The app icon is hidden using the p.setComponentEnabledSetting method. The value 2 corresponds to COMPONENT_ENABLED_STATE_DISABLED, and the third argument represents the DONT_KILL_APP flag. After hiding the app icon, the application starts the service com.example.dat.a8andoserverx.MainService.
As soon as the onStartCommand method of the service is called, the service acquires a partial wake lock with the tag MyApp::MyWakelockTgggag. With a partial wake lock, the screen and keyboard backlight are allowed to go off but the CPU keeps running. The broadcast receiver com.example.dat.a8andoserverx.InterceptCall is triggered on incoming and outgoing calls. Using this receiver, the application reads and stores the phone numbers involved in the conversation.
The current time is recorded in the format SimpleDateFormat("yyyy_MM_dd_HH_mm_ss"). The directory /sdcard/DCIM/.dat is created if it doesn’t exist. For incoming calls, a file In_<pno>_<timestamp>.mp3 is created in the /sdcard/DCIM/.dat directory, where pno is the incoming phone number. For outgoing calls, a file Out_<pno>_<timestamp>.mp3 is created, where pno is the outgoing phone number. The call is then recorded into that file.
calls.this.recorderx = null;
calls.this.recorderx = new MediaRecorder();
calls.this.recorderx.setAudioSource(1); // MIC (using microphone as audio source)
calls.this.recorderx.setOutputFormat(2); // MPEG4 media file format
calls.this.recorderx.setAudioEncoder(3); // AAC Low Complexity (AAC-LC) audio codec
calls.this.recorderx.setOutputFile(calls.this.audiofilex.getAbsolutePath());
calls.this.recorderx.prepare();
calls.this.recorderx.start();
// All these recordings will be saved in the /sdcard/DCIM/.dat directory
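The recording location and file-naming scheme described above are useful forensic indicators. The following triage helper is an added example for this post, not code from the original analysis or from the spyware: it takes a flat listing of paths from a device image or backup, parses any file that matches the In_<pno>_<timestamp>.mp3 / Out_<pno>_<timestamp>.mp3 scheme under /sdcard/DCIM/.dat into structured records, and separately flags any other dot-prefixed (hidden) entry under /sdcard/DCIM. The generic hidden-entry heuristic, the digits-only assumption for the phone number, and the sample listing are my own constructions, not something the analysis states.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Directory the spyware uses for call recordings (from the analysis).
RECORDING_DIR = "/sdcard/DCIM/.dat"

# In_<pno>_<timestamp>.mp3 / Out_<pno>_<timestamp>.mp3 with the
# timestamp in SimpleDateFormat("yyyy_MM_dd_HH_mm_ss").
# Assumption: the phone number is digits with an optional leading '+'.
RECORDING_RE = re.compile(
    r"^(?P<direction>In|Out)_(?P<number>\+?\d+)_"
    r"(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})\.mp3$"
)
TS_FORMAT = "%Y_%m_%d_%H_%M_%S"  # Python equivalent of yyyy_MM_dd_HH_mm_ss


@dataclass
class Recording:
    path: str
    direction: str      # "In" or "Out"
    number: str         # phone number embedded in the file name
    started: datetime   # when the recording began, per the file name


def parse_recording(path: str) -> Optional[Recording]:
    """Return a Recording if `path` follows the spyware's naming scheme, else None."""
    directory, _, name = path.rpartition("/")
    if directory != RECORDING_DIR:
        return None
    m = RECORDING_RE.match(name)
    if not m:
        return None
    try:
        started = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        # Looks like the scheme but carries an impossible date (e.g. month 13);
        # treat it as not-a-recording so it is not silently mis-parsed.
        return None
    return Recording(path, m.group("direction"), m.group("number"), started)


def hidden_under_dcim(path: str) -> bool:
    """True if any path component below /sdcard/DCIM starts with a dot.

    Generic heuristic (my assumption): legitimate camera output under DCIM
    is not stored in dot-prefixed files or directories.
    """
    prefix = "/sdcard/DCIM/"
    if not path.startswith(prefix):
        return False
    return any(part.startswith(".") for part in path[len(prefix):].split("/") if part)


def triage(paths: List[str]) -> Tuple[List[Recording], List[str]]:
    """Split a path listing into parsed call recordings and other hidden DCIM entries."""
    recordings: List[Recording] = []
    hidden: List[str] = []
    for p in paths:
        rec = parse_recording(p)
        if rec is not None:
            recordings.append(rec)
        elif hidden_under_dcim(p):
            hidden.append(p)
    return recordings, hidden


# Constructed sample listing, not taken from a real device.
SAMPLE_LISTING = [
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
    "/sdcard/DCIM/.csp",
    "/sdcard/DCIM/.dat/In_5551234567_2023_06_01_09_15_30.mp3",
    "/sdcard/DCIM/.dat/Out_5559876543_2023_06_01_17_02_11.mp3",
    "/sdcard/DCIM/.dat/Out_5559876543_2023_13_01_17_02_11.mp3",  # invalid month
    "/sdcard/Download/report.pdf",
]

if __name__ == "__main__":
    recs, others = triage(SAMPLE_LISTING)
    for r in recs:
        print(f"{r.direction:3} {r.number:>14} {r.started.isoformat()}  {r.path}")
    for h in others:
        print(f"hidden entry under DCIM: {h}")
```

Feeding it the output of a recursive listing of the extracted sdcard partition gives a timeline of which numbers were recorded and when; entries that land in the second list (such as the .csp status file described later) are worth inspecting by hand.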
The application creates a hidden file named .csp within the DCIM directory on the SD card and starts the com.example.dat.a8andoserverx.calls service. Two tasks, task and taskx, are scheduled to run every second, starting after a delay of one second.
taskx increments the value of pasterx by 1 every second. After 600 seconds, the connection on the socket so is closed; this is handled by task.
The onStartCommand method runs after the onCreate method finishes executing. Here, an empty notification is generated. After generating the empty notification, the spyware creates a reference-counted WifiLock. By acquiring a WifiLock, the application ensures that the Wi-Fi radio remains active even when the user becomes inactive. Reference-counted WifiLocks ensure that the Wi-Fi radio sleeps only when the number of calls to acquire() has been balanced by the number of calls to release(). Subsequently, the application acquires a WAKE_LOCK. Acquiring a wake lock ensures that the device remains active and doesn’t go into sleep/standby mode to save power. A repeating alarm is set up that runs every 3 minutes. Whenever the alarm fires, the onReceive method of the broadcast receiver AlarmReceiver is called, which checks whether the MainService is already running. If the service is not running, it is started.
After completing all these steps to ensure persistence, the spyware starts its actual task. To establish a connection with the C2 server and listen for commands, it initiates a new thread.
Once the thread begins executing, the application creates a new socket and connects to the IP address 192.168.43.34 on port 4234. It listens for the various commands sent by the server and reacts accordingly. First of all, it sends a string of device information to the C2, built from the following fields:
this.buildx => The manufacturer of the device
this.m0del => The end-user-visible name for the device
this.prox => The name of the overall product
this.apilev => The SDK version of the software running on the device
Once the device information is sent, the application actively awaits incoming commands from the C2. Below is a comprehensive list of various commands involved:
Let’s explore the potential for misuse by examining the malicious activities that can be carried out through the execution of some of these commands. In multiple instances, the C2 sends supplementary data along with the issued command, such as the name of the file to be read or deleted.
Opens the screen of details about the application.
Calculates the size of the file /sdcard/DCIM/.dat/<filename> and sends it to the C2.
Starts the service com.example.dat.a8andoserverx.calls if it is not running; otherwise, terminates it.
Deletes the file /sdcard/DCIM/.csp and stops the service com.example.dat.a8andoserverx.calls.
Starts the service MainService if it’s not running. It also writes the value 1 into the file /sdcard/DCIM/.csp, indicating the status of MainService.
Takes a screenshot and sends it to the C2.
Checks the battery status, i.e. the current battery level and whether the device is plugged in or not.
Sends the device’s last known location to the C2.
Checks whether Facebook can be launched or not.
Reads the file /sdcard/DCIM/.fdat and sends the data to the C2.
Launches a fake Facebook login page and stores the entered credentials in the file /sdcard/DCIM/.fdat.
Launches any app according to the package name sent by the C2.
Creates a list of all available packages on the device and sends it to the C2.
Creates a gzipped tarball of the /sdcard/DCIM/.dat directory and sends it to the C2.
Uses the AccountManager to retrieve all the accounts currently available on the device.
Opens the camera and takes a picture of the victim. The captured image is stored at /sdcard/DCIM/.im8.jpg and then it is sent to the C2.
Sends information about all the cameras present in the device to the C2.
Captures audio, stores it in a temporary file named sound.mp3 and sends it to the C2.
Deletes a file from the sdcard according to the filename sent by the C2.
Opens a file from /sdcard based on the filename supplied by the C2. It then checks whether the EXIF data contains latitude and longitude information. If present, it sends the coordinates back to the C2.
Opens a file from /sdcard based on the filename supplied by the C2. It then reads it and sends the read data to the C2.
Creates a list of all non-hidden files present at /sdcard/DCIM and sends the list to the C2.
Checks whether a file is present in /sdcard/ based on the filename provided by the C2. It then reads the file and sends the data back to the C2.
Reads call logs and sends the name, number, duration and call type to the C2.
Retrieves a list of files in the directory /sdcard/<dirname> based on the provided directory name received from the C2, and sends the name and type (file or directory) to the server.
Executes a shell command within the specified working directory. The command and directory are provided by the C2, stored in the variables mssashel2 and mssashel22 respectively.
Deletes the directory /sdcard/DCIM/.dat.
Receives a message from the C2 and displays it as a toast.
Throughout this blog, I’ve examined the intricate mechanisms employed by the spyware, including its persistent backdoor capabilities and its ability to easily perform malicious actions on the user’s behalf. These findings emphasize the urgent need for robust cybersecurity measures, proactive threat detection, and prompt patching of software vulnerabilities.