Monday, November 23, 2015

Android malware drops Banker from PNG file


Meanwhile, I found the same or a very similar version of this Trojan dropper and banker without obfuscation and protection by DexProtector. The dropping method and functionality are preserved. For those interested, I added hashes of the infected files at the bottom.

Nowadays malware tries to hide wherever possible to stay under the radar of anti-virus companies. Lately, I found a Trojan dropper carrying a malicious payload, Base64-encoded and embedded inside an image file. It’s nothing special these days but it is a very rare dropping technique. In most cases, malware authors are lazy enough to not even encrypt the payload file.


At the time of writing this blog post, this Trojan dropper is still available to download from the attacker's server (hxxp:// Based on VirusTotal, detection of this Trojan dropper is very poor.

Poor detection rate of Android/Banker

Figure 1 VirusTotal detection

This malicious application masquerades as Adobe Flash Player. Based on alternative names I found in the application resources, the malware name can differ in other versions, such as: Viber New, App4porno, CommBank, My Online Security, Viber or Whatsapp.

Implemented different application names

Figure 2 Possible Trojan dropper names

After launch, the Trojan immediately drops its payload and asks the user to install Adobe Flash Player. But first let’s take a look at the dropping technique.
In the app assets there is nothing to drop other than the image file.

Dropped malware hidden in assets as PNG file

Figure 3 Trojan dropper assets

There is only one image, a picture of dice, stored in assets, but its size is more than 3.6 MB and that’s a bit suspicious.
Inspecting the code showed that the application wasn’t dropping this PNG file itself. The Trojan dropper first opens the image file and searches for the delimiter string, in this case "12345678901234567890". Right after this delimiter, another application is stored, encoded with Base64.

Malicious code dropping and decoding mobile banking malware

Figure 4 Dropping embedded malware

Delimiter dividing PNG and encoded file

Figure 5 Binary view of PNG file
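
A defender-side check for the technique described above, as an added example that is not code from the original post or from the malware: it walks the PNG chunk list to the IEND chunk, reports any bytes appended after it, and tests whether they Base64-decode to a ZIP/APK header. The function names and the sample input are constructed for illustration; only the delimiter string comes from the post.

```python
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DELIMITER = b"12345678901234567890"   # delimiter string reported in the post

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length            # length field + type + body + CRC
        if ctype == b"IEND" and pos <= len(data):
            return pos
    raise ValueError("truncated PNG: no complete IEND chunk")

def inspect_asset(data: bytes) -> dict:
    """Report bytes appended after IEND and whether they decode to a ZIP/APK."""
    end = png_end_offset(data)
    trailer = data[end:]
    idx = trailer.find(DELIMITER)
    blob = trailer[idx + len(DELIMITER):] if idx != -1 else trailer
    # Decode only a short prefix: enough to read the ZIP local-header magic.
    head = b"".join(blob[:64].split())        # drop any line breaks
    head = head[:len(head) // 4 * 4]          # Base64 needs whole 4-char groups
    try:
        decoded = base64.b64decode(head, validate=True)
    except binascii.Error:
        decoded = b""
    return {"png_size": end, "trailer_size": len(trailer),
            "delimiter_found": idx != -1,
            "decodes_to_zip": decoded.startswith(b"PK\x03\x04")}

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample(with_trailer: bool) -> bytes:
    """Constructed test input: a 1x1 PNG, optionally with delimiter + Base64."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_SIG + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    if with_trailer:
        fake_zip = b"PK\x03\x04" + bytes(26)   # ZIP magic only, not a real APK
        png += DELIMITER + base64.b64encode(fake_zip)
    return png
```

A legitimate PNG asset has `trailer_size` equal to 0, so any non-zero trailer in an APK's assets is worth a closer look even when the delimiter differs.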

The decoded data is then stored on external storage as “prefix.apk”, and the user is asked to install it. The decoded application, prefix.apk, is a heavily obfuscated Android banker that steals user credentials.
After installation it asks the user to activate Administrator rights for the application. This is the simplest method of preventing uninstallation of this Trojan.

Android/Banker manual installation requires activation Device Administrator

Figure 6 Banker install and device administrator request

If the user tries to deactivate Administrator rights, he is repeatedly asked to activate them again. There are two ways to get rid of this nasty banker: either boot your device into safe mode, deactivate Administrator rights and uninstall it, or use Android Debug Bridge (adb) to uninstall it from your computer.
Both apps, the Trojan dropper and the dropped banker, are most probably obfuscated and protected by DexProtector. It’s very complicated to analyze them statically without any dynamic intervention.

Code obfuscated and protected by Dex Protector

Figure 7 Code obfuscation

The banker can steal user login credentials or credit card information with a phishing technique. When the user opens his mobile banking application or just the Google Play Store, a malicious activity is displayed on top of the official application. This way, the user can easily be fooled into entering sensitive information into the banker's pop-up window.

Scam activity of mobile banking malware - Credit card, Gmail, PayPal, CommBank, St.George Bank, Westpac

Figure 8 Bankers phishing windows

User credentials are immediately sent to a remote server.

Send login and password for Gmail to remote server

Figure 9 Send stolen credentials for Gmail app

Send login and password for Commbank to remote server

Figure 10 Send stolen credentials for CommBank app

Send login and password for PayPal to remote server

Figure 11 Send stolen credentials for PayPal app

This banker is very popular. Lately I tweeted about the same banker, but stored on a different server.  

More information

HASH dropper:     1F41BA0781D51751971EE705DFA307D2
HASH PNG:         575551FBC343EC8E1A1C771D81963096
HASH dropped:     90886B56372F5191A78A20DCB3F9FE6E
Remote server:

Samples not obfuscated by DexProtector:

HASH dropper:     E3CCAA1EF68CC472AB8983419BE15A49
HASH PNG:         6F394038D39F76F4475E1B98AD186A40
HASH PNG:         BEDC1B7A2ED127C5A7E5261F043CAFE4