by Axelle Apvrille  |  Mar 07, 2016  |  Filed in: Security Research

Our automated crawling and analysis system, SherlockDroid / Alligator, has just discovered a new Android malware family on a third-party marketplace.

Figure 1: Part of SherlockDroid report. Android/BadMirror sample found as suspicious

The malware is an application whose name translates to "Phone Mirror". Because it is malicious, we have dubbed it 'BdMir'.

The malware sends a large amount of information to its remote CnC (phone number, MAC address, list of installed applications, etc.; see Figure 2), and it can also execute a few commands received from the server, such as "app" (download an APK) or "page" (display a given URL).

Figure 2: Android/BadMirror reports the list of apps installed on the phone to its remote server.

The malware hides its CnC URLs and configuration with a home-made obfuscation mechanism that combines DES, PKZip and Base64. Precisely, it does the following:

  1. Encrypt the string with DES-CBC. The key is hard-coded ("dfctbbjg") and the IV is "12345678".
  2. Base64 encode the result.
  3. Zip the base64 encoded output.
  4. Re-base64 encode the zipped result!
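The four steps reversed in Go, as an added example rather than the authors' DecryptStrings tool: it uses the key and IV quoted above, assumes PKCS#5 padding (Java's default for DES/CBC) and a single zip entry (named "s" here), and round-trips a constructed placeholder URL, since no real blob is reproduced on this page.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"io/fs"
)

var key, iv = []byte("dfctbbjg"), []byte("12345678") // hard-coded in the sample, per the write-up
var block, _ = des.NewCipher(key)                     // 8-byte key, so this cannot fail
// obfuscate applies the four steps so a test blob can be built offline. Assumed, since the
// page does not say: PKCS#5 padding and a single zip entry (named "s" here).
func obfuscate(s string) string {
	pad := 8 - len(s)%8
	pt := append([]byte(s), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(pt, pt) // 1. DES-CBC
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("s")                                 // 3. zip ...
	w.Write([]byte(base64.StdEncoding.EncodeToString(pt))) // 2. ... the base64 text
	zw.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes()) // 4. base64 again
}
// deobfuscate reverses the chain and rejects malformed layers instead of panicking.
func deobfuscate(blob string) (string, error) {
	outer, err := base64.StdEncoding.DecodeString(blob) // undo 4
	if err != nil {
		return "", err
	}
	zr, err := zip.NewReader(bytes.NewReader(outer), int64(len(outer)))
	if err != nil || len(zr.File) == 0 {
		return "", errors.New("outer layer is not a zip archive")
	}
	inner, err := fs.ReadFile(zr, zr.File[0].Name) // undo 3: first entry, whatever its name
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(string(inner)) // undo 2
	if err != nil || len(ct) == 0 || len(ct)%8 != 0 {
		return "", errors.New("inner layer is not DES ciphertext")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // undo 1
	if pad := int(ct[len(ct)-1]); pad >= 1 && pad <= 8 {
		return string(ct[:len(ct)-pad]), nil
	}
	return "", errors.New("bad PKCS#5 padding")
}
```

Feed deobfuscate() the base64 string pulled from the sample's code or resources; the entry-name assumption only matters for obfuscate(), since the decoder reads whichever entry comes first.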

We have implemented our decryptor:

    $ java DecryptStrings
    ...
    Url : hxxp://silent.googlestatistics.net:10055/api/sys
    Url : hxxp://silent.800t.net:10055/api/sys
    Url : hxxp://googlestatistics.net:10055/boxgame/appmore/
    Url : hxxp://bg.800t.net:10055/appmore/
    ...

The SHA256 hashes of the samples we identified are listed below:
References:

Technical description of Android/BdMir.A!tr

Latest presentation on SherlockDroid / Alligator

-- the Crypto Girl, and HoMing Tay
