to the message centers obtained by decrypting the config file. After sending the SMS messages, the user may or may not be redirected to the download link of the original application.
Fig.1 illustrates the call stack that was captured while invoking the decryption routine of the encrypted config file.
Fig.1: decrypting the config file
Let us capture the decryption activity in action. In OOP terms, an instance's state is represented by the values stored in its instance variables, and the instance's behaviors are implemented in its member functions.
Fig.2 shows the states of the ConfReader instance frozen at the point of invoking the decrypt routine.
Fig.2: encrypted content read from the config file and passed to decrypt function.
Once the decrypt function runs on the encrypted data read from the assets file, the decrypted content can be observed as shown in Fig.3.
Fig.3: the decrypted content
In the later variants, code readability is reduced in an attempt to thwart casual reversing efforts.
Fig. 4 shows some of the differences between the first variant and the most recent variant, where the names have been made less meaningful and the code has been re-organized into a larger number of sub-components.
Fig.4: A sample basic block difference
As a result, it can be observed that the similarity metric between these variants is significantly lower.
Fig.5: Sampled similarity metric between the earlier variants and new variant
Whereas the earlier variants, as a group, share a much higher similarity metric among themselves.
Fig.6: Sampled similarity metric computed among the earlier variants.
It should be noted that the decryption logic is a straightforward XOR operation with a double word (32-bit) key.
Fig.7: The decrypt snippet
The decrypt function of this component can be reused directly to build a simple decryptor utility and test it against the rest of the configuration files present in the different variants.
Fig. 8 shows the result of this approach.
Fig.8: processing the different config resources decrypted using the decrypt procedure present in confReader component.
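The decryptor utility described above, written out as an added example (this is not the malware's code and not the blog's original tool): a repeating double-word XOR applied to an encrypted config blob, plus the known-plaintext key recovery an analyst uses when the key is not yet lifted from the decompiled ConfReader. The key value, the plaintext layout (`key=value;` pairs) and the sample "assets" are all constructed for the demonstration; the real samples' key and config format are not given on this page.

```python
"""
Repeating-dword XOR decryptor for fake-installer config assets.

Added example for analysis of encrypted config files; the key, the
config layout and the sample blobs below are constructed placeholders,
not values from the actual samples.
"""
import struct

# Constructed placeholder key; the real samples' key is not reproduced here.
SAMPLE_KEY = 0x1F2E3D4C

# Constructed config plaintext in an assumed "key=value;" layout.
PLAINTEXT = (
    b"sms_number=0000;"
    b"sms_text=PLACEHOLDER;"
    b"redirect=http://example.invalid/app.apk;"
)


def xor_dword(data: bytes, key: int) -> bytes:
    """XOR every byte with the little-endian bytes of a 32-bit key,
    repeating the key every 4 bytes. XOR is its own inverse, so the
    same call encrypts and decrypts."""
    kb = struct.pack("<I", key & 0xFFFFFFFF)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def decrypt_config(blob: bytes, key: int) -> str:
    """Decrypt one config asset and return it as text."""
    return xor_dword(blob, key).decode("latin-1")


def recover_key(blob: bytes, known_prefix: bytes) -> int:
    """Recover the 32-bit key from at least 4 known plaintext bytes at
    offset 0 (e.g. a fixed config marker). cipher XOR plain == key."""
    if len(known_prefix) < 4 or len(blob) < 4:
        raise ValueError("need at least 4 known plaintext bytes")
    kb = bytes(c ^ p for c, p in zip(blob[:4], known_prefix[:4]))
    return struct.unpack("<I", kb)[0]


def parse_config(text: str) -> dict:
    """Split the assumed 'key=value;' layout into a dict."""
    out = {}
    for field in text.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def decrypt_all(assets: dict, key: int) -> dict:
    """Run the decryptor over several variants' config assets, as in the
    batch processing shown in Fig. 8; returns name -> parsed config."""
    return {name: parse_config(decrypt_config(blob, key))
            for name, blob in assets.items()}


# Constructed "encrypted" assets, produced by applying the same XOR.
ASSETS = {
    "variant_a/assets/config": xor_dword(PLAINTEXT, SAMPLE_KEY),
    "variant_b/assets/config": xor_dword(
        PLAINTEXT.replace(b"app.apk", b"setup.apk"), SAMPLE_KEY),
}

if __name__ == "__main__":
    key = recover_key(ASSETS["variant_a/assets/config"], b"sms_")
    print(f"recovered key: 0x{key:08X}")
    for name, cfg in decrypt_all(ASSETS, key).items():
        print(name, cfg)
```

The key recovery works because a repeating XOR key leaks wherever four consecutive plaintext bytes are known; once recovered from one variant's asset, the same routine can be pointed at the other variants' config resources to confirm whether they share the key.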
Even at the risk of sounding like a broken record, the takeaway from such incidents should be to avoid "app" installations from outside the Android market place. Additionally, following safe browsing practices and keeping your security software up to date goes a long way.
General good practices guideline:
- Install applications only from the official Android Market (though there have been a few incidents reported in the market in the past, it is generally secure).
- Do not trust any third-party application by default.
- Pay attention to the attractive "offers" you receive and be diligent while surfing. Remember, nothing comes for free.
- Pay attention to the user reviews of the application you are trying to download and install.
- Keep your OS and software components up to date.
- Avoid pirated/cracked applications.
- Be critical and sensitive about authorising the permissions an application requests during installation.