KAD.JEMPUTAN_MAJELIS.apk
Analysis of the Android Package Kit (APK) widely used in a wedding e-invitation phishing scam campaign. This is a very delayed side project, so the information might be outdated.
As weird as it sounds, one day at a food court, I obtained this malware sample from a fruit seller. Throughout my free time, I analyzed the sample. FYI, this is my first time doing mobile malware analysis, so any feedback and comments (+/-) are welcome.
Look familiar? This is not the typical wedding e-invitation that you normally get from your uncles, aunts, cousins, friends or ex-girlfriend. Although it might look the same, this is not an actual wedding e-invitation.
Dynamic Analysis
The goal is for recipients to click install or download on the file KAD.JEMPUTAN_MAJELIS.apk. Once downloaded, users will be prompted with a Google Play Protect “Harmful app blocked” warning. For the sake of the analysis, I clicked “Install anyway”.
Once installed, the app asks users for permission to send and receive messages. So far, it looks normal, although the app name is not what you would expect an e-invitation app to have.
Then, the app requests your phone number and sends a notification asking users to wait for 24 hours (I don’t know for what) before crashing.
To better comprehend the behavior, I decompiled the app and sifted through the source code.
Static Analysis
The first few lines of the manifest contain information regarding the Android namespace, code and SDK version, etc. The following lines contain the system permissions that the application requires:
· android.permission.READ_SMS
· android.permission.RECEIVE_SMS
· android.permission.INTERNET
· android.permission.ACCESS_NETWORK_STATE
· android.permission.READ_PHONE_STATE
· android.permission.READ_CALL_LOG
· android.permission.SYSTEM_ALERT_WINDOW
· android.permission.WAKE_LOCK
· android.permission.RECEIVE_BOOT_COMPLETED
· android.permission.FOREGROUND_SERVICE
At this stage, it is obvious that there is something “phishy” about this application. For instance, why would an e-invitation app require control over our phone’s power state?
To simplify, the notable capabilities of the app include:
- SMS and Call Monitoring
- Phone and network state access
- Call log access
- Wake lock; it can keep the device awake
- Foreground Service; it can run a foreground service
- Job Scheduling
From AndroidManifest.xml, I found the class that I believe is the entry point of the application, IntroActivity. This class checks whether it is the first launch. On first launch it calls another class named MainActivity; otherwise it starts a method from MainActivity and displays a custom dialog. This class is also responsible for requesting permission to receive SMS, which could be used as a pathway to more scam messages.
The MainActivity class collects device information such as device brand, model and phone number (optional). The collected information is then exfiltrated using a class named SendIntro.
SendIntro is used to send the information collected using the MainActivity class to a Telegram bot in the background.
In this part of the SendIntro class, the URL of a Telegram bot is included. Some additional digging using Telegram API methods revealed the information of the bot.
This finding of the Telegram bot URL led me to search for other Telegram-related links because it seems like it might be their communication channel of choice. Yup, a URL pointing to a Telegram user is found in one part of the code.
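Added example, not the author's tooling or code from the sample: a helper that pulls Telegram Bot API URLs and t.me user links out of decompiled source so the endpoints can be recorded as indicators with the bot token redacted. The source lines, token and handle below are constructed placeholders.

```python
import re

# Telegram Bot API URLs carry the bot token ("<numeric id>:<secret>") right after "/bot",
# followed by the API method (e.g. sendMessage); user links look like https://t.me/<handle>.
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
USER_URL = re.compile(r"https?://t\.me/(?P<handle>[A-Za-z0-9_]{5,32})")

# Constructed stand-ins for decompiled Java lines; the token and handle are placeholders.
SAMPLE_SOURCE = [
    'String api = "https://api.telegram.org/bot0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage";',
    'String contact = "https://t.me/example_handler";',
    'String site = "https://example.invalid/";',
]


def extract_telegram_endpoints(lines):
    """Return bot endpoints (id, redacted token, method) and user handles found in source."""
    bots, handles = [], []
    for line in lines:
        for m in BOT_URL.finditer(line):
            # Keep only enough of the secret to correlate it with other samples.
            redacted = f"{m['bot_id']}:{m['secret'][:4]}...{m['secret'][-4:]}"
            bots.append((m["bot_id"], redacted, m["method"]))
        handles.extend(m["handle"] for m in USER_URL.finditer(line))
    return {"bots": bots, "handles": handles}
```

The API method name (sendMessage, sendDocument, etc.) tells you what kind of data the sample pushes to the bot, which is worth noting alongside the bot ID.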
Another notable class is SMSmonitor, which is defined as a receiver in the manifest and is invoked when an SMS message is received. It monitors incoming SMS messages and sends the message data to a server using a work request. This lets the threat actor remotely monitor and process SMS messages and likely intercept confidential SMS, such as those carrying a TAC number.
Besides SMSmonitor, a few other classes defined as receivers in the manifest are:
- CallMonitor
- keypadListener
- jobScheduler
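As an added example (not code from the post or from the sample), a small triage script over an AndroidManifest.xml that flags the risky permission set and the receiver actions described above. The manifest fragment is constructed to mirror the post; the package name is illustrative and the receiver actions are assumed, since the post names the classes but not their intent filters.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a wedding e-invitation has no plausible reason to hold (from the post's list).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Broadcast actions that, paired with those permissions, indicate interception or persistence.
SUSPICIOUS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception receiver",
    "android.intent.action.PHONE_STATE": "call monitoring receiver",
    "android.intent.action.BOOT_COMPLETED": "persistence across reboot",
}

# Constructed manifest fragment modelled on the post; not the sample's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.invitation">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SMSmonitor" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallMonitor" android:exported="true">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    # Collect declared permissions, then report the risky ones and any receiver wired to a suspicious action.
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = [f"risky permission: {p}" for p in sorted(perms & HIGH_RISK_PERMISSIONS)]
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        for action in receiver.iter("action"):
            label = SUSPICIOUS_ACTIONS.get(action.get(ANDROID_NS + "name"))
            if label:
                findings.append(f"receiver {name}: {label}")
    return findings
```

Run it against the manifest pulled from a decompiled APK (for example the output of apktool) to get a quick list of why the permission set does not fit the app's claimed purpose.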
Conclusion
In conclusion, the KAD.JEMPUTAN_MAJELIS.apk is a piece of malware disguised as a wedding e-invitation. Through both dynamic and static analysis, it was revealed that the app requests numerous permissions that are unnecessary for a legitimate e-invitation, such as access to SMS, call logs, and phone state. The app’s primary function appears to be collecting sensitive information and sending it to a Telegram bot, potentially enabling further malicious activities like intercepting confidential SMS messages.
Recommendation
- Verify the Source: Always verify the authenticity of any app or file before downloading and installing it, especially if it comes from an unexpected or unfamiliar source. Check the sender’s details and confirm with them directly if necessary.
- Use Security Tools: Ensure that your device has up-to-date security software and enable features like Google Play Protect. These tools can help detect and block potentially harmful apps before they can cause damage.
- Limit Permissions: Be cautious about the permissions you grant to apps. If an app requests access to sensitive information or functions that seem unnecessary for its purpose, it’s a red flag. Deny such permissions and uninstall the app if it seems suspicious.