TetCon Saigon 2015
Phạm Trần Minh Triết <minhtrietphamtran@gmail.com>
&
Nguyễn Văn Ngôn <computerline1z@gmail.com>
Analyze Code4HK Android
Malware aka mRat
Who am I?
● Malware Analyst
● Reverse Engineer
Phạm Trần Minh Triết
Nguyễn Văn Ngôn
● Programmer
Agenda
● Introduction
● Android Reverse Engineering Intro
● Fake Code4HK Static Analysis
Part I
Introduction
How was fake Code4HK Distributed?
● Hong Kong activists receive Whatsapp phishing messages from an unknown phone number containing a link to download and install an app
● Phishing message: “Check out this Android app designed by CODE4HK, for the coordination of OCCUPYCENTRAL!”.
Fake Code4HK Installation Process
● An .apk file is downloaded to the device after the victim presses the link in the Whatsapp phishing message
● If the victim chooses to install the apk, a list of sensitive permissions is requested before the installation proceeds.
● A new prompt to install a second apk from the app is presented to the victim with the message “Application is updated, please click to install.”
Fake Code4HK Permission Request
What Can fake Code4HK Get from the Device?
● Contacts: name, contact id, phones, emails
● SMS messages
● Call logs: number, name, type of call (incoming, outgoing, missed), date, duration
● Geographic location (networkId, systemId, baseStationId, latitude, longitude), MAC address
● Email accounts (email provider, username, password) and email contents (display name, sender, recipient, sending time, subject, email body)
What Can fake Code4HK Get from the Device?
● Browser bookmarks
● Telephone: phone number, device ID, telephone provider (China Mobile, China Unicom, China Telecom), max CPU frequency, network state (connected, connecting), SIM serial number, MAC address, IP address, total memory
● Wi-Fi passwords: SSID name, WPA passphrase, encryption type, priority
What Other Capabilities does fake Code4HK Possess?
● LIST_DIR: Get tree of files, directories and size of files in a directory
● DO_REMARK: write to log file
● DO_TOAST: show a quick little message for the user
● DO_CALL: call a phone number
● DO_SHELL: execute commands from CnC server
● DO_SET_MONITORNUM: set phone number to monitor
● DO_DOWNFILE: Download file to victim device
● DO_DELETEFILE: delete file from victim device
● DO_UPLOADFILE: upload file from victim host to CnC server
● DO_DELAY_RECORD: delay audio recording time
What Other Capabilities does fake Code4HK Possess?
● DO_START_RECORD: start recording audio
● DO_STOP_RECORD: stop recording audio
● DO_XSHELL: create a thread to receive and execute commands and send the results back to the CnC server
● DO_GET_ROOT_FILE: get the content of a file on the victim device, save it under /data/data/com.v1/ and send it back to the CnC server
● DO_SAVE_ALL: get all the data Code4HK can steal from the victim device
● DO_GET_SDCARD: get the tree of files and directories on the sdcard
Part II
Introduction to Reverse Engineering Android Applications
JEB
● Disassembler
● Decompiler
● Resource viewer
● Interactive features to analyse protected Android applications and Android malware
● JEB = IDA + Hex-Rays for Android, with some limitations
ProGuard Protected Android applications
Reverse engineer with JEB to deobfuscate ProGuard
Reverse Engineering Strategies with JEB
● Use the manifest viewer to learn the essential information the app presents to the Android system: permissions, package, names of application/activities/services/receivers and their corresponding intent-filters, ...
● Start from the main activity to traverse the app, renaming variables, methods and classes to meaningful names
● Use cross-references to learn how an object is used within a class and how a method is used across the application
● Use the Strings window to quickly search for interesting references while reading the code
● Study the Android APIs used in the app, with the prototypes they are called with: http://developer.android.com/reference/packages.html
Empty methods in JEB and IDA
● When an Android app calls loadLibrary to load a native library and declares native methods implemented in it, JEB does not know the content of those methods: they appear as empty methods inside the classes.
● Solution: apktool d target.apk extracts the native libraries used by the app (in the /lib directory)
● Map the library name: loadLibrary("MyLibrary") loads libMyLibrary.so
● Research the exported functions of the native library with IDA and Hex-Rays ARM
Empty methods in JEB and IDA
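As an added example (not code from the talk), the mapping the slide above describes, carried through in Python: find loadLibrary calls and native method declarations in apktool's smali output, derive the libX.so filename and the JNI export names (Java_<class>_<method>, with JNI name mangling) to look up in IDA's exports view. The smali fragment and the class/library names in it are constructed, not taken from the real sample.

```python
"""Added example: from smali to the .so file and the JNI export names to inspect in IDA."""
import re

# Constructed smali fragment standing in for `apktool d target.apk` output
# (sample input, not the real Code4HK code).
SMALI = r'''
.class public Lcom/v1/Native_Helper;
.method static constructor <clinit>()V
    const-string v0, "MyLibrary"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
.method public static native encode(Ljava/lang/String;)[B
.end method
.method public native run_cmd(Ljava/lang/String;I)I
.end method
'''

CLASS_RE = re.compile(r'^\.class\s+(?:\w+\s+)*L([^;]+);', re.M)
# const-string vN, "X" immediately followed by System.loadLibrary(vN)
LOAD_RE = re.compile(r'const-string\s+v\d+,\s*"([^"]+)"\s+invoke-static\s*\{v\d+\},\s*'
                     r'Ljava/lang/System;->loadLibrary\(Ljava/lang/String;\)V')
NATIVE_RE = re.compile(r'^\.method\b[^\n]*\bnative\s+(\w+)\(', re.M)

# JNI name mangling table for class and method names
SPECIAL = {'/': '_', '_': '_1', ';': '_2', '[': '_3'}


def jni_mangle(name: str) -> str:
    """Mangle one fully qualified class name or method name as JNI does;
    any other non-ASCII-alphanumeric character becomes _0xxxx."""
    return ''.join(SPECIAL.get(ch, ch if ch.isascii() and ch.isalnum() else '_0%04x' % ord(ch))
                   for ch in name)


def expected_exports(smali: str) -> dict:
    """Map each libX.so loaded by the class to the Java_<class>_<method> symbols
    that its native methods must resolve to (overloads would add a __<sig> suffix)."""
    cls = CLASS_RE.search(smali).group(1)
    libs = ['lib%s.so' % lib for lib in LOAD_RE.findall(smali)]
    syms = ['Java_%s_%s' % (jni_mangle(cls), jni_mangle(m)) for m in NATIVE_RE.findall(smali)]
    return {lib: syms for lib in libs}


if __name__ == '__main__':
    print(expected_exports(SMALI))
```

The symbol names are what to search for in the exports of lib/<abi>/libMyLibrary.so once the apk has been unpacked.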
Part III
Fake Code4HK Analysis
Basic Android App Information
android:versionCode="1"
android:versionName="3.2.1"
package="com.v1"
android:minSdkVersion="3"
android:targetSdkVersion="17"
App MD5 Hashes
code4hk.apk: 15E5143E1C843B4836D7B6D5424FB4A5
qq.xml: B9484AE3403C974DB0F721B01BD6C302
Digital Certificate
Type: X.509
Version: 1
Serial Number: 0xc481b832c80b4239
Issuer: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
Validity: from = Mon Mar 10 13:51:27 ICT 2014, to = Thu Jul 25 13:51:27 ICT 2041
Subject: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
Required Permission
android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.ACCESS_MOCK_LOCATION (mock location sources for testing)
android.permission.PROCESS_OUTGOING_CALLS (intercept outgoing calls)
android.permission.ACCESS_COARSE_LOCATION (coarse (network-based) location)
android.permission.INTERNET (full Internet access)
android.permission.ACCESS_FINE_LOCATION (fine (GPS) location)
android.permission.INTERACT_ACROSS_USERS_FULL ()
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.WRITE_CALL_LOG (write (but not read) the user's contacts data.)
android.permission.GET_TASKS (retrieve running applications)
android.permission.READ_CALL_LOG (read the user's call log.)
com.android.browser.permission.READ_HISTORY_BOOKMARKS (read browser's history and bookmarks)
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.RECORD_AUDIO (record audio)
Required Permission
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.VIBRATE (control vibrator)
android.permission.PERMISSION_NAME (Unknown permission from android reference)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.MOUNT_UNMOUNT_FILESYSTEMS (mount and unmount file systems)
android.permission.READ_SMS (read SMS or MMS)
com.android.email.permission.ACCESS_PROVIDER (Unknown permission from android reference)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.MODIFY_AUDIO_SETTINGS (change your audio settings)
Infection flow
1.) Open “qq.xml” from the Assets directory.
2.) Create a new directory, “/sdcard/.qq/”
3.) Read the contents of “qq.xml” and write them to a new file, “/sdcard/.qq/temp.apk”
4.) Start StreamService (this will also run after reboot)
5.) Display the Update message
[Diagram: Code4hk.apk -> (2) Create /sdcard/.qq/ -> (3) Create /sdcard/.qq/temp.apk -> (4) Start StreamService]
qq.xml is a minor version of Code4HK which
was extracted, renamed to temp.apk and copied
to /sdcard/.qq/temp.apk on the first run.
This file will execute if victim clicks “Update” button
when the app first run.
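As an added example (not the speakers' code), a check for the dropper pattern just described: scan an APK's assets for files that are themselves APK containers, whatever their extension, and report their MD5 so it can be compared with known hashes such as the one listed for qq.xml. The sample APK, including a stand-in assets/qq.xml and a placeholder config.dat, is constructed inside the block.

```python
"""Added example: flag assets inside an APK that are themselves APKs (embedded droppers)."""
import hashlib
import io
import zipfile

# Members whose presence makes an inner zip look like an Android package
APK_MARKERS = {'AndroidManifest.xml', 'classes.dex'}


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return [(asset name, md5, markers found)] for every asset that is a zip
    container carrying AndroidManifest.xml or classes.dex, regardless of extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith('assets/'):
                continue
            data = outer.read(name)
            if data[:2] != b'PK':            # not a zip container at all
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    members = set(inner.namelist())
            except zipfile.BadZipFile:       # PK prefix but not a valid archive
                continue
            found = sorted(APK_MARKERS & members)
            if found:
                hits.append((name, hashlib.md5(data).hexdigest(), found))
    return hits


def build_sample_apk() -> bytes:
    """Construct a stand-in for code4hk.apk: an outer zip whose assets/qq.xml
    is itself an APK-shaped zip (constructed sample data, not the real malware)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as z:
        z.writestr('AndroidManifest.xml', b'<manifest package="com.v1"/>')
        z.writestr('classes.dex', b'dex\n035\0' + b'\0' * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w') as z:
        z.writestr('AndroidManifest.xml', b'<manifest package="com.v1"/>')
        z.writestr('classes.dex', b'dex\n035\0')
        z.writestr('assets/config.dat', b'placeholder C&C config, not a zip')
        z.writestr('assets/qq.xml', inner.getvalue())
    return outer.getvalue()


if __name__ == '__main__':
    for asset, md5, markers in find_embedded_apks(build_sample_apk()):
        print(asset, md5, markers)
```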
C&C Address
● Primary C&C (read from config.dat): IP 61.36.11.75, port 1430
● Backup C&C: IP 221.226.58.202, port 1430
Register Service as Startup
MainActivity
CnC commands
Record Phone Received
Get SMS List
Get Contact List
Get Call Logs
List Files and file size in Directory
Do Call a Phone Number
Call Shell Command
Download / Delete / Upload Files
Get Email List
Prevention and Mitigation
● Don't download and install applications from third-party Android stores or unknown sources.
● Look for the homepage, information and reviews of an application before you install it, to make sure it is legitimate and only asks for the permissions it needs.
● Use up-to-date antivirus software.
Conclusion
● The malware targets Hong Kong protesters.
● It includes many specific malware features, some of which are not implemented.
● Android users should carefully read the permissions requested while installing an app and compare them with the app's functionality. When in doubt, submit the apk to an Android sandbox or to reverse engineers for an application audit.
Q & A
?
