Uncovering Trojans in 5'

The Need For Speed

Maybe the rest of the audience needs some context regarding the paragraph title, but I am pretty sure that most malware analysts know exactly what I am talking about. So… yes, speed is a critical factor when it comes to malware analysis, especially when you have piled up a big number of apps in your queue and you have to identify potential malware activity in each one of them.

This need was my motivation when I started MEDUSA, which was designed with the day-to-day tasks of a malware analyst in mind. In this write-up, taking the opportunity offered by this post, I am going to show some basic workflows of the tool and how to use it in order to uncover a malicious behaviour.

Trojan on Google Play

Tatyana was probably right, since I wasn’t able to find the app on Google Play shortly after her post. So, I downloaded the app from here in order to do the analysis.

Minute One’

Installation and a first “reconnaissance” is as simple as:

./apkutils.py ocr.numscan.text.scanner_17_apktada.com.apk

Thanks to APKEnum, MEDUSA will parse the manifest file and search for URLs, IPs, S3 buckets, Activities, Services and other “goodies” in order to present them to the analyst:

I am starting the main medusa module alongside the apkutils in order to load my modules:

When it comes to “Joker” apps, the following four modules are my favourites:

0) modules/http_comnunications/multiple_unpinner.med (SSL pinning)
1) modules/clickers/click_toll_fraud.med (Toll Frauds)
2) modules/file_system/input_ouput.med (File Monitoring)
3) modules/helpers/unlinker.med (Prevent delete)

Use the “use module/name” medusa command to import the modules and start the first run:

There is some interesting stuff here, e.g. calls to the Telephony Manager (network operator) and some motion events out of the blue, but nothing solid so far. The jar is a legitimate Google Ads SDK and the motion events are not dispatched… I can’t come to a verdict of trojan with that.

Minute Two’

Back to the apkutils to get a shell and open the apk with jadx:

apkutils>shell → $ jadx-gui ocr.numscan.text.scanner_17_apktada.com.apk

It can’t be a trojan without a DexClassLoader, so let’s search for its usage:

ocr.c.a stands out from everything else, so let’s see what is going on there:

The flow seems pretty straightforward:

Check the files directory for a file named .num and, if it doesn’t exist, create it. Open numtextscan.png (?) from the assets, XOR each byte with the value 136 and write the result to .num. Finally, use the class loader to dynamically load (DCL) the file.

What else have we got here?

The flow is triggered inside the ocr.c.a.a function, which takes as parameters a Context and an instance of the ‘b’ object.

Obviously I could extract the file from the assets, XOR it and save it as a dex in order to open it and see what it does. But there is an even faster way: just trigger the ocr.c.a.a function.
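The static route just mentioned, as an added example that is neither part of the original post nor of MEDUSA: a small Python script that pulls the asset out of the APK (a zip), XORs every byte with 136 and refuses to write anything that does not carry a dex header. The asset path assets/numtextscan.png and the built-in sample archive are assumptions; the key 136 comes from the decompiled ocr.c.a.

```python
import io
import zipfile

XOR_KEY = 136                      # single-byte key seen in ocr.c.a
DEX_MAGIC = b"dex\n"               # every dex file starts with "dex\n0NN\0"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # what a genuine PNG would start with

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def is_png(data: bytes) -> bool:
    return data.startswith(PNG_MAGIC)

def is_dex(data: bytes) -> bool:
    return data.startswith(DEX_MAGIC)

def recover_dex_from_apk(apk, asset_name="assets/numtextscan.png", key=XOR_KEY):
    """Read the masked asset out of the APK (a zip), decode and sanity-check it.
    `apk` may be a path, an open file or the raw bytes of the archive."""
    if isinstance(apk, (bytes, bytearray)):
        apk = io.BytesIO(apk)
    with zipfile.ZipFile(apk) as zf:
        blob = zf.read(asset_name)
    if is_png(blob):
        raise ValueError(f"{asset_name} is a genuine PNG, nothing to decode")
    dex = xor_decode(blob, key)
    if not is_dex(dex):
        raise ValueError("decoded payload has no dex header: wrong key or asset?")
    return dex

def build_sample_apk() -> bytes:
    """Constructed stand-in for the real APK: a zip whose 'png' asset is a
    XOR-masked dex stub (only the header plus padding, not a real dex)."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/numtextscan.png", xor_decode(fake_dex))
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    # Pass a real APK path as the first argument; without one the sample is used.
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    dex = recover_dex_from_apk(source)
    with open("num.dex", "wb") as out:
        out.write(dex)
    print(f"wrote num.dex ({len(dex)} bytes), header {dex[:8]!r}")
```

The recovered num.dex can then be opened in jadx just like the dropped .num file later in the post.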

Minute Three’

Medusa has a special module called scratchpad, which can be used for “app specific hooks”. Let’s import a ScheduleOnMainThread Frida call and make the necessary modifications:

medusa>pad

TL;DR: I am creating an instance of the ocr.c.a and ocr.b.a classes in order to call the ocr.c.a.a(Context context, ocr.b.a b) function and “drop” the dex file.

Minute Four’

Let’s add the scratchpad to our modules and run the app:

As expected, the app drops the file to the files folder:

Back to the apkutils:

apkutils> adb → adb: pull file → adb: exit → apkutils>shell

$ jadx-gui .num

I am sure this is not a png! You know what… let’s leave minute five’ for another post, but don’t forget to save the session:

medusa>export ocr.txt

… and run medusa.py -r ocr.txt to start the same session :)

Security Researcher, former Camel Rider, developer of https://github.com/Ch0pin/medusa