A number of samples were submitted to contagio, and with my reversing skills and curiosity kicking in, I analyzed one of the samples.
Filename: 1F68ADDF38F63FE821B237BC7BAABB3D_IBanking_Chase.apk
When you first start the app, it forces itself to be installed as a device administrator: even if you cancel, it re-launches the screen that asks whether you want to install it as administrator. I am not sure how it was done programmatically.
Installing this app as administrator enables the app to wipe your data and lock your phone.
This malware disguises itself as an anti-virus program, but it only fakes the scan and does some nasty things.
Command and Control
This bot can communicate with, and accept commands from, a web server and a phone number. The following are the CnC servers for this malware.
- myredskins.net
- mynamesmith.com
- +79067075145
- +790670751454
The servers and numbers above are from Russia.
The CnC web servers are defined in res/values/arrays.xml.
It iterates over the list of its CnC web servers and checks whether they are active via an HTTP POST to:
- {domain}/iBanking/sms/ping.php
If the server replies as expected, it POSTs the following information to {domain}/iBanking/sms/index.php:
- bot_id (defined in strings.xml)
- telephone number
- iccid
- device model
- OS version
- IMEI
- control_number (this is the CnC phone number)
This bot can accept commands from its CnC via SMS or HTTP. It intercepts any incoming SMS and checks the number.
Via HTTP it reads commands from:
- {domain}/iBanking/sms/sync.php
It looks for the following command strings:
- sms start - tell the bot to start intercepting and reading SMS
- sms stop - tell the bot to stop intercepting and reading SMS
- call start - forward calls to +79067075145
- call stop - stop call forwarding
- change num - tell the bot to change the CnC phone number
- sms list - read SMS inbox and sent messages and POST to {domain}/iBanking/getList.php
- call list - read call history, e.g., INCOMING, OUTGOING and MISSED calls and POST to {domain}/iBanking/getList.php
- start record - start audio recording. The file is saved as {externaldir}/Android/obb/{dd-MM-yyyy_HH-mm-ss}.txt. The files are then sent to {domain}/iBanking/sendFile.php
- stop record - stop recording.
- sendSMS - send intercepted SMS to the CnC phone number.
- contact list - get contact list
- wipe data - wipe data if device administrator is enabled.
- ping - check if the CnC server is alive
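The C2 endpoints above (ping.php, index.php, sync.php, getList.php, sendFile.php) are fixed URL paths in the code, while the domains come from arrays.xml and can change between builds, so a defender can key a detection on the paths and only use the domains as a confidence hint. The following is an added example, not code from the original post or from the malware: it classifies constructed proxy log lines by C2 stage and recovers the registration fields from the index.php POST body. The log format and the POST parameter names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# C2 endpoints documented in the analysis, mapped to the stage of the bot life cycle they serve.
IBANKING_STAGES = {
    "/iBanking/sms/ping.php": "server-check",
    "/iBanking/sms/index.php": "registration",
    "/iBanking/sms/sync.php": "command-poll",
    "/iBanking/getList.php": "exfil-sms-or-call-list",
    "/iBanking/sendFile.php": "exfil-audio-recording",
}
# Domains listed in the analysis; they live in arrays.xml, so they are only a confidence hint.
IBANKING_DOMAINS = {"myredskins.net", "mynamesmith.com"}
# Registration fields named in the analysis; the POST parameter names are assumed, not from the page.
REGISTRATION_KEYS = ("bot_id", "phone", "iccid", "model", "os", "imei", "control_number")
# Constructed log format (assumption): "<timestamp> <client> <method> <url> <body or ->"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (.*)$")

def classify(url, body=""):
    """Return (stage, fields) when the URL path is an iBanking C2 endpoint, else None."""
    parsed = urlparse(url)
    stage = IBANKING_STAGES.get(parsed.path)
    if stage is None:
        return None
    fields = {"known_domain": parsed.hostname in IBANKING_DOMAINS}
    if stage == "registration":
        # Recover the device identifiers the bot reports when it checks in.
        params = parse_qs(body, keep_blank_values=True)
        fields.update({k: params[k][0] for k in REGISTRATION_KEYS if k in params})
    return stage, fields

def scan_log(lines):
    """Yield (client, stage, fields) for each log line that hits a C2 endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            _, client, _, url, body = m.groups()
            hit = classify(url, "" if body == "-" else body)
            if hit:
                yield client, hit[0], hit[1]

# Constructed sample traffic for the demo (not captured data); the IMEI is a placeholder.
SAMPLE_LOG = [
    "2014-02-10T09:00:01Z 10.0.0.7 POST http://myredskins.net/iBanking/sms/ping.php -",
    "2014-02-10T09:00:02Z 10.0.0.7 POST http://myredskins.net/iBanking/sms/index.php "
    "bot_id=demo01&imei=000000000000000&control_number=%2B79067075145",
    "2014-02-10T09:00:03Z 10.0.0.7 GET http://example.org/index.php -",
    "2014-02-10T09:01:00Z 10.0.0.7 POST http://192.0.2.10/iBanking/sms/sync.php -",
]
for client, stage, fields in scan_log(SAMPLE_LOG):
    print(client, stage, fields)
```

The last sample line shows why the path is the better key: the host is not one of the listed domains, but the sync.php poll still identifies the infection.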
Looking at what this piece of malware is capable of, it was quite scary to see all those features packed into a single sample. And it is not far-fetched to expect malware with even more powerful features soon. It is still advisable for users to always be smart and watchful about what they visit and install on their devices.