Thursday, June 6, 2013

Backdoor.AndroidOS.Obad.a

Update Sept 13, 2013 
Sandbox results from Andrototal:
http://andrototal.org/sample-analysis/hash/E1064BFD836E4C895B569B2DE4700284
http://andrototal.org/sample-analysis/hash/F7BE25E4F19A3A82D2E206DE8AC979C8


Research:
Kaspersky: The most sophisticated Android Trojan
Droidnews: Самый сложный вредонос под Android 

Sample credit: Tim Strazzere (Lookout Security)

Size: 84306
MD5:  E1064BFD836E4C895B569B2DE4700284

Size: 85079
MD5:  F7BE25E4F19A3A82D2E206DE8AC979C8



Download. Email me if you need the password


The following analysis was shared by Gunther

If you simply use dex2jar+JD-GUI, you will realised that most of the methods can't be decompiled.
Furthermore, i've realised that the one which it managed to decompiled looked wrong too.
I've attached my manual approach as well

Basically for a start, i would recommend you to use apktool first.
apktool.bat d <filename>

You should see something like this after running the above command.

    C:\Users\Gunther\Desktop\apktool>apktool.bat d F7BE25E4F19A3A82D2E206DE8AC979C8
    I: Baksmaling...
    I: Loading resource table...
    I: Loaded.
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: C:\Users\Jacob\apktool\framework\1.apk
    I: Loaded.
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Done.
    I: Copying assets and libs...
    C:\Users\Gunther\Desktop\apktool>

Now let’s take a look at the AndroidManifest.xml file, you should see the the permissions requested by the APK file.
It's a huge list so i won't paste it here.

From the AndroidManifest.xml, we also know the following
1.) This malware have several "service" entries.
Furthermore, if we look up http://developer.android.com/guide/topics/manifest/intent-filter-element.html we can see that it indicates to have a high priority.
2.) There is an Activity entry and under the “intent” tag of this Activity entry. It indicates to start as the main entry point according to http://developer.android.com/reference/android/content/Intent.html#ACTION_MAIN

According to the official diagram from Android, we should be looking at “OnCreate” function first.

3.) Earlier on, i've written that there are several "Service" being started by this app. According to http://developer.android.com/reference/android/app/Service.html We should be looking at “OnCreate” or “StartService” in that class file.
This “Service” is running in the background even when the user is not directly interacting with the application.

Analysis of Dalvik Code:
Let’s take a look at the onCreate function first. To have a better understanding of Dalvik byte code, it’s probably better to have either of the following 2 links:
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
http://source.android.com/tech/dalvik/dalvik-bytecode.html

Now before we go to "OnCreate", earlier on i've mentioned that Dex2Jar screwed it up right. Let's look at "cOIcOOo" in this smali file, "OclIIOlC"

Now look at the original smali code and this one with comments.
.method private static cOIcOOo(III)Ljava/lang/String;
// private static String cOIcOOo(Int paramInt1, Int paramInt2, Int paramInt3){
    .locals 6
    sget-object byteArray1, Lcom/android/system/admin/OclIIOlC;->cOIcOOo:[B
    // byte[] byteArray1 = OclIIOlC.cOIcOOo;
    add-int/lit8 p0, p0, 0x60
    // paramInt1 = paramInt1+0x60
    add-int/lit8 paramInt3, paramInt3, 0x21
    // paramInt3 = paramInt3+0x21;
    const/4 k, 0x0
    // int k = 0;
    new-instance v0, Ljava/lang/String;
    // String v0;
    new-array byteArray2, paramInt3, [B
    // byte[] byteArray2 = new byte[paramInt3];
    if-nez byteArray1, :cond_0
    // if( byteArray1==null ){
    move v2, paramInt3
    // v2 = paramInt3;
    // }
    move v3, paramInt2
    // v3 = paramInt2;
:goto_0
    add-int/lit8 paramInt2, paramInt2, 0x1
    // paramInt2 += 1;
    // or paramInt2++;
    add-int/2addr v2, v3
    // v2 += v3;
    add-int/lit8 paramInt1, v2, -0x2
    // paramInt1 = v2 + (-0x2);
:cond_0
    int-to-byte v2, paramInt1
    aput-byte v2, byteArray2, k
    // Puts the byte value in v2 into an element of a byte array. The element is indexed by k, the array object is referenced by byteArray2.
    // byteArray2[k] = v2;
    add-int/lit8 k, k, 0x1
    // k +=0x1;
    // or k++;
    if-lt k, paramInt3, :cond_1
    // if( k>=paramInt3 ){
    const/4 v2, 0x0
    // v2 = 0x0;
    invoke-direct {v0, byteArray2, v2}, Ljava/lang/String;-><init>([BI)V
    return-object v0
    // return new String(byteArray2, v2);
:cond_1
    move v2, paramInt1
    // v2 = paramInt1;
    aget-byte v3, byteArray1, paramInt2
    // Gets a byte value of a byte array into v3. The array is referenced by byteArray1 and is indexed by paramInt2.
    // v3 = byteArray1[paramInt2];
    goto :goto_0
.end method
}

Now compare it with "HelloWorld", which I've attached here. This should be the way to finally reverse it...i think.

Ok, i've also mentioned before on why AVs and some of the tools don't work.
Most of the better Android malware nowadays uses Reflection API.
Reflection can allow a program to create a "function pointer"  and invoke the target function by using it. You can see it's common usage in ExploitKits or those Java exploits.

You will see it when you start reversing "OnCreate" function.