Está en la página 1de 91

Departamento de Matemáticas

MÁSTER UNIVERSITARIO EN INVESTIGACIÓN EN


CIBERSEGURIDAD

Trabajo de Fin de Máster

Desempacando malware en Android automáticamente


con herramientas de código libre

Unpacking Android Malware automatically with Open


Source Tools

Autor: Fernando Sánchez Ortega

Tutor: Adriana Suárez Corona


UNIVERSIDAD DE LEÓN
Departamento de Matemáticas
MÁSTER UNIVERSITARIO EN INVESTIGACIÓN EN
CIBERSEGURIDAD
Trabajo de Fin de Máster
ALUMNO: Fernando Sánchez Ortega
TUTOR: Adriana Suárez Corona
TÍTULO: Desempacando un malware en Android automáticamente con
herramientas de código libre
TITLE: Unpacking Android Malware automatically with Open Source Tools
CONVOCATORIA: Julio, 2019
RESUMEN:
Desde que los dispositivos Android estas siendo más usados en la actualidad, los
desarrolladores de malware han empezado a crear mas malware sofisticado en
esta plataforma. Además, algunas de las técnicas que habían sido usadas antes
en otras plataformas como Windows o Linux están empezando a ser adaptadas
a Android. En particular las técnicas de ofuscación, las cuales hacen más difícil
a los analistas de malware conocer el comportamiento del malware analizado.
Una de esas técnicas, es ofuscar un recurso, con el uso de RC4 para prevenir
detecciones de los antivirus. De hecho, el uso de “packers” puede reducir el
tamaño de la muestra y hacer más difícil el desensamblado del código.
Durante los últimos años, un nuevo malware llamado Anubis ha aparecido y su
impacto ha crecido rápidamente, afectando principalmente a aplicaciones del
sector bancario y de criptomonedas.
En este trabajo fin de máster, hemos extraído información útil de Anubis tras
analizarlo tanto estática como dinámicamente. Una vez conocido el
comportamiento del malware, hemos desarrollado una herramienta que puede
automáticamente “unpack” el malware, detectar que aplicaciones legítimas son
están siendo suplantadas para el robo de credenciales de las victimas afectadas
y la detección de los “Command and Control” (C&C).
Además, la herramienta ha sido modificada, al ir adaptándola a las nuevas
versiones de Anubis.
Como resultado, esta herramienta nos ha permitido reportar mas de 650
muestras del malware Anubis en todas sus versiones.
ABSTRACT:
Since Android devices are currently more and more present, malware
developers have started to create more sophisticated malware over this
platform. Moreover, some techniques that have been used before over other
platforms like Windows or Linux has started to be adapted to Android. In
particular, obfuscating techniques which make more difficult malware analysts
to understand the malware behaviour.
One of those techniques is packing a file resource with RC4 in order to prevent
detections from antiviruses. In fact, using packers can reduce the size of the
malware sample and make it more difficult to disassemble the code.
During the last years a new malware called Anubis has appeared and its impact
has fastly increased, affecting mainly banking and cryptocurrency applications.
This malware uses the dex-protector packer.
In this master’s thesis, we have extracted useful information from Anubis after
a dynamic and static analysis. Once we knew the behaviour of the malware, we
developed a tool that can automatically unpack the malware, detect which
legitimate applications are spoofed to stole credentials from the victims
affected and also detect the Command and Control (C&C).
Moreover, the tool has been modified to adapt it to newer versions of the
malware family.
As a result, this tool has allowed to report more than 650 samples of Anubis
malware in its different versions.
Palabras clave: Android · malware · packer · open source detection · static
analysis · impact of malware -Anubis · bankbot.
Firma del alumno: VºBº Tutor:

(Julio, 2019)
Máster Universitario en Investigación en Ciberseguridad Página I

Index
Index I
Acknowledgement .............................................................................................................................III
Acronyms .......................................................................................................................................... IV
1 Introduction ..............................................................................................................................1
2 Problem Definition....................................................................................................................3
2.1 Research questions .............................................................................................................3
2.2 Motivation and goal ............................................................................................................3
2.3 Proposed solution ...............................................................................................................4
2.4 Methodology .......................................................................................................................4
3 Technical and theoretical background .....................................................................................6
3.1 Android................................................................................................................................6
3.2 Android as Operating System..............................................................................................6
3.3 Android Applications ...........................................................................................................8
3.4 Classification of Android application malware .................................................................14
3.5 Anubis................................................................................................................................16
3.6 Static Analysis and Dynamic Analysis ................................................................................18
3.7 Cryptographic tools ...........................................................................................................18
3.8 Malware obfuscation ........................................................................................................20
4 Solution ...................................................................................................................................22
4.1 Anubis over the platform Android and its detection ........................................................22
4.2 Information Extraction. Dynamic analysis ........................................................................24
4.3 Static Analysis....................................................................................................................30
4.4 Encryption Algorithm Identification..................................................................................38
4.5 Unpacking process ............................................................................................................39
4.6 Automatizing the unpacking process ................................................................................41
5 Results .....................................................................................................................................42
5.1 Analysis of the Anubis communication .............................................................................42
5.2 Analysis of Anubis targeted applications ..........................................................................50
5.3 Bankbot Anubis updates ...................................................................................................53
5.4 Results of samples analysed..............................................................................................56
6 Project management ..............................................................................................................58
6.1 Scheduling the work..........................................................................................................58
6.2 Resources ..........................................................................................................................60
6.3 Budget ...............................................................................................................................60
7 Conclusions .............................................................................................................................62
Future Work ..................................................................................................................................62
References.........................................................................................................................................63
APPENDIX I: Source Code ..................................................................................................................65
Sacarinfo.py...................................................................................................................................65
ArchivoProcesarAndroidManifest.py ............................................................................................67
Máster Universitario en Investigación en Ciberseguridad Página II

Unpacker.py ..................................................................................................................................68
Decrypt.java ..................................................................................................................................69
Anubis_Extractor_v2Anubis.py .....................................................................................................72
Anubis_Extractor_v2_5Anubis.py .................................................................................................77
Máster Universitario en Investigación en Ciberseguridad Página III

Acknowledgement
This thesis would not have been possible without the financial support of Innotec, which has helped
me always from an economical and emotional point of view. Moreover, I would like to mention
CracksLatinos, a reversing group that has helped me during the research in this field and has given
light to me in some moments with their knowledge in this area. Nobody has been more important
to me in the pursuit of this project than the members of my family. I would like to thank my parents;
whose love and guidance are with me in whatever I pursue.
Máster Universitario en Investigación en Ciberseguridad Página IV

Acronyms
This a little list with the Acronyms used along this Master’s Thesis.

C&C --> Command and Control


AV --> Antiviruses
GSM --> Global System for Mobile communications
UI --> User Interface
LTE --> Long Term Evolution
Wi-Fi -->wireless fidelity
GPS -->Global Positioning System
SMSs --> Short Message Service
IDE --> Integrated development environment
APK --> Android Application Package
RAT --> Remote Access Trojan
DEX --> Dalvik Executable
REGEX → Regular Expression
Máster Universitario en Investigación en Ciberseguridad Página 1

1 Introduction
Malware families that run over the Windows operating system (OS) are more
popular than malware over other platforms. However, users of mobile devices [1]
are increasingly subject to malicious activities. This is particularly dangerous,
since mobile phones deal with some of our most sensitive information, such as our
contacts, or they are frequently used as a second-factor of authentication. For
this reason, it is important to study malware that affects Android Operating
System, because in the next few years, Android will probably become the platform
where malware developers will invest the greatest amount of time and effort.
This master’s thesis focuses on how malware over Android’s platform has been
growing in recent years and explains which techniques that malware previously
used over platforms like Windows or Linux, have been used nowadays to create
new malware on Android.
Android technology, which is an OS based on the Linux kernel for mobile devices,
was launched in 2008. During these years it has become the most used operating
system in the world [2]. Over these 10 years, Android has been increasing its
characteristics and consequently, a big number of versions have appeared, from
version 1.0 (Apple pie) until the current version 9.0 (foot). This exponential
growth of use has caused that cybercriminals have found it an important market
where they can start to use their malware, and they have been incorporating
gradually new techniques to make more difficult its detection, like improving the
quality of malicious code, the creation of mutex to avoid infecting the same
device more than once, the use of code obfuscator, packers, etc [3]. These
techniques sometimes avoid Antiviruses (AV) detection, when these applications
are analysed before being uploaded to the major market of applications, Google
Play. This is one of the most coveted objectives for malware developers, because
if they publish the application in Google Play Store, their malware will be
downloaded by a higher number of victims. In the case that they do not get to
upload the malware to Google Play Store, they always have the possibility of
uploading them in some alternative markets like Aptoide, D-Droid, APKMirror. In
fact, in these markets it is difficult to delete malicious content [4]. Google Play
is also the fastest market to react when apps are flagged as malicious by AVs. It
takes ten days for Google to delete the malicious apps. On the other hand, it
usually takes alternative markets several months (in some cases more than a year)
to delete malicious apps.
The packer that we will study manages to filter more than 10.000 malicious app.
(catalogued as Bankbot Anubis) in Google Play and other samples catalogued as
Red Alert 2.0. Due to the growth of malware over this platform, antivirus
companies and some security companies have discovered that there is a great
business opportunity in this sector [5]. Consequently, many reactive and
preventive tools have been developed for the last two years, in order to reduce
the impact of malware on Android devices and able to analyse these samples and
identify their behaviour.
Máster Universitario en Investigación en Ciberseguridad Página 2

During the development of this master’s thesis, we have analysed around 650
samples and we have determined their behaviour. To achieve this, we have used
available open source tools, and we have developed a tool that allows to
automatically detect the malicious behaviour of these samples and analyse their
impact on the Spanish banking market.
Since the bankbot has been updated since we start the analysis, we have
developed different version of our tool in order to analyse samples corresponding
to the different versions of the bankbot.
Máster Universitario en Investigación en Ciberseguridad Página 3

2 Problem Definition
2.1 Research questions
This study will be guided by the following questions, which we will answer along
this document:
1. Why is Android targeted by malware authors?
2. Which kinds of malware are there? Why this malware is targeting
Android devices?
3. Which tools can analysts use to fight against these threats?
4. Can we create an automatic tool to detect a specific trendy
malware?
5. How has this malware been updated?

2.2 Motivation and goal


Malware has traditionally targeted platforms like Windows or Linux. The
malware affecting Android was not very sophisticated and furthermore,
security companies didn´t use to analyse this kind of malware because their
impact wasn´t significant for their clients.
However, at the end of 2017, a new malware family started to target
sensitive information over Android. Anubis malware family is a trojan which
has had a huge impact with attacks mainly to banking apps. It combines
features of Spyware, Keylogger, and Ransomware in the same malware
sample.
When the sensitive information attacked is related to money, an attack may
mean that the attacker is able to steal some money of the clients. Thus,
analysing Android malware became especially important.
A client of Innotec System, the company where I used to work, required
information about the features and behaviour of a sample infected provided
by one of its customers. When we received the sample and after some days
of analysis, we determined that the sample of malware was classified as
Anubis.
This malware family uses a new obfuscation technique to avoid being
detected by Antiviruses. The obfuscation techniques may be very different,
and it is needed to know how it works to be able to know whether a sample
contains malicious code and read properly its code.
One of the main objectives of this project consists of studying the malware
for Android devices that can affect Spanish banks. After studying which
malware families have appeared recently [17] we found one of the main
ones is bankbot Anubis [16]. Moreover, this malware sample had been
affecting clients of Innotec for 18 months. These reasons made us focus on
Bankbot Anubis.
Máster Universitario en Investigación en Ciberseguridad Página 4

We study the packing method used, and some features that Anubis has. The
goal of this Master’s thesis is to detect Anubis in samples to be analysed
both reactively and proactively.

2.3 Proposed solution


In order to detect Anubis malware, we will build an automatic tool that allows to
unpack the sample and extract useful information about the malware that help us
to close the domain site. This tool needs to be flexible, so that it is easy to adapt
it to be useful when the malware is updated.
To unpack the malware sample, we develop a piece of code in Python, that using
the RC4 library to decrypt the malicious payload and regex to locate where are
the key needed to apply the decrypt algorithm.
After the unpacking and the analysis of the malware’s payload, we extracted
common features, such as its communication, malware behaviour…
We realized that we could automatize the analysis process. For example, the
communication uses RC4 encryption again and the key could be extracted using
regex rules because they have almost always the same structure. The same
happened with malware’s targets.
Consequently, we decided to create a final tool in Python, that allow us to unpack
the malware sample, extract the C&C to monitor the impact in our clients and to
generate a report with information of the sample useful to close the domain and
to prevent more cases. Furthermore, we have been updated our tool in order to
keep up-to-date.

2.4 Methodology
To achieve our goal, we proceeded as follows:

1. We started our analysis with a sample received from a client, requiring us


information about its features and behaviour because one of its customers
had suffered a scam. After some days of analysis, and reading blogs of
cybersecurity analysing recent malware, we determined that it was an
Anubis malware.
2. We reviewed the literature, including scientific papers and antiviruses
blogs, regarding previous malwares in order to obtain information about
obfuscation techniques, and how sample can be statically or dynamically
unpacked.
3. We downloaded some tools that are the most popular in the sector to help
us in the analysis of the sample. Some of them were open source and we
could use other tools because Innotec has some license of use.
4. We built an Android laboratory and made a detailed analysis of the
particular sample. In our analysis we identified that in the source code
Máster Universitario en Investigación en Ciberseguridad Página 5

there is a group of legitimate applications susceptible to be spoofed were


present. We also identified the obfuscation method used and determined
how it works.
5. We downloaded more Anubis samples from VirusTotal, and we tried to find
similarities among samples in order to create an automatic tool.
6. We built an automatic tool that can help malware analyst to extract
information about this kind of malware. Our automatic tool had a static
part that allow us to extract all the information without executing the
malware sample, and a part which extracts the information about C&C and
malware’s impact.
7. We tested our tool with different samples of Anubis downloaded from
Virustotal and we verified that it worked properly, extracting useful
information about this particular malware. We knew previously that these
samples were infected by Anubis because they were categorized as such by
Antiviruses.
8. We adapted the automatic tool, each time that the malware had any
update.
Máster Universitario en Investigación en Ciberseguridad Página 6

3 Technical and theoretical background


3.1 Android
Android is a stack of software which includes and operating system for mobile
devices as well as middleware and applications and it is open source. Therefore,
any developer can contribute to this project, improve or modify it to satisfy his
needs. At the beginning, Android was developed by a business called Android Inc,
but in 2005, Google bought Android and in 2008 the first smartphone over the
Android operating system was launched, the HTC dream model [6].
Nowadays the gadgets that work over the OS Android are more used than the ones
working over its competitors, like Apple (IOs) or Windows (Windows Phone).
Android has a large number of collaborators that have worked at the code during
these years, fixing bugs or improving security measures. For this reason, there
are a lot of versions since Android appeared until now [fig 1]:

Figure 1 Android versions (https://rubentejera.com/versiones-android/)

Each new version of Android includes new features, that were not present in the
previous version. The idea is to always improve the customer’s experience and to
fix bugs or vulnerabilities discovered.

3.2 Android as Operating System


Android is a mobile operating system developed by Google. It is based on a
modified version of the Linux kernel and other open source software. It looks like
a lightweight Linux OS and was developed by Google. This operating system allows
the developers to work in Java language. Android architecture [7] consists of
core libraries, Android runtime, application framework as well as Linux kernel.
Android uses for its data storage SQLite, and supports different kinds of network
connectivity like GSM, EDGE, 3G, LTE, Wi-Fi etc. Android has all the drivers
Máster Universitario en Investigación en Ciberseguridad Página 7

preinstalled in the device. This operating system allows to run applications in a


variant of Java called Dalvik code. The operating system gives applications all the
interfaces that they need to use for accessing the phone functions, such as GPS,
calls, SMSs… in an easy way using Java language [8].
The main layers of the platform are shown in [Fig 2]:

Figure 2 Android stack components (https://www.xatakandroid.com/sistema-operativo/que-es-android )

During this master’s thesis, we will focus on the Application Framework. The
application framework is an environment that contains numerous Java libraries
specifically built for Android. The entire feature-set of the Android OS is available
through APIs written in the Java language. This layer provides numerous services
designed to simplify the reuse of components [9]. Some components that appear
in this level are [10]:
• View System – component allowing to build an app’s user interface,
including lists, grids, text boxes, buttons, and even an embeddable web
browser;
• Package Manager- Maintains information about available applications on
the device, and control the process of installing, upgrading, configuring and
removing applications on the devices.
• Windows Manager – Performs window manager, it’s the responsible for
organizing the screen, create surfaces for the application
Máster Universitario en Investigación en Ciberseguridad Página 8

• Resource Manager – component providing access to non-code resources


such as localized strings, graphics, and layout files;
• Location Manager – provides access to the location system services. It uses
both GPS and Android Network, with the following features:
- GPS – most accurate, slow, battery drain, and primarily for outdoor
use.
- Android Network provider uses cell tower and wi-fi signals.
• Notification Manager – component that enables all applications to display
custom alerts in the status bar;
• Telephony Manager – provides device’s information like the IMEI number.
• Activity Manager - component that manages the lifecycle of applications
and provide interface for the users to interact with the application.
The states are: Started, Running, Background, Killed
This component is important for this project because Anubis malware
creates a service that runs in the background in order to check when the
legitim targeted application that the malware tries to overlay is opened.
• Content Providers - enable applications to access data from other
applications, such as the contacts applications, or to share their own data.

3.3 Android Applications


Android applications are distributed in APK (application package) files. They have
ZIP format and are based in JAR (Java archive) package. This type of files must
always have a common structure, see [ Fig 3], although in some case this structure
may change.

Figure 3 Apk structure

The different parts that compose an Android APK are described below:

• Folder META-INF contains the files:


Máster Universitario en Investigación en Ciberseguridad Página 9

o )Manifest.mf → This file lists all the files included in the APK along
with their hash function value SHA1 in Base64 [Fig 4].

Figure 4 MANIFEST.MF

o *.SF→ lists the same content than the file manifest.mf, but in this
case, it applies the SHA1 hash function in base64 to the MANIFEST.MF
included for each item included in manifest.mf [Fig 5].

Figure 5 File *.SF

o *.RSA → Include the digital signature of the file CERT.SF and the
certificate used for signing the application.

• Folder lib: This folder contains shared libraries compiled and classified in
subfolders based on the processor architecture: armaby, x86,x86_64.

• Folder res: In this folder there are the resources not compiled, all these
resources must appear also in the file resources.asrc such as images, xml
files, etc.

• Folder assets, this folder contains resources that are not processed. It is
like a filesystem and provides more freedom to put there any file you would
like.
Máster Universitario en Investigación en Ciberseguridad Página 10

• AndroidManifest.xml → This XML file is always present [11] and it is


allocated in the main path of the file APK. This file contains all the
information that the operating system needs to identify which actions the
application can do, based on the permissions required [14]. Also, it must
contain all the hardware and software requirements needed for the proper
operation of the application. Therefore, it declares permissions, usage
characteristics and components in an XML format.

• Classes.dex → this file contains Java code compiled in DEX format, so that
the Virtual Machine Dalvik, an integral part of the Android software stack,
or Android Runtime (ART), can understand the format.

Resources.arsc → contains pre-compiled resources. Each file has an ID,


and the resource can be accessed easily through R.id.XX, where XX identify
each resource.

Once we have explained the structure of an Android APK, we will explain the four
main Android application components, which are:

• Activities: Activities are the responsible for all the screens in an application
and are composed by two parts:
o Logic: It is a Java file, that have been created to manipulate,
interact and collocate the code of that activity.
o Graphic: It is an XML file, that have all the elements that we see in
the mobile phone screen.
Activities extend from the Android class Activity [Fig 6] which is the base class to
build the screens of your application and it has all the lifecycle call-backs defined
by Android Framework to create activities with its method assigned. The activities
created must be defined in the file AndroidManifest.xml [Fig 7]

Figure 6 Java code of an android app


Máster Universitario en Investigación en Ciberseguridad Página 11

Figure 7 Activity declared in AndroidManifest.xml

• Services: are components of Android applications, that can perform


operations in background, and does not provide a user interface. If needed,
services can run independently of any activity, like daemons work on other
operating system. This element extends from the class service of Android
framework, as a component of the application. The service created must
be defined in the file AndroidManifest.xml [Fig 8] but unlike the activities,
it does not have a graphic representation.

Figure 8 Service declared on AndroidManifest.xml

• Content Provider: is used to manage the access to an amount of structured


data, stored on the device that is accessible by multiple applications. It
encourages you to make your own data available to other applications, as
well as your own applications [Fig 9]. They encapsulate the data and
provide mechanisms to access it and define proper data security [12]..
Máster Universitario en Investigación en Ciberseguridad Página 12

Figure 9 Content Provider managing the access to the storage


(https://www.google.com/url?sa=i&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjP2abex9zgAhXwDmMBHbHz
Au0QjRx6BAgBEAU&url=https%3A%2F%2Fdeveloper.android.com%2Fguide%2Ftopics%2Fproviders%2Fcontent-
providers&psig=AOvVaw1zpkaS9LBZLDaBW7oBWwbh&ust=1551379082030618 )

The content provider, like other elements, must be present in the file
AndroidManifest.xml [Fig 10]

Figure 10 Content Provider declared in the AndroidManifest.xm

• Receiver: contains elements that enable applications to receive intents


that are broadcast by the system or by other applications, even when other
components of the application are not running. Receivers are a
BroadcastReceiver subclass. This component [13] has an important
characteristic: it can be declared in the file AndroidManifest.xml [Fig 11]
as the previous components, or in the Java code [Fig 12].

Figure 11 Receiver declared in the AndroidManifest.xml


Máster Universitario en Investigación en Ciberseguridad Página 13

Figure 12 Receiver declared in Java code

There are also additional Android application components such as:

• Intents: they are system messages that are used to notify applications about
hardware state changes (e.g., an SD card was inserted), new data (e.g., a
Short Message Service [SMS] message arrived) or application events (e.g., an
activity was launched). Not only can you respond to an intent, but you can
also create your own intent to launch other activities or to let you know when
specific situations arise.
This component is used by Anubis Malware to control whether some of its
legitimate targeted applications are opened.

• Fragments: fragments are objects that are loaded by an Activity, and their
main task is to manage the User Interface (UI) instead of letting Activity to
manage it. If we work with Fragments, a lot of memory can be saved in the
developed applications.

• Loaders: simplify asynchronous data loading in Activities or fragment.

• Application Widgets: miniature application views that can be embedded in


other applications.
Máster Universitario en Investigación en Ciberseguridad Página 14

3.4 Classification of Android application malware


In this section we make a general classification of malware that has been
developed these recent years over the Android OS [11], describing their
characteristics and objectives, and some ways in which they can be detected.

1. Phishing: this kind of malware is very frequent regardless of the platform


considered. Its main objective is to steal information from the user by
scam. This malware simulates a graphical legitimate appearance to try to
make the victim trust the service, sometimes the malware can use overlay
attacks, overlaying a fake screen over the legitimate application screen in
order to steal information of the user.
To detect this kind of malware one can compare the digital certificates of
the legitimate application and compare it to the certificate corresponding
to the suspicious application that we want to analyse. If they are different,
it could mean it is indeed a phishing attack.

2. Adware: this kind of malware is the most common over the Android
platform, due to the large number of applications that use ads as
monetization. It is complicated to identify which applications are working
in a proper or abusive way. The main characteristics of these samples are
the inclusion of API Keys in the AndroidManifest.xml file for the ad’s
services. Some examples of these ad’s services are AppLoving, Umeng or
Baidu.

3. Spyware: in this category there are malware samples whose objectives


consist of stealing information about the mobile phone. The information
that attackers mostly extract is:
a. Physical information about the mobile: Operating System version,
MAC address, etc
b. Information from the victim that use the mobile: phone number,
email account, contacts, applications executed in the mobile, calls
list, etc

4. RAT (Remote Access Tool): This kind of malware takes the control of the
device infected remotely, and implements a big amount of actions over the
infected gadget such as: data leakage, redirection to malicious web sites,
changes in the gadget settings, download and execute malicious dynamic
code, send SMS, make several calls among other things.
For doing these tasks, malware needs to communicate with a C&C
(Command and Control), which is usually a server with a public IP address
accessible online. These servers usually have panels that allow the malware
administrator to execute commands in infected victims or manage victims
as a botnet. A good method to catch these malware samples is to analyse
Máster Universitario en Investigación en Ciberseguridad Página 15

the internet connections looking for suspicious web sites that malware
connects [15].

Figure 13 Botnet example (https://elsitiooscuro.wordpress.com/2017/02/06/mazar-botnet-source-code-android-


botnet/)

5. Keyloggers: This kind of malware has as main function to register the


interaction between the user and the keyboard, registering the keys
pressed and sending the data collected to the attacker.
One of features of these malware samples is that there is always a service
running in the background with the permission BIND_INPUT_METHOD.
Therefore, if we review the file AndroidManifest.xml we will detect if this
permission is created and is associated to a service and determine which
kind of malware it is.
6. Ransomware: These malware samples try to hijack files available in our
devices, ciphering our files and requesting some money to allow victims to
recover their information. The impact of ransomware on Android devices is
less aggressive than in other technologies like Windows, because
applications only have access to the file in the application directory or
common use space as /sdcard.
However, if the gadgets are rooted, the impact of this kind of malware is
bigger because all the files of the gadget can be encrypted.
7. SMS premium: This kind of malware is very extended over the Android
platform. It consists of the automatic subscription to premium SMS services
without requiring the previous consent of the user that is using the
application.
Sometimes the malware also tries to hide the subscription deleting the
confirmation SMS about the subscription from the mobile phone before the
owner of the mobile can see it.
Once we have shown the different malware families, we will also explain
an important objective that malware developers try to achieve when they
Máster Universitario en Investigación en Ciberseguridad Página 16

develop malware samples. Most malware families use some techiniques to


achieve it.
a. Persistence: it is the capability of the malware to remain in an
infected system. To gain persistence, malware can use these
mechanisms:
i. Concealment: it is one of the mechanisms most frequently
used by the malware samples to guarantee the persistence.
They try to hide the malicious application. For using this
technique, they sometimes need to register system events
using receivers and the execution of a service in background
to be transparent to the final user.
ii. Denial of service (Dos): malware try to block the access to the
screen where the victim could erase the malware, overlapping
fake screens over the originals.

3.5 Anubis
Anubis is an Android credential-stealing malware along with additional features,
like keylogging, SMS interception, ransomware activities. This malware always
simulates another famous app and create a service with a non-suspicious name
such as: Flash player Service, Google Play Protect or Google Start Protect. The
name is changing in order to avoid detections, and repeatedly request the setting
page until the user authorise the service created.
Anubis malware depends on the Antiviruses used, could be categorized as Android-
Trojan/Banker by AhnLab-V3, APK-Dropper by Avast Mobile or Android-Banker by
Avast, AVG and Avira.
Anubis is an Android malware created as an evolution of “Marcher”, whose source
code was leaked [19]. This malware combines overlay attacks (targeted
application), and advanced features such as capturing screen contents,
keylogging, recording every keystroke when a targeted application is opened or
ransomware encrypting all the files on the mobile device( .Anubiscrypt file
extension).Moreover, were found some domains where Anubis Bankbot was
offered (MaaS) as Malware as a Service.
These features, along with the fact that the communication is encrypted, makes
Anubis one of the most used Android Banking Trojans since 2017.
This malicious payload, which contains these features explained before, is
dropped from an encrypted file in the resource folder, for that reason some
Antiviruses companies named Anubis as an APK-dropper.

A dropper is a malware family that in its code contains a piece of malicious code
and once it is executed, it extracts that malicious piece of code (usually
obfuscated ) and then it executes that malicious part.
Once executed, the malicious payload pops up an Accessibility permissions request
access, spoofing Google Protect or Flash Player Service, among others. If the user
Máster Universitario en Investigación en Ciberseguridad Página 17

enables the service requested, the malware creates a background service to get
callbacks for certain events(targeted applications) in order to steal data of the
user of the mobile phone [Fig 14] from the device.

Figure 14 Anubis malware requests a service

Considering the increasing demand for Android banking malware, that provoked a
lot of different versions of Anubis malware [Fig 15], updating features and making
more difficult the work of malware analysis.

Figure 15 Anubis malware evolution (https://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife.html)


Máster Universitario en Investigación en Ciberseguridad Página 18

3.6 Static Analysis and Dynamic Analysis

To study a malware and understand how it works, and its potential impacts we
need to make an analysis of the sample. Usually, we started doing a dynamic
analysis to get an overview about the malware features and afterwards, if we
want to analyse it deeper, we can do a static analysis.
Dynamic Analysis involves analysing the sample by executing it. Once the sample
is executed, we can extract information about its behaviour, such as, files
accessed, whether the malware drops or download any file, the functions
executed and the communication of the sample. This kind of analysis is performed
in a sandbox environment to prevent the malware from infecting our system.
Static analysis allows us to analyse the malware sample without executing it. This
analysis requires knowledge about reverse engineering. This analysis is deeper,
and we can extract more information about the sample. To do this kind of analysis,
we need a disassembler.

3.7 Cryptographic tools


Some cryptographic tools that are mentioned along the master’s thesis are used
hash functions, in particular MD5 and SHA1 [20]. They are used to identify the
sample to be analysed and to verify its integrity.
Moreover, encryption schemes like RC4 are used by Anubis to drop the malicious
part and to encrypt the communications.

• Hash functions: A cryptographic hash function is a function which takes bit


strings of arbitrary length as input and produces a fixed-length bit string as
output. This output is called hashcode, hash value or digest.
They are mainly used to guarantee integrity of the information, and they
should be efficient and highly sensitive to any modification of the input.
Moreover, to be used they should fulfil the following security properties:

o Preimage resistant: This property guarantee that the hash function


is in “one-way”: Given y in the range of the hash function, it should
be hard to find a value x in the domain such that h(x)=y.
o Collision resistant: It should be hard to find two different values x,
y in the domain such that h(x) = h(x’)
o Second preimage resistant: It should be hard, given an element m
in the domain, to find a different m’ such that h(m) = h(m’)

• Encryption Schemes: Anubis uses a private key encryption scheme, which


consists of 3 algorithms:
o Key Generation (Gen): It is probabilistic. It outputs a key k chosen
according to some particular distribution determined by the scheme.
Máster Universitario en Investigación en Ciberseguridad Página 19

o Encryption algorithm (Enc): Given a key k and a message m, it


produces a ciphertext c.
o Decryption algorithm (Dec): Given a key k and a ciphertext c, it
produces a message m.
The encryption schemes used is the RC4 algorithm[21], a stream cipher which is
very useful and efficient in software. To generate the keystream, it uses an
internal secret state that is updated at each time unit.
The basic idea of stream cipher is to use XOR to decrypt and encrypt with solving
some previous problems in its reference, one-time pad:

• The key used to XOR is obtained using a PRG (pseudorandom generator)


• The key shared is small (it is called seed). This is the initial input for the
PRG
In 1987, Ronald Rivest designed RC4, and it became the most used stream cipher
and is used in several protocols like SSL, TLS, Skype…
RC4 works as a stream cipher but on the bytes level, it produces a keystream K
which is summed modulo 256 with the plaintext byte by byte.

To generate the keystream, RC4 uses an internal secret state that is updated at
each time unit.
The internal starts has two parts:
• A permutation S of the 256 bytes
• Two indices of bytes I and j in {0,….,255}
• RC4 has two phases [Fig 16] and [Fig 17]:
o Initialization, where is computed the initial state.
Let “k” ((1≤ “k”≤ 256, normally between 5 and 16) be the number of
bytes of the key.

Figure 16 Initialization RC4

o Key stream generator


Máster Universitario en Investigación en Ciberseguridad Página 20

Figure 17 Key stream generator RC4

RC4 is remarkable for its speed and simplicity and resisted serious attacks for
several years. Since some vulnerabilities have been found, especially if the first
bits of the keystream are used or the seed used are not random, it is not
recommended to used more.

3.8 Malware obfuscation


Obfuscation is the practice of making more difficult to understand the operation
of the software. Several malwares and official software obfuscates its code to
protect and prevent an analysis using reverse engineering [Fig 18]. Obfuscation
can be done by encrypting some or all the code, renaming useful classes and
variable names making it much harder to read and understand it.
Máster Universitario en Investigación en Ciberseguridad Página 21

Figure 18 Packing process

The unpacking process is required to be applied to packed programs, which are a


subset of obfuscated programs in which the malicious payload is compressed,
encrypted or transformed and thus, cannot be analysed. In our case the malicious
payload is a resource file encrypted with RC4 [Fig 19].

Figure 19 Unpacking method used in Anubis


Máster Universitario en Investigación en Ciberseguridad Página 22

4 Solution
4.1 Anubis over the platform Android and its detection
When we started to study this malware, we noticed that there was not too much
information about it. Researchers [18] discovered that in the official Google store,
Play Store, there were several “droppers” with appearance of legitimate
application, passing Google Play applications control.
All the victims that installed these applications in their Android devices suffered
from financial fraud, because this trojan stole their credentials for some targeted
application of an important list of banks that the malware monitored, or sites
where it is mandatory to provide the credit card number.
In the Play Store market, this malware campaign introduced 10 “droppers” in
Google Play. Although there were not a lot of droppers, each of them was
downloaded by more than 1,000 people. Therefore, the number of victims of this
malware was around 10,000 only from Google Play Market.
However, these downloaders were available in other alternative markets as
Aptoide, causing an even bigger number of victims. Actually, almost all the alerts
received in Innotec about available Anubis samples had been published in Aptoide.
We analyse how those “downloaders” can avoid the detection and security
measures that Play Store implements.
To do so, we first downloaded these malware samples from Virustotal [Fig 20],
which is the biggest repository of malware. Afterwards, we checked the detections
that antiviruses obtained from this “dropper”.

Figure 20 Anubis packed on Virustotal platform

We observed that the first time that the “dropper” was uploaded to Virustotal,
only 14 antiviruses detected this sample as malicious. Later, the fact that
antiviruses shared hash values among them, more antiviruses detected the
sample. We made a little modification to the sample (adding an empty byte “00”
Máster Universitario en Investigación en Ciberseguridad Página 23

at the end of the APK) using a hexadecimal editor [Fig 21], something that doesn’t
affect the behaviour of the sample and only changes its hash value.

Figure 21 Anubis malware open with an hexadecimal editor

After uploading the sample again, we observed that only 24 out of 61 antiviruses
can detect this modified malware [Fig 22]. Therefore, we can conclude that, there
are 6 antiviruses whose detection was probably based on the hash value of the
malware.

Figure 22 New packed Anubis in Virustotal platform

In the next section we will study the features of this “dropper”, and we will
extract its principal characteristics.
Máster Universitario en Investigación en Ciberseguridad Página 24

4.2 Information Extraction. Dynamic analysis


We used the platform “Virus Total Intelligence”, which Innotec has access to, to
download samples of malware. To do so, we choose a hash value that we know it
corresponds to one of the “droppers” mentioned before.
To do the dynamica analysis, we need to select a malware sample that is still
active. In this case, we chose the sample with hash value
9d1580583c52700a028608eb772f6f55 for the MD5 hash function, which was
detected only by 29% of the antiviruses that are present in “Virustotal”, and we
downloaded it in our work enviroment that was customized to analyse Android
malware applications.
Our work environment is Androl4b [Fig 23], an Ubuntu distribution with a suite of
tools that help us in the analysis of Android applications. Androl4b has an Android
device emulator embedded, which will help us in the dynamic analysis of the
chosen sample. The version of Android installed in this emulator is Android 4.4
(Kitkat).

Figure 23 Androl4b distribution

The first script executed was a script that we developed in order to give us static
information about the sample. It is a good as starting point when analysing an
Android application: GatherInfo.py [Appendix I: Scripts]
This script was written in Python3, and applies several tools to the sample, and
processes the Android Manifest file, making a summary of the activities, receivers,
providers, and services declared.
The script starts building directories where all the results will be saved. All the
tasks that this script performs are the following:
Máster Universitario en Investigación en Ciberseguridad Página 25

• Decompression of the APK (Android Application Package) using the Python


library Zipfile.

• Use of the tool Apktool to extract files from the APK.

• Decoding of the APK using the open source tool Jadx.

• Extraction of the certificate of the application

• Search of interesting strings that can help us detecting if any C&C is written
without obfuscation.

• Decoding of the file AndroidManifest , calling another script that we


created called ArchivoProcesarAndroidManifest.py [Appendix I:
Scripts] written in Python 2.7. We developed this script in Python 2.7 due
to some dependences in one library.
We apply our script to the malware sample an obtain the following results [Fig
24]:

➢ A file called cert.txt where there is information about the certificate of


the Android application.

➢ A folder called Icono_APP, where the icon of the application [Fig 25] is
stored in different sizes.

➢ A file called ParseoManifest.txt, which contains information about the


components declared in the Android Manifest.

➢ A file called Resultados.txt, collecting the results of running regex rules


for searching C&C in ASCII format, encoded in base 64 or in hexadecimal
format.

Figure 24 Information about the malware


Máster Universitario en Investigación en Ciberseguridad Página 26

Figure 25 Application icon

We can observe that the application is called “System Message” [Fig 26] when it
is installed in our Android emulator.

Figure 26 Malware installed on the device

After executing these scripts, we recap some information in the file


ParseoManifest.txt with all the activities, services and providers declared in the
file AndroidManifest, as follows:

Nombre de la Aplicacion : com.jwpoipv.uyogsy

Version de Android Requerida : 1.0 Version minima de SDK : 15

Servicios :
com.jwpoipv.uyogsy.zNZrAIUZeETf
com.jwpoipv.uyogsy.oIwlZDWIQmjf
com.jwpoipv.uyogsy.HXqkDBHVCqPq
Máster Universitario en Investigación en Ciberseguridad Página 27

com.jwpoipv.uyogsy.KWJRwnpCJxpE
com.jwpoipv.uyogsy.FfCFxA
com.jwpoipv.uyogsy.uclsmac.wabywtklp.RdTloUXkGM
com.jwpoipv.uyogsy.uclsmac.wabywtklp.BYLTCw
com.jwpoipv.uyogsy.KDPFIbOT
com.jwpoipv.uyogsy.LCFBpMBUQEh
com.jwpoipv.uyogsy.UpLvcwJKd
com.jwpoipv.uyogsy.uclsmac.wabywtklp.nJIyNHZMuEk
com.jwpoipv.uyogsy.NXtwPNfL
com.jwpoipv.uyogsy.arvVIpL
com.jwpoipv.uyogsy.VBGDpQsEr
com.jwpoipv.uyogsy.qpagsarx
com.jwpoipv.uyogsy.palAhFk
com.jwpoipv.uyogsy.vazaqgrye
com.jwpoipv.uyogsy.uclsmac.wabywtklp.MaTdmnqfVyWa
com.jwpoipv.uyogsy.uclsmac.wabywtklp.DhCHwQTVQSt
com.jwpoipv.uyogsy.uclsmac.ikdpykgslb.ZzWDkTXUZ
com.jwpoipv.uyogsy.XDbwItMpBs
com.jwpoipv.uyogsy.AkHsvivOKaL
com.jwpoipv.uyogsy.izJxZhp
com.jwpoipv.uyogsy.uclsmac.wabywtklp.upNtFiyOeq
com.jwpoipv.uyogsy.uclsmac.ikdpykgslb.hycBasLfWB
com.jwpoipv.uyogsy.uclsmac.wabywtklp.imPWjVSGfFQ
com.jwpoipv.uyogsy.uclsmac.ipfduyhutjob.kqvHDbTHSEUN
com.jwpoipv.uyogsy.uclsmac.ipfduyhutjob.YgPsaXkPEa
com.jwpoipv.uyogsy.exnkln.cmjMkEB
com.jwpoipv.uyogsy.qytFAM
com.jwpoipv.uyogsy.fkTExNO

Actividades :
com.google.android.gms.common.api.GoogleApiActivity
com.hnsburls.enetim.ENnHIpoE
com.jwpoipv.uyogsy.oitwzpg.zZhmZvrJtEtp
Máster Universitario en Investigación en Ciberseguridad Página 28

com.jwpoipv.uyogsy.pjkoerdgy
com.jwpoipv.uyogsy.fNuoCyLWSm
com.jwpoipv.uyogsy.oitwzpg.NWvFyjHy
com.jwpoipv.uyogsy.uclsmac.wabywtklp.LaGoFrcKjP
com.jwpoipv.uyogsy.oitwzpg.xwUonWjsyCh
com.jwpoipv.uyogsy.oitwzpg.DHeDWOiTuo
com.jwpoipv.uyogsy.oitwzpg.eEerVQZCvkMm
com.jwpoipv.uyogsy.oitwzpg.PWwMwIsnma
com.jwpoipv.uyogsy.oitwzpg.rYAMEFJwxjD
com.jwpoipv.uyogsy.oitwzpg.KzhmlAgITgLC
com.jwpoipv.uyogsy.oitwzpg.wihmouSGc
com.jwpoipv.uyogsy.oitwzpg.DjmLsnPDif
com.jwpoipv.uyogsy.oitwzpg.frYZfYsKlmB
com.jwpoipv.uyogsy.oitwzpg.kXwuqT
com.jwpoipv.uyogsy.zrpacrfbugpu
com.jwpoipv.uyogsy.oitwzpg.BnGFuKxK
com.jwpoipv.uyogsy.vwotgosdyo
com.jwpoipv.uyogsy.qmzphrek
com.jwpoipv.uyogsy.kvhwdv
com.jwpoipv.uyogsy.oitwzpg.cxpKyDQmnz
com.jwpoipv.uyogsy.oitwzpg.KbUFrjh
com.jwpoipv.uyogsy.oitwzpg.DbzlMBtkX
com.jwpoipv.uyogsy.zpjvxcuzpmh
com.jwpoipv.uyogsy.oitwzpg.vAJAyFYfG
com.jwpoipv.uyogsy.dnoyjtyo
com.jwpoipv.uyogsy.oitwzpg.SMWloEje
com.jwpoipv.uyogsy.oitwzpg.FquMCDJLUm

Receivers :
com.jwpoipv.uyogsy.pbctjvipeglp.AcsdbDhQ
com.jwpoipv.uyogsy.ugmzsekisgm
com.jwpoipv.uyogsy.pbctjvipeglp.OgwNVvRawt
com.jwpoipv.uyogsy.pbctjvipeglp.vmHfUeOPHNnP
Máster Universitario en Investigación en Ciberseguridad Página 29

com.jwpoipv.uyogsy.pbctjvipeglp.AYnZwdBVdQr

Providers :

Permisos :
android.permission.CALL_PHONE
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.WAKE_LOCK
android.permission.READ_CONTACTS
android.permission.READ_SMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.RECORD_AUDIO
android.permission.RECEIVE_SMS
android.permission.GET_TASKS
android.permission.WRITE_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.PACKAGE_USAGE_STATS
android.permission.SEND_SMS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.READ_EXTERNAL_STORAGE

From all the data extracted, there is one activity which will play an important
role com.hnsburls.enetim.ENnHIpoE, since this activity is the only reference that
we will find in the Java files. The other activities are not found when the
application is decompiled.
Moreover, there are a lot of suspicious permissions that are requested by the
application.
Máster Universitario en Investigación en Ciberseguridad Página 30

4.3 Static Analysis

To do the static analysis, we opened the sample with MD5 hash value:
9d1580583c52700a028608eb772f6f55 and we renamed the file as anubis.apk. We
opened it with the tool Jadx-gui, a GUI tool to decompile dex files and APK files
into Java source code.

Figure 27 Suspicious resource from packed malware sample

Reviewing the files present in the APK, we noticed that in the folder called
“images” there is a file called “files”, and we tried to open this file with Jadx-
gui [Fig 27]. However, this file isn´t readable by the tool.

We had a look at the source code extracted from the .dex file of the Apk and we
noticed that there were different common techniques that malware developers
use to make more difficult the work of malware analysts.

In particular, over the static analysis of the sample, we noticed:


Máster Universitario en Investigación en Ciberseguridad Página 31

▪ The first technique that we observed is that malware developers used non-
intuitive names in the methods and classes that they use, making it difficult
for the analyst to have some idea about how the malware works [Fig 28].

Figure 28 Non-intuitive name of classes

▪ The second technique that we notice is the use of “overload classes”.


These classes are declared with the same name, but each one is called
depending on the inputs, parameters and typology. We can see an example
in [Fig 29], where the class qEhWVvt() is overloaded. In the first definition
qEhWVvt() receives three inputs: two integers and one string while in the
second definition it only receives two parameters: one string and one
integer.

Figure 29 Overload methods


Máster Universitario en Investigación en Ciberseguridad Página 32

▪ The third technique, which is an important feature in this application, as


we mentioned before, is that this malware is packing another code.
Therefore, we need to find references related to the code that don’t
appear when we analyse the APK [Fig 30], but which are declared in the
AndroidManifest.xml file. That means that there are some parts of the code
ciphered in the application. In our case, we can see a lot of references to
com.jwpoipv.uyogsy.oitwzpg.zZhmZvrjtEtp and this activity wasn´t in
the Java code that we extracted using the Jadx-gui tool. Thus, we’re
dealing with an encoded DEX file in this APK.

Figure 30 Activity declared that it is not present in Java code decompiled

One way to start, when we suspect that there are ciphered resources and the
application has different layers of obfuscation, is to identify in the source code
the piece of code that could correspond to the decryption process of the
obfuscated file [Fig 31], like, for example, the bitwise XOR (^).
We review the source code, and there is one array called bArr2[] that was defined
as the result of an XOR operation inside a loop, between an array of byes called
Barr[] and [qEhWVvt( int i3) + qEhWVvt( int i2) mod 255].
Máster Universitario en Investigación en Ciberseguridad Página 33

Figure 31 Searching XOR operation in the code source

We started analysing the function where the XOR was executed [Fig 32]. It appears
in the function public byte [] qEhWVvt(byte[] bArr) and if we go up a little bit
along the code, we can see that there is an “if condition” based on the variable
mgRYbI.length.
Máster Universitario en Investigación en Ciberseguridad Página 34

Figure 32 Class where XOR operation is done

We know that the variable mgRYbl must be defined as an array, because this kind
of variables have the attribute length. To identify the value of mgRYbl we search
in the source code where it was defined and we notice that in the method
EoBJzeLopg()its value was declared as jThimPL.VQYcmxRhNg [Fig 33].

Figure 33 mgRYbl declared as array


Máster Universitario en Investigación en Ciberseguridad Página 35

We looked for the value of jThimPL.VQYcmxRhNg, and we located the public


class jThimPL, where jThimPL.VQYcmxRhNg was defined as 256 [Fig 34].
Therefore, the variable mgRYbl has been initialized as an array of 256 bytes.

Figure 34 Value from jThimPL.VQYcmxRhNg

We notice that when we executed our script GatherInfo.py [Appendix I: Scripts],


there is only one reference on the file AndroidManifest.xml to a class that was
decompiled which is com.hnsbuslr.enetim.ENnHIpoE() [Fig 35].

Figure 35 Class com.hnsbuslr.enetim.ENnHIpoE() declared in AndroidManifest.xml

Thus, we are sure that the first piece of code that will be executed will start on
this class, and we see that the method OnCreated() is overwritten. This method
is the first method [Fig 36] that will be run when an activity was called.
Máster Universitario en Investigación en Ciberseguridad Página 36

Figure 36 Class com.hnsbuslr.enetim.ENnHIpoE()

In this class we see that the function eoBJzeLopg.qEhWVvt((application)this) is


called [Fig 37]. This method only admits one parameter and its type is Application.
Máster Universitario en Investigación en Ciberseguridad Página 37

Figure 37 Code eoBJzeLopg.qEhWVvt(Application application)

In eoBJzeLopg.qEhWVvt() there is a call to another function SfCuMR() where [Fig


38] the variable bArr[] is initialized as an array of bytes.

Byte bArr = new byte []{(byte) -96, (byte) -45, (byte) 3, (byte) -77, (byte)
-55, (byte) -123, (byte) -127, (byte) -21, (byte) 12, (byte) 40, (byte) 104, (byte)
32, (byte) -100, (byte) 83, (byte) -85, (byte) 19, (byte) 29, (byte) -40, (byte) 64,
(byte) 36, (byte) 67, (byte) -42, (byte) 0, (byte) -74, (byte) 84, (byte) -80, (byte)
112, (byte) 57, (byte) -80, (byte) -62, (byte) -124, (byte) -29, (byte) 45, (byte) -
8, (byte) 72, (byte) -26, (byte) 2, (byte) -58, (byte) 30, (byte) -101, (byte) 45}

In SfCuMR() the variable bArr2[] is initialized as a byte array with length 256 too,
because, as we explained before, the variable jThimPL.VQYcmxRhNg has the
value 256.
Máster Universitario en Investigación en Ciberseguridad Página 38

Byte bArr2 = [jThimPL.VQYcmxRhNg] → Byte bArr2 = [256];

Figure 38 SFCuMR() initialization of arrays

There is also a function called QEvVABz(bArr, bArr2 ). After analysing this


function, we noticed that it looks similar to the initialization of Sbox in the RC4
algorithm.

4.4 Encryption Algorithm Identification


Stream ciphers as described in 3.6 are good for fast implementations with low
resource consumption. As we explained RC4 has two parts that can be identify in
the source code:
The first part of the algorithm is called Initialization [Fig 39], Let “l” between 1
and 256 be the number of bytes of the key. We assume that the key is defined as
bArr in SFCuMR(), therefore the number of bytes of the key in our case is 41.
The internal state is computed in the following way:

Figure 39 RC4 Initialization


Máster Universitario en Investigación en Ciberseguridad Página 39

As you can see in the left part it’s the algorithm of RC4, and in the right part we
can see how that algorithm is initialized in the malware code.
The next operations that appear on the initialization [Fig 40] are reflected on the
source code of the malicious sample on the class qEhWVvt(bArr, bArr2) :

Figure 40 RC4 algorithm initialization 2

These hints give us an idea that people who develop this malware sample are
possibly using the algorithm RC4 to decipher the resource. We will assume that
the key is defined in the variable Barr[] and we will use it to decrypt the resource.

4.5 Unpacking process


Based on the information extracted from the sample analysed, we assumed that
the key used to decrypt the resource is the variable bArr[]. To do the unpacking
process we will use Python language, because it is easy to use, and at the same
time Python has a lot of libraries that can help us on this process.

bArr = (byte) -96, (byte) -45, (byte) 3, (byte) -77, (byte) -55, (byte) -123,
(byte) -127, (byte) -21, (byte) 12, (byte) 40, (byte) 104, (byte) 32, (byte) -
100, (byte) 83, (byte) -85, (byte) 19, (byte) 29, (byte) -40, (byte) 64, (byte)
36, (byte) 67, (byte) -42, (byte) 0, (byte) -74, (byte) 84, (byte) -80, (byte)
112, (byte) 57, (byte) -80, (byte) -62, (byte) -124, (byte) -29, (byte) 45,
Máster Universitario en Investigación en Ciberseguridad Página 40

(byte) -8, (byte) 72, (byte) -26, (byte) 2, (byte) -58, (byte) 30, (byte) -101,
(byte) 45
First of all, we cleaned the array and split each element getting only the value of
the key and not the format of the elements.

Key_array = bArr.split('(byte) ')


Key_string = map(lambda x: x.split(', ')[0], Key_array)
Key_int = map(int, Key_string)
Key_hex = map(lambda x: x & 0xff, Key_int)
Key = ''.join(map(chr, Key_hex))

Once we have cleaned the key, we applied the RC4 algorithm to derypt the
resource using the Crypto.Cipher Python library:

rc4 = ARC4.new(Key)
ZipFile = rc4.decrypt(resource[4:])[:500]

With these operations we obtained a zip file, after decompressing it, we extracted
a classes.dex file, were all the function and methods are not obfuscated and are
easy to read [Fig 41]. Therefore, we obtained the real piece of malware.

Figure 41 Real malware unpacked


Máster Universitario en Investigación en Ciberseguridad Página 41

In fact, in this file all the references that we saw before in the static analysis in
the file AndroidManifest.txt such as the application com.jwpoipv.uyogsy
appeared.

4.6 Automatizing the unpacking process


To create our tool, we observed a big number of samples which were using this
packer, obtained from the Virustotal database. After several analysis we noticed
some characteristics present in all the samples that could be useful for us to
automatize the unpacking process.

• The variable where the key is initialized has always more or less the same
structure. For that reason, we can create a regex rule to find the key in
each sample.
We use the regex: byte\[\] bArr2? = new byte\[\]\{(\(byte\))?

• Another characteristic of this packer is that the ciphered resource is


usually the heaviest resource.

• In new versions of the packer, to make the detection more difficult and to
try to avoid the unpacking by automatic tools, some modifications are
made in the initialization of the key using Byte.MAX_VALUE and
Byte.MIN_VALUE. To solve these modifications, we added a line in our tool
to replace these values for its value but declared as the other values of the
array.
line.replace('Byte.MAX_VALUE', ' ' (byte)
127').replace('Byte.MIN_VALUE', ' (byte) -128').split('{')[1].split('}')

With all these things taken into account we created an automatic tool that can
unpack malware that’s was packed with dexprotector, all the source code of the
tool can be found in the [Appendix I: unpacker.py]. For the correct use of the
script you need to use it as: python unpacker.py -f <path-to-file-to-unpack>.
Máster Universitario en Investigación en Ciberseguridad Página 42

5 Results
In this section we will see all the information that out automatic tool can extract.
As explained before, the tool we have built is able to unpack the obfuscated
malware so that we can see the malicious activities that the malware performs.
This tool not only unpacks the malware, but it is also able to detect the key used
to encrypt the communication, the command and control and the applications of
our customers that are targets of the malware.
With all this extracted information, an analyst can write a report to inform the
customers.

5.1 Analysis of the Anubis communication


To show the results, we need to select a malware sample that has not been
previously reported and is still alive.
We present here the observed results after analysing these samples dynamically.
The tool extracts the connections to the Command and Control (C&C). We try to
get the different paths that we found in the communication between the samples
and the C&C that malware accesses. In this case we obtained:

-)/private/set_data.php -)/private/add_log.php
-)/private/tuk_tuk.php -)/private/set_location.php
-)/private/settings.php -)/private/getSettingsAll.php
-)/private/setAllSettings.php -)/private/getDataCJ.php
-)/private/setDataCJ.php -)/private/add_inj.php
-)/private/checkPanel.php -)/private/locker.php
-)/private/datakeylogger.php -)/private/sound.php
-)/private/ratgate.php -)/private/playprot.php
-)/private/getfiles.php

These paths were not always used. Depending of the configuration that the
malware developer created for the sample, this configuration is stored in the
SharedPreferences of each malware sample. In the case of the malware sample
MD5: 9d1580583c52700a028608eb772f6f55 the shared preference file is:

<map><string name="lock_btc"/><string name="StringYes">Yes</string><string


name="uninstall1">uninstall</string><string name="str_push_fish"/><string
name="time_work">100</string><string name="RequestGPS"/><string
name="indexSMSSPAM"/><string name="getNumber">false</string><string
name="keylogger"/><string name="websocket"/><string name="foregroundwhile"/><string
name="gps">false</string><string name="save_inj"/><string name="uninstall2">to
Máster Universitario en Investigación en Ciberseguridad Página 43

remove</string><string name="key"/><string name="lock_amount"/><string


name="status"/><string name="perehvat_sws">false</string><string
name="StringAccessibility">Enable access for</string><string
name="checkStartGrabber">0</string><string name="spamSMS"/><string
name="RequestINJ"/><string name="vnc">start</string><string
name="vkladmin">include</string><string name="time_start_permission">120</string><string
name="iconCJ">0:0</string><string name="sound">start</string><string
name="StringPermis">Allow</string><string
name="VNC_Start_NEW">http://ktosdelaetskrintotpidor.com</string><string
name="straccessibility">start now</string><string name="interval">10000</string><string
name="startRecordSound">stop</string><string name="findfiles"/><string
name="straccessibility2">to start</string><string name="urlInj"/><string
name="madeSettings">1 2 3 4 5 6 7 8 9 10 11 12 13 </string><string
name="SettingsAll"/><string name="Starter">http://sositehuypidarasi.com</string><string
name="StringActivate">activate</string><string name="network">false</string><string
name="DexSocksMolude"/><string name="cryptfile">false</string><string
name="timeStartGrabber"/><string name="swspacket">com.android.mms</string><string
name="name">false</string><string name="htmllocker"/><string name="dateCJ"/><string
name="buttonPlayProtect">Сontinue</string><string
name="urls">MzA5MGMwOGE4ZjNjMzk1MGQ4OTQ2NDIwOWM3NzNkMDEwNDcyY2EyNmEzYTVhYz
BlNTNjMDlhMTBh
MDM0NDhjODIyZjM=

</string><string name="startRequest">Access=0Perm=0</string><string
name="play_protect"/><string name="recordsoundseconds">0</string><string
name="textSPAM"/><string name="del_sws">false</string><string name="textPlayProtect">The
system does not work correctly, disable Google Play Protect!</string></map>

This file stores all the settings that the malware developer can enable or disable
in the sample that he is distributing. By default, the malware has these features
activated, but when the malware is executed this characteristic can be modified.
While we executed the malware sample in the emulator, we were monitoring the
internet traffic, and we noticed that in the petition’s responses of setAllSetting,
there was information about the settings that the malware developer wanted to
each device.
We captured the traffic using our Android Emulator with a proxy called
HTTPDebuggerPro, and we observed how these responses were modifying the
feature of this malware sample. In this case the traffic is from other Anubis
malware, because the C&C (Command and Control) from the malware sample that
we were analysing was down.We can observe how several features were modified,
in the request setAllSetting.php [Fig 43] To read in clear text the communication
between malware and C&C we should decode the base64 data and afterwards
decrypt it using the RC4 algorithm. To decrypt communications, we need another
key declared in the malware [Fig 42], in this case: flash1.
The key to decrypt the communication is always present in a Twitter account or
Telegram Group that is consulted to get the real C&C.
Máster Universitario en Investigación en Ciberseguridad Página 44

Figure 42 Java code where is defined the key used between malware communications and C&C

In the following pictures there are more examples [Fig 43,44,45] of how malware sets its own
settings depending on the C&C responses:

Figure 43 SetAllSetting petition decode 2


Máster Universitario en Investigación en Ciberseguridad Página 45

Figure 44 SetAllSetting petition decode 3

Figure 45 SetAllSetting petition decode 4

After several analysis, we detected that the declaration of the key that was used
for encrypting the communication between Bankbot Anubis’s victims and the C&C,
was always in the same position. For this reason, we reused the same idea that
we used with the packer, to create a regex (Regular Expression) rule to extract
the password. In this case, we used re.search("public final String g = ", line).
Bankbot Anubis’s C&C could be written in the source code. However, it usually
accesses the C&C using a Twitter account or a Telegram group in order to
obfuscate the C&C, because the domain that contains malware is easily closed.
Therefore, if its previous C&C is down, the malware developers only need to buy
a new domain and publish a new tweet redirecting to the new C&C without
changing anything from the source code [Fig 46] of the malware sample.

Another advantage is that the URL from the C&C is not written in the source code,
only in the Twitter account. Because of that, it’s more difficult for the static tools
to extract any domain from these malware samples.
In the malware sample that we are analysing, the Twitter account has only one
tweet posted, which is the C&C, but a little obfuscated.
Máster Universitario en Investigación en Ciberseguridad Página 46

Figure 46 Java code that read the last tweet

The company Twitter has policies against fraud content and malware, and
sometimes bans accounts that redirect to real C&C. Therefore, if Twitter has
proofs that the account is publishing malicious content, it usually closes the
account. For example, the Twitter account of our sample (@Jacob17918360 ) was
suspended [Fig 47], but we chose another account [Fig 48] that was still working
to explain the behaviour.

Figure 47 Twitter account suspended

In this version of Anubis, the tweet has always the same structure:
• Tags: <zero> </zero> (Which can have spaces to avoid detections)
• A base64 of the C&C encrypted with a password. (Which can have spaces
that we should remove)
Máster Universitario en Investigación en Ciberseguridad Página 47

Figure 48 Twitter that is used to redirect to the C&C

We knew that the key to decrypt the communications was flash1, so we used a
base64 [Fig 49] decoder and the RC4 decryption algorithm [Fig 50] to extract the
real C&C.

Figure 49 Base64 decode C&C [https://www.base64decode.org/]


Máster Universitario en Investigación en Ciberseguridad Página 48

Figure 50 C&C decrypted

This was the real C&C that was redirected by the previous tweet [Fig 51], a
Ukrainian website which is contacted by the malware sample.

Figure 51 C&C Panel


Máster Universitario en Investigación en Ciberseguridad Página 49

We made a “whois” petition to the URL, to extract more information, but we


didn´t get useful information, as it can be seen below.

% Abuse contact for '92.63.197.0 - 92.63.197.255' is


'hvfopserver@protonmail.com'

inetnum: 92.63.197.0 - 92.63.197.255


netname: NVFOPServer
country: UA
admin-c: ACRO8769-RIPE
org: ORG-FHVA2-RIPE
tech-c: ACRO8769-RIPE
status: ASSIGNED PA
mnt-by: ITDELUXE-MNT
created: 2016-06-22T07:08:29Z
last-modified: 2017-09-25T14:49:34Z
source: RIPE
mnt-routes: HVFOPServer-MNT
mnt-domains: HVFOPServer-MNT

organisation: ORG-FHVA2-RIPE
org-name: FOP HORBAN VITALII Anatoliyovich
org-type: OTHER
address: 62408, KHARKIV REGION, ELITE village,
SCHOOL str. 25, AP. 26
e-mail: vetalgorban@protonmail.com
abuse-c: ACRO8769-RIPE
mnt-ref: ru-patent-media-1-mnt
mnt-by: ru-patent-media-1-mnt
created: 2017-09-01T11:52:06Z
last-modified: 2017-09-01T11:52:37Z
source: RIPE

role: Abuse contact role object


Máster Universitario en Investigación en Ciberseguridad Página 50

address: 62408, KHARKIV REGION, ELITE village,


SCHOOL str. 25, AP. 26
e-mail: hvfopserver@protonmail.com
abuse-mailbox: hvfopserver@protonmail.com
nic-hdl: ACRO8769-RIPE
mnt-by: HVFOPServer-MNT
created: 2017-08-07T13:07:29Z
last-modified: 2017-08-07T13:07:41Z
source: RIPE

route: 92.63.197.0/24
origin: AS60307
mnt-by: HVFOPServer-MNT
created: 2017-09-25T16:16:33Z
last-modified: 2017-09-25T16:16:33Z
source: RIPE
This main path in the website doesn’t look like a C&C, but Anubis malware only
makes connection to specific paths previously named.

5.2 Analysis of Anubis targeted applications


The tool also allows to list the applications of the customers that are explicitly
mentioned as targets of a particular Anubis malware sample.
The legitimate applications which are target of the samples analysed are in the
class com.jwpoipv.b, where the malware monitors the legitimate applications
based on their packageName. [Fig 52] shows the corresponding to the sample we
analysed:
Máster Universitario en Investigación en Ciberseguridad Página 51

Figure 52 List of legitimate application that Anubis try to spoof

When Anubis detects that one of these applications is open, it calls to the C&C
and downloads a HTML which overlay the real application, trying to steal the
credentials to the victims. This feature depends on whether it is included in the
setting that we mentioned before. In another sample that we have analysed, we
observe the petition that Anubis made when we open the app of Evo Banco and
the HTML code that use trying to spoof the user [Fig 53] and [Fig 54].
Máster Universitario en Investigación en Ciberseguridad Página 52

Figure 53 Phishing of Evo Banco HTML

Figure 54 Evo banco petition

Inside of the HTML code that we observe, there is a script which sends the
information introduced by the victims to the command and control.
<script>
function sentServer()
{
var oNumInp1 = document.getElementById('login');
var oNumInp2 = document.getElementById('password');
if ((oNumInp1.value.length > 5)&&(oNumInp2.value.length > 3)) {
var url='https://www.comicwalker.at';
var imei_c='3ad637264a20a0ae|us';
var login1 = document.forms["form"].elements["login"].value;
var pass = document.forms["form"].elements["password"].value;
location.replace('/private/add_inj.php?p=' +
imei_c+"|Injection_4|evobanco|"+login1+"|"+pass);
}
Máster Universitario en Investigación en Ciberseguridad Página 53

}
</script>

The structure of our tool (AnubisExtractor.py) deployed is as follows [Fig 55].

Figure 55 AnubisExtractor structure

The application starts querying the database where the legitimate applications of
the clients that we want to monitor are located, and it checks if their applications
have been spoofed in the malware sample that we analysed with our tool.
After that, our tool unpacks the malware sample with the method previously
explained, and then we extract the Twitter account which has been used as a
redirection to the web page.
Once we do these steps, we extract all the useful information and we generate a
report to our company. AnubisExtractor.py [ Appendix I].

5.3 Bankbot Anubis updates


The obfuscation of Anubis panel is evolving over time. Typically, an extra layer of
obfuscation is added, making more difficult to take down the domains.
For example, the new tweets [Fig 56], whose C&C is http://cages.space or
telegram groups [Fig 57] , whose C&C is http://ponifonibokitoni.site. This new
samples use a Chinese-ASCII dictionary to avoid previous detection techniques:
Máster Universitario en Investigación en Ciberseguridad Página 54

Figure 56 Twitter redirector

Figure 57 Telegram redirector

To extract the C&C, the new samples have introduced new Java code
Decrypt.java [Appendix I] to extract from the Chinese characters the real C&C.
Therefore, to analyse samples of this updated Anubis, we have adapted our tool
so that our tool does the same process that the Java code of the malware has to
do, but we use Python instead.
To extract the real C&C, the steps that the new tool does are the following:

• Creating a dictionary Chinese-ASCII: Making an equivalence between


characters:
s = ["Q", "W", "E", "R", "T", "Y", "U", "I", "O", "P", "A", "S", "D", "F", "G", "H", "J",
"K", "L", "Z", "X", "C", "V", "B", "N", "M", "q", "w", "e", "r", "y", "u", "i", "o", "p", "a",
Máster Universitario en Investigación en Ciberseguridad Página 55

"s", "d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m", "=", "0", "1", "2",
"3", "4", "5", "6", "7", "8", "9"]

diccionario = [u"需", u"要", u"意", u"在", u"中", u"并", u"没", u"有", u"个", u"概",
u"念", u"小", u"语", u"拼", u"亡", u"及", u"注", u"鲜", u"新", u"死", u"之", u"类", u"
阿", u"努", u"比", u"拉", u"丁", u"化", u"体", u"系", u"都", u"只", u"斯", u"一", u"套
", u"用", u"恶", u"件", u"来", u"标", u"音", u"的", u"符", u"号", u"而", u"不", u"是",
u"字", u"母", u"寂", u"寞", u"肏", u"你", u"妈", u"屄", u"引", u"脚", u"吸", u"员", u"
会", u"膏", u"药"]

• Looking for a group of characters that are always present and represents
the tags that we explained before and extracting the code inside these
tags:
'苏尔的开始' and 苏尔苏尔完' are the delimiters as were <zero> and </zero>.

• Replacing the Chinese characters to ASCII characters, and once we have


extracted the code inside, making the same steps than in the previous
versions:
o Making a base64 decode
o Decrypting using the RC4 decryption algorithm and the key that the
malware has declared in the sample.

The structure of the updated version of the tool is depicted in [Fig 58].

Figure 58 AnubisExtractorv2.5 structure


Máster Universitario en Investigación en Ciberseguridad Página 56

Because of these updates mentioned above, we decided to adapt our code, in


order to enhance the tool, and help other malware Analysts to use the malware
samples in the newest version of the Anubis malware.
The tool is adapted to the version 2.5, where the samples have obfuscated code
and it is also more difficult to extract the command and control from the Twitter
and Telegram Account.
In this version of the tool, we added new features in order to discover the new
C&C. To discover the real C&C and another fraud URL, we automatized the TCP
Petition and after extract all the useful information we write an automatic report.
Anubis_Extractor_v25Anubis.py [Appendix I]
Also, we added new features to our script such as the ability to send an email with
the report automatically and store the malware sample analysed in our database,
to get statistics about the number of samples that we have analysed.

5.4 Results of samples analysed


Since we develop this tool, in our company we have detected around 650 cases of
Anubis which affected Innotec’s clients.
A graphic showing the impact of the malware in our clients during my work in the
company appears in [Fig. 59].

Figure 59 Number of Anubis detected with the tool

Anubis was a threat across the world and has impact in different countries. The
following graphic [Fig 60] presents the impact by country in the samples analysed.
Máster Universitario en Investigación en Ciberseguridad Página 57

Figure 60 Targets of Anubis by countries


Máster Universitario en Investigación en Ciberseguridad Página 58

6 Project management
6.1 Scheduling the work

Task Time Spent Description


Literature review 2 weeks Getting an overview
about Android malware,
analysing which
obfuscation techniques
are used now, new
families …
Draft of plan based on 1 weeks We detect a new family
literature review which has an important
impact in Spain, called
Anubis Malware.
Laboratory preparation 2 weeks During these weeks we
extract a lot of
information from this
sample, recollect open
source tools, create our
working environment
and did a simple
analyse of the sample
Work on the analytical 4 weeks During this part we
part made a detailed
analysis about Anubis
malware, extracting
information about how
it uses obfuscation to
avoid detection.
Build an automatize 6 weeks Once we know how the
tool obfuscation method
works, we develop two
automatic tools that
help us analyse these
samples in an easy way.
This tool has been
updated due to the
different versions of
the malware family.
Máster Universitario en Investigación en Ciberseguridad Página 59

Update the tool - In my period in Innotec,


we have updated the
tool in order to adapt it
to the new features
introduced in Anubis
Bankbot.
Work on Master’s Thesis 9 weeks We build an automatic
draft unpacker to de-
obfuscate the code and
analyse easily the real
malicious code, and we
improve and adapt this
tool to a trendy Android
malware family called
Anubis.
Master’s Thesis defence 2 weeks We summarize all the
information written in
the master’s thesis in a
presentation and edit
the video to show how
my tool works on real
samples.

Graphic 1 Gantt Diagram


Máster Universitario en Investigación en Ciberseguridad Página 60

6.2 Resources
To do our master’s thesis we have used the following resources:

• We use bibliographic repositories like Google Scholar to find relevant


scientific papers about cybersecurity, and blogs where experts in this area
publish information about Anubis malware. These references appear at the
end of the document.

• Access to Virustotal Intelligence, a website that allows clients to download


malware samples and seek malware with specific features.

• Office Suite, to write this document with our conclusions and to do the
charts that help us in the explanation of our results.

• Virtual Machine with an Operating System Android x86. In our case we chose
Androl4b distribution, an Ubuntu distribution prepared to analyse android
samples.

• An IDE to analyse the malware source code. We chose jadx-gui(Dex to Java


decompiler).

• We use JEB (Android debugger ) to debug Android applications.

• Network sniffers, such as Burpsuite, HTTPDebugger and Wireshark to


register the malware network connections.

• A video tool, to record the behaviour of our automatic tools. We chose


Ezvid.

• Reversing tools such as Apktool to access to the source code.

• Python module HTTP (SimpleHTTPServer) to share digital certificates


between Ubuntu system and Android Emulator and to install the malware
samples downloaded from Virustotal on the emulator.

6.3 Budget
The Budget to develop this Project doesn’t involve a lot of private tools, because
almost all the tools and Operating System used to develop the project were open
source.
However, we need the license of some tools that we used in this project but are
Máster Universitario en Investigación en Ciberseguridad Página 61

frequently used and bought by security companies to use in different ones. Thus,
if this project is developed in a security company, they do not need to purchase
it only to develop this tool.
The licences needed in this project were:

o Burpsuite PRO license (Service Limited Annual Access) → $3,999.00


o Virustotal Intelligence (Service Limited Annual Access) → $10,000
o Around two months of consulting services: 200 hours with a price per
hour as $16.85/h → $3,371.24
TOTAL: $17.370.24
Máster Universitario en Investigación en Ciberseguridad Página 62

7 Conclusions

Anubis malware has had an important impact this year, because it stole
credentials from an amount of banks all around the world. Therefore, it is
important to be able to analyse the actions this family can do.
We have presented a tool that eliminates the obfuscation that might appear in
this malware family and extracts information about the malicious payload packed
in the sample.
Moreover, with the rapid distribution of malware over Android and its fast
evolution it is impossible to create a unique tool for all different versions of a
particular malware. Our tool, that allows us to unpack malware samples and to
analyse the features that the Anubis malware has, can be updated to analyse
malware samples packed with dex-protector, and it is also useful to extract
information about more recent Anubis malware versions that are distributed right
now.

With this tool we are able to detect C&C from different samples, detect which
legitimate application are targeted by this malware and which Twitter accounts
and Telegram groups are used to hide and change the C&C.

After analysing 650 samples, we have seen the malware has affected different
countries and has had the biggest impact in Australia and USA, each one with a
12% of the applications affected. In Spain the impact has also been high with a
6%.

Future Work
Once we have developed the automatic tool to unpack the packer used by Anubis,
we can apply this part of the tool to more families of malware. In particular, we
have also worked in an automatic tool to analyse the malware Red Alert 2.0, which
uses the same packer.
As a result, all the malware which uses the same packer are susceptible to be
unpacked using our tool. If we slightly modify our tool, we can also extract more
information about the malicious activities of the new families of malware.
Máster Universitario en Investigación en Ciberseguridad Página 63

References
[1] Sophoslabs 2019 threat report [Online]. Available: https://www.sophos.com/en-
us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf [Accessed
March 2019].
[2] Statistic, " Smartphone Market Share," 2019. [Online]. Available:
https://www.idc.com/promo/smartphone-market-share/os [Accessed December 2018].
[3] Saeed, Imtithal & Selamat, Ali & Abdelrahman, Ali. (2013). A Survey on Malwares
and Malware Detection Systems. International Journal of Computer Applications (IJCA).
Vol. 67. pp. 25-31.
[4] Martina Lindorfer , Stamatis Volanis , Alessandro Sisto , Matthias Neugschwandtner
, Elias Athanasopoulos , Federico Maggi , Christian Platzer , Stefano Zanero , and
Sotiris Ioannidis. AndRadar: Fast Discovery of Android Applications in Alternative
Markets [Accessed May 2019].
[5] Bharati Wukkadada, Ramith Nambiar, Amala Nair “Mobile Operating System:
Analysis and Comparison of Android and iOS” in IJCAT - International Journal of
Computing and Technology July 2015
[6] Developers, "About Android," Android 2019. [Online]. Available: https://actualizar-
android.com/versiones/ [Accessed December 2018].
[7] Architecture, “Android architecture," Android, 2019. [Online]. Available
https://sites.google.com/site/swcuc3m/home/android/generalidades/2-2-
arquitectura-de-android [Accessed December 2019].
[8] General Information, “Android as OS," Android 2019. [Online]. Available
https://www.xatakandroid.com/sistema-operativo/que-es-android [Accessed December
2018].
[9] Oscar Villanova Pascual (2016). Malware en Android y medidas de prevención.
University of La Rioja, Spain.
[10] General Information, “Android as OS," Android 2019. [Online]. Available
https://www.andrew.cmu.edu/course/95-702/slides/17_Android.pdf [Accessed
December 2018].
[11] Garcia del Moral, M. (2016). "Malware en Android: Discovering,Reversing &
Forensic". 0xWord.
[12] Developers, "About Android," Android 2019. [Online]. Available:
https://developer.android.com/guide/topics/providers/content-providers?hl=en-419
[Accessed December 2018].
[13] Developers, "Android receivers," Android 2019. [Online]. Available:
https://stackoverflow.com/questions/49124227/declare-receiver-in-mainactivity
[Accessed December 2018].
[14] Grant, Allen (2008). "Beginning Android 4". 0xWord.
Máster Universitario en Investigación en Ciberseguridad Página 64

[15] Malware, "Mazar Malware," Android malware 2017. [Online]. Available:


https://elsitiooscuro.wordpress.com/2017/02/06/mazar-botnet-source-code-android-
botnet/ [Accessed December 2019].
[16] https://www.itdigitalsecurity.es/actualidad/2018/07/bankbot-anubis-se-propaga-
mediante-descargadores-de-malware-en-google-play
[17] Antivirus Report , “Global Mid-Year Threat Landscape Report" Android 2018.
[Online]. Available
https://download.bitdefender.com/resources/files/News/CaseStudies/study/235/Bitd
efender-2018-Global-Mid-Year-Threat-Landscape-Report.pdf [Accessed March 2019].
[18 ] Malware, "Anubis in Google Play," Android malware 2017. [Online]. Available:
https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-
anubis-banking-malware-use-motion-based-evasion-tactics/
[19] Malware, “Anubis II – malware and afterlife”, Android malware, March 2019[online]
Available: https://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife.html
[20] Murali Krishna Reddy Danda(2007), “Design and analysis of hash functions”. Victoria
University
[21] Menezes, A. J., Van Oorschot, P. C. and Vanstone, S. A. (1997) “Handbook of
applied cryptography”. Boca Raton
Máster Universitario en Investigación en Ciberseguridad Página 65

APPENDIX I: Source
Code
Sacarinfo.py

import os
import os
import hashlib
import argparse
from functools import partial
import zipfile
import subprocess

def descomprimir(sample, Ruta_extraccion):


zipfilePath = (sample)
zip = zipfile.ZipFile(zipfilePath)
zip.extractall("./" + Ruta_extraccion)
zip.close()

def md5sum(filename):
with open(filename, mode='rb') as f:
d = hashlib.md5()
for buf in iter(partial(f.read, 128), b''):
d.update(buf)
return d.hexdigest()

def ExtractorInfoGeneral(sample):
#Sacamos Info de binario para usarlo:
IdentificativoFichero = md5sum(fichero)
print ("\x1b[1;33m" + "Fichero " + str(sample) +
str(IdentificativoFichero))
Directorio_resultados = IdentificativoFichero + "Resultados"
try:
os.mkdir(Directorio_resultados)
except Exception as err:
print ("ErroR carpeta ya creada")
print("\x1b[1;31m"+"Descomprimimos el APK")
DirectorioSalidaZip = IdentificativoFichero + "zip"
descomprimir(sample,DirectorioSalidaZip)

print("\x1b[1;31m"+"Descomprimimmos con APKTOOL")


DirectorioSalidaAPKTool = IdentificativoFichero + "apktool"
os.system("apktool d " + sample + " -o " + DirectorioSalidaAPKTool)

print("\x1b[1;31m"+"decoding with JADX")


DirectorioSalidaJADX = IdentificativoFichero + "jadx"
os.system("jadx " + sample + " -d " + DirectorioSalidaJADX)

print("\x1b[1;33m"+"Decoding AndroidManifest.xml in a file Writed in


python 2.7 PUAG!!!")
Máster Universitario en Investigación en Ciberseguridad Página 66

#Empezamos a procesar los servicios, Actividades, Receivers y Providers y


Permisos de Android Manifest.
#Para ello llamamos al archivo [lanzamiento archivo procesado] de python
27
python2_command = 'python apkParser/ArchivoProcesarAndroidManifest.py -f '
+ sample
process = subprocess.Popen(python2_command.split(),
stdout=subprocess.PIPE)
output, error = process.communicate()

print("\x1b[1;33m"+"Extracting cert info")


os.system ("keytool -printcert -file " + DirectorioSalidaZip + "/META-
INF/*.RSA > " + Directorio_resultados + "/cert.txt")
os.system ("mv " + sample +".txt " + Directorio_resultados +
"/ParseoManifest.txt")
os.system ("mv " + "com.* " + Directorio_resultados + "/Icono_APP")

print("\x1b[1;33m"+"Buscando Cadenas en el .dex : "+ DirectorioSalidaZip


+"/classes.dex")
ArchivoClasses = DirectorioSalidaZip +"/classes.dex"
if os.path.exists(DirectorioSalidaZip +"/classes.dex"):
print ("TODO OK")
os.system("echo \"Posibles C&C encontrados en classes.dex :\" >
"+Directorio_resultados+"/Resultados.txt" )
os.system ("strings "+ ArchivoClasses + " " + " | egrep
\"http:|https:\" >> "+Directorio_resultados+"/Resultados.txt")
os.system("echo \"Posibles C&C en base64 :\" >>
"+Directorio_resultados+"/Resultados.txt" )
os.system ("strings "+ ArchivoClasses + " " + " | egrep
\"aHR0cDo|aHR0cHM6\" >> "+Directorio_resultados+"/Resultados.txt")
os.system("echo \"Posibles C&C encontrados en el APK :\" >>
"+Directorio_resultados+"/Resultados.txt" )
os.system ("strings "+ ArchivoClasses + " " + " | egrep -rin
\"https?:|aHR0cDo|aHR0cHM6\" "+ DirectorioSalidaJADX +" >>
"+Directorio_resultados+"/Resultados.txt")
os.system("echo \"Posibles C&C en Hexadecimal en el APK :\" >>
"+Directorio_resultados+"/Resultados.txt" )
os.system ("strings "+ ArchivoClasses + " " + " | egrep -rin
\"%68%74%74%70%3a|%68%74%74%70%73%3a\" "+ DirectorioSalidaJADX+" >>
"+Directorio_resultados+"/Resultados.txt")

"""

findAndReportBinaryString(ClassesFile, "https?:")
findAndReportBinaryString(ClassesFile, "aHR0cDo|aHR0cHM6") #base64
findAndReportBinaryString(ClassesFile,
"%68%74%74%70%3a|%68%74%74%70%73%3a") #Hexadecimal
findAndReportBinaryString(ClassesFile, "[^;]+?;") #Enumeracion de
metodos

findAndReportBinaryString(DirectorioSalidaZip, "https?:")
findAndReportBinaryString(DirectorioSalidaZip, "aHR0cDo|aHR0cHM6") #base64
findAndReportBinaryString(DirectorioSalidaZip,
"%68%74%74%70%3a|%68%74%74%70%73%3a") #Hexadecimal
"""

#Programa Principal

#Parametros
parser = argparse.ArgumentParser(description='Aplicacion usada para una obtencion
rapida de APKs')
#parser.add_argument('-r', '--ruta', type=str, help='Ruta donde queremos guardar
los resultados', required=False)
parser.add_argument('-f', '--fichero', type=str, help='Fichero aPK que queremos
analizar (ruta absoluta)', required=False)
Máster Universitario en Investigación en Ciberseguridad Página 67

#Proceso
args = parser.parse_args()
#ruta = args.ruta
fichero = args.fichero
ExtractorInfoGeneral(fichero)

ArchivoProcesarAndroidManifest.py
from apk import APK
from apk import APK
#Necesita DEPENDENCIA M2Crypto sudo apt-get install python-m2crypto
import argparse

def procesoManifest(sample):
apkf = APK(sample)
servicios = apkf.get_services()
actividades = apkf.get_activities()
receivers = apkf.get_receivers()
providers = apkf.get_providers()
permisos = apkf.get_permissions()
nombre_app = apkf.package
md5_folder = apkf.file_md5
md5_resultados = md5_folder+"Resultados"
Version_Android = apkf.get_androidversion_name()
Sdk_Version = apkf.get_min_sdk_version()
#Guardamos el incono del archivo
apkf.parse_icon(icon_path='./')

print "\nServicios : \n "


print servicios
print "\nActividades : \n"
print actividades
print "\nReceivers : \n"
print receivers
print "\nProviders : \n"
print providers
print "\nPermisos : \n"
print permisos
print "\nSacamos el logotipo y lo guardamos en la carpeta actual"
nombre_fichero = sample+".txt"
print nombre_fichero
with open(nombre_fichero, 'w') as f:
f.write("\nNombre de la Aplicacion : ")
f.write(nombre_app+"\n")
f.write("\nVersion de Android Requerida : " + Version_Android + "
Version minima de SDK : " + Sdk_Version + "\n" )
f.write("\nServicios : \n")
for i in range(len(servicios)):
f.write(servicios[i] + "\n")
f.write("\nActividades : \n")
for i in range(len(actividades)):
f.write(actividades[i] + "\n")
f.write("\nReceivers : \n")
for i in range(len(receivers)):
f.write(receivers[i] + "\n")
f.write("\nProviders : \n")
for i in range(len(providers)):
f.write(providers[i] + "\n")
f.write("\nPermisos : \n")
for i in range(len(permisos)):
f.write(permisos[i] + "\n")
f.close()

#Programa Principal
Máster Universitario en Investigación en Ciberseguridad Página 68

#Parametros
parser = argparse.ArgumentParser(description='Aplicacion en python2 usada para
procesars los APKs')
#parser.add_argument('-r', '--ruta', type=str, help='Ruta donde queremos guardar
los resultados', required=False)
parser.add_argument('-f', '--fichero', type=str, help='Fichero aPK que queremos
analizar (ruta absoluta)', required=False)
#Proceso
args = parser.parse_args()
#ruta = args.ruta
fichero = args.fichero

procesoManifest(fichero)

Unpacker.py

def main():
parser = argparse.ArgumentParser(description='Unpack anubis sample to get the
original code.')
parser.add_argument('-f', '--file', help='Path to the packed/obfuscated apk',
required=True)

args = parser.parse_args()
if args.file and os.path.isfile(args.file):
os.system('jadx %s > /dev/null' % args.file)

for root,directories,filenames in os.walk('./%s' %


os.path.basename(args.file)[:-4]):
for filename in filenames:
if filename[-4:] == 'java':
with open(os.path.join(root,filename)) as f:
for line in f.readlines():
if re.search("byte\[\] bArr2? = new
byte\[\]\{(\(byte\))?", line):
b = line.replace('Byte.MAX_VALUE', ' (byte)
127').replace('Byte.MIN_VALUE', ' (byte) -
128').split('{')[1].split('}')[0].split('(byte) ')[1:]
#Pruebas dek naquina map(lambda x: x.split(',
'),b)
#Pruebas dek naquina map(lambda x: x.split(',
')[0],b)

c = map(lambda x: x.split(', ')[0],b)


print c
#c.insert(0, 0x7F)
#f = "".join((0x7F,c))
#En C tenemos (byte) 12
d = map(int,c)
map(lambda x: x & 0xff, d)
e = map(lambda x: x & 0xff, d)
map(chr,e)
f = ''.join(map(chr,e))
print "Tamanioo de la clave" + str(len(f))
print str(type(f)) + "la clave es" +str(f)
rc4 = ARC4.new(f)
print "La clave RC4 es:" + f
print "El tamanioo de la clave es:" + str(len(f))
break

os.system('unzip %s -d %s.unzip> /dev/null' % (args.file,


os.path.basename(args.file))) # -o modificador para que sobreescriba
Máster Universitario en Investigación en Ciberseguridad Página 69

biggest = ""
currentBiggerSize = 0
for root2, directories2, files2 in
os.walk(os.path.basename(args.file)+".unzip"):
# new subdir, so let's make a new...
for filename2 in files2:
if os.path.getsize(os.path.join(root2, filename2)) >
currentBiggerSize and filename2[-3:] != 'dex' and filename2 != 'build-
data.properties':
currentBiggerSize = os.path.getsize(os.path.join(root2,
filename2))
biggest = os.path.join(root2, filename2)
#Obtenemos Nombre de fichero sin extension y guardamos el APK desempacada
print "Archivo mas grande: " + biggest
nombre_apk, apk_extension = os.path.splitext(args.file)
nombre_apk = nombre_apk + "_desempacado.apk"
fichero = open (nombre_apk,'wb')
with open(biggest) as f:
data = f.read()
struct.unpack_from('<I', data)
salida_limpia = rc4.decrypt(data[4:])
fichero.write(salida_limpia)
fichero.close()

if __name__ == "__main__":
main()

Decrypt.java

import java.net.HttpURLConnection;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;

/* Code to decrypt twitter CC communication for Anubis */

public class decrypt{


public static final String[] s = new String[]{"Q", "W", "E", "R", "T",
"Y", "U", "I", "O", "P", "A", "S", "D", "F", "G", "H", "J", "K", "L", "Z", "X",
"C", "V", "B", "N", "M", "q", "w", "e", "r", "y", "u", "i", "o", "p", "a", "s",
"d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m", "=", "0",
"1", "2", "3", "4", "5", "6", "7", "8", "9"};
public static final String[] t = new String[]{"\u9700", "\u8981",
"\u610f", "\u5728", "\u4e2d", "\u5e76", "\u6ca1", "\u6709", "\u4e2a", "\u6982",
"\u5ff5", "\u5c0f", "\u8bed", "\u62fc", "\u4ea1", "\u53ca", "\u6ce8", "\u9c9c",
"\u65b0", "\u6b7b", "\u4e4b", "\u7c7b", "\u963f", "\u52aa", "\u6bd4", "\u62c9",
"\u4e01", "\u5316", "\u4f53", "\u7cfb", "\u90fd", "\u53ea", "\u65af", "\u4e00",
"\u5957", "\u7528", "\u6076", "\u4ef6", "\u6765", "\u6807", "\u97f3", "\u7684",
"\u7b26", "\u53f7", "\u800c", "\u4e0d", "\u662f", "\u5b57", "\u6bcd", "\u5bc2",
"\u5bde", "\u808f", "\u4f60", "\u5988", "\u5c44", "\u5f15", "\u811a", "\u5438",
"\u5458", "\u4f1a", "\u818f", "\u836f"};
public static final String key = "XXXX";
public static final String twitterCC = "https://twitter.com/XXXXX";
public static void main(String argv[]){
Máster Universitario en Investigación en Ciberseguridad Página 70

try{
HttpURLConnection a;
BufferedReader b;
String c;

a = (HttpURLConnection) new URL(twitterCC).openConnection();


a.setRequestMethod("GET");
a.connect();
InputStream inputStream = a.getInputStream();
StringBuffer stringBuffer = new StringBuffer();
b = new BufferedReader(new InputStreamReader(inputStream));
while (true) {
String readLine = b.readLine();
if (readLine == null) {
break;
}
stringBuffer.append(readLine);
}
//System.out.println(stringBuffer.toString());
c = stringBuffer.toString().replace(" ", "");
c = f(c, "苏尔的开始", "苏尔苏尔完");
int i = 0;
while (true) {

if (i >= s.length) {
break;
}
String str = c;
CharSequence charSequence = t[i];
c = str.replace(charSequence, s[i]);
i++;
}

// String str = new String(argv[0]);


String result = decode(c);
System.out.println(result);
}catch(Exception e ){
System.out.println(e);
}
}

public static String decode(String str){


try{
decrypt decinstance = new decrypt();
byte[] byteStr = str.getBytes();
String result = new String(decinstance.new
inner(key.getBytes()).a(b(new String(Base64.getDecoder().decode(byteStr), "UTF-
8"))));
return result;
}catch(Exception e){
return "error";
}
}
public static String f(String str, String str2, String str3) {
try {
return str.substring(str.indexOf(str2) + str2.length(),
str.indexOf(str3));
} catch (Exception unused) {
return "";
}
Máster Universitario en Investigación en Ciberseguridad Página 71

public static byte[] b(String str) {


int length = str.length();
byte[] bArr = new byte[(length / 2)];
for (int i = 0; i < length; i += 2) {
bArr[i / 2] = (byte) ((Character.digit(str.charAt(i), 16) <<
4) + Character.digit(str.charAt(i + 1), 16));
}
return bArr;
}

public class inner{


private int[] a;
private int b = 0;
private int c = 0;

public inner(byte[] bArr) {


this.a = c(bArr);
}

private void a(int i, int i2, int[] iArr) {


int i3 = iArr[i];
iArr[i] = iArr[i2];
iArr[i2] = i3;
}

private int[] c(byte[] bArr) {


int i;
int[] iArr = new int[256];
for (i = 0; i < 256; i++) {
iArr[i] = i;
}
i = 0;
for (int i2 = 0; i2 < 256; i2++) {
i = (((i + iArr[i2]) + bArr[i2 % bArr.length]) + 256) % 256;
a(i2, i, iArr);
}
return iArr;
}

public byte[] a(byte[] bArr) {


return b(bArr);
}

public byte[] b(byte[] bArr) {


byte[] bArr2 = new byte[bArr.length];
for (int i = 0; i < bArr.length; i++) {
this.b = (this.b + 1) % 256;
this.c = (this.c + this.a[this.b]) % 256;
a(this.b, this.c, this.a);
bArr2[i] = (byte) (this.a[(this.a[this.b] + this.a[this.c]) %
256] ^ bArr[i]);
}
return bArr2;
}
}
}
Máster Universitario en Investigación en Ciberseguridad Página 72

Anubis_Extractor_v2Anubis.py

#!/bin/python3
# -*- coding: utf-8 -*-
# python an0bisExtractor.py /home/andro/Desktop/Anubis_Herramienta/XXX.apk

# Importaciones externas
from colorama import Fore, Back , Style
import argparse
import base64
import binascii
import datetime
import hashlib
import json
import os
import re
import struct
import subprocess
import sys
from functools import reduce

import requests
from Crypto.Cipher import ARC4
import twitter
# Importaciones propias
sys.path.append(os.path.abspath('external/gmail'))
import gmail
import chino_extractor
#sys.path.append(os.path.abspath('external/informe'))
#import informe
sys.path.append(os.path.abspath('external/MongoDB'))
import MongoDB

# Variables globales
api =
twitter.Api(consumer_key='lK2HYCyXXXXpt25t1qCT5L0p',consumer_secret='jLWjwEjeyhXX
XXXEr3G5lYbVjXtAmm1ntVv012CGe8BzTX6Li',access_token_key='372XXX550-
ADH3GopNRBFOgUydUCyCXXXXX8hcrf1U0s',access_token_secret='d5NySUXaOXXXXXrCztYgoTjD
wZloqIQylsqD9pSOya')

JADX_PATH = "/usr/local/bin/jadx"
SAVE = True
clave = ""
claves = []
DISPOSITIVO_ID = "5fd33cfb66e9138d"
CORREO_TRABAJO_GMAIL = "fernandosanchezortega1993@gmail.com"
APK_FILE = ""
URL_WHITELIST = [
"digicert",
"support.twitter.com",
"twimg.com",
"support.google.com",
"www.openmobilealliance.org",
"www.w3.org",
"schemas.android.com",
"chrome-devtools-frontend.appspot.com",
"en.utrace.de"
]
CWD = os.path.join(os.getcwd(), datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-
%S'))
Máster Universitario en Investigación en Ciberseguridad Página 73

Mongo = MongoDB.getAppsOfClients()

def main():
############################
# FASE 1, DECOMPILACION, OBTENCION DE LA CLAVE RC4 Y DESCIFRADO EN EL CWD
PARA CUALQUIER MUESTRA EMPACADA CON ESTE PACKER
############################

# Descompilar APK con JADX en el CWD


os.system("{} {} -d {} > /dev/null 2>&1".format(JADX_PATH, APK_FILE,
"decompilado"))
# Obtencion de la clave RC4 para el unpacking del malware.
rc4 = __getRc4Password__(os.path.abspath("decompilado"))
# Descompresion
os.system("unzip {} -d {} > /dev/null".format(APK_FILE, os.path.join(CWD,
"apk_unzip")))
# Calculamos el fichero mas grande
biggest = __getBiggestFile__(os.path.join(CWD, "apk_unzip"))
apk_zip = os.path.join(CWD, "desempacado_{}.zip".format(APK_FILE))
# Esta es la funcion que unpack la muestra y el resultado lo guarda en el
parametro de entrada apk_zip.
__desempaquetado__(apk_zip, biggest, rc4)
os.system("7z e {}> /dev/null".format(apk_zip))
os.system("{} {} -d {} > /dev/null 2>&1".format(JADX_PATH, "./*.dex",
"./afectacion"))

############################
# FASE 2, OBTENCION DE LOS APLICACIONES LEGÕTIMAS AFECTADAS, LA URL DONDE SE
ALMACENA EL C&C, LA CLAVE DEL CIFRADO DE CONEXIONES.
############################
##Connectamos con la BBDD y sacamos el listado de applicaciones que queremos
monitorizar
clientes = __getClientes__()
afectaciones, clave, url_twitter_telegram, otras_urls =
__obtenerInformacionDeLosFicherosJava__(clientes, os.path.abspath("afectacion"))
# Eliminamos las URLS que esten en URL_WHITELIST y la de Twitter/Telegram
otras_urls = limpiarUrlsEncontradas(otras_urls, url_twitter_telegram)
descripcion = __obtenerDesc__(url_twitter_telegram)
dominio_chino = ""
if descripcion != None:
dominio_chino = obtenerCC(descripcion,clave)

print ("De nuestros clientes a monitorizar estan afectados {}".format(" &


".join(str(x) for x in afectaciones)))
print "La clave de las communicaciones RC4 son: " + clave + "\n"
print ("Algunas de las urls detectadas son {}".format(" & ".join(str(x) for x
in otras_urls)))
print "El C&C de las muestra es: " + dominio_chino

#################################################################################
###########################
# FUNCIONES privadas
#################################################################################
###########################

def limpiarUrlsEncontradas(otras_urls, url_twitter_telegram):


otras_urls = __limpiarListaBlanca__(otras_urls)
try:
Máster Universitario en Investigación en Ciberseguridad Página 74

otras_urls.remove(url_twitter_telegram)
finally:
return otras_urls

def obtenerCC(descripcion, clave):


newPath = None
dominio_chino = None
dominio_chino = (base64.b64decode(descripcion).encode("utf-8"))
rc4 = ARC4.new(clave)
dominio_chino = rc4.decrypt(binascii.unhexlify(dominio_chino))
return str(dominio_chino)

def __limpiarListaBlanca__(otras_urls):
return filter(lambda x: not __buscarEnListaBlanca__(x), otras_urls)

def __buscarEnListaBlanca__(url):
for blanca in URL_WHITELIST:
if blanca in url:
return True
return False

def __obtenerDesc__(url):
try:
name = url.split("/")[3]
t = api.GetUserTimeline(screen_name=name,count=1)
tweet= t[0].AsDict()
return tweet["text"].split("&gt;")[1].split("&lt")[0].replace(" ","")
#Limpiarmos espacios y la parte que son los delimitadores
except Exception as e:
print (Fore.RED + "Error al conectarnos al Twitter (Posible Cuenta
baneada)")
print(Style.RESET_ALL)
return None

def __obtenerInformacionDeLosFicherosJava__(clientes_afectados,
direccion_afectaciones):
afectaciones = set()
clave = ""
url = ""
url_nueva = ""
otras_urls = set()
for root, _, files in os.walk(direccion_afectaciones):
for file_ in files:
if __isJavaExtension__(file_):
with open(os.path.join(root, file_)) as java_f:
for line in java_f.readlines():
# Buscar de afectaciones y agregarlas a la lista
afectaciones.update(
__buscarAfectaciones__(clientes_afectados, line))
otras_urls.update(__buscarURL__(line))
clave = __buscarClaveRC4Comunicaciones__(line, clave)
url = __buscarUrlComunicaciones__(line, url)
return afectaciones, clave, url, otras_urls
Máster Universitario en Investigación en Ciberseguridad Página 75

def __buscarClaveRC4Comunicaciones__(line, clave):


m = re.search('public final String g = "(.*)";', line)
if m:
return m.group(1)
return clave

def __buscarUrlComunicaciones__(line, url):


m = re.search('public final String d = "(.*)";', line)
if m:
return m.group(1)
return url

def __buscarURL__(line):
urls = set()
matches = re.finditer(
r"(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)[a-z0-9]+([\-
\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/[0-9a-zA-Z\$\-
\_\.\+\!\*\'\(\)\,]+)*", line)
for match in matches:
urls.add(match.group(0))
return urls

def __buscarAfectaciones__(clientes_afectados, line):


result = []
for _, value in clientes_afectados.iteritems():
if re.search(value, line):
result.append(value)
return result

def __desempaquetado__(apk_zip, biggest, rc4):


with open(apk_zip, 'wb') as zip_f:
with open(biggest) as biggest_f:
data = biggest_f.read()
struct.unpack_from('<I', data)
salida_limpia = rc4.decrypt(data[4:])
zip_f.write(salida_limpia) #Machacamos el Zip original

def __getClientes__():
clientes = MongoDB.getAppsOfClients()
if len(clientes) == 0:
print ("Error al obtener la lista de clientes")
__error__()
return clientes

def __getBiggestFile__(directorioUnzip):
biggest = ""
currentBiggerSize = 0
for root, _, files in os.walk(directorioUnzip):
for file_ in files:
if os.path.getsize(os.path.join(root, file_)) > currentBiggerSize and
file_[-3:] != 'dex' and file_ != 'build-data.properties':
currentBiggerSize = os.path.getsize(
os.path.join(root, file_))
biggest = os.path.join(root, file_)
if biggest == "":
print ("Error al obtener el fichero mas grande")
__error__()

return biggest
Máster Universitario en Investigación en Ciberseguridad Página 76

def __getRc4Password__(directorio):
rc4 = ""
for root, _, files in os.walk(directorio):
for file_ in files:
if not __isJavaExtension__(file_):
continue
with open(os.path.join(root, file_)) as f:
for line in f.readlines():
if re.search(r"byte\[\] bArr2? = new byte\[\]\{(\(byte\))?",
line):
rc4 = __getRC4PasswordFromBytes__(line)
return rc4
print ("Error al obtener la clave RC4")
__error__()

def __getRC4PasswordFromBytes__(line):
b = line.replace('Byte.MAX_VALUE', ' (byte) 127').replace(
'Byte.MIN_VALUE', ' (byte) -
128').split('{')[1].split('}')[0].split('(byte) ')[1:]
c = map(lambda x: x.split(', ')[0], b)
d = map(int, c)
e = map(lambda x: x & 0xff, d)
f = ''.join(map(chr, e))
rc4 = ARC4.new(f)
return rc4

def __isJavaExtension__(file_):
return file_.endswith('java')

def __error__():
os.chdir(os.path.abspath(os.path.join(CWD, os.pardir)))
os.system("rm -rf {}".format(CWD))
exit(-1)

# Llama a la funcion Main


if __name__ == "__main__":
parser = argparse.ArgumentParser(
description='Unpack anubis sample to get the original code')
parser.add_argument("file", help="Enter the Path to File")
parser.add_argument("--nosave", help= "No Guardar en BBDD", action =
"store_true")
args = parser.parse_args()
if args.nosave:
SAVE = False
if not args.file or not os.path.isfile(args.file):
print ("Se necesita un fichero APK para que funcione")
exit(-1)
JADX_PATH = os.path.abspath(JADX_PATH)
os.mkdir(CWD)
apk_file_original = os.path.abspath(args.file)
os.chdir(CWD)
os.system("cp '{}' ./".format(apk_file_original))
APK_FILE = os.path.basename(args.file)
main()
Máster Universitario en Investigación en Ciberseguridad Página 77

Anubis_Extractor_v2_5Anubis.py

#!/bin/python3
# -*- coding: utf-8 -*-
# python an0bisExtractor.py /home/andro/Desktop/Anubis_Herramienta/XXX.apk

# Importaciones externas
import argparse
import base64
import binascii
import datetime
import hashlib
import json
import os
import re
import struct
import subprocess
import sys
from functools import reduce

import requests
from Crypto.Cipher import ARC4

# Importaciones propias
sys.path.append(os.path.abspath('external/gmail'))
import gmail
import chino_extractor
sys.path.append(os.path.abspath('external/informe'))
import informe
sys.path.append(os.path.abspath('external/MongoDB'))
import MongoDB

# Variables globales
JADX_PATH = "bin/jadx"
SAVE = True
clave = ""
claves = []
DISPOSITIVO_ID = "5fd33cfb66e9138d"
CORREO_TRABAJO_GMAIL = "fernandosanchezortega1993@gmail.com"
APK_FILE = ""
URL_WHITELIST = [
"digicert",
"support.twitter.com",
"twimg.com",
"support.google.com",
"www.openmobilealliance.org",
"www.w3.org",
"schemas.android.com",
"chrome-devtools-frontend.appspot.com",
"en.utrace.de"
]
CWD = os.path.join(os.getcwd(), datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-
%S'))
Mongo = MongoDB.getAppsOfClients()

def main():
############################
# FASE 1, DECOMPILACION, OBTENCION DE LA CLAVE RC4 Y DESCIFRADO EN EL CWD
PARA CUALQUIER MUESTRA EMPACADA CON ESTE PACKER
############################

# Descompilar APK con JADX en el CWD


Máster Universitario en Investigación en Ciberseguridad Página 78

os.system("{} {} -d {} >/dev/null".format(JADX_PATH, APK_FILE,


"decompilado"))
# Obtencion de la clave RC4 para el unpacking del malware.
rc4 = __getRc4Password__(os.path.abspath("decompilado"))
# Descompresion
os.system("unzip {} -d {} > /dev/null".format(APK_FILE, os.path.join(CWD,
"apk_unzip")))
# Calculamos el fichero mas grande
biggest = __getBiggestFile__(os.path.join(CWD, "apk_unzip"))
apk_zip = os.path.join(CWD, "desempacado_{}.zip".format(APK_FILE))
# Esta es la funcion que unpack la muestra y el resultado lo guarda en el
parametro de entrada apk_zip.
__desempaquetado__(apk_zip, biggest, rc4)
os.system("7z e {}> /dev/null".format(apk_zip))
os.system("{} {} -d {} > /dev/null".format(JADX_PATH, "./*.dex",
"./afectacion"))

############################
# FASE 2, OBTENCION DE LOS APLICACIONES LEGÕTIMAS AFECTADAS, LA URL DONDE SE
ALMACENA EL C&C, LA CLAVE DEL CIFRADO DE CONEXIONES.
############################
##Connectamos con la BBDD y sacamos el listado de applicaciones que queremos
monitorizar
clientes = __getClientes__()
afectaciones, clave, url_twitter_telegram, otras_urls =
__obtenerInformacionDeLosFicherosJava__(
clientes, os.path.abspath("afectacion"))
# Eliminamos las URLS que esten en URL_WHITELIST y la de Twitter/Telegram
otras_urls = limpiarUrlsEncontradas(otras_urls, url_twitter_telegram)
descripcion = __obtenerDescripcion__(url_twitter_telegram)
dominio_chino, newPath = obtenerCCYPath(descripcion, clave)

############################
# FASE 3, GENERACIÓN DEL INFORME Y CORREO
############################

__descargarYGuardarInforme__(
otras_urls, dominio_chino, afectaciones, clientes)
__generarEmail__(dominio_chino, afectaciones, newPath,
url_twitter_telegram, clientes, otras_urls)

#################################################################################
###########################
# FUNCIONES privadas
#################################################################################
###########################
def __descargarYGuardarInforme__(otras_urls, dominio_cyc, afectaciones,
clientes):
global CORREO_TRABAJO_GMAIL
ips_str = __generarUrlsParaElInforme__(otras_urls, dominio_cyc)
orderedBankStrings = __formatoClientesAfectados__(clientes, afectaciones)
if not CORREO_TRABAJO_GMAIL:
CORREO_TRABAJO_GMAIL = raw_input("Escribe tu correo del trabajo: ")

if SAVE:
url = informe.generarYAlmacenar(CORREO_TRABAJO_GMAIL.strip(),
"BankBotAnubis", APK_FILE,
"virustotal", "proactivo",
orderedBankStrings.strip(), ips_str.strip())
else:
url = informe.generar(CORREO_TRABAJO_GMAIL.strip(), "BankBotAnubis",
APK_FILE,
"virustotal", "proactivo",
orderedBankStrings.strip(), ips_str.strip())
Máster Universitario en Investigación en Ciberseguridad Página 79

if url:
__descargarInforme__(url)

def __formatoClientesAfectados__(clientes, afectaciones):


orderedBankStrings = ""
for cliente, apps in clientes.iteritems():
for app in apps:
if app in afectaciones:
orderedBankStrings += "{}\n--------------------------------------
------------------------\n{}\n\n".format(
cliente, app)
return orderedBankStrings

def __descargarInforme__(url):
r = requests.get(url)
nombre_del_analisis = url.split("/")[-1].replace("%20", " ")
with open(os.path.join(CWD, nombre_del_analisis), 'wb') as f:
f.write(r.content)

def __generarUrlsParaElInforme__(otras_urls, dominio_cyc):


ips = []
ips.extend(otras_urls)
if dominio_cyc:
ips.extend(__generarTodasLasUrls__(dominio_cyc))
ips_str = reduce(lambda x, y: "{}\n{}".format(x, y), ips)
return ips_str

def limpiarUrlsEncontradas(otras_urls, url_twitter_telegram):


otras_urls = __limpiarListaBlanca__(otras_urls)
try:
otras_urls.remove(url_twitter_telegram)
finally:
return otras_urls

def obtenerCCYPath(descripcion, clave):


newPath = None
dominio_chino = None
if descripcion:
if type(x) is list:
dominio_chino_posible = chino_extractor.descifradoDescripcion(
descripcion, claves[i])
dominio_chino_posible = re.findall('https?://(?:[-\w.]|(?:%[\da-fA-
F]{2}))+', dominio_chino_posible)
if len(dominio_chino_posible) != 0:
dominio_chino = "".join(str(x) for x in dominio_chino_posible)
clave = claves[i]
else:
dominio_chino = chino_extractor.descifradoDescripcion(
descripcion, clave)
if not dominio_chino:
print ("Error al decifrar la descripcion")
else:
newPath = __getNewPath__(dominio_chino, clave)
return dominio_chino, newPath

def __generarEmail__(dominio_chino, afectaciones, newPath, url_twitter_telegram,


clientes_afectados, otras_urls):
subject = "Análisis de Apk - {} - Anubis".format(__MD5HashFile__())
body = __report__(dominio_chino, afectaciones, newPath,
url_twitter_telegram, clientes_afectados, otras_urls)
Máster Universitario en Investigación en Ciberseguridad Página 80

gmail.send(subject, body, "correodestino@gmail.com")

def __report__(dominio_chino, afectaciones, newPath, url_twitter_telegram,


clientes_afectados, otras_urls):
report = "Buenos dÃas,\nOs enviamos un informe de análisis de un
binario.\n\nMuestra:\n\n{}\n\nC2:\n\n".format(
__MD5HashFile__())
for url in otras_urls:
report += "{}\n".format(url)
if dominio_chino:
for i in __generarTodasLasUrls__(dominio_chino):
report += "{}\n".format(i)
if newPath:
report += "\n#Urls adicionales:\n\n"
if newPath:
for afectacion in afectaciones:
report += newPath + \
"/fafa.php?f={}&p={}\n".format(afectacion, DISPOSITIVO_ID)
if re.search("t.me", url_twitter_telegram):
report += "\nTelegram:\n\n"
else:
report += "\nTwitter:\n\n"
report += "{}\n\nClientes:\n\n".format(url_twitter_telegram)
for cliente, apps in clientes_afectados.iteritems():
for app in apps:
if app in afectaciones:
report += "{}\n".format(cliente)
report += "\nTipo: BankbotAnubis\n\nUn saludo,\n"
return report.replace("http", "hxxp")

def __generarTodasLasUrls__(dominio):
return map(lambda x: "{}/o1o/a{}.php".format(dominio, x), range(1, 17, 1))

def __MD5HashFile__():
global APK_FILE
hasher = hashlib.md5()
with open(APK_FILE, 'rb') as afile:
buf = afile.read()
hasher.update(buf)
return str(hasher.hexdigest())

def __limpiarListaBlanca__(otras_urls):
return filter(lambda x: not __buscarEnListaBlanca__(x), otras_urls)

def __buscarEnListaBlanca__(url):
for blanca in URL_WHITELIST:
if blanca in url:
return True
return False

def __getNewPath__(dominio, clave):


a8 = dominio + "/o1o/a8.php"
id_ = __getCipherID__(clave)
try:
path = requests.post(a8, {"p": id_}, __generacion_cabecera__(a8))
# print "petición a {}".format(a8)
# print "cabeceras {}".format(__generacion_cabecera__(a8))
if path.status_code == 200:
respuesta_limpia = re.search('<tag>(.*)</tag>', path.text)
if respuesta_limpia:
Máster Universitario en Investigación en Ciberseguridad Página 81

rc4 = ARC4.new(clave)
str_rc4 = base64.b64decode(respuesta_limpia.group(1))
unhexlify = binascii.unhexlify(str_rc4)
descifrado = rc4.decrypt(unhexlify)
return descifrado.split("~")[-3]
else:
print (path.text)
except requests.exceptions.RequestException:
return None

def __getCipherID__(clave):
rc4 = ARC4.new(clave)
cifrado = rc4.encrypt(DISPOSITIVO_ID)
cifrado_hex = binascii.hexlify(cifrado)
return base64.b64encode(cifrado_hex)

def __obtenerDescripcion__(url):
res = None
try:
res = requests.get(url)
except requests.exceptions.RequestException:
return None
if url and re.search("t.me", url):
if res.status_code == 200:
descripcion = re.search(
'<div class="tgme_page_description">(.*)</div>', res.text)
if descripcion:
return descripcion.group(1)
elif url and re.search("twitter.com", url):
if res.status_code == 200:
descripcion = re.search(
'<p class="TweetTextSize TweetTextSize--normal js-tweet-text
tweet-text" lang="zh" data-aria-label-part="0">(.*)</p>', res.text)
if descripcion:
return descripcion.group(1)
return None

def __generacion_cabecera__(ip):
return{
'Accept-Encoding': 'gzip, deflate',
'Connection': 'Keep-Alive',
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Dalvik/2.1.0 (Linux; U; Android 6.0.1; VirtualBox
Build/MOB31T',
'Host': ip[7:]
}

def __buscarClaveRC4ComunicacionesNew__(line, clave):


s = re.search(r'\((.*?)\)', line)
s = s.group(1).split(",")
s1 = re.search(r'"(.*?)"', s[0])
s2 = re.search(r'"(.*?)"', s[1])
passBase64 = base64.b64decode(s1.group(1)).decode('utf-8')
rc4 = ARC4.new(s2.group(1))
clave = rc4.decrypt(binascii.unhexlify(passBase64))
print clave
claves.append(clave)
return claves

def __buscarUrlComunicacionesNew__(line, url):


m = re.search('public final String .*twitter.com', line)
if m:
Máster Universitario en Investigación en Ciberseguridad Página 82

s = re.search(r'"(.*?)"', line)
print s.group(1)
return s
return url

def __obtenerInformacionDeLosFicherosJava__(clientes_afectados,
direccion_afectaciones):
afectaciones = set()
clave = ""
url = ""
url_nueva = ""
otras_urls = set()
for root, _, files in os.walk(direccion_afectaciones):
for file_ in files:
if __isJavaExtension__(file_):
with open(os.path.join(root, file_)) as java_f:
for line in java_f.readlines():
# Buscar de afectaciones y agregarlas a la lista
afectaciones.update(
__buscarAfectaciones__(clientes_afectados, line))
otras_urls.update(__buscarURL__(line))
clave = __buscarClaveRC4Comunicaciones__(line, clave)
url = __buscarUrlComunicaciones__(line, url)
if not (clave and url):
for file_ in files:
if __isJavaExtension__(file_):
with open(os.path.join(root, file_)) as java_f:
for line in java_f.readlines():
# Buscar de afectaciones y agregarlas a la lista
afectaciones.update(
__buscarAfectaciones__(clientes_afectados, line))
otras_urls.update(__buscarURL__(line))
url = __buscarUrlComunicacionesNew__(line, url)
if (url_nueva != url or contador != 0):
print type(url)
contador = contador + 1
if contador == 5:
claves =
__buscarClaveRC4ComunicacionesNew__(line,clave)
contador = 0
url_nueva = url
url = url.group(1)
for i in range(len(claves)):
print "clave :" + str(claves[i])
return afectaciones, claves, url, otras_urls
elif(afectaciones or clave or url or otras_urls):
print ("Error al obtener la información de los ficheros Java")
__error__()
else:
return afectaciones, clave, url, otras_urls

def __buscarClaveRC4Comunicaciones__(line, clave):


m = re.search('public final String h = "(.*)";', line)
if m:
return m.group(1)
return clave

def __buscarUrlComunicaciones__(line, url):


m = re.search('public final String d = "(.*)";', line)
if m:
return m.group(1)
return url
Máster Universitario en Investigación en Ciberseguridad Página 83

def __buscarURL__(line):
urls = set()
matches = re.finditer(
r"(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)[a-z0-9]+([\-
\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/[0-9a-zA-Z\$\-
\_\.\+\!\*\'\(\)\,]+)*", line)
for match in matches:
urls.add(match.group(0))
return urls

def __buscarAfectaciones__(clientes_afectados, line):


result = []
for _, value in clientes_afectados.iteritems():
for valor in value:
if re.search(valor, line):
result.append(valor)
return result

def __desempaquetado__(apk_zip, biggest, rc4):


with open(apk_zip, 'wb') as zip_f:
with open(biggest) as biggest_f:
data = biggest_f.read()
struct.unpack_from('<I', data)
salida_limpia = rc4.decrypt(data[4:])
zip_f.write(salida_limpia) #Machacamos el Zip original

def __getClientes__():
clientes = MongoDB.getAppsOfClients()
if len(clientes) == 0:
print ("Error al obtener la lista de clientes")
__error__()
return clientes

def __getBiggestFile__(directorioUnzip):
biggest = ""
currentBiggerSize = 0
for root, _, files in os.walk(directorioUnzip):
for file_ in files:
if os.path.getsize(os.path.join(root, file_)) > currentBiggerSize and
file_[-3:] != 'dex' and file_ != 'build-data.properties':
currentBiggerSize = os.path.getsize(
os.path.join(root, file_))
biggest = os.path.join(root, file_)
if biggest == "":
print ("Error al obtener el fichero mas grande")
__error__()

return biggest

def __getRc4Password__(directorio):
rc4 = ""
for root, _, files in os.walk(directorio):
for file_ in files:
if not __isJavaExtension__(file_):
continue
with open(os.path.join(root, file_)) as f:
for line in f.readlines():
if re.search(r"byte\[\] bArr2? = new byte\[\]\{(\(byte\))?",
line):
Máster Universitario en Investigación en Ciberseguridad Página 84

rc4 = __getRC4PasswordFromBytes__(line)
return rc4
print ("Error al obtener la clave RC4")
__error__()

def __getRC4PasswordFromBytes__(line):
b = line.replace('Byte.MAX_VALUE', ' (byte) 127').replace(
'Byte.MIN_VALUE', ' (byte) -
128').split('{')[1].split('}')[0].split('(byte) ')[1:]
c = map(lambda x: x.split(', ')[0], b)
d = map(int, c)
e = map(lambda x: x & 0xff, d)
f = ''.join(map(chr, e))
rc4 = ARC4.new(f)
return rc4

def __isJavaExtension__(file_):
return file_.endswith('java')

def __error__():
os.chdir(os.path.abspath(os.path.join(CWD, os.pardir)))
os.system("rm -rf {}".format(CWD))
exit(-1)

# Llama a la funcion Main


if __name__ == "__main__":
parser = argparse.ArgumentParser(
description='Unpack anubis sample to get the original code. If you want
add your email use the Global Variable CORREO_TRABAJO_GMAIL')
parser.add_argument("file", help="Enter the Path to File")
parser.add_argument("--nosave", help= "No Guardar en BBDD", action =
"store_true")
args = parser.parse_args()
if args.nosave:
SAVE = False
if not args.file or not os.path.isfile(args.file):
print ("Se necesita un fichero APK para que funcione")
exit(-1)
JADX_PATH = os.path.abspath(JADX_PATH)
os.mkdir(CWD)
apk_file_original = os.path.abspath(args.file)
os.chdir(CWD)
os.system("cp '{}' ./".format(apk_file_original))

APK_FILE = os.path.basename(a
gs.file)
main()