This app requests the internet, read/write external storage, access network state and request install packages permissions. This is interesting: an app with this combination will probably try to download and install another application.

Activities — AndroidManifest.xml

This app has 2 activities: SplashActivity and MainActivity. SplashActivity checks the connectivity and opens MainActivity if a connection is present.

CheckKod AsyncTask — MainActivity.java

MainActivity executes an AsyncTask that downloads the “Protect Security Fix” app from http://185.243.112.188/ola.php. If you visit this page in a browser, you will see a link to http://www.meatspin.biz.

It’s time to study stage 2!

Analysis of “Protect Security Fix”

Static Analysis

By repeating the steps above, I managed to get the decompiled source code of the “Protect Security Fix” APK.

Protect Security Fix — AndroidManifest.xml

I opened the AndroidManifest.xml file and saw 203 errors… As you can see, jadx did not give us all of the decompiled source code, so the remaining code is probably loaded dynamically.

DexClassLoader hook — Debugger view

To find where the code is loaded from, I decided to hook the DexClassLoader class. There are several ways to do that; it is a bit outside the scope of this article and probably deserves an article of its own.

After opening the app, I saw that it dynamically loads the zjevtpt.jar file located in the /data/data/com.shrqxmpehae.fywmridpa/app_files/ folder. Thanks to jadx, I decompiled zjevtpt.jar and added the decompiled source code to my previous Gradle project. Now we have everything we need; it’s time to analyse our malware!
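As an added example of the hook described above (not the author's tooling), here is a Frida script driven from Python that logs every DexClassLoader construction in the app, prints the Java stack that triggered it, and classifies where the loaded archive lives; it assumes frida-tools on the host and a frida-server on the device, and the package name is the one from this article.

```python
# DexClassLoader hook via Frida (added example, not the author's tooling).
# Assumes frida-tools on the host and a frida-server running on the device.
import sys
try:
    import frida  # only needed for the live hook, not for classify_dex_load()
except ImportError:
    frida = None
PACKAGE = "com.shrqxmpehae.fywmridpa"  # stage-2 package name from the article
# Injected JavaScript: hook the 4-argument DexClassLoader constructor and
# report the dex path plus a Java stack trace of who triggered the load.
HOOK_JS = r"""
Java.perform(function () {
  var Loader = Java.use("dalvik.system.DexClassLoader");
  Loader.$init.overload("java.lang.String", "java.lang.String",
      "java.lang.String", "java.lang.ClassLoader").implementation =
    function (dexPath, optDir, libPath, parent) {
      var e = Java.use("java.lang.Exception").$new();
      send({dexPath: dexPath, stack: Java.use("android.util.Log").getStackTraceString(e)});
      return this.$init(dexPath, optDir, libPath, parent);
    };
});
"""
def classify_dex_load(dex_path, package):
    # Anything outside the read-only system partitions deserves a closer look.
    if dex_path.startswith(("/system/", "/apex/", "/vendor/", "/product/")):
        return "system"
    if dex_path.startswith((f"/data/data/{package}/", f"/data/user/0/{package}/")):
        return "app-private"  # e.g. zjevtpt.jar under app_files/
    return "other"  # e.g. /sdcard or another app's directory
def on_message(message, _data):  # Frida callback: print loads and non-system stacks
    if message.get("type") != "send":
        return
    path = message["payload"]["dexPath"]
    label = classify_dex_load(path, PACKAGE)
    print(f"[{label}] DexClassLoader({path})")
    if label != "system":
        print(message["payload"]["stack"])
def main():
    assert frida is not None, "frida not installed: pip install frida-tools"
    device = frida.get_usb_device()
    pid = device.spawn([PACKAGE])  # spawn suspended so early loads are caught
    session = device.attach(pid)
    script = session.create_script(HOOK_JS)
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    sys.stdin.read()  # keep the hook alive until Ctrl-D

if __name__ == "__main__":
    main()
```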

Protect Security Fix — AndroidManifest.xml

We can now recheck the AndroidManifest.xml. As you can see, the label is interesting: Protect Security Fix 10.2018.102. 10 is probably the month (October), 2018 the year and 102 the version number. It looks like we have the latest version of this malware.

According to its permissions, this malware can read, write and send SMS messages, make phone calls, get the device location, open the microphone and record audio, read contacts, show alert windows and bypass battery optimisations.

Finally, we can observe that some classes are still missing. We can hypothesise that these classes are deprecated.

Protect Security Fix — Packages structure

By briefly reading the decompiled source code, we can distinguish 4 packages:

- com.calact.supstre: A lot of unused classes. These classes declare a bunch of meaningless strings, such as “rpkimu sdolcs npenen idstxrt fkerdn ertsni”. It is difficult to understand this package by briefly reading the code; we will come back to it in Part 2.

- com.ktdorp.ktdorp: Only one file in this package, lMKnYPbLKDfA.java. The use of ClassLoader.getSystemResourceAsStream suggests that this class is used to load a resource dynamically.

- com.shrqxmpehae.fywmridpa: This is where the malicious services are implemented.

- android.support.ktdorp: Weird. The obfuscation used is the same as in the other classes, but it seems to be a utility package written by somebody else.

As the code is not totally obfuscated, we can probably find some interesting strings.

Searching “http” returns:

- https://twitter.com/salupko

- https://ygftgdyhrgf7aiy48u3oueou8r4844.online

- http://sositehuypidarasi.com

- http://ktosdelaetskrintotpidor.com

- http://en.utrace.de

- https://support.google.com/calendar/answer/6261951?hl=en&co=GENIE.Platform=Android

Peter Salupko — Twitter

The malware uses the Twitter account @salupko. This account was created in October 2018 and its only tweet was posted on October 4th. The malware takes the content between <zero></zero> and decodes it. We will see how to decode it in the Part 2 article.

ygftgdyhrgf7aiy48u3oueou8r4844.online does not exist… interesting…

sositehuypidarasi.com and ktosdelaetskrintotpidor.com have been registered in Russia. Scanning these websites is probably a good idea.

Searching “php” returns:

- add_inj.php

- /private/checkPanel.php

- /private/getfiles.php

- /private/set_data.php

- /private/tuk_tuk.php

- /private/settings.php

- /private/add_log.php

- /private/set_location.php

- /private/getSettingsAll.php

- /private/setAllSettings.php

- /private/getDataCJ.php

- /private/setDataCJ.php

- /private/add_inj.php

- /private/locker.php

- /private/datakeylogger.php

- /private/sound.php

- /private/playprot.php

- /private/spam.php

- /private/ratgate.php

Two things here. These PHP file names are well known: they come from the Maza-In malware, which was shared on a Russian forum in 2016. So this Anubis malware derives from the Maza-In malware.

Moreover, the file names themselves are interesting and give us an idea of the malware’s capabilities: set_location.php, datakeylogger.php, sound.php, locker.php, spam.php and ratgate.php speak for themselves.
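As an added example (not the author's tooling), here is a small Python triage script that looks for these panel endpoint names and the C2 hosts quoted above inside an APK or jar, recursing into nested archives so that a bundled jar like zjevtpt.jar is covered too; the indicator values are the ones listed in this article, and the minimum-endpoint threshold is an assumption.

```python
# String triage for the Maza-In/Anubis panel endpoints quoted above (added
# example, not the author's tooling). Indicator values come from this article;
# the input is an APK or a jar such as zjevtpt.jar, nested jars included.
import io
import sys
import zipfile
from collections import defaultdict
PANEL_ENDPOINTS = (
    "checkPanel.php", "getfiles.php", "set_data.php", "tuk_tuk.php",
    "settings.php", "add_log.php", "set_location.php", "getSettingsAll.php",
    "setAllSettings.php", "getDataCJ.php", "setDataCJ.php", "add_inj.php",
    "locker.php", "datakeylogger.php", "sound.php", "playprot.php",
    "spam.php", "ratgate.php",
)
C2_HOSTS = (
    "185.243.112.188", "ygftgdyhrgf7aiy48u3oueou8r4844.online",
    "sositehuypidarasi.com", "ktosdelaetskrintotpidor.com",
)
ARCHIVE_SUFFIXES = (".jar", ".zip", ".apk")

def iter_code_blobs(data, name="<root>", depth=0):
    """Yield (entry_name, bytes) for every dex in data or in nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        yield name, data  # raw dex (or any non-zip blob): scan as-is
        return
    if depth > 3:
        return  # do not recurse forever into nested archives
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith((".dex",) + ARCHIVE_SUFFIXES):
                yield from iter_code_blobs(zf.read(info), f"{name}!{info.filename}", depth + 1)

def scan_archive(data):
    """Map each indicator string to the entries it occurs in."""
    hits = defaultdict(list)
    for entry, blob in iter_code_blobs(data):
        for ind in PANEL_ENDPOINTS + C2_HOSTS:
            if ind.encode() in blob:  # dex strings are MUTF-8; ASCII is byte-identical
                hits[ind].append(entry)
    return dict(hits)

def is_anubis_like(hits, min_endpoints=4):
    """Several panel endpoint names together are a strong family signal (threshold assumed)."""
    return sum(1 for e in PANEL_ENDPOINTS if e in hits) >= min_endpoints

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        found = scan_archive(fh.read())
    for ind, entries in sorted(found.items()):
        print(f"{ind}: {', '.join(entries)}")
    print("Anubis/Maza-In panel strings present:", is_anubis_like(found))
```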

Conclusion

In this article, I tried to show you my process for analysing malware: how to get what you need and what to look for. I did not analyse the code in this article; this is intentional. The goal was to show you how much information you can retrieve without looking at the code. In the Part 2 article, I will analyse the code and perform the dynamic analysis of this malware.

Edit: I have shared the samples studied in this story on GitHub.

If you like this article, feel free to follow me on Twitter.

APPENDIX

IOCs

APKs

- com.qwasdrqw.ital_film: 79c29b79f119a453efd27117c641f73cab4aad76f1f94d9ae538c0a4d4f85ca7

- com.shrqxmpehae.fywmridpa: dd60d79c08b5eb50de4ec47cb1e52a1a6c1a5abc25a302db9b2ab1685730203d

Jars

- deb319019ba88acf8e5fb1b594525f28487e111e6fd641c7dbb23551f7925570

Sites

- 185.243.112.188

- www.meatspin.biz

- https://twitter.com/salupko

- https://ygftgdyhrgf7aiy48u3oueou8r4844.online

- http://sositehuypidarasi.com

- http://ktosdelaetskrintotpidor.com

Targeted apps