The SonicWall Threats Research team observed an AndroidBot malware sample that uses multiple obfuscation layers to hide its hardcoded URLs and malicious code. As with many Android malware families, this sample drops a dex file during execution, and it is that dropped dex that contains the malicious code.
At the time of writing this blog, this sample is hosted on the following link:
The app requests a number of permissions; below are a few of the risky ones:
Upon installation and execution the application requests the accessibility permission. Once it is granted, the application gains the ability to run its malicious components:
The main class listed in the Manifest.xml file is not present in the decompiled codebase:
The malware drops a file, agAzJPYW.dex, during execution; this is the dex file that actually contains the malicious code:
This dex file contains the main activity which is listed in the original manifest.xml file:
The malware obfuscates the strings present in the code, both to deter security researchers from analyzing it and to keep automated tools from identifying suspicious strings:
However, the decryption routine is also present in the code, so it can be reused to decode the strings:
We identified several interesting bits when the strings were decoded:
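Once the dropped dex (agAzJPYW.dex above) is recovered from the device and its strings are decoded, the first thing an analyst wants is a quick inventory of what the string table contains. The following is an added example, not code from the SonicWall post: a minimal reader for the DEX string table (header fields string_ids_size/string_ids_off, ULEB128 length prefix, NUL-terminated MUTF-8 data) plus a scan that flags the kinds of strings this post singles out (an .onion admin URL, plain http URLs, dropped dex file names, accessibility-service references). The function names, the regex categories and the strings in `SAMPLE_STRINGS` are assumptions made here for illustration; the sample strings are constructed, except for the decoded Admin URL and the dropped-dex name, which are taken from the text. For a real sample, replace `build_sample_dex(...)` with `open("agAzJPYW.dex", "rb").read()`.

```python
import re
import struct

HEADER_SIZE = 0x70  # a DEX header is always 0x70 bytes


def read_uleb128(data: bytes, off: int):
    """Decode an unsigned LEB128 value at off; return (value, offset_after)."""
    value, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(data: bytes):
    """Return every entry of a DEX file's string table, in string_ids order."""
    if data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # string_ids_size and string_ids_off sit at header offsets 0x38 and 0x3C
    count, ids_off = struct.unpack_from("<II", data, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", data, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(data, data_off)   # length prefix (UTF-16 units)
        end = data.index(b"\x00", p)                    # MUTF-8 payload is NUL-terminated
        # MUTF-8 equals UTF-8 for the ASCII strings malware config usually holds
        out.append(data[p:end].decode("utf-8", errors="replace"))
    return out


# Hypothetical categories for triage; order matters (first match wins).
SUSPICIOUS = [
    ("onion_url", re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/\S*)?", re.I)),
    ("http_url", re.compile(r"https?://\S+", re.I)),
    ("dropped_dex", re.compile(r"\S+\.dex$", re.I)),
    ("accessibility", re.compile(r"android\.accessibilityservice", re.I)),
]


def flag_strings(strings):
    """Map each suspicious string to the first category it matches."""
    flagged = {}
    for s in strings:
        for label, pattern in SUSPICIOUS:
            if pattern.search(s):
                flagged[s] = label
                break
    return flagged


def build_sample_dex(strings):
    """Build a minimal DEX blob carrying only a string table (constructed test input)."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, blob = bytearray(), bytearray()
    for s in strings:
        assert len(s) < 128, "single-byte ULEB128 length used for brevity"
        ids += struct.pack("<I", data_off + len(blob))
        blob += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    total = HEADER_SIZE + len(ids) + len(blob)
    struct.pack_into("<III", header, 0x20, total, HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + blob)


# Constructed sample string table; the .onion URL and dex name come from the post.
SAMPLE_STRINGS = [
    "Ljava/lang/Object;",
    "http://das37rwa5cyfkb7o.onion/api/mirrors",
    "agAzJPYW.dex",
    "android.accessibilityservice.AccessibilityService",
    "getSystemService",
]

if __name__ == "__main__":
    for s, label in flag_strings(dex_strings(build_sample_dex(SAMPLE_STRINGS))).items():
        print(f"{label:14} {s}")
```

The reader stops at the string table on purpose: for a dropped dex whose strings are no longer encrypted, the string table alone is usually enough to surface C2 URLs and component names, and it avoids trusting the rest of a possibly malformed file.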
This bot is capable of performing a series of malicious and dangerous actions on an infected device, some of which include:
The class BotConfigs contains an interesting string titled Admin URL. Upon deobfuscation we obtained the string http://das37rwa5cyfkb7o.onion/api/mirrors. Following it through a series of layers ultimately led to a login page on newspotheres.xyz:
Based on the hardcoded URLs obtained from the code we created a VirusTotal Graph, shown below:
SonicWall Capture Labs provides protection against this threat via the following signature:
Indicators of Compromise (IOC):
We have blacklisted the following URLs: