mobile


In this final blog in the Rootnik series we will finish our analysis of this new variant. Let’s start by looking into the script shell rsh. Analysis of the script shell Through our investigation we are able to see how the script shell works: First, it writes the content of the file .ir into /system/etc/install-recovery.sh. The file install-recovery.sh is a startup script. When the android device is booted, the script can be executed. The following is the content of the file .ir. Next, it writes some files... [Read More]
by RSS Kai Lu  |  Jul 09, 2017  |  Filed in: Security Research
In part I of this blog, I finished the analysis of the native layer of a newly discovered Rootnik malware variant, and got the decrypted real DEX file. Here in part II, we will continue our analysis. A look into the decrypted real DEX file The entry of the decrypted DEX file is the class demo.outerappshell.OuterShellApp. The definition of the class OuterShellApp is shown below. Figure 1. The class demo.outerappshell.OuterShellApp We will first analyze the function attachBaseContext(). The following is the function aBC() in the class... [Read More]
by RSS Kai Lu  |  Jul 09, 2017  |  Filed in: Security Research
Part I: How to Unpack the Malware App This past January I performed a deep analysis of an Android rootnik malware variant and posted them to this blog. Since then, I have continued to monitor this Android malware family. In early June, FortiGuard Labs found a new variant of the Android rootnik malware that disguises itself as a legal app. It then uses open-sourced Android root exploit tools to gain root access on an Android device. To be clear, this malware was NOT found in Google Play. The developer of the malware app repackaged a legal app... [Read More]
by RSS Kai Lu  |  Jul 09, 2017  |  Filed in: Security Research
For us at FortiGuard, it always sounds like a bad idea for people to share malware source code, even if it is for academic or educational purposes. For example, on GitHub we can currently find more than 300 distinct repositories of ransomware, which gives you some idea about the attention that this form of malware receives. Although ransomware has the highest profile in the threat landscape at the moment, that does not mean that other threats have disappeared. Android is the most wide spread OS on mobile devices, covering around 80% of the... [Read More]
by RSS Dario Durando & David Maciejak  |  Apr 26, 2017  |  Filed in: Security Research
During the process of analyzing android malware, we usually meet some APK samples which hide or encrypt their main logic code.  Only at some point does the actual code exist in the memory, so we need to find the right time to extract it.  In this blog, I present a case study on how to repair a DEX file in which some key methods are erased with NOPs and decrypted dynamically when ready to be executed. Note: All the following analysis is based on android-4.4.2_r1(KOT49H). Let’s start our journey! First, I open the classes.dex... [Read More]
by RSS Kai Lu  |  Apr 05, 2017  |  Filed in: Security Research
Ztorg, also known as Qysly, is one of those big families of Android malware. It first appeared in April 2015, and now has over 25 variants, some of which are still active in 2017. Yet, there aren't many technical descriptions for it - except for the initial Ztorg.A sample - so I decided to have a look at one of the newer variants, Android/Ztorg.AM!tr, that we detected on January 20, 2017. The sample poses a "Cool Video Player" and its malicious activity was so well hidden I initially thought I had run into... [Read More]
by RSS Axelle Apvrille  |  Mar 15, 2017  |  Filed in: Security Research
In the part 1 of this blog, we saw that Android/Ztorg.AM!tr silently downloads a remote encrypted APK, then installs it and launches a method named c() in the n.a.c.q class. In this blog post, we’ll investigate what this does. This is the method c() of n.a.c.q: This prints "world," then waits for 200 seconds before starting a thread named n.a.c.a. I'll spare you a few hops, but among the first things we notice is that the sample uses the same string obfuscation routine, except this time it is not... [Read More]
by RSS Axelle Apvrille  |  Mar 15, 2017  |  Filed in: Security Research
Recently, we found a new Android rootnik malware which uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device. The malware disguises itself as a file helper app and then uses very advanced anti-debug and anti-hook techniques to prevent it from being reverse engineered. It also uses a multidex scheme to load a secondary dex file. After successfully gaining root privileges on the device, the rootnik malware can perform several malicious behaviors, including app and ad... [Read More]
by RSS Kai Lu  |  Jan 26, 2017  |  Filed in: Security Research
Pokémon Go’s rapid rise in popularity has attracted cybercriminals to leverage its hype for their malicious intents. So far, we have seen backdoored Pokémon Go apps, lockscreen apps, scareware apps, SMS spam,s as well as Windows ransomware. This time we have seen a new attack that takes aim at Pokémon Go users themselves, in the form of a fake Windows-based Pokémon Go Bot. A Pokémon Go Bot is an application that works as a fake Pokémon trainer in order to level up a user’s account without... [Read More]
by RSS Roland Dela Paz  |  Aug 24, 2016  |  Filed in: Security Research
At FortiGuard, we wouldn't let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won't assist you in game strategy, I'll give you my first impressions analyzing the game. Versions There are two sorts of Pokémon applications: 1. The official versions, issued by Niantic. We will talk more about these later, but in brief, they are not malicious. 2. The hacked versions. These are... [Read More]
by RSS Axelle Apvrille  |  Aug 11, 2016  |  Filed in: Security Research