Joe Security's Blog
Deep Analysis of Android Ransom Charger
Published on: 27.01.2017
A couple of days ago, Checkpoint discovered
a nice new Android malware (MD5: 2b83bd1d97eb911e9d53765edb5ea79e), you can find
the full blog post here. While the find is interesting, their analysis
lacks depth, important details being left out. That’s why we thought giving
it a shot and analyze it with Joe Sandbox Mobile to share more technical details that will help us
better understand the malware's behavior. We will focus here on the technical aspect rather
than talk about the "Charger" app itself.
Our initial analysis shows that the sample was detected as bad with a strong chance to be related to ransomware:
From the signature overview we can see that the method names are obfuscated and often uses reflection:
What is Reflection?
Reflection is commonly used by programs which require the ability to examine or modify the runtime behavior of applications running in the Java virtual machine. This is a relatively advanced feature and should be used only by developers who have a strong grasp of the fundamentals of the language. With that caveat in mind, reflection is a powerful technique and can enable applications to perform operations which would otherwise be impossible.
To be more precise, with Reflection you can dynamically call Android methods (including APIs). Thus during static analysis it's not clear what method is being called, making static analysis very difficult:
However thanks to dynamic analysis the APIs are executed (we call this technique resolving reflective invocations) are becoming visible:
Looking at all the reflective invokes, we realize that there are many file system related APIs, like getDir, getAbsolutePath etc. Thus a look at the created file section is advisable:
As we can see, two files have been dropped, a dex file plus a jar file. Those files are part of the initial APK but are encrypted, the decryption will occur only during runtime. How are the files loaded? Dynamically loading dex files on Android requires access to the class loader:
Access to the class loader is often used for detection, therefore it is hidden again via Reflection.
Since the app loads new parts it is key to focus now on the newly loaded code:
Looking closer at the new code it reveals the following behavior:
Anti Analysis techniques and getting device admin status has become standard for malicious Android applications. This malware tries to get device administrator rights very intrusively. If you click "Cancel" it will just ask you again (endless).
Finally we also spot the following strings in the new code:
Is this really RANSOMWARE or just a scam? It is really ransomware and accesses your:
- Phone number
- All your stored SMS
- Location (GPS)
- Photos
- Emails
What is also interesting is that the app has "Camera permission" and contains code to take photos (check method onPictureTaken). So even if you do not have sensitive photos on your phone the app still makes one for you (silently):
Or even several photos:
Curious to find out more? Then check-out the full analysis report of Android Ransom Charger:
Dropped files (pw: infected):