[Mal Series #15] Android Stealer Cabassous

Most Android malware requests Android’s Accessibility Services (AAS) before it executes any malicious activity.

A good read regarding AAS -> HERE

App Source

https://twitter.com/ThreatFabric/status/1346807891152560131

Initial Phase, Gate to Open the AAS

Usually it can be found in the app’s “entry point”, since that is the gate for the malicious play 👹 👺

Action & Category to look for:

<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>

Android Manifest.xml

In the class MainActivity, the app pops up an alert dialog asking the user to enable AAS.

Request Accessibility Access

Meanwhile, the class IntentStarter requests more app permissions, such as the ones shown below, and sets things up for the SMS receiver/sender (e.g. replacing another SMS application, such as Signal, with the factory-default one (Messages) as the default SMS app).

Action Involved

android.provider.Telephony.ACTION_CHANGE_DEFAULT

Request for App Permission

Constant Involved (ProgConfig.PERMISSIONS)

android.permission.READ_CONTACTS
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
android.permission.READ_SMS
android.permission.READ_PHONE_STATE
android.permission.CALL_PHONE

Persistent Mechanism

With the required permission granted, the app is allowed to execute its payload at device boot time.

Permission Required

RECEIVE_BOOT_COMPLETED

Android’s Accessibility Services (AAS)

AAS needs a certain permission in order to work.

Permission Required

android.permission.BIND_ACCESSIBILITY_SERVICE

Android Manifest.xml

What does the AAS do in the malicious app?

Hide Application Icon

Hides the app from the user’s plain sight.

Generate Victim’s BotID via randomUUID()

Setting Up Language

Stores the language in SharedPreferences under the key ‘c’.

Available language options: be, ca, de, es, eu, gl, hy, kk, ky, mo, pl, ro, ru, tg, ua, uz

Default: en

Disable Play Protect

Open GPP programmatically -> check for the package com.google.android.gms || com.android.vending -> disable GPP

GMS == Google Mobile Services

Flow to disable GPP via AAS

Based on my understanding, here’s the flow:

Get toggle/switch_widget component -> Click on it (Show Alert) -> Click to Parent Screen (Choose Button for Cancel / “TurnOff”) -> Click “TurnOff”

New GPP: Switch_Toggle
Turn off Button

Enable Wake Lock

Ensures the app keeps running as usual even after the screen is locked.

Permission Required

android.permission.WAKE_LOCK
android.permission.FOREGROUND_SERVICE

Enable PARTIAL_WAKE_LOCK

Wake lock level: Ensures that the CPU is running; the screen and keyboard backlight will be allowed to go off.

If the user presses the power button, then the screen will be turned off but the CPU will be kept on until all partial wake locks have been released.

Disable Battery Optimization

Keeps the app running even when the battery is low.

Permission Required

android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Google Play will suspend an app if it detects that the app requests this permission.

Sos Code

The AAS service automatically disables it by first checking the battery-optimization status for the app’s own package name and then passing the <action> via an intent. Screenshot below for better reference 😉:

References <action> & <package>

Prevent Manually Uninstall by Victim

Conditions that trigger it:

1. The required permissions have not been granted yet + “permission check” & app_name are found in the given node.

2. getRootInActiveWindow() finds the component “accessibility_service_description” (may vary).

3. The root window’s app_name equals the string value pointed to by one of:

com.android.settings:id/entity_header_title
com.android.settings:id/app_detail_title
com.android.settings:id/app_name
android:id/title

4. The value of accessibility_service_description is found in com.android.settings, based on accessibilityEvent.getPackageName().

5. The Google Play app-scan window is opened. The Spanish strings “Activar análisis de Play Protect” (Enable Play Protect scanning) and “Ajustes de Play Protect” (Play Protect settings) are detected in the getRootInActiveWindow() node.

Web Injection

Gathers the installed apps by collecting their package names -> injects into the interesting apps based on the C2 response.

Permission Required (App Enumeration)

android.permission.QUERY_ALL_PACKAGES

Gather the apps installed on the device by package

Inject with JS & HTML

Code Snippet for Web Injection

Overlay Attack

Create a custom window view:

requestWindowFeature(1); // 0x1 == FEATURE_NO_TITLE

Some Validation for Name, Card Number, ExpMonth, ExpYear & CVV

Validation Code Snippet

There is also a general validation for the credit card number: the Luhn check.

Luhn Check

Sending Data to C2

Permission Required

android.permission.INTERNET

DGA for C2

Loops 2000 times looking for an available C2 connection.

C2 domains are made up of 15 lowercase letters plus a .ru, .com or .cn TLD, i.e. [a-z]{15}\.(ru|com|cn)

DGA code snippet
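As an added defender-side example (not code from the post or from the sample), the following flags hosts in DNS logs that issue bursts of query names matching the DGA shape described above; the log format, the sample lines and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Shape of the DGA domains described in the write-up: 15 lowercase letters + .ru/.com/.cn
CABASSOUS_DGA_RE = re.compile(r"^[a-z]{15}\.(?:ru|com|cn)$")

# Constructed sample DNS log (source_ip<TAB>query_name<TAB>rcode); not real traffic.
SAMPLE_DNS_LOG = """\
10.0.0.5\twww.example.com\tNOERROR
10.0.0.7\tqwertyuiopasdfg.ru\tNXDOMAIN
10.0.0.7\tzxcvbnmasdfghjk.com\tNXDOMAIN
10.0.0.7\tplokijuhygtfrde.cn\tNXDOMAIN
10.0.0.7\tmail.example.org\tNOERROR
10.0.0.9\tabcdefghijklmno.net\tNXDOMAIN
10.0.0.9\tshortname.ru\tNXDOMAIN
"""


def matches_dga_pattern(name: str) -> bool:
    """True if a single query name has the 15-letter + ru/com/cn shape."""
    return CABASSOUS_DGA_RE.match(name.strip().lower().rstrip(".")) is not None


def parse_dns_log(text: str):
    """Yield (source_ip, query_name, rcode) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def count_dga_queries(text: str) -> dict:
    """Number of DGA-shaped queries per source host."""
    counts = defaultdict(int)
    for src, name, _rcode in parse_dns_log(text):
        if matches_dga_pattern(name):
            counts[src] += 1
    return dict(counts)


def flag_hosts(text: str, threshold: int = 3) -> list:
    """Hosts with at least `threshold` DGA-shaped queries (threshold is an assumption)."""
    return sorted(h for h, n in count_dga_queries(text).items() if n >= threshold)
```

A single 15-letter domain is not proof of anything; the per-host count is what matters, since the malware walks up to 2000 candidates and most of them will not resolve.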

SMS Send & Intercept

The TA can intercept important SMS messages, such as one-time passwords (OTP) used for financial/banking access.

Permission Required

android.permission.READ_CONTACTS
android.permission.WRITE_SMS
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.READ_PHONE_STATE
android.permission.CALL_PHONE
android.permission.SEND_RESPOND_VIA_MESSAGE

Code Snippet For Handling Sending/Handling Sent SMS
Code Snippet For Handling incoming SMS
Send Contact List to C2

Remove App

Permission Required

android.permission.REQUEST_DELETE_PACKAGES

Remove Package / Uninstall App
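As an added analyst-side example (not code from the post or from the sample), this static triage step parses an AndroidManifest.xml and reports which of the capabilities listed throughout this story (SMS, boot persistence, battery-optimization bypass, app enumeration, package removal, a bound accessibility service) a package declares; the manifest below is a constructed fragment modelled on the permissions in the post, not the sample’s real manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the write-up attributes to the sample, grouped by capability.
CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS", "android.permission.WRITE_SMS"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "ignore_battery_opt": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "app_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
    "uninstall_apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Constructed manifest fragment (assumed package name); not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Map declared permissions to capabilities and flag the stealer-like combination."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is the AAS hook the post describes.
    has_a11y = any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                   for s in root.iter("service"))
    caps = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    if has_a11y:
        caps.insert(0, "accessibility_service")
    # Heuristic (an assumption): accessibility + SMS + several more capabilities together.
    return {"package": root.get("package"), "capabilities": caps,
            "suspicious": has_a11y and "sms" in caps and len(caps) >= 4}
```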

Command Available

These commands are handled by the custom socket created by the TA.

UNINSTALL_APP
CARD_BLOCK
SMS_INT_TOGGLE
BLOCK
SOCKS
OPEN_URL
RUN_USSD
DISABLE_PLAY_PROTECT
RELOAD_INJECTS
SEND_SMS
GET_CONTACTS
RETRY_INJECT

There are still a few functionalities that weren’t covered in this story; feel free to check them out :D

Sha256

d9cf1d7392079b3c52e8e66a2293a0731a9db95aef801a542490f5ec79e88f6c
