Quick overview

It starts fairly innocent, with an app called Metrics.Me which has a pretty standard set of malware permissions, as can be seen in the screenshot below. It uses a VKontakte icon, probably to pose as some kind of social media app. The main and only screen of this app is shown above.

Let's start with the usual place: the SMSReceiver. And now things get a little complicated. There are a lot of references to "monodroid". It turns out that this is actually a Mono (.NET) implementation for Android, so presumably this app is written in Mono. There are also some references to the Runtime.register native functions (shown below). How does it all work?

The register function accepts three parameters. The first one is a string defining the DLL and the .NET class which will be used to load the native functions; in this example Metrics is the DLL name and Z.Core.SMSReceiver is the class. The second parameter is the class to which these functions will be applied, in this case the same class, namely SMSReceiver. The last parameter is a string which defines the mapping between a .NET function and the native function declaration in the class.



And if you look at the sample, all of the classes in the z.core package use this .NET class-loading method.

Mono and the mkbundle

So, first you need to register a method using the natively implemented Runtime class, which is a part of the Monodroid native library. In this way you can almost transparently use .NET code in your Android app. However, if a DLL file on Android is still a little too transparent for you, you can go a little further with the obfuscation: just use the mkbundle tool! It's a tool that combines all of the DLL files into a native .so library, e.g. for an ARM processor. This is usually called libmonodroid_bundle_app.so and contains gzipped DLLs (all of them) with their appropriate file names. You can see it by displaying the exports of the .so file, as pictured below.

As you can see there is a mono_mkbundle_init export and a couple of exports called assembly_data_ which are just gzipped DLLs. So you probably want to extract them. You don't have to do it manually any more! You can use my script to extract all of the files, as I did. So now we have the files and we can look at them and see what this malware does.
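As an added example (not the script from the post), here is a carving approach that skips the ELF export table entirely: scan the bundle bytes for gzip member headers, inflate each one and check for the PE "MZ" signature a .NET DLL starts with. The sample bytes are constructed stand-ins, and the gzip FNAME handling is an assumption, since the real bundle carries the file names in its assembly_data_ exports rather than necessarily in the gzip headers.

```python
import gzip
import io
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM = deflate
FNAME = 0x08                   # FLG bit: original file name follows header


def gzip_name(blob: bytes, off: int) -> str:
    """Return the FNAME stored in the gzip header at `off`, or ''."""
    flg, pos = blob[off + 3], off + 10          # fixed header is 10 bytes
    if flg & 0x04:                              # FEXTRA: skip XLEN + field
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if not flg & FNAME:
        return ""
    return blob[pos:blob.index(b"\x00", pos)].decode("latin-1")


def carve_assemblies(blob: bytes) -> list:
    """Inflate every gzip member in `blob`; each hit records its offset, a
    name (gzip FNAME if present; the real bundle keeps names in its ELF
    symbols), the inflated bytes and whether they start with PE's 'MZ'."""
    found, pos = [], 0
    while (off := blob.find(GZIP_MAGIC, pos)) != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing
        try:
            data = d.decompress(blob[off:])
        except zlib.error:                  # magic without a valid member
            data = None
        if data is None or not d.eof:       # bad or truncated: skip it
            pos = off + 1
            continue
        name = gzip_name(blob, off) or f"assembly_{off:08x}.dll"
        found.append({"offset": off, "name": name, "data": data,
                      "is_pe": data[:2] == b"MZ"})
        pos = len(blob) - len(d.unused_data)   # resume after this member
    return found


def _gz(name: str, payload: bytes) -> bytes:   # one member with FNAME (sample only)
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename=name, mtime=0) as f:
        f.write(payload)
    return buf.getvalue()


# Constructed stand-in for the bundle .so: junk, fake DLL, decoy member, fake DLL
SAMPLE_SO = (b"\x7fELF" + b"\x00" * 40
             + _gz("Metrics.dll", b"MZ" + b"\x90" * 200)
             + b"\x1f\x8b\x08\x00" + b"\xff" * 8     # magic, invalid deflate block
             + _gz("Mono.Android.dll", b"MZ" + b"\x00" * 64))
```

Writing each `data` field to `name` on disk gives you the DLLs to open in a decompiler; the decoy member shows why a carver must verify the full stream rather than trust the three magic bytes.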

.NET code & Lua

For the .NET code I used the free dotPeek decompiler, which I cannot recommend enough. You can see the onReceive method below and experience the weird cognitive dissonance of reading .NET code that uses Android libraries.

And when you dig a little deeper, you can find a very interesting set of functions, like for example the GetScriptFromServer function, which does the following.