Sonicwall Capture Labs Threats Research Team observed another rampant Android threat aimed mainly at users in Asian countries. This malware campaign, coined Roaming Mantis, began spreading via hijacked router DNS settings.
When a router's DNS settings are hijacked, the attacker controls name resolution for every device behind that router, so a request for a legitimate domain can be answered with the address of an attacker-controlled server. That server can then push malicious payloads onto visitors' devices via pop-ups, and because the pop-up appears to originate from the legitimate website the user typically trusts it. Roaming Mantis used this technique to push malicious Android apps to victims and thereby spread further. In this blog we analyze a few of the malicious apps belonging to the campaign.
Once the app is opened, it reads a dex file named db from its assets folder (/assets):
It then Base64-decodes the contents of this file and saves the result locally as test.dex in an app folder named "a":
Later it loads this file using DexClassLoader. Apart from the above activity, the original classes.dex that is loaded as part of the app requests device administrator privileges:
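The unpacking step described above (read assets/db, Base64-decode it, drop the result as a dex and load it) is easy to reproduce offline so the hidden payload can be hashed and inspected without running the app. The script below is an added analyst example, not code from the original post or from the malware: it builds a constructed APK-shaped zip whose assets/db holds a Base64-encoded, DEX-shaped blob, decodes it the way the dropper does, and then validates the DEX header fields (magic, Adler-32 checksum, SHA-1 signature, file size) so a truncated or tampered payload is caught before it is fed to a disassembler. The asset name "db" and the DEX header layout are from the Android DEX format; the sample payload bytes are constructed.

```python
import base64
import hashlib
import io
import struct
import zipfile
import zlib

# DEX header layout (dex format, header_size 0x70):
#   0x00 magic (8)   0x08 checksum (4, Adler-32 of bytes from 0x0C to EOF)
#   0x0C signature (20, SHA-1 of bytes from 0x20 to EOF)
#   0x20 file_size (4)   0x24 header_size (4)   remaining header fields zeroed here
DEX_MAGIC = b"dex\n035\0"
DEX_HEADER_SIZE = 0x70


def build_fake_dex(body: bytes) -> bytes:
    """Constructed sample: a DEX-shaped blob with a consistent header.

    Only the fields validate_dex() checks are filled in; this is test data,
    not an executable DEX.
    """
    file_size = DEX_HEADER_SIZE + len(body)
    tail = struct.pack("<II", file_size, DEX_HEADER_SIZE)
    tail += b"\0" * (DEX_HEADER_SIZE - 40) + body          # zero the rest of the header
    signature = hashlib.sha1(tail).digest()                # covers everything from 0x20
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # covers everything from 0x0C
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail


def build_fake_apk(asset_name: str, payload: bytes) -> bytes:
    """Constructed sample APK: a zip carrying the Base64-encoded payload under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"<placeholder/>")
        zf.writestr(f"assets/{asset_name}", base64.b64encode(payload))
    return buf.getvalue()


def unpack_hidden_dex(apk_bytes: bytes, asset_name: str = "db") -> bytes:
    """Mirror the dropper's step: read assets/<asset_name> and Base64-decode it.

    The dropper writes the result to its private folder "a" as test.dex and
    loads it with DexClassLoader; here it is kept in memory for inspection.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        encoded = zf.read(f"assets/{asset_name}")
    # Drop line breaks first, then decode strictly so stray bytes raise instead
    # of being silently discarded.
    return base64.b64decode(b"".join(encoded.split()), validate=True)


def validate_dex(data: bytes) -> dict:
    """Check magic, checksum, signature and size fields of a decoded DEX blob."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n" or data[7] != 0:
        return {"is_dex": False}
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size = struct.unpack_from("<II", data, 32)
    return {
        "is_dex": True,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
    }


if __name__ == "__main__":
    apk = build_fake_apk("db", build_fake_dex(b"constructed payload body"))
    hidden = unpack_hidden_dex(apk)
    print("MD5 of decoded payload:", hashlib.md5(hidden).hexdigest())
    print(validate_dex(hidden))
```

On a real sample, replace build_fake_apk with the bytes of the APK under analysis; if validate_dex reports a checksum or signature mismatch, the asset was either not decoded the way the dropper decodes it or was corrupted in transit, and the MD5 of the decoded blob is what to compare against other samples' second-stage payloads.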
From the set of samples we analyzed, each sample contacted one of the two domains listed below:
We saw limited network activity during our analysis, which in turn limited the behaviour the malware exhibited. Regardless, a number of malicious components present in the code (specifically in the decoded test.dex) showcase the capabilities of this threat:
Once test.dex is decoded and loaded, the malware overlays the screen with an error message, likely chosen from the code below:
The malware then shows a spoofed Google authentication page served by a web server it starts on the device on a random port. This page shows the user's account (obtained as described below) and asks for the user's name and date of birth. The malware reads the accounts registered on the device and presents them on the spoofed page in an effort to make it look authentic:
Here the malware reads the accounts present on the device (Google and Twitter in our case) and uses them to its advantage.
Close inspection of one of the error messages mentioned above shows how much importance this app gives to verification codes. The complete error message is stored in parts; the interesting ones are as below:
The malware monitors the device for the presence of certain hard-coded apps, which include:
As highlighted above, this malware keeps an eye on OTP apps.
This malware requests a number of dangerous permissions during installation. A few of them stand out because they correlate with stealing verification codes/OTPs:
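The three traits described so far (a device-admin request in the visible classes.dex, SMS-related permissions that allow interception of verification codes, and a Base64-decoded dex loaded through DexClassLoader) can be turned into a quick static triage for similar droppers. The script below is an added example and not part of the original analysis: it parses a decoded AndroidManifest.xml (as produced by apktool, not the binary manifest inside the APK) and a strings dump of classes.dex, and scores the combination. The indicator sets and the score thresholds are assumptions chosen for illustration; the sample manifest and strings dump are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed indicator sets (not taken from the post). SMS permissions let an app
# read incoming verification codes; GET_ACCOUNTS supports the account display on
# the spoofed login page; BIND_DEVICE_ADMIN is the device-admin request.
OTP_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}
GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
# Strings that point at runtime loading of a hidden dex, as the dropper does.
LOADER_STRINGS = ("Ldalvik/system/DexClassLoader;", "Landroid/util/Base64;", "test.dex")

# Constructed sample inputs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = "Ldalvik/system/DexClassLoader;\nLandroid/util/Base64;\nassets/db\ntest.dex\n"


def triage_manifest(manifest_xml: str) -> dict:
    """Extract OTP-related permissions, account access and device-admin receivers."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is the usual shape of a device-admin request.
    admin_receivers = [
        el.get(ANDROID_NS + "name")
        for el in root.iter("receiver")
        if el.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
    ]
    return {
        "otp_permissions": sorted(perms & OTP_PERMISSIONS),
        "reads_accounts": GET_ACCOUNTS in perms,
        "device_admin_receivers": admin_receivers,
    }


def triage_strings(strings_dump: str) -> dict:
    """Report which hidden-dex loader strings appear in the strings dump."""
    return {"hidden_dex_loader": [s for s in LOADER_STRINGS if s in strings_dump]}


def triage(manifest_xml: str, strings_dump: str) -> dict:
    """Combine the findings into a score (assumed weights) and a verdict."""
    findings = {**triage_manifest(manifest_xml), **triage_strings(strings_dump)}
    score = 0
    score += 2 if findings["otp_permissions"] else 0
    score += 2 if findings["device_admin_receivers"] else 0
    score += 2 if len(findings["hidden_dex_loader"]) >= 2 else 0
    score += 1 if findings["reads_accounts"] else 0
    if score >= 5:
        verdict = "likely OTP stealer"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no OTP-theft indicators"
    findings.update(score=score, verdict=verdict)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

Legitimate SMS or MDM apps will also trip individual indicators, which is why the verdict rests on the combination; treat a high score as a reason to unpack and read the second-stage dex, not as a conviction on its own.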
As mentioned earlier, each sample contains one hard-coded domain name (out of the two for this campaign). For each hard-coded domain it contains specific user accounts; for instance, for baidu.com the following user accounts are present (separated by a "|"):
The only network communication we saw during our analysis was GET requests from the malware to a specific user profile on baidu:
The malware contains an interesting piece of code as shown below:
Correlating this with the user accounts present in the code reveals the purpose of the code above: the malware uses it as a search pattern to extract specific data from the profile web page:
The data present on the web page after the search pattern is - 傀傸傸偠傠傠傠偘傀傠偘傰傸傈僨傀僨僸傸傀
Upon correlating the characters one by one with a Unicode chart we obtained the following:
We did not see further network activity during our analysis, so we could not ascertain what happens once this value is extracted or what it signifies.
The malware contains code indicating that it can communicate with the attacker over SMTP. The code below shows how it can send an email with "new information" about the infected device:
The malware contains code that checks whether the device is rooted. We did not see any specific action taken depending on whether the device is rooted or not:
A lot of things in the code point towards this malware being targeted at users in Asia, Korea in particular:
The malware appears to contain a number of hard-coded commands:
Overall, this malware campaign appears to target Asian countries. Apart from its ability to harvest sensitive information from the infected device, it is particularly interested in OTP verification codes. The current set of samples target banking and gaming apps for their OTP codes, but this could change to other types of apps as well.
Sonicwall Capture Labs provides protection against this threat with the following signatures:
The following apps were targeted in the samples we analyzed:
The following are MD5s of a few samples we analyzed for this threat: