Uncovering Trojans in 5'

+Ch0pin 🕷️
4 min read · Dec 16, 2020

The Need For Speed

Maybe the rest of the audience needs some context regarding the paragraph title, but I am pretty sure that most malware analysts know exactly what I am talking about. So… yes, speed is a critical factor in malware analysis, especially when you have piled up a large number of apps in your queue and have to identify potential malicious activity in each one of them.

This need was my motivation when I started MEDUSA, which was designed around the day-to-day tasks of a malware analyst. In this write-up, taking the chance this post gave me, I am going to show some basic workflows of the tool and how to use it to uncover malicious behaviour.

Trojan on Google Play

Tatyana was probably right, since I wasn't able to find the app on Google Play (no surprise) after her post. So, I downloaded the app from here in order to do the analysis.

Minute One'

Installation and a first “reconnaissance” is as simple as:

./apkutils.py ocr.numscan.text.scanner_17_apktada.com.apk

Thanks to APKEnum, MEDUSA parses the manifest file and searches the package for URLs, IPs, S3 buckets, Activities, Services and other “goodies” in order to present them to the analyst:

I am starting the main medusa module alongside apkutils in order to load my modules:

When it comes to ā€œJokerā€ apps the following four modules are my favourite:

0) modules/http_communications/multiple_unpinner.med (SSL pinning)
1) modules/clickers/click_toll_fraud.med (Toll Frauds)
2) modules/file_system/input_ouput.med (File Monitoring)
3) modules/helpers/unlinker.med (Prevent delete)

Use the “use module/name” medusa command to import the modules and start the first run:

There is some interesting stuff here…, e.g. calls to the Telephony Manager (network operator) and some motion events out of the blue, but nothing solid so far. The jar is a legitimate Google Ads SDK and the motion events are never dispatched… I can't reach a trojan verdict with that…

Minute Two'

Back to apkutils to get a shell and open the APK in jadx:

apkutils>shell → $ jadx-gui ocr.numscan.text.scanner_17_apktada.com.apk

A dropper like this needs a way to load its payload, and that almost always means a DexClassLoader, so let's search for its usage:

ocr.c.a stands out from everything else, so let's see what's going on there:

The flow seems pretty straightforward:

Check the app's files directory for a file named .num and create it if it doesn't exist. Open numtextscan.png (?) from the assets, XOR each byte with the value 136 (0x88) and write the result to .num. Finally, hand the .num file to DexClassLoader to load it dynamically.

What else we got here ?

The flow is triggered inside the ocr.c.a.a function, which takes a Context and an instance of the ‘b’ class (ocr.b.a) as parameters.

Obviously, I could extract the file from the assets, XOR it and save it as a .dex in order to open it and see what it does. But there is an even faster way… e.g. just trigger the ocr.c.a.a function and let the app drop it for me.
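For reference, this is what the “offline” route looks like. The script below is an added example written for this write-up; it is not MEDUSA's code and not the dropper's code. It reproduces the flow decompiled above (asset → XOR 0x88 → DEX) against the APK as a zip archive and, going one step beyond the post, recovers a single-byte XOR key from the known DEX magic when the constant is not known yet. The asset path `assets/numtextscan.png` and the key 136 are taken from the decompiled code; the sample APK built by `build_sample_apk` is constructed in-memory so the script runs without the real sample. The same `looks_like_dex` check is what settles the “this is not a PNG” question on the pulled `.num` file in Minute Four.

```python
"""Offline recovery of a XOR-obfuscated dropper payload (added example).

Flow, as reverse-engineered from ocr.c.a in the post:
  read assets/numtextscan.png -> XOR every byte with 0x88 -> DEX -> DexClassLoader
Here we do the same without running the app, and verify the result by its magic.
"""
import io
import zipfile
from typing import Optional

DEX_MAGIC_PREFIX = b"dex\n"            # full magic is b"dex\n035\0" (or 037/038/039)
ASSET_PATH = "assets/numtextscan.png"  # asset name seen in the decompiled code
KEY_FROM_POST = 136                    # 0x88, the XOR constant seen in ocr.c.a


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the dropper's whole 'decryption')."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def looks_like_dex(data: bytes) -> bool:
    """True if data starts with the DEX magic 'dex\\n0NN\\0'; a PNG never does."""
    return (
        len(data) >= 8
        and data.startswith(DEX_MAGIC_PREFIX)
        and data[4:7].isdigit()
        and data[7] == 0
    )


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Recover a single-byte XOR key assuming the plaintext is a DEX file.

    With a one-byte key, key = ciphertext[0] ^ plaintext[0]. The candidate is
    accepted only if the whole 8-byte magic decodes consistently with it.
    """
    if len(blob) < 8:
        return None
    key = blob[0] ^ DEX_MAGIC_PREFIX[0]
    return key if looks_like_dex(xor_bytes(blob[:8], key)) else None


def read_asset(apk_bytes: bytes, asset_path: str) -> bytes:
    """Pull one file out of the APK (an APK is just a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        try:
            return apk.read(asset_path)
        except KeyError as exc:
            raise ValueError(f"{asset_path} not found in APK") from exc


def decode_dropper_asset(apk_bytes: bytes, asset_path: str = ASSET_PATH,
                         key: Optional[int] = None) -> bytes:
    """Extract asset_path and XOR-decode it to a DEX.

    If key is None it is recovered from the DEX magic. Raises ValueError when
    the asset is missing or the decoded bytes are not a DEX file.
    """
    blob = read_asset(apk_bytes, asset_path)
    if key is None:
        key = recover_xor_key(blob)
        if key is None:
            raise ValueError("no single-byte XOR key yields a DEX header")
    dex = xor_bytes(blob, key)
    if not looks_like_dex(dex):
        raise ValueError(f"payload decoded with key {key:#x} is not a DEX file")
    return dex


def build_sample_apk(key: int = KEY_FROM_POST) -> bytes:
    """Constructed stand-in for the real APK: a zip whose 'png' asset is a XORed DEX header."""
    fake_dex = b"dex\n035\0" + bytes(range(0x20, 0x70))  # constructed header + filler, 88 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr(ASSET_PATH, xor_bytes(fake_dex, key))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Real use: python decode_dropper.py app.apk  (then open the written .dex in jadx)
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    key = recover_xor_key(read_asset(apk, ASSET_PATH))
    payload = decode_dropper_asset(apk, key=key)
    print(f"recovered key {key:#x}, dex version {payload[4:7].decode()}, {len(payload)} bytes")
    if len(sys.argv) > 1:
        with open("payload.dex", "wb") as out:
            out.write(payload)
```

Recovering the key from the magic rather than hard-coding 136 is what you want when the next Joker variant changes the constant; a 16-byte or per-byte key would defeat this one-byte trick, which is the point at which triggering the app's own decoding routine, as done below with the scratchpad, pays off.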

Minute Threeā€™

Medusa has a special module, called scratchpad, that can be used for “app-specific hooks”. Let's import a ScheduleOnMainThread Frida call and make the necessary modifications:

medusa>pad

TL;DR: I create an instance of ocr.c.a and one of ocr.b.a in order to call ocr.c.a.a(Context context, ocr.b.a b) and make the app “drop” the dex file.

Minute Four'

Let's add the scratchpad to our modules and run the app:

As expected, the app drops the file to the files folder:

Back to the apkutils:

apkutils> adb → adb: pull file → adb: exit → apkutils>shell

$ jadx-gui .num

I am sure this is not a PNG! You know what… let's leave minute five' for another post, but… don't forget to save the session:

medusa>export ocr.txt

… and medusa.py -r ocr.txt to start the same session :)
