Santa-APT: Android and Blackberry Malware Technical Analysis Part 2

CloudSEK is an artificial intelligence technology-based risk monitoring enterprise, which focuses on customized, intelligent security monitors.

CloudSEK’s SaaS-based products help clients assess their security in real time, from the perspective of an attacker, 24*7. Our monitors track our clients’ various Internet-facing resources for potential security risks. Instead of using traditional static threat detection engines and a manual verification process, our monitors use Artificial Intelligence to identify threats.

The blog is an analysis of some critical information CloudSEK acquired from our data partner.

At CloudSEK we monitor and attribute all potential threats that affect cloud services. In our previous blog we wrote about a group of attackers code-named Santa-APT that operated as a cyber-crime unit as well as an APT. This team also targeted cloud service vendors.

The Santa-APT team had multiple games and apps on the Play Store as well as on other Android markets. These games never requested all the permissions required for full data theft; the actual malware payloads came as updates. They had not only Android malware but BlackBerry versions too. In this blog we provide more technical details on their payloads.

Screenshot of Santa-APT mobile malware interface.

Part 1 attribution:

As mentioned before, the payloads come in the form of an update. Here we share the analysis of three different updates [2 for Android and 1 for BlackBerry] used by Santa-APT.

Android SMS stealers:

These updates steal SMS data; other updates perform the various other functions described in our previous article.

MD5 (remote.apk) = af543393e0d6da372cd781a928895c79

MD5 (IncomingSMSApp-1.apk) = 5bd71e7b465c1a8435ff0d4b093289e3

This update steals messages from the device and sends them to a CNC server. From the looks of it, this is just a test app that will later be integrated into the full-fledged malware.

Sending text message code:

It connects to the backend, which pushes XML. An XmlPullParser module parses the received XML, and the application executes the tasks it specifies.

Android Call, Camera and GPS collection:


App Name : Android Care

Launcher Display name: update

SHA512(aps.apk)= 92c2979398c7f89c19d2a7e038a4fbca2dce99fc1741382b27abefb46e5fd8ed5c887ff8ca5ec0b39c15f47955e62f3f29a9cd8a6dace3509ce2bcd4975de37c

Malware Class: droidFakePatch

sha256: 21ae32e66f80e8479264163eec340732c05c1f7d7d408c7d2ff623deaba4a920

This module collects call, GPS and camera data. It works mostly on triggers: for example, when the user is in a specific building it sends an SMS to the master number. Other triggers, such as talking while driving, are also computed. The admin site can configure which triggers are active; this configuration comes from the server in XML format and is parsed by the spyware app. We documented the controller interface that provides this functionality in our previous post.

When the user tries to uninstall it, the app shows an intimidating message like the one below, which makes the user think they are doing something wrong, so they do not uninstall.

This is achieved by tampering with the android:label attribute in the AndroidManifest.xml file.

From the phone dialer it is possible to check whether this spyware is running by dialing *#0006#; this must have been added for testing purposes.


There is an XML endpoint that supplies configuration data such as “set Master Number”. Alerts are sent to this number when a trigger fires. The following is the data it collects.





A module that steals pretty much everything.

Name: droidFakePatch

Type: Class file

Signatures:

sha256: 21ae32e66f80e8479264163eec340732c05c1f7d7d408c7d2ff623deaba4a920



The application disguises itself as an Android security patch. Once installed, it disappears from the Android launcher, which leads the user to believe that the patch has been applied. The app runs as a background service and provides no GUI or app icon for the user to interact with. It monitors calls, SMS, contacts, images and videos on the device and connects to a CNC server over the network. Reverse engineering shows the malware to be well structured and carefully planned.



The app requests permissions for almost all the data it intends to spy on. It also requests certain system-level permissions that are only granted on devices running an outdated version of Android, since the latest Android releases moved some of these permissions to signature level.

Permissions requested:

– make calls and reroute calls

– read and send SMS

– read bookmarks and history

– read/write to SD card

– full network access

– run at startup

– change system settings, prevent sleep, change audio settings etc.



Once the application has started, it removes itself from the launcher screen and starts the background activity. It achieves this by calling the API shown below.
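To turn the requested-permission list and the launcher-hiding behaviour described above into a static check, here is an added triage script (example code, not CloudSEK’s or the sample’s own). It parses a decoded AndroidManifest.xml such as apktool produces, reports which of the spyware permissions are requested, whether any activity is exposed through a MAIN/LAUNCHER filter, and which background services are declared; the sample manifest, the scoring and the threshold are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Permissions behind the capabilities listed above: calls/rerouting, SMS,
# browser history, SD card, network, boot persistence, settings, sleep, audio.
SPY_PERMISSIONS = {
    "android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.WRITE_SETTINGS",
    "android.permission.WAKE_LOCK", "android.permission.MODIFY_AUDIO_SETTINGS",
}

def launcher_entries(root):
    """Activities (or aliases) reachable from the launcher via MAIN + LAUNCHER."""
    found = []
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            for filt in act.iter("intent-filter"):
                actions = {a.get(NAME) for a in filt.iter("action")}
                cats = {c.get(NAME) for c in filt.iter("category")}
                if "android.intent.action.MAIN" in actions and \
                        "android.intent.category.LAUNCHER" in cats:
                    found.append(act.get(NAME))
    return found

def triage_manifest(xml_text, threshold=8):
    """Score a decoded manifest; the threshold is an assumption for this example."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    matched = sorted(requested & SPY_PERMISSIONS)
    launchers = launcher_entries(root)
    services = [s.get(NAME) for s in root.iter("service")]
    score = len(matched)
    # Boot persistence feeding a background service, and no launcher entry at
    # all, match the profile described above, so they weigh more than a count.
    if "android.permission.RECEIVE_BOOT_COMPLETED" in matched and services:
        score += 2
    if not launchers:
        score += 2
    return {"matched": matched, "launchers": launchers, "services": services,
            "score": score, "verdict": "suspicious" if score >= threshold else "review"}

# Constructed manifest carrying the traits described on the page; not the real one.
SAMPLE = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
    + "".join('<uses-permission android:name="%s"/>' % p
              for p in sorted(SPY_PERMISSIONS) + ["android.permission.VIBRATE"])
    + '<application android:label="Android Secure Patch"><activity android:name=".Main">'
    '<intent-filter><action android:name="android.intent.action.MAIN"/>'
    '<category android:name="android.intent.category.LAUNCHER"/></intent-filter>'
    '</activity><service android:name=".MainService"/></application></manifest>'
)
```

Run `triage_manifest(open("AndroidManifest.xml").read())` on an apktool-decoded manifest; a launcher entry that exists in the manifest but is disabled at runtime still shows up here, so the launcher list is a hint, not proof either way.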


Most of the application logic runs within the background service. The Controller class checks whether this is the first run by reading values from shared preferences and issues intents accordingly.



The onStart method of the MainService class also registers an intent filter for two events, android.intent.action.SCREEN_ON and android.intent.action.SCREEN_OFF, so the application is notified whenever the user turns the device screen on or off.


The app then reads the SIM IMSI number, logs SIM change events and updates its internal database. It also logs the user’s phone number, the state of the phone, etc., and registers observers for contacts, SMS, images and video as shown below. These observers notify the application through their onChange methods, which contain code to write the new entries to the internal database for later upload to the CNC.


The application can record camera, audio, video and calls, all of which it holds permissions for. The data is stored either on the SD card or within the app sandbox and later uploaded to the CNC. Uploads are done over plain HTTP, as XML over HTTP, and through an SFTP module.


Application Sandbox:

Most of the structured data, such as incoming and outgoing call lists, contacts, SMS and GPS information, is stored in the database and uploaded to the CNC when a network connection is available. No native binaries are used in the application. A shared preferences file maintains the state of the service that runs in the background.


BlackBerry Malware:

The group ran operations similar to the Android updates to steal BlackBerry users’ data.

Name: Update.jar

Type: Java archive

Signatures:

SHA512(Update.jar)= 0302bbf67937cffc8177511481165ab53d3cbdabfaf2cd2cdfda04633d18b5eedc49a066b593de4f822a301392817b2b047aef276ef8faee7172dc8a5d7f08e2
SHA512(Update.jar)= 73d7afeb0af7efe579ddcefa2823c5f05d4465a93df123e2c3a63fc817283b032c7ecd11e312c0ca8c90e843ebe372771032efcf6c88e1bc84a40cf3fd429449
SHA512(Update.jar)= e97fefb240845e2ddd234dcec13e59ef038229ea42f7bad878fc407f219ff54443b6682aea1dc58fc85d22c45cc3a97e2ec3fd294b06e1262c66fffed2acacd6

The BlackBerry version of the malware steals the following information.

  1. Emails
  2. Media files
  3. Contacts
  4. MMS data
  5. Calendar
  6. Audio recording
  7. SMS
  8. GPS location
  9. Installed applications



The collected data is uploaded to and visualised on the same controller used by the Android malware. The BlackBerry malware uses BlackBerry APIs. Its code flow and feature set are identical to those of the Android malware. A more detailed analysis will be added in our next blog if required.




The group has full-fledged malware capable of spying on users through almost every avenue possible. The Santa-APT team does not use any root or privilege-escalation exploits; it relies on the permissions the user granted and quietly skims data to the CNC server. Hardcoded server addresses and API endpoints are spread across the binary and the networking module, which uses both HTTP and SFTP to communicate with the CNC. Even though Santa-APT had OSX developers and OSX applications, we have not identified any OSX malware from this group.

The targets of this APT are diverse, ranging from government officials and high-profile individuals to engineers at technology companies. More attribution, victim information and artifacts about Santa-APT can be provided on request at [theoracle (-@-) ]

CloudSEK is thankful to Anto Joseph from garage4hackers for the android malware analysis.

Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps

by Rahul Sasi

CloudSEK monitors were researching the activities of an APT [Advanced Persistent Threat] that targets software companies globally. What is interesting is that this APT appears to conduct widespread intellectual-property theft for economic gain, targets individuals, and also gathers intelligence that would be useful to governments. Based on our analysis, the attackers have recently launched campaigns aimed at the Christmas season, with malware masquerading as Santa Claus and many similar Christmas apps.

Brief Overview:

CloudSEK was monitoring an underground hacking team that was selling desktop malware in various underground forums. The desktop malware is specifically designed to jump air-gapped systems, and, given the type of documents the attackers were seeking, it was collecting classified data from software companies and government organisations.

After successful installation the desktop malware calls back to its controllers, located in Germany. The main attraction of this Trojan is its capability to collect data from air-gapped systems. The Trojan gathers system and disk information and sends it to the controller. The malware collects two sets of data:

  1. Files
  2. Screenshots

One of the features was a USB module capable of collecting data from air-gapped systems [no Internet access]. This module copies important data from an infected system to a plugged-in USB device until that device reaches an infected machine that has Internet access. The malware was also copying the Trash folder from the infected system into a hidden volume on the connected USB device.

CloudSEK was able to obtain more information on the attackers’ infrastructure and to identify how exfiltrated data was laid out on the attackers’ servers. We observed that the collected data is stored on the controllers in folders marked by an infection ID. Each victim has an infection ID and a folder holding his/her data.


The controllers held almost 120 GB of data and are constantly collecting critical files from infected machines. The collected data is kept in its respective folders.



Even though there were folders for key-logging and voice recording, no code for these was found within the Trojan, nor any such data on the controllers. It is possible the Trojan is still under development.

Based on many artefacts collected from this malware and its controllers, as well as passive DNS queries, it is confirmed that a company based in South Asia is responsible for developing this malware. This company is referred to as Santa-APT from here on. On its website the company says it provides software development consultation as well as spy software to monitor employees. Based on the above, CloudSEK monitors were constantly tracking this hacking team, and our trackers found the following information.

  1. CloudSEK found that Santa-APT is recruiting mobile app developers.
  2. Many of the developers working for Santa-APT have a mobile application background [iPhone and Android].
  3. We identified Santa-APT mobile malware masquerading as games and utilities.
  4. Recently the attackers started pushing malware pretending to be Santa Claus games.
  5. We identified many malware controllers used by Santa-APT.
  6. One of the malware controllers managed by Santa-APT belongs to a mobile malware family.
  7. The mobile malware controller had nearly 8k infections.

Screenshot of the Android and  iOS Malware used by the team:


We were able to get more information about the controllers and how the collected data was monitored on them. Later in this blog we explain in detail the various operations performed by the mobile malware.

CloudSEK monitors were constantly tracking this hacking team and their infrastructure. While checking the contents of many applications owned by Santa-APT, we identified their mobile malware. After infection the mobile malware connected back to a C&C server over HTTP. This IP was in the same network range as the desktop malware and was hosted in Germany. The application is a mobile malware admin interface code-named “top gun”. There were almost 8k infected mobile users on that control panel.

CloudSEK was able to collect more data about the internal working of the mobile malware.

The controller had admin users as well as normal users:



Each infected user’s data could be viewed by logging in to the user panel with a username and password.

User Data Dashboard:


The mobile malware had the feature to upload the following data to the control panel.

  1. Contacts
  2. SMS
  3. Call Records
  4. Location Info
  5. Calendar
  6. Camera
  7. Cam Shots
  8. Video
  9. Environment Recordings
  10. Browser History
  11. Program Info
  12. Change Sim Card
  13. Device Status

That’s pretty much everything on the phone. And, like every other Android malware, the app needs the user to grant it permissions, and our Santa requests every permission possible.


It has a feature to upload the user’s location minute by minute.


Stolen SMS from infected Phones:


The attackers were able to play back recorded calls.

View/play call records:





Uploaded gallery contents (video/images) from infected phones:

Environment recordings:

An interesting feature of the controller was an option to alert the attacker when a victim leaves a particular region on the map or enters a pre-set region. This way an attacker could track whether a victim has reached or left the office: whenever the victim enters or leaves a pre-set location, the attacker gets an SMS notification. Triggers can also be set for calls and SMS from a pre-set individual.


Triggers can also be used to record the user’s surroundings and upload the recording to the server.



This Christmas, make sure you think about security before installing an app. Verify the permissions you are granting an application before accepting them. Ensure that an application has enough legitimate reviews. And last but not least, do not let someone else install applications on your official or personal devices.


About CloudSEK:

CloudSEK’s SaaS-based solutions monitor clients’ online assets from the perspective of an attacker, 24/7. CloudSEK monitors leverage modern machine learning technology to detect threats in real time and provide actionable intelligence.