This post was authored by Taqi and Rosamira
The NetbyteSEC malware analyst team came across a malicious Android application package (APK) file targeting Malaysian Android users. The sample received by our team has the details below.
| Field | Value |
|---|---|
| MD5 Hash | |
| Filename | 5_6172262213630297202.apk |
| File Type | Android application package (APK) |
| App Name | MY Maid |
| Package Name | com.example.bio |
| Main Activity | com.example.bio.MainClass |
| Android Version Name | 1.0 |
| Android Version Code | 1 |

Table 1: Details of the malicious APK
This Android application embeds code and permissions with malicious intent. The NetbyteSEC malware analyst team observed that the application contains malicious classes such as an SMS receiver: whenever the device receives a message, the victim's message is intercepted and sent to the attacker's domain.
| Permission | Description |
|---|---|
| | Allows an application to create network sockets. |
| android.permission.RECEIVE_SMS | Allows an application to receive and process SMS messages. A malicious application may monitor your messages or delete them without showing them to you. |
An intent is declared in the manifest file that is unusual for a streaming app, as it is not related to streaming services.
Based on the figure above, the NetbyteSEC malware analyst team concluded that the main class requests SMS access on the device using android.permission.RECEIVE_SMS.
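As an added example (not NetbyteSEC's tooling) of turning the manifest observations above into a repeatable triage check, the Python script below parses a decoded AndroidManifest.xml (as produced by apktool) and flags the combination that characterises an SMS stealer: the RECEIVE_SMS permission, a broadcast receiver registered for SMS_RECEIVED, and INTERNET access to send the data out. The manifest is constructed to mirror the sample's identifiers; the receiver's fully qualified name com.example.bio.ReceiverClass is an assumption.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception
pattern: RECEIVE_SMS permission + SMS_RECEIVED receiver + INTERNET.
Added example, not NetbyteSEC's tooling; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # android:name attribute, namespace-qualified

SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS_PERM = "android.permission.RECEIVE_SMS"
INTERNET_PERM = "android.permission.INTERNET"

# Constructed manifest modelled on the sample: package and main activity are
# taken from the report; the receiver's fully qualified name is assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bio">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="MY Maid">
        <activity android:name="com.example.bio.MainClass">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.example.bio.ReceiverClass">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def declared_permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receivers(root):
    """Names of <receiver> components whose intent-filter listens for SMS_RECEIVED."""
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            found.append(receiver.get(NAME))
    return found


def triage_manifest(manifest_xml):
    """Return a verdict dict; 'suspicious' is True when the app both asks for
    RECEIVE_SMS and registers a receiver for incoming SMS broadcasts."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    receivers = sms_receivers(root)
    findings = []
    if RECEIVE_SMS_PERM in perms:
        findings.append("requests RECEIVE_SMS")
    if receivers:
        findings.append("SMS_RECEIVED receiver: " + ", ".join(receivers))
    if INTERNET_PERM in perms and (RECEIVE_SMS_PERM in perms or receivers):
        findings.append("INTERNET + SMS access: possible SMS exfiltration")
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "sms_receivers": receivers,
        "findings": findings,
        "suspicious": RECEIVE_SMS_PERM in perms and bool(receivers),
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for finding in result["findings"]:
        print(f"[!] {result['package']}: {finding}")
```

Run it against `apktool d sample.apk` output by reading the decoded manifest into `triage_manifest`; the check is deliberately narrow (permission plus receiver plus network access) so that a legitimate messaging app that declares RECEIVE_SMS without a receiver, or a streaming app with only INTERNET, does not trip it.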
Figure 10 shows that the application requests the permission before proceeding to the main page, which is the landing page of the phishing website. If the permission is not granted, the message "Please allow SMS before or reinstall the app" pops up.
After the victim grants the permission, the application sends a request to the attacker's domain containing specific parameters. One of them is the dID parameter, which carries the ID of the victim's device (line 37 in Figure 11). This relates to ReceiverClass, shown in the figure below and explained later. Once the permission is granted, the victim is redirected to the web page at https://mobile666.mymaidkl[.]com.
The attacker then uses this page for further phishing, manipulating the victim into submitting their sensitive information online.
In this figure, ReceiverClass is set up to obtain any message received by the victim's device. From line 28, the NBS team concludes that whenever a message is received, this function is triggered and the content of the SMS message is read by the application.
Once a message has been received, the application packs it in JSON format along with other information such as the device ID. SMS_Received then sends it to https://api.lapubo[.]com/SNSDBBSJN/ISSASDS. The attacker synchronises the data between the C2 server and the phishing server by the ID of the message, which is the Android ID of the victim's device.
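The exfiltration chain just described (device ID passed as dID to the phishing host, then SMS content posted as JSON to the C2 endpoint) leaves a footprint in egress or proxy logs. The Python below is an added detection example, not part of the NetbyteSEC report: it runs over constructed log lines and flags requests to the two hosts named in the report, the dID parameter, and POST bodies that carry both a device identifier and message text. The log format, the JSON field names and the sample values are all assumptions.

```python
"""Detection over constructed proxy log lines for the SMS-exfiltration
behaviour described in the report. Added example, not the report's tooling;
the log format, JSON field names and sample values are assumed."""
import json
import re
from urllib.parse import parse_qs, urlparse

# IoC hosts from the report, with the defanging brackets removed for matching
IOC_HOSTS = {"mobile666.mymaidkl.com", "api.lapubo.com"}

# Constructed log lines: "<timestamp> <src_ip> <method> <url> <status> <body>"
SAMPLE_LOGS = [
    '2023-01-01T10:00:01Z 10.0.0.5 GET https://example.org/index.html 200 -',
    '2023-01-01T10:00:07Z 10.0.0.5 GET https://mobile666.mymaidkl.com/?dID=0123456789abcdef 200 -',
    '2023-01-01T10:02:13Z 10.0.0.5 POST https://api.lapubo.com/SNSDBBSJN/ISSASDS 200 '
    '{"id":"0123456789abcdef","from":"+60123456789","body":"Your OTP is 482913"}',
    '2023-01-01T10:03:00Z 10.0.0.9 POST https://example.org/api 200 {"ok":true}',
]

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (.*)$")

# Assumed key names a stealer might use for the device id and the message text
ID_KEYS = {"id", "did", "android_id", "device_id"}
MSG_KEYS = {"body", "msg", "message", "sms"}


def parse_line(line):
    """Split one constructed log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, body = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "body": body}


def looks_like_sms_exfil(body):
    """True if the body is a JSON object carrying both a device id and message text."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict):
        return False
    keys = {k.lower() for k in data}
    return bool(keys & ID_KEYS) and bool(keys & MSG_KEYS)


def detect(lines):
    """Return one alert per log line that matches any of the indicators."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        reasons = []
        if host in IOC_HOSTS:
            reasons.append(f"known IoC host {host}")
        if "dID" in parse_qs(parsed.query):
            reasons.append("dID device-id parameter in URL")
        if rec["method"] == "POST" and looks_like_sms_exfil(rec["body"]):
            reasons.append("POST body contains device id and SMS text")
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"{alert['ts']} {alert['src']} -> {alert['host']}: "
              + "; ".join(alert["reasons"]))
```

The host match is the high-confidence signal; the dID and body heuristics are there so the rule keeps firing if the operator moves the infrastructure to a new domain but keeps the same client code, which is the usual failure mode of IoC-only blocking.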
The NetbyteSEC malware analyst team concluded that the Android application sample contains malicious code. It starts from device boot-up through the android.permission.RECEIVE_SMS permission, and the malicious application then requests permission to access the victim's SMS messages.
Upon receiving any SMS message, the application reads it, packs it in JSON format, and sends the packet to the C2 server along with the other data.