SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report (updated 2025-03-01)
This article describes the highly complex Mandrake spyware. The editor thinks it is very practical, so it is shared here in the hope that you get something out of it.
Overview
Mandrake spyware has been lurking in the wild for four years, and hundreds of thousands of user devices have been infected in that time. Most victims of Mandrake infections are in Australia, Europe, the United States and Canada. The spyware first lurks in Google Play by posing as normal applications, and besides masquerading as legitimate applications it uses other techniques to evade Google Play protection: it greatly delays its malicious activity and works in phases. The malware hidden in Google Play is only the first stage of the attack chain; it then induces the user to download and install the second-stage payload, which in turn downloads and updates the third-stage core components.
Figure 1-1 Disguised legitimate application in Google Play
Malicious program loading process
The whole malware execution process is divided into three stages: the user downloads malware disguised as a normal application from the Google store; after the malware is installed and executed, it downloads the payload in the background (disguised as AndroidSystem) and induces the user to install and use it; finally, the payload downloads and updates the core components.
Figure 1-2 Malware loading process
Mandrake spyware is highly complex: the spyware hides itself in the background the first time it is run, and all interfaces are launched through dynamic calls. All meaningful strings are encrypted and decrypted dynamically in the native layer when they are needed. The main functions and remote control commands are hidden in the .so file and loaded dynamically, and cross-calls between Java-layer and native-layer functions keep the malicious behavior away from detection engines. Mandrake gives attackers access to data such as device preferences, address books, messages, screen recordings, and device usage and inactivity times, and the malware has complete control over the device: it can lower the phone's volume and block incoming calls, and intercept private data such as the user's text messages, contacts, accounts and login credentials. Phishing attacks are carried out by loading web pages and injecting specially crafted JavaScript code.
Figure 1-3 Program running logic
Technical analysis
Hides and protects itself in many ways
(1) The Activity component is declared in the manifest file so that it does not appear in the recent tasks list.
Figure 1-4 Setting the Activity property
(2) After installation and first launch, the application moves itself to the background and hides its icon.
Figure 1-5 Moves itself to the background
(3) For an application to run a service in the background, the Android operating system requires it to display a persistent notification. For this case, Mandrake uses a transparent notification icon.
Figure 1-6 The transparent notification icon, shown in the red box
(4) Cross-calls between Java-layer and native-layer functions.
Important functions such as dynamic string decryption, client-server interaction and remote command control are placed in the native layer.
Figure 1-7 Main function calls in the .so file
Java-layer functions are called via reflection from the native layer.
Figure 1-8 Reflection calls to Java-layer functions
Java-layer function names after decryption:
Figure 1-9 Function names after decryption
(5) All meaningful strings are encrypted and are decrypted and concatenated dynamically at run time.
This not only makes analysis harder, but also evades detection by app stores and antivirus software.
Figure 1-10 String decryption function
Part of the decrypted strings and the server address:
Figure 1-11 Decrypted file name and server address
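As an added example (not code from the article or from the malware), here is a static triage check that an analyst can run over a decoded AndroidManifest.xml to flag the traits described in (1) and (3) together with the accessibility-service and device-admin declarations used in later stages. The manifest text is a constructed sample, not the real Mandrake manifest, and the package name is a placeholder.

```python
# Added example (not the article's code): static triage of a decoded AndroidManifest.xml
# for the hiding and permission traits described above. The manifest is a constructed sample.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # namespace of android: attributes

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <activity android:name=".Main" android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

SENSITIVE = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
             "android.permission.READ_SMS", "android.permission.READ_CONTACTS"}

def triage_manifest(xml_text: str) -> dict:
    """Return which Mandrake-style traits the manifest declares, plus a simple count."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    f = {
        # (1): launcher activity that asks to be excluded from the recent-tasks list
        "hidden_launcher": any(
            act.get(A + "excludeFromRecents") == "true"
            and any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                    for c in act.iter("category"))
            for act in root.iter("activity")),
        # (3): foreground-service permission, needed to keep running behind a persistent notification
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
        # later stages: accessibility service and device-admin receiver
        "accessibility_service": any(s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                                     for s in root.iter("service")),
        "device_admin": any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                            for r in root.iter("receiver")),
        "sms_or_contacts": bool(perms & SENSITIVE),
    }
    f["trait_count"] = sum(1 for v in f.values() if v is True)
    return f

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the output of apktool or aapt2 on a suspect APK; a high trait count is a reason to look closer, not a verdict on its own.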
Behavior analysis
On launch, the application checks the SIM card operator and ISO country code of the user's device, and if certain conditions are met the malware stops running: it avoids running in low-income countries, African countries and the former Soviet Union. It also avoids running on devices without a SIM card or with SIM cards issued by specific operators. It is excluded from running on devices whose SIM card operator is "CMCC" (China Mobile Communications Corporation).
Figure 1-12 SIM card operator detection
Detecting whether the application is running in an emulator or virtual environment:
Figure 1-13 Detects whether the application is in a virtual environment
After the device checks pass, the application calls the native-layer init() function for string decryption and private data collection; before that, the application performs some initialization in the JNI_OnLoad function when the library is first loaded and connects to the server to interact with it.
Figure 1-14 client-server interaction
The init() function obtains the application list, account list and contact list of the user's device, and checks whether it is the device's default SMS program.
Figure 1-15 init function
It executes a shell command to obtain the list of applications on the device and calls the Java-layer 0xJ18 function via reflection to steal the device's account information and contacts.
Figure 1-16 steal user application list, contact list, account list
It checks whether it is the default SMS program; if not, a request dialog pops up, and when the user rejects the request, the application tells the user it has stopped running. When the user grants the request, the application displays its carefully drawn view as a text message viewer. One of the most interesting parts of the malware is the carefully drawn views, layouts, displays and visual components that distort the application flow to trick the user into granting dangerous permissions: this method changes what the user sees by redrawing areas of the screen, so that when the user clicks on a specific area the application obtains additional permissions.
The display layer has the function of sending and receiving short messages. After that, the application can completely replace the default SMS program and has the rights to edit, delete and change messages.
Figure 1-17 Self-made SMS transceiver display layer
It monitors the user's phone status, lowers the volume and blocks incoming calls. After comparing the phone number, it can hang up the call, delete the call record or record the call.
Figure 1-18 Monitoring the user's phone
(1) Hang up:
Figure 1-19 Hanging up a call received by the user's device
(2) Delete call records:
Figure 1-20 Deleting call records
Remote control
Each time the application performs an operation in the Java layer, it sends an instruction to the native layer.
Figure 1-21 Java-layer command transmission
The native layer handles the execution of every remote control instruction.
Figure 1-22 Native-layer remote control framework
Feature list:
SMS operations: collect and upload all SMS messages to the server, forward received SMS messages to a specified number, hide incoming SMS messages from the user, send specified SMS content to a specified number
Phone operations: monitor the user's phone and send incoming call numbers to the server, lower the volume and block incoming calls, initiate a call to a phone number, collect and upload the contact list to the server
Application operations: collect and upload the application list, install other components or malicious applications, uninstall applications
Device and account operations: collect and upload all accounts registered on the device, collect device information (Android version, battery level, device model, ISO country code, SIM operator, etc.)
Espionage capabilities: GPS tracking, credential theft for any account (Facebook, e-banking accounts) via phishing with JavaScript injection
Instruction list:
Instruction   Function
1000          Receive SMS: each time an SMS is received, send a request containing its content to the server
1001          Block all received text messages, do not show them to the victim, and forward them to the specified number
1002          Connect to the server at regular intervals
1003          Operate on the applications installed on the user's device, performing different actions depending on their state
1004          Stop script injection
1005          Send the device's application list, account list and contact list to the server
1006          Send log files to the server
1007          Update the server address
1008          Set Mandrake as the default SMS handler, which lets it block, intercept and relay incoming messages
1009          Disable the SMS processing function
1010          Update component
1011          Remove the updated component
1012          Collect all text messages received so far and send them to the server
1014          Dial the specified phone number
1015          Set the call-blocking switch
1016          Send the specified content to the specified phone number
1017          Send the specified content to the specified phone number
1018          Open a WebSocket connection to the URL given in the parameters
1019          Stop controlling the victim's device
1020          Record web page activity and inject malicious JavaScript to steal form input of the target application
1021          Stop web browsing
1022          Induce the user to grant accessibility permissions
1023          Stop command
1025          Start an application
1026          Restart the malware component
1028          Start screen capture
1029          Stop screen capture
Phishing attacks are carried out by loading web pages and injecting special JavaScript code to steal the account information of the target application.
Figure 1-23 loading a web page
The malware passes the collected private data to the native layer, writes it to a file, and then uploads it to the server.
Figure 1-25 Saving private data files
4. Second stage loading
When the second-stage payload is to be loaded, the application induces the user to click by showing a notification with the Google Play icon and a Google service update title.
Figure 2-1 The fake Google service notification
When the user clicks the fake Google Play notification, they are prompted to install the AndroidSystem app (disguised as an Android system app to help it hide), which is actually the second-stage payload.
Figure 2-2 Inducing the user to install the AndroidSystem payload
After the second-stage loader is downloaded and installed, the payload (AndroidSystem) checks the device's system version and hides its icon if the version is lower than 10; otherwise it changes its icon to that of another application. The loader mimics the Wi-Fi icon, and when clicked, the application opens the Wi-Fi menu.
Figure 2-3 Changing the application icon
List of payload features:
Determine and manipulate the status of the device
Determine whether the user is a valid target
GPS positioning and tracking
Collect and upload all accounts registered on the device
Download the core component and load it dynamically
5. Third stage loading
The core components are mainly used to grant the application sensitive permissions and to relay commands:
Grant the application device administrator privileges
Grant the application accessibility permissions
Grant the application permission to read notifications
Grant the application permission to ignore battery optimization
Set itself as the default SMS application
Disable Google Play Protect
Allow itself to install unknown applications
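As an added example (not code from the article), the following script correlates device settings that an analyst can read over adb to find a single package that has accumulated the grants listed above: accessibility service, notification listener, battery-optimization exemption and default SMS handler. The four input strings are constructed samples in the format of the real `settings get` and `dumpsys deviceidle whitelist` outputs, and the package names are placeholders.

```python
# Added example (not the article's code): correlate settings that an analyst can read over
# adb to find one package holding the grants the core component collects for itself.
# The four strings below are constructed samples in the format of these real commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
#   adb shell dumpsys deviceidle whitelist
#   adb shell settings get secure sms_default_application   (legacy key; newer builds use roles)
ACCESSIBILITY = "com.android.talkback/.TalkBackService:com.sample.androidsystem/.A11y"
NOTIF_LISTENERS = "com.sample.androidsystem/.NotifSvc"
DEVICEIDLE_WHITELIST = """system-excidle,com.android.providers.downloads,10017
user,com.sample.androidsystem,10142
user,com.sample.messenger,10133"""
DEFAULT_SMS = "com.sample.androidsystem"

def pkgs_from_components(setting: str) -> set:
    """Parse a colon-separated 'pkg/cls' list; 'null' or empty means nothing is enabled."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c}

def pkgs_from_whitelist(dump: str) -> set:
    """Keep only user-added 'user,<pkg>,<uid>' rows; system rows are expected."""
    out = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            out.add(parts[1])
    return out

def audit(accessibility: str, listeners: str, whitelist: str, default_sms: str) -> dict:
    """Map each package to the sorted list of sensitive grants it currently holds."""
    grants = {}
    sources = [("accessibility", pkgs_from_components(accessibility)),
               ("notification_listener", pkgs_from_components(listeners)),
               ("ignore_battery_optimization", pkgs_from_whitelist(whitelist)),
               ("default_sms", {default_sms.strip()} if default_sms.strip() else set())]
    for label, pkgs in sources:
        for pkg in pkgs:
            grants.setdefault(pkg, set()).add(label)
    return {pkg: sorted(g) for pkg, g in grants.items()}

def suspicious(grants: dict, threshold: int = 3) -> list:
    """Packages holding at least `threshold` of the grants; tune to the fleet's baseline."""
    return sorted(pkg for pkg, g in grants.items() if len(g) >= threshold)

if __name__ == "__main__":
    print(suspicious(audit(ACCESSIBILITY, NOTIF_LISTENERS, DEVICEIDLE_WHITELIST, DEFAULT_SMS)))
```

Device-admin and notification-policy grants can be added from `dumpsys device_policy` in the same way; the point is that an unknown package holding several of these grants at once is the profile the third stage builds.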
Mandrake has a very special module that, much like CAD drawing, draws parts of the screen, system alerts or other visual content, changing what the user sees by redrawing areas of the screen so that the malware obtains sensitive permissions when the user clicks on a specific area. If the authorization fails, the application pops up a Toast alert box.
1. Grant accessibility permissions
First, it constructs a view that mimics the list of accessibility services on the device and places an "I agree" check box over the switch that turns on its accessibility service. When the user clicks "I agree", they actually press the corresponding accessibility entry.
Figure 2-4 Inducing the granting of accessibility permissions
2. Grant permission to ignore battery optimization
When the device is low on power, the system optimizes battery life by killing background processes; granting the application accessibility permissions ensures that the application's background process will not be killed by the system.
The "Allow" button in the view built by the application corresponds to the button that grants the ignore-battery-optimization permission. This permission is granted when the user presses the "Allow" button.
Figure 2-5 Induced authorization to ignore battery optimization
Server list:
Target application list:
Application name                  Target country
Capital One Canada                Canada
Desjardins mobile Services        France
Sparkasse Ihre mobile Filiale     Germany
Postepay                          Italy
Mein ELBA-App                     Austria
IKO                               Poland
UOB Mighty Singapore              Singapore
ABN AMRO MobielBankieren          Netherlands
Scotiabank Mobile Banking         The United Kingdom
Bank of America Mobile Banking    America
The above describes the highly complex Mandrake spyware. The editor believes it contains knowledge points that we may encounter or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.