Our automated crawling and analysis system, SherlockDroid / Alligator, has just discovered a new Android malware family on a third-party marketplace.
Figure 1: Part of SherlockDroid report. Android/BadMirror sample found as suspicious
The malware is an application whose name translates to "Phone Mirror". Because it is malicious, we have dubbed it 'BadMirror'.
The malware sends a large amount of information to its remote CnC (phone number, MAC address, list of installed applications...) - see Figure 2 - but it is also able to execute a few commands such as "app" (download an APK) or "page" (display a given URL).
Figure 2: Android/BadMirror reports the list of apps installed on the phone to its remote server.
The malware hides its CnC URLs and configuration with a home-made obfuscation mechanism that combines DES, PKZip and Base64. Precisely, it does the following:
- Encrypt the string with DES-CBC. The key is hard-coded ("dfctbbjg") and the IV is "12345678"
- Base64 encode the result
- Zip the base64 encoded output
- Re-base64 encode the zipped result!
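To make the four layers concrete, here is a small Go program (an added example, not the decryptor from the original post) that applies and reverses the scheme exactly as listed: DES-CBC with the hard-coded key "dfctbbjg" and IV "12345678", Base64, a zip archive, then Base64 again. Two details are assumptions because the write-up does not state them: PKCS5 padding for the DES layer (the Java default for "DES/CBC/PKCS5Padding"), and the name of the single entry inside the zip archive, which the decoder ignores by reading whichever entry comes first. The sample string is constructed and is not one of the malware's real URLs.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Key and IV as quoted in the write-up.
var (
	desKey = []byte("dfctbbjg")
	desIV  = []byte("12345678")
)

// Assumption: the post does not name the zip entry; any single entry is read back.
const zipEntryName = "s"

// pkcs5Pad / pkcs5Unpad: assumed padding mode (Java's PKCS5Padding default).
func pkcs5Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Layer 1: DES-CBC with the hard-coded key and IV.
func desCBCEncrypt(plain []byte) ([]byte, error) {
	block, err := des.NewCipher(desKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(plain, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, desIV).CryptBlocks(out, padded)
	return out, nil
}

func desCBCDecrypt(ct []byte) ([]byte, error) {
	block, err := des.NewCipher(desKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 8")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, desIV).CryptBlocks(out, ct)
	return pkcs5Unpad(out, block.BlockSize())
}

// Layer 3: wrap the Base64 text in an in-memory zip archive / read it back out.
func zipBytes(name string, data []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func unzipFirst(data []byte) ([]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	if len(zr.File) == 0 {
		return nil, errors.New("empty zip archive")
	}
	rc, err := zr.File[0].Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// b64Decode tolerates line wrapping, which Android's Base64.DEFAULT inserts.
func b64Decode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.Join(strings.Fields(s), ""))
}

// Obfuscate applies the four layers in the order the post lists them.
func Obfuscate(s string) (string, error) {
	ct, err := desCBCEncrypt([]byte(s))
	if err != nil {
		return "", err
	}
	z, err := zipBytes(zipEntryName, []byte(base64.StdEncoding.EncodeToString(ct)))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(z), nil
}

// Deobfuscate reverses them: Base64 -> unzip -> Base64 -> DES-CBC decrypt.
func Deobfuscate(blob string) (string, error) {
	z, err := b64Decode(blob)
	if err != nil {
		return "", err
	}
	inner, err := unzipFirst(z)
	if err != nil {
		return "", err
	}
	ct, err := b64Decode(string(inner))
	if err != nil {
		return "", err
	}
	pt, err := desCBCDecrypt(ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample string; not a real CnC URL from the samples.
	blob, _ := Obfuscate("hxxp://example.invalid:10055/api/sys")
	fmt.Println("obfuscated:", blob)
	s, err := Deobfuscate(blob)
	fmt.Println("recovered:", s, err)
}
```

The decoder is written defensively on purpose: each layer checks its input (block alignment, padding, empty archive, malformed Base64) and returns an error rather than panicking, which matters when you point it at every string constant pulled out of a DEX file and most of them are not encoded with this scheme.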
We have implemented a decryptor for it:
$ java DecryptStrings
...
Url : hxxp://silent.googlestatistics.net:10055/api/sys
Url : hxxp://silent.800t.net:10055/api/sys
Url : hxxp://googlestatistics.net:10055/boxgame/appmore/
Url : hxxp://bg.800t.net:10055/appmore/
...
The SHA256 hashes of the samples we identified are listed below:
-- the Crypto Girl, and HoMing Tay