This post was authored by Taqi and Rosamira
Overview
NetbyteSEC malware analyst team came across a malicious application packaging
kit (APK) file that is targeted on Malaysian Android users. The sample was
received by our team containing the details below.
MD5 Hash :
e58ffc4e23292d80916b0e19c184cdef
Filename : 5_6172262213630297202.apk
File Type : Application Packaging Kit (APK)
App Name : MY Maid
Package Name :
com.example.bio
Main Activity :
com.example.bio.MainClass
Android
Version Name : 1.0
Android Version
Code : 1
|
Table 1: Detail of the malicious APK
This Android application is embedded with certain code of malicious intents
and permission. The NetbyteSEC malware analyst team observed that the
application contains malicious classes such as SMS receivers. Victim’s
messages will be intercepted when the device is receiving messages and sent to
the attacker domain.
Figure 1: Overview modus operandi of MY Maid scam that is being targeted to Malaysian victims.
Victims saw MyMaidKL from a Facebook advertisement which said that there is Hari Raya Promotion for everyone to grab an offer for cleaning service. After the victim saw the ads from FB, they chatted with the scammer for further information. The scammer asks customers to book an appointment through their android application. The victim navigates to https://mymaidkl[.]com to download the APK file. Then, the APK file is downloaded to the victim's phone and the victim installs the apps. Upon installing the malicious application, victims will be prompted to give RECEIVE_SMS permission to the malicious application. In the application, victims will make payments on a fake online payment system website and their banking credentials are sent to the attacker. From here, attackers receive banking credential information and read the victim's SMS which potentially reads the TAC code. Attackers then make illegal transactions after receiving the victim's credentials.
Figure 2: MyMaidKL from a Facebook advertisement (Source: https://twitter.com/Fiqqq_ahmad/status/1520200146700566528?s=20&t=4e60yr_fLurrumxg5ofjlA)
In this case here, mobile banking application users have been targeted by phishing scam messages which aim to trick victims into allowing receiving SMS permission to the malicious app after the victim installs the application file from https://mymaidkl[.]com.
Figure 3: MY Maid application packaging kit flow of execution on victim devices.
The malicious mechanism of the application are listed below:
a) Force the application to allow receiving messages from the victim's devices. The application will be able to read received messages for the victim devices and send them back to the attacker server
b) Send victim to customize MYMaid website which is used for phishing
Analysis
Website Analysis
Figure 4: Landing page of MY Maid website
Upon landing on the website, victims will be browsing a very legitimate-looking website providing maid service in Malaysia. The website https://mymaidkl[.]com is being hosted using WordPress CMS can be seen providing a WhatsApp quick chat link when inspecting the view-source of the page.
Figure 5: Website containing contact scammer through WhatsApp.
The number that is being used, 0172675873, can be contacted and still
available.
Figure 6: Website hosting malicious apk that should be downloaded by victims
NetbyteSEC malware analyst team determined that the website hosted the malicious APK in the website, so the victim will download and install the file on their devices. After downloading the APK, victims have to install the APK, in order to purchase the maid services provided.
NetbyteSEC malware analyst team generated a static analysis report for the APK file to find the information about how the app connects to its backend, which can be used to perform attacks against the application server. From the static analysis, we are also able to understand the app’s permissions and intents, and other components that control how the app shares data with other apps and interacts with the operating system.
Static Analysis
NetbyteSEC malware analyst team begin the analysis by investigating the resources directory of the APK file. In the folder, the most important files that need to be analyzed are the Manifest file which is named AndroidManifest.xml, and classes.dex file which contains the DEX bytecode that is decompiled under the “Source Code” tab, and the assets/folder which contains any other files or dependencies that the APK may need to be run.
In AndroidManifest.xml, the NetbyteSEC malware analyst team starts to identify any of the application entry points described in the Application Entry Point section.
Figure 7: AndroidManifest.xml of MY Maid application.
Looking through the manifest file, NetbyteSEC malware analyst team able to see that the application has requested the android.permission.INTERNET
permission and android.permission.RECEIVE_SMS from figure 7, which
allows the application to create network sockets and listen to the
message received by victim devices.
Figure 8: Permissions requested by the application
This is a hard restricted permission which cannot be held by an
application until the installer on record whitelists the permission.
Android Permissions
|
Description |
android.permission.INTERNET
|
Allows an application to create network sockets
|
android.permission.RECEIVE_SMS
|
Allows application to receive and process SMS messages. Malicious
application may monitor your messages or delete them without showing
them to you.
|
There is an intention that was declared in the manifest file which is unusual for a streaming app as it is not related to streaming services.
Figure 9: Anomaly activity that being used by the malicious APK, ReceiverClass and MainClass
Figure 10: com.example.bio.MainClass Based on the figure above, NetbyteSEC malware analyst team concluded that the main class will request SMS accessibility of the device using android.permission.RECEIVE_SMS.
Figure 11: com.example.bio.MainClass
Figure 10 shows that the application tried to request permission before proceeding to the main page, which would be the landing page of the phishing website. If the permission is not given, the message will pop up “Please allow SMS before or reinstall the app”.
Figure 12: com.example.bio.MainClass
After the victim allows the permission, the application will send a request to the attacker domain containing a specific parameter. One of the table parameters is dID parameter which uses the ID of the victim device , as line 37 from figure 11. This is related to the figure below, ReceiverClass which will be explained later. After allowing the permission, the victim will be redirected to the website page of https://mobile666.mymaidkl[.]com.
The attacker do further phishing on specific which will be used to manipulate the victim submitting their sensitive information online.
Figure 13: com.example.bio.ReceiverClass
On this figure, ReceiverClass is set up in order to obtain any message that is received by the victim device. In line 28, NBS team conclude that whenever a message was received, this function will be triggered and the content of the SMS message will be read by this application.
Figure 14: com.example.bio.ReceiverClass After the attacker receives the message from the victim, the application will compile the message in JSON format along with some other information like the ID of the device. Then, SMS_Received will broadcast to the website https://api.lapubo[.]com/SNSDBBSJN/ISSASDS . The attacker will synchronize the data from the C2 server and the phishing server by the ID of the message, which will be the Android ID of the victim device.
Conclusion
NetbyteSEC malware analyst team concluded that the android application sample contains malicious code. The start from the boot up through android.permission.RECEIVE_SMS permission. Then the malicious android application will request to have permission that can access the victim SMS messages.
Upon receiving any SMS message, the application will read the message and pack the message in json format, then will send the packet to their C2 server along with the other data.
IOC
e58ffc4e23292d80916b0e19c184cdef
+60172675873
https://api.lapubo[.]com
https://mymaidkl[.]com
https://mobile666.mymaidkl[.]com
Figure 2: MyMaidKL from a Facebook advertisement 
Figure 7: AndroidManifest.xml of MY Maid application.
