Threat Intelligence - Tracing a malicious Android Application

In this blog post, I'm going to walk through some of the methodology that I recently used to gather intelligence from a malicious link that was sent to me via SMS. Quick disclaimer - I'm no expert , so if you find any information that is incorrect please feel free to reach out, that said, lets begin:

The fake Gumtree app

A few weeks back I listed some items for sale on Gumtree and I included my personal mobile number for people to get in contact. About a week after submitting the advert, I received a text:

Chris i send you prepayment: my-gumtree.org/9315659

Two things immediately stood out - prepayment and the URL. For those that don't know Gumtree, prepayment is not possible, typically goods are bought and sold on a face to face basis, there is no option to prepay for items. Secondly, the URL - my-gumtree.org didn't seem legit, knowning at the correct URL is Gumtree.com.

Usually I would delete such messages, however I decided to do a little digging. First off, I visited the URL and was met by a cloned version of my original advert:

Screenshot_1
(During my initial visit Chrome had yet to mark the site as Dangerous.) Also included on the page was a section for claiming my prepayment:

Screenshot_2

Clicking continue, I wasn't surprised to find instructions relating to how to download and install the fake application, shown below:
Screenshot_20191031-204659Screenshot_20191031-205539

So, I did just that - I downloaded the application but didn't install it, instead I uploaded the APK file to VirusTotal.

VirusTotal

VirusTotal allows you analyse suspicious files and URLs to detect types of malware, it will then automatically share them with the security community. Once uploaded, I wasn't surprised to find that the APK was flagged as being malicious:

Screenshot_20191031-212119>

Quickly looking through the details section, we can see the application is asking for access to a set of dangerous permissions.

  • android.permission.CALL_PHONE
  • android.permission.CHANGEWIFISTATE
  • android.permission.GET_TASKS
  • android.permission.INTERNET
  • android.permission.READPHONESTATE
  • android.permission.READ_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.SYSTEMALERTWINDOW
  • android.permission.BINDACCESSIBILITYSERVICE

Dangerous permissions cover areas where the app wants data or resources that involve the user's private information, or could potentially affect the user's stored data or the operation of other apps. Further information on permissions can be found on the Android Developers Website.

Digging Deeper with VT Graph

VT Graph is a tool that allows you to explore datasets visually within VirusTotal. Over the last few weeks, I've been experimenting with the tool and have found it to very helpful when trying to understand the relationships between files, URLs, domains and IP addresses. VT Graph is available for free however there are some limitations (unable to save or share graphs), however I have found it can really bring an investigation into life.

Lets walk through the fake Gumtree application to see what other intelligence we can gather. If you wish to follow along, you will need to create a basic account with VirusTotal and you will need the SHA-256 hash below which was generated during the initial .apk file submission.

SHA-256 Hash 47b4d5bd9a9f3ee390e4d0dc3125dfc244e851574ecbe4974bb678a22a180cf3

Enter the hash in the search field to create the initial graph:
vtgraph

vtgraph_1

A VTGraph is then created (as shown above)with a number of branches coming off the central APK file that was submitted - com.elchapo. Each node that we can see represents an entity, with each entity having its own icon. There is an excellent walk through guide explaining each of these icons on the VTGraph site, I suggest going through that in order to fully understand then all.

Let's examine each entity of our graph. In the top right, we have the bundled files (box icon) of the packaged APK file, as shown below:
vtgraph5

Furthermore, inside the bundled files, we have two ELF files and an APK file. These entity icons are coloured red to give us a visual indication that each of these files has been detected in VirusTotal more than three times.

At the bottom right of the graph, we have contacted domains. These are the domains contacted by the file being studied upon execution, as shown below:
vtgraph3

At the bottom left of the graph, we have contact IP addresses. These are the IP addresses which are contacted by the file, as shown below:
vtgraph4
As you can see, these IP addresses have been identified as being located in Holland.

Finally, the top left of the graph, we have URL's contacted by the APK file. Note that these are red, indicating they have been noted more than three times in VirusTotal.
vtgraph6

Around the majority of the nodes, a grey background is present. This means further information is available and the node can be expanded to reveal further information, this is done by double clicking on the node, also hovering your mouse over a node will provide you further information:

vtgraph7

Photo by Taskin Ashiq on Unsplash