Thursday, April 27, 2017

Old Banking Trojan uses new hiding technique



Android/Gugi, also detected as Android/Spy.Banker, is old news: it has been classified as Android banking malware since December 2015. Gugi steals the user's mobile banking credentials as well as credit card details.


Gugi now uses a new method of hiding itself from AV software: the banker is run inside the open-source VirtualApp framework, which the project describes as follows.

"VirtualApp allows you to create a Virtual Space; you can install and run an APK inside it. Beyond that, VirtualApp is also a Plugin Framework; the plugins running on VirtualApp do not require any constraints. VirtualApp does not require root; it runs in the local process."


Functionality


The malicious payload is stored encrypted in the app's assets. Once the app is launched, the payload is decrypted and then installed and executed inside a Virtual Space by the VirtualApp framework, so the banker never appears as a separately installed package on the device.

Figure 1 Install and launch Virtual app (Android/Gugi)

Installing and running an additional app inside a Virtual Space is simple and needs only a few calls (see the figure above).



To briefly sum up the capabilities of Android/Gugi:
  • send text messages
  • intercept received messages
  • make calls
  • steal contacts from device
  • steal SMS from device



I have decided not to analyze or go deeper into the Android/Gugi banker itself, because that has already been done: Banking Trojan, Gugi, evolves to bypass Android 6 protection and Gugi: from an SMS Trojan to a Mobile-Banking Trojan.
This Gugi sample is poorly obfuscated and easy to reverse; if you are interested, I have attached a link to the sample in the Details section ;).


Conclusion

The security-relevant point is that every permission granted to the VirtualApp host can be misused by a guest app executed inside its Virtual Space: the guest runs in the host's process and under the host's UID, so it inherits the host's permissions and is never listed as an installed package by the system. By its nature VirtualApp requests dozens of permissions, such as SYSTEM_ALERT_WINDOW, SEND_SMS, RECORD_AUDIO, RECEIVE_SMS, READ_CONTACTS, CALL_PHONE, READ_HISTORY_BOOKMARKS and WRITE_SMS.

VirtualApp is not a new framework; it has been available since 2015, but it is not widely used by Android malware. In October 2016 VirtualApp was misused by malware posing as a dual-instance app to steal Twitter credentials. A month ago, and probably the last time I heard of it, it was abused to spread adware through the Google Play Store. The question now is: can we expect more Android malware being installed and run inside a Virtual Space?
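As an added example (my own code, not part of the original post and not code from the VirtualApp project), the script below triages a decoded APK for the combination the conclusion warns about: VirtualApp components declared in the manifest, the dangerous permissions a host lends to its guests, and a large high-entropy asset that could be an encrypted guest APK. The manifest and the asset bytes are constructed inline so it runs offline; the VirtualApp package prefixes and the component names are assumptions drawn from the open-source project, and a repackaged or obfuscated build may rename them. On a real sample you would feed it the AndroidManifest.xml and assets/ directory produced by apktool.

```python
"""Triage a decoded APK for a VirtualApp-hosted payload (added example)."""
import math
import random
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Java package prefixes of the open-source VirtualApp framework (assumption:
# a repackaged or obfuscated build may rename these and evade this check).
VIRTUALAPP_MARKERS = ("com.lody.virtual", "io.virtualapp")

# Permissions a VirtualApp host lends to every guest app in its Virtual Space.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.SYSTEM_ALERT_WINDOW",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def uses_virtualapp(root) -> bool:
    """True if any manifest component is declared in a VirtualApp package."""
    return any(
        elem.get(ANDROID_NS + "name", "").startswith(VIRTUALAPP_MARKERS)
        for elem in root.iter()
    )


def declared_permissions(root) -> set:
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml: str, assets: dict, threshold: float = 7.5,
           min_size: int = 1024) -> dict:
    """Combine three signals: VirtualApp present, risky permissions declared,
    and a large high-entropy asset that could be an encrypted guest APK."""
    root = ET.fromstring(manifest_xml)
    has_va = uses_virtualapp(root)
    risky = sorted(declared_permissions(root) & RISKY_PERMISSIONS)
    encrypted = sorted(name for name, blob in assets.items()
                       if len(blob) >= min_size
                       and shannon_entropy(blob) >= threshold)
    return {"virtualapp": has_va, "risky_permissions": risky,
            "encrypted_assets": encrypted,
            "flag": has_va and bool(risky) and bool(encrypted)}


# Constructed manifest standing in for apktool's decoded AndroidManifest.xml.
# Package and component names are hypothetical; only the prefixes matter.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:name="io.virtualapp.VApp">
    <activity android:name="com.example.dropper.MainActivity"/>
    <provider android:name="com.lody.virtual.client.stub.StubContentProvider"
              android:authorities="com.example.dropper.virtual"/>
  </application>
</manifest>"""

# Same permissions but no VirtualApp components: an ordinary SMS app.
PLAIN_MANIFEST = DROPPER_MANIFEST.replace(
    "io.virtualapp.VApp", "com.example.dropper.App").replace(
    "com.lody.virtual.client.stub.StubContentProvider",
    "com.example.dropper.Provider")

# Constructed assets: 4 KiB of pseudo-random bytes mimics an encrypted payload,
# a repeated text string mimics a legitimate resource.
_rng = random.Random(1)
SAMPLE_ASSETS = {
    "payload.dat": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "license.txt": b"Copyright (c) 2017 example vendor. All rights reserved.\n" * 40,
}

if __name__ == "__main__":
    for label, manifest in (("dropper", DROPPER_MANIFEST), ("plain", PLAIN_MANIFEST)):
        print(label, triage(manifest, SAMPLE_ASSETS))
```

Entropy on its own is weak evidence (compressed images and zip archives score just as high), which is why the final flag requires all three signals together; the plain manifest declares the same SMS permissions but is not flagged because it carries no VirtualApp components.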


Details

VT: 16 / 58

Samples
 
C&C
hxxp://193.201.224.22:3000


