• Skip to primary navigation
  • Skip to main content
  • Skip to footer
lab52

lab52

The threat intelligence division of S2 Grupo

  • Home
  • Faq
  • Blog
  • About
  • Contact

Complete dissection of an APK with a suspicious C2 Server

April 01, 2022

During our analysis of the Penquin-related infrastructure we reported in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since as we showed in the analysis, they had been used as C2 of other threats used by Turla.

One threat that makes contact with the 82.146.35[.]240 address in particular caught our attention, as it was the only one that contacts against that IP and it was an Spyware for Android devices.

So in this report, we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities.

Name: Process Manager

Package: com.remote.app

Hash: e0eacd72afe39de3b327a164f9c69a78c9c0f672d3ad202271772d816db4fad8 (sha-256)

Size: 0.37 MB

Target SDK: Android 14 – Android 21

On the Android device, the application is displayed with a gear-shaped icon.

When the application is run, a warning appears about the permissions granted to the application. These include screen unlock attemps, lock the screen, set the device global proxy, set screen lock password expiration, set storage encryption and disable cameras.

The icon is then removed and the application runs in the background, showing in the notification bar.

As mentioned in the previous section, the malware requests different permissions from the user. However, the number of permissions requested by the application amounts to 18:

PERMISSIONSDESCRIPTION
ACCESS_COARSE_LOCATIONAccess to the phone location.
ACCESS_FINE_LOCATIONAccess to the location based on GPS.
ACCESS_NETWORK_STATEView the status of all networks.
ACCESS_WIFI_STATEView WIFI information.
CAMERATake pictures and videos from the camera
FOREGROUND_SERVICEAllows to put in foreground
INTERNETAllows to create internet sockets
MODIFY_AUDIO_SETTINGSAllows to modify audio settings
REAL_CALL_LOGAllows to read a telephone call
READ_CONTACTSAllows to read contacts information
READ_EXTERNAL_STORAGEAllows to read external storage devices
WRITE_EXTERNAL_STORAGEAllows to write to the Memory Card
READ_PHONE_STATEAllows to read phone status and its id
READ_SMSAllows to read SMS stored on the SIM card
RECEIVE_BOOT_COMPLETED Allows to start the app when the device is turned on
RECORD_AUDIOAccess to the audio recorder
SEND_SMSAllows to send sms
WAKE_LOGPrevents the device from locking/hibernating

In addition, the manifest displays additional information about the application configuration.

  • android:allowBackup=true: Allows the application data to be added to the backup.
  • android:exported=true: Can share info with other apps and be accessed by the device.
  • android_secret_code: In the manifest is the secret code that can allow access to hidden content.

As you can see in the image, the com.remote.app package contains 21 classes.15 of them are named after the first letters of the alphabet and then there are the DeviceAdmin, MainActivity, MainService, MyReceiver, NotificationListener and ServiceReceiver classes (the R class is generated by the JADX software).

The MainService class is the main class and therefore it is the first one to be executed in the application. This class has a main function OnCreate, it creates a notification channel called “Battery Level Service” where it will be executed.

Next, the MainActiviy class is invoked, which using DeviceAdmin configures the device with administration permissions.

Once the application is configured, each of the tasks that steal information from the device are executed. Classes a, b, f, g, i, j, k, l, m, n, o and NotificationListener implement functions that steal information from the device and add it to a JSON.

In the Class a, the malware adds information about the installed packages to the JSON. For each of them it provides the package name, the application name, the version and its number.

In the Class b, the malware adds information about the calls made from the device to the JSON. For each call it shows the number, name (contact), duration, date and type. The type is a number corresponding to the following table:

NUMBER TYPE
1Incoming
2Outgoing
3Missed
4Voice Message
5Refused
6Blacklist

Similarly, the Class f adds to the JSON information about the contact list. Indicating the number and name of each one.

We continue with the Class g that collects all the files in the device, saving in the JSON the name and the buffer of each one of them. In case a file cannot be accessed it also indicates it with “Access Denied”.

In addition, it also lists the directories, indicating the name and path.

This Class i implements functions related to a location listener (When the location is changed, it is enabled or disabled), then adds in the JSON the location information with each change: The altitude, latitude, longitude, precision and even the speed at which the device is moving.

The Class j returns adds to the JSON the clipboard information each time the clipboard is updated. To do so, it uses a listener that is configured in the MainService Class.

The Class k implements a timer that launches task l and deletes the generated temporary file every x seconds. Afterwards, Class l records the audio from the device, extracts it in an .mp3 format in cacheDir and then adds a buffer of the file and the name to the JSON.

The Class m adds information about the permissions a user has on each package to the JSON. It goes through the entire list of packages on the device and checks what permissions each package is requesting.

The Class n adds to the JSON conversations of all contacts thanks to (content://mms-sms/conversations?simple=true) and of addresses of all contacts (content://mms-sms/canonical-addresses). It also has a function that sends a text message in case the contact is not found.

The Class o collects information from Wifis scanned by the device. For each of them it adds to the JSON its SSID and BSSID number.

Finally, NotificationListener Class collects information about notifications. When a notification is opened, it stores in the JSON the name of the app, the content and the time it has been open.

Once all the information has been collected in JSON format, the application contacts the C2 (82.146.35[.]240) and identifies the device by its model, version, id and manufacturer.

Later, it will send the information it has stolen to the same server.

To launch each of the tasks the malware has its own commands that are defined in Class e and are launched (in their entirety) with Class d. In the following table you can see the relationship of these commands with each task.

COMMANDFUNCTIONRELATED CLASS
0xLOLocationi
0xCLCall Listb
0xMIAudio Recorderl
0xFIFile Informationg
0xSMSMS Informationn
0xPM/0xGPPackage Permissionsm
0xCOContact Listf
0xINPackage Informationa
0xWIWifi Informationo
0xNONotificationsNotificationListener

Finally, among one of the communications made by the malware, we noticed that it tried to download an application called Rozdhan using a goo.gl shorter.

The application is on Google Play and is used to earn money, has a referral system that is abused by the malware. The attacker installs it on the device and makes a profit.

IOCs
82[.]146.35.240C2
e0eacd72afe39de3b327a164f9c69a78c9c0f672d3ad202271772d816db4fad8SHA256
51ab555404b7215af887df3146ead5e44603be9765d39c533c21b5737a88f176SHA256
hxxps://videos-share-rozdhan[.]firebaseio.comURL
hxxp://ylink[.]cc/fqCV3URL
hxxp://d3hdbjtb1686tn.cloudfront[.]net/gpsdk.htmlURL
hxxp://da.anythinktech[.]comURL
akankdev2017@gmail[.]comEMAIL SRC

Customers with Lab52’s APT intelligence private feed service already have more tools and means of detection for this campaign.
In case of having threat hunting service or being client of S2Grupo CERT, this intelligence has already been applied.

If you need more information about Lab52’s private APT intelligence feed service, you can contact us through the following link

Er1c_C

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related

Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights
April 04, 2025
Tags: grandoreiro, phishing, stealer
GRU: Military Unit 54777
February 03, 2025
GRU military unit 29155
October 11, 2024
Tags: cyberwar, GRU

Footer

Copyright &copy Lab52 2019 by S2 Grupo | Legal notice | Cookie policy | Privacy policy