Xsser mRAT Code4HK

2014-10-08

Summary

Android spyware

Details

mRAT stands for Mobile Remote Access Trojan. Code4HK is a group of activist coders trying to improve government transparency in Hong Kong.

When the application is launched, the user is presented with an extensive list of permissions that the apk requests. Then a dialog box prompts the user to update, with the text: "Application updates, please click to install". If the user agrees, the app should be updated. In our case, the update fails: an error message appears on the screen: "System Thread. Application non installee. Un package portant le même nom accompagné d une signature différente est déjà installée." In fact, the malware is trying to install a second application with the same package name but with a different signature, which Android refuses.

In order to go further with this malware, the apk needs to be modified and recompiled. The modification consists of changing the package name in the AndroidManifest.xml so that it differs from the name of the new apk that the malware tries to install [AndroidManifest.java]. The package name is set to com.v2 instead of com.v1. To do this:

1 - disassemble the apk with apktool (apktool if myapp.apk, apktool d myapp.apk),
2 - modify the AndroidManifest.xml file as mentioned above,
3 - reassemble the apk (apktool b myapp myapp.apk),
4 - sign the application using jarsigner,
5 - install the new apk.

The new application is then installed. The app is supposed to connect to a C&C server. Unfortunately all the servers are currently down (221.226.58.202, 61.36.11.75, 112.124.47.157).

Other resources

Triggering

1 - disassemble the apk with apktool (apktool if myapp.apk, apktool d myapp.apk),
2 - modify the AndroidManifest.xml file as mentioned above,
3 - reassemble the apk (apktool b myapp myapp.apk),
4 - sign the application using jarsigner,
5 - install the new apk,
6 - launch the new apk.
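The repackaging procedure above (the same one given in the Details section) as an added example; this is not part of this entry or the analysts' tooling. It assumes apktool and jarsigner are on PATH, a throwaway analysis keystore, and a constructed sample manifest; com.v1 and com.v2 are the placeholder package names used on this page. It also expands relative component names (android:name=".Foo") before the rename, since otherwise they would resolve under the new package and no longer match classes in the sample's dex.

```python
"""Repackage an APK under a new package name (assumed helper, not the analysts'
own tooling). Steps follow the page: apktool d, edit the manifest, apktool b,
jarsigner. Only rename_package() is pure; repackage() shells out to apktool and
jarsigner, which must be on PATH."""
import re
import subprocess
from pathlib import Path

def rename_package(manifest_xml: str, new_package: str) -> str:
    """Return the manifest text with <manifest package="..."> replaced.

    Component names written relative to the old package (android:name=".Foo")
    are expanded to their absolute form first, so after the rename they still
    resolve to classes that actually exist in the sample's dex."""
    m = re.search(r'<manifest\b[^>]*?\bpackage="([^"]+)"', manifest_xml)
    if m is None:
        raise ValueError("no package attribute on <manifest>")
    old_package = m.group(1)
    start, end = m.span(1)
    renamed = manifest_xml[:start] + new_package + manifest_xml[end:]
    return re.sub(r'android:name="(\.[^"]+)"',
                  lambda c: f'android:name="{old_package}{c.group(1)}"', renamed)

def repackage(apk: Path, new_package: str, keystore: Path, alias: str,
              out_dir: Path) -> Path:
    """Full pipeline: decode, rename, rebuild, sign. Returns the signed apk path.
    jarsigner prompts for the keystore password (a throwaway analysis key)."""
    work = out_dir / apk.stem
    subprocess.run(["apktool", "d", "-f", str(apk), "-o", str(work)], check=True)
    manifest = work / "AndroidManifest.xml"
    manifest.write_text(rename_package(manifest.read_text(), new_package))
    rebuilt = out_dir / f"{apk.stem}-{new_package}.apk"
    subprocess.run(["apktool", "b", str(work), "-o", str(rebuilt)], check=True)
    subprocess.run(["jarsigner", "-keystore", str(keystore), str(rebuilt), alias],
                   check=True)
    return rebuilt

# Constructed sample manifest (not the real Xsser mRAT manifest): the page
# only says the original package is com.v1 and is renamed to com.v2.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.v1" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="app">
        <activity android:name=".MainActivity"/>
        <service android:name="com.v1.svc.Updater"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(rename_package(SAMPLE_MANIFEST, "com.v2"))
```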

Characteristics

Malware type :

Attacks :

Infection technique :

Malicious code type :

Hiding techniques :

Triggering techniques :

Samples

Java source code extracts:
