- The document discusses changing dynamics in Android APT malware including how they are distributed through social media and popular apps, the types of data they target like SMS, contacts and social media, and countermeasures like restricting accessibility permissions and verifying downloaded code. Specific malware campaigns discussed include Glance Love, Dark Caracal, SkyGoFree and RedDawn which targeted users in different regions through social engineering and exploited Android vulnerabilities.

1. Hide n Seek: An Investigation
into changing Dynamics of
Android APT’s
Jagadeesh Chandraiah
Threat Researcher
AVAR 2018

2. Who am I
• Threat Researcher at Sophos, UK
• Windows, Mobile Malware Analysis
• @jag_chandra
AVAR 2018

3. Agenda
AVAR 2018
• Android Malware State
• APT malware
• Infection vector and Targeted Data
• Changing Dynamics

4. Mobile OS market share
AVAR 2018
Source-https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/
Android – 88%
https://danluu.com/android-updates/
Out of date devices
Mobile OS share

5. Google play malware -2017
MilkydoorFeb
2017 2017Jan Mar Apr May Jun Jul Aug Sep
Humming
Bad
52
wks
Phase
I
Charger
Fake
apps
Stealer
Iframes
HiddenAd
Instealy
Fake
Minecraft
FlashLight
BankBot
FalseGuide
Milkydoor
FakeApp
BrainTest
XavirAd
Axent
MarsDae
SMS Stealer
Lipizzan
BankBot
Spyware
BankBot
Judy
Clicker
Expensive
Wall
DU Antivirus
WireX
BankBot
Oct
Flashlight
Feb
Sockbot
AVAR 2018
FakeApp
Miners
Nov
Fake
Whatsapp
BankBot
App
Lockers
Expensive
Wall
Dropper
Tizi

6. Google play malware -2018
Downloaders SMS Fraud Ad Clickers Fake Banking
Bankbots Coin Miners Stealers Rogueware Fake apps

7. Android Malware - APT
AVAR 2018

8. Android Malware
AVAR 2018
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf
2nd most INDIA

9. Android Malware
AVAR 2018
INDIA
>19 million
https://transparencyreport.google.com/android-security/overview
>12 million

10. Glance Love
AVAR 2018

11. Glance Love
AVAR 2018

12. Glance Love
AVAR 2018
https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/
I’ll send you a picture

13. Glance Love
AVAR 2018

14. Glance Love – Device Information
AVAR 2018

15. Glance Love – Commands
AVAR 2018

16. Glance Love – Download
AVAR 2018
goldncup[.]com

17. Glance Love - Payload
AVAR 2018
• Images
• Device Info
• Location
• Record Audio
• Record Calls
• Video
• SMS Data

18. Glance Love - Payload
AVAR 2018

19. Glance Love
AVAR 2018
MQTT/HTTP

20. Dark Caracal
AVAR 2018

21. Dark Caracal
• Targeted spyware campaign
• Trojanised applications
• Both Mobile and Desktop component
AVAR 2018

22. Dark Caracal – Infection Vector
AVAR 2018
Download these apps to
communicate
Facebook Group Link
http://secureandroid<dot>info/a
ndroidapps/telegram+.html
WhatsApp message
Image courtesy - https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

23. Dark Caracal - Infection Vector
AVAR 2018
Phishing page Phishing LinksFake Facebook profiles

24. Dark Caracal – App Distribution
AVAR 2018
Image courtesy - https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

25. Dark Caracal – App Distribution
AVAR 2018
Clean Malicious

26. Dark Caracal –Permissions
AVAR 2018

27. Dark Caracal –Commands
AVAR 2018
• GALL1 – Get all data
• GFILE1 – Get File
• CAMG1 – Camera
• UPD1 – Send Update
• DelF1 – Delete File
• UPF1 – Upload File
• DWN1 – Download
• REC1 – Record and upload
• SMS1 – Send SMS
• PWS1 – Password Steal
• PRM1 – Permissions ask
• WT1 – Send WhatsApp or Tele

28. Dark Caracal
• Contacts
• Call Logs
• Install Apps
• Capture Audio
• Device Data
• Capture Images
• Location
• Text Messages
• Wi-Fi Access points
• Credentials/Files
AVAR 2018

29. AVAR 2018
Dark Caracal
Facebook groups
Fake Store
C2 server
WhatsApp Messages

30. SkyGoFree
AVAR 2018

31. SkyGoFree
AVAR 2018
• Multi Stage and Multicomponent spyware
• Targets Social Media extensively
• Has device filter/Self protection
• Uses Exploits to gain privileges

32. SkyGoFree – Distribution
AVAR 2018
• Third Party Sites pretending to be Mobile
operators.
• Social Engineering to download Configuration
update
Image Courtesy- https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

33. SkyGoFree – Exploits and Shell
AVAR 2018

34. SkyGoFree – Root
AVAR 2018

35. SkyGoFree – Commands
AVAR 2018
• Rubrica - get Contacts
• registro_chiamate – Call logs
• Reverse - reverse shell module
• wifi - Add new Wi-Fi configuration
• listapp – get apps list
• Social - Get Social media database
• whatsapp – get WhatsApp data
• history - Steal Browser history
• Install_apk -Install apk
• Camera – Get Photo/Video

36. SkyGoFree – Commands
AVAR 2018

37. SkyGoFree – Commands
AVAR 2018

38. SkyGoFree – Commands
AVAR 2018

39. SkyGoFree – Social media data
AVAR 2018

40. SkyGoFree - Data
AVAR 2018

41. RedDawn
AVAR 2018

42. RedDawn
• Campaigns targeting Korean users
• Both Google play and outside
• Distributed as health care, utility, Food ingredients and prayer
applications
• Cloud service used to upload data
AVAR 2018

43. RedDawn
AVAR 2018

44. RedDawn - Distribution
AVAR 2018
Prayer

45. RedDawn
AVAR 2018

46. RedDawn
AVAR 2018
Accessibility service
Install payload
Dropper
Dex/Commands

47. Changing Dynamics
AVAR 2018

48. How are they getting on Device ?
AVAR 2018
• Popular social media apps used for Distribution
o Facebook groups , Twitter
o WhatsApp , KaKao , Facebook Messenger
o Stolen Profiles, Social Engineering
• User Interests and Popular Trends
o Fitness Apps, World Cup
• Innocuous Utility Apps on Google Play
o Cleaners
o Backup

49. Changing Dynamics – How are they getting Data ?
AVAR 2018
• Publicly available exploits
o Android rooting tools framework
Malware on Android OS versions
Android OS Distribution

50. Changing Dynamics – Data targeted
AVAR 2018
• SMS
• Call Logs
• Contacts
• Location
• Social Media (Regional)
o Whatsapp/Facebook/Viber
o LinkedIn
o Kakao
• Images
• Installed Apps
• Wifi
• Credentials
• Text
• Installed apps
• Device Information
• Emails
• Messenger/VoIP

51. Downloaders and Accessibility Service
AVAR 2018
• Downloaders and Droppers Achilles heel of Google
play store security
• Used by Bankbots and other popular malware
• Continued abuse of Accessibility service

52. Counter Measures
AVAR 2018
• Downloaded data and code loaded at runtime
should be verified
• Social media vigilance
• Accessibility abuse should be restricted
• Push vendors to reduce Fragmentation
• Be cautious when granting permissions
• Alert about apps from non standard and non
reputable sources

53. References/Further Read
• https://www.eff.org/press/releases/eff-and-lookout-uncover-new-malware-espionage-campaign-infecting-thousands-around
• https://research.checkpoint.com/glancelove-spying-cover-world-cup/
• https://www.clearskysec.com/glancelove/
• https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/
• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
• https://securingtomorrow.mcafee.com/mcafee-labs/malware-on-google-play-targets-north-korean-defectors/
AVAR 2018