While trying to uninstall, it shows an intimidating message like the one below, which makes the user think they are doing something wrong, so they do not uninstall it.
This is achieved by tampering with the android:label attribute in the AndroidManifest.xml file.
From the phone dialer, it is possible to check whether this spyware is running by dialling *#0006#; this must have been added for testing purposes.
There is an XML endpoint which fetches config data such as the "Master Number". Alerts are sent to this number when a trigger is activated. The following is the data it collects.
A module that steals pretty much everything.
Type: Class file
The application disguises itself as an Android security patch; once installed, it disappears from the Android launcher, which convinces the user that the patch has been applied. The app runs as a background service and provides no GUI or app icon for the user to interact with. It monitors calls, SMS, contacts, images and videos on the device and connects to a CNC server over the network. On reverse engineering the malware, it appears to be well structured and carefully planned.
The app requests permissions for almost all the data it needs to spy on. It also requests certain system-level permissions that are granted only if the device runs an outdated version of Android, since some permissions were recently moved to signature level in the latest Android releases.
– make calls and reroute calls
– read and send sms
– read Bookmark, history
– read/write to SDcard
– full network access
– run at startup
– change system settings, prevent sleep, change audio settings, etc.
Once the application has started, it removes itself from the launcher screen and starts the background activity. It achieves this by calling the API shown below.
Most of the application logic runs within the background service. The Controller class checks whether this is the first run by reading values from shared preferences and issues intents accordingly.
The onStart method of the MainService class also registers an intent filter for two events, android.intent.action.SCREEN_ON and android.intent.action.SCREEN_OFF, which lets the application know when the user turns the device screen on or off.
The app then checks the SIM IMSI number, logs SIM change events and updates its internal database. It also logs the user's phone number, the state of the phone, etc., and registers observers for contacts, SMS, images and video as shown below. These observers notify the application in their onChange methods, where code adds the new entries to the internal database for later upload to the CNC.
The application has capabilities for camera, audio, video and call recording, for which it holds permissions. The data is stored either on the SD card or within the sandbox and later uploaded to the CNC. Uploads are done over plain HTTP, as XML data over HTTP, and through an SFTP module.
Most of the structured data, such as incoming/outgoing call lists, contacts, SMS and GPS information, is stored in the database and uploaded to the CNC when a network connection is available. There are no native binaries in the application. A shared preferences file is used to maintain the state of the service that runs in the background.
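The behaviours described above (broad spying permissions, a boot-started background service, no launcher activity, and a sentence-like android:label used to scare the user out of uninstalling) can be triaged from a decoded AndroidManifest.xml. The script below is an added example, not code from the original analysis or from the malware; the manifest it inspects is constructed for illustration and the permission list and threshold are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

SPY_PERMISSIONS = {  # assumed set: permissions that together enable the spying described above
    "android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.WRITE_SETTINGS",
}

def triage_manifest(xml_text):
    """Return the indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    actions = {a.get(A + "name", "") for a in root.iter("action")}
    launcher = [c for c in root.findall("application/activity/intent-filter/category")
                if c.get(A + "name") == "android.intent.category.LAUNCHER"]
    label = app.get(A + "label", "") if app is not None else ""
    return {
        "spy_permissions": sorted(perms & SPY_PERMISSIONS),
        "no_launcher_activity": not launcher,          # no icon for the user to find
        "boot_receiver": "android.intent.action.BOOT_COMPLETED" in actions,
        "has_service": root.find("application/service") is not None,
        # A label that reads like a sentence is the trick that puts an
        # intimidating message into the uninstall dialog.
        "sentence_like_label": len(label.split()) >= 5,
    }

def is_suspicious(report, min_perms=6):
    """Flag the profile described above: many spy permissions, a boot-started service, no launcher entry."""
    return (len(report["spy_permissions"]) >= min_perms and report["boot_receiver"]
            and report["has_service"] and report["no_launcher_activity"])

# Constructed sample manifest (not a real Santa-APT artifact) that matches the profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.securepatch">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Do not remove this security patch or your phone will stop working">
    <service android:name=".MainService"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with a tool such as apktool; a benign app with a LAUNCHER activity and a short label will not trip `is_suspicious`.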
Blackberry Malware:
The group performed operations similar to the Android updates to steal Blackberry users' data.
Type: Java archive
The Blackberry version of the malware steals the following information.
- Media files
- MMS data
- Audio recording
- GPS location
- Installed applications
The collected data is uploaded to and visualised on the same controller used by the Android malware. The Blackberry malware uses Blackberry APIs. The code flow and feature set are identical to the Android malware. A more detailed analysis will be added in our next blog if required.
The group has full-fledged malware capable of spying on users in almost every way possible. The Santa-APT team doesn't use any root / privilege-escalation exploits, but makes use of the permissions the user granted and quietly skims data to the CNC server. Hardcoded server addresses and API endpoints are spread across the binary and the networking module, which uses both HTTP and SFTP to communicate with the CNC. Even though Santa-APT had OSX developers and OSX applications, we have not identified any OSX malware from this group.
The targets of this APT are diverse, ranging from government officials and high-profile individuals to engineers at technology companies. More attribution, victim information and artifacts about Santa-APT can be provided on request at [theoracle (-@-) cloudsek.com].
CloudSEK is thankful to Anto Joseph from garage4hackers for the android malware analysis.