{"id":1415,"date":"2022-04-01T14:28:08","date_gmt":"2022-04-01T12:28:08","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=1415"},"modified":"2022-04-01T14:28:10","modified_gmt":"2022-04-01T12:28:10","slug":"complete-dissection-of-an-apk-with-a-suspicious-c2-server","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/complete-dissection-of-an-apk-with-a-suspicious-c2-server\/","title":{"rendered":"Complete dissection of an APK with a suspicious C2 Server"},"content":{"rendered":"\n

During our analysis of the Penquin-related infrastructure<\/a> we reported in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since as we showed in the analysis, they had been used as C2 of other threats used by Turla.<\/p>\n\n\n\n

One threat that makes contact with the 82.146.35[.]240 address in particular caught our attention, as it was the only one that contacts against that IP and it was an Spyware for Android devices. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So in this report, we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities.<\/p>\n\n\n\n

Name: <\/strong>Process Manager<\/p>\n\n\n\n

Package: <\/strong>com.remote.app<\/p>\n\n\n\n

Hash: <\/strong>e0eacd72afe39de3b327a164f9c69a78c9c0f672d3ad202271772d816db4fad8 (sha-256)<\/p>\n\n\n\n

Size: <\/strong>0.37 MB<\/p>\n\n\n\n

Target SDK: <\/strong>Android 14 \u2013 Android 21<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

On the Android device, the application is displayed with a gear-shaped icon.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

When the application is run, a warning appears about the permissions granted to the application. These include screen unlock attemps, lock the screen, set the device global proxy, set screen lock password expiration, set storage encryption and disable cameras.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The icon is then removed and the application runs in the background, showing in the notification bar.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

As mentioned in the previous section, the malware requests different permissions from the user. However, the number of permissions requested by the application amounts to 18:<\/p>\n\n\n\n

PERMISSIONS<\/strong><\/th>DESCRIPTION<\/strong><\/th><\/tr><\/thead>
ACCESS_COARSE_LOCATION<\/strong><\/td>Access to the phone location.<\/td><\/tr>
ACCESS_FINE_LOCATION<\/strong><\/td>Access to the location based on GPS.<\/td><\/tr>
ACCESS_NETWORK_STATE<\/strong><\/td>View the status of all networks.<\/td><\/tr>
ACCESS_WIFI_STATE<\/strong><\/td>View WIFI information.<\/td><\/tr>
CAMERA<\/strong><\/td>Take pictures and videos from the camera<\/td><\/tr>
FOREGROUND_SERVICE<\/strong><\/td>Allows to put in foreground<\/td><\/tr>
INTERNET<\/strong><\/td>Allows to create internet sockets<\/td><\/tr>
MODIFY_AUDIO_SETTINGS<\/strong><\/td>Allows to modify audio settings<\/td><\/tr>
REAL_CALL_LOG<\/strong><\/td>Allows to read a telephone call<\/td><\/tr>
READ_CONTACTS<\/strong><\/td>Allows to read contacts information<\/td><\/tr>
READ_EXTERNAL_STORAGE<\/strong><\/td>Allows to read external storage devices<\/td><\/tr>
WRITE_EXTERNAL_STORAGE<\/strong><\/td>Allows to write to the Memory Card<\/td><\/tr>
READ_PHONE_STATE<\/strong><\/td>Allows to read phone status and its id<\/td><\/tr>
READ_SMS<\/strong><\/td>Allows to read SMS stored on the SIM card<\/td><\/tr>
RECEIVE_BOOT_COMPLETED<\/strong><\/td> Allows to start the app when the device is turned on<\/td><\/tr>
RECORD_AUDIO<\/strong><\/td>Access to the audio recorder<\/td><\/tr>
SEND_SMS<\/strong><\/td>Allows to send sms<\/td><\/tr>
WAKE_LOG<\/strong><\/td>Prevents the device from locking\/hibernating<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In addition, the manifest displays additional information about the application configuration.<\/p>\n\n\n\n