0x1c3N

Reverse / Android / Malware


<- Home

27 August 2021

Anubis Android Malware Analysis

PDF version

Introduction

Anubis is one of the most well-known malware in the Android Malware family. It’s still popular for threat actors today, given its capabilities and the damage it has done to andorid users in the past. On the other hand, it offers many Malware Developers the opportunity to sample their abilities to create a new malware.

It is possible to find thousands of different Anubis samples produced to date on platforms such as Koodous and Abuse.ch. Basically, we can say that Anubis consist of 2 stages. Let’s take a look at these stages and what they do.

Two Stages Of Anubis

Threat actors, if they plan to present the Anubis through a legit application such as Google Play, they use the application we will call Dropper at this point. Dropper’s task is to download and install the real Anubis malware on the device from the moment it starts working. On the other hand, in scenarios where threat actors plan to spread Anubis through websites, fake campaigns or fake gifts, we can see that they share the Anubis application directly without using Dropper.

Droppers

As it seems, Droppers try to mislead their targets by imitating other popular legitimate apps on Google Play.

Dropper apps should attract as little attention and be silent as possible to evade Google Play security services. For this reason, Droppers’ abilities are very limited. It will be more than enough for threat actors to install Anubis on the target device in the safest way possible. So how can Dropper applications install Anubis on the device? Let’s take a look at this together.

REQUEST_INSTALL_PACKAGES, the first red lights that appear with the sunrise, our hero who first greeted us when we started our story.

With this permission Android applications can obtain the ability to install an external application on the device.

And thus, Anubis malware is successfully installed on the device. As we mentioned above, Droppers imitate legitimate apps on Google Play to hide themselves and gain trust. On the other hand, Anubis do nearly same things with Droppers. It uses the current pandemic process and the impact of this process on society in order to hide itself and gain trust. Application names such as Pandemic Support, COVID-19 Support, 2000 Turkish Lira Support, Pandemic Support Application and emblems of official ministries are widely used at this point.

anubis anubis2 anubis3

dropper dropper3

Checksums

App Name Her Aile’ye 2000 TL Pandemi Devlet Desteği
MD5 9e2ebf224ef23e5d01a88e6bd06d6ad0
SHA-1 defb1558ddc36fd10050f2cd65617dce7274dc01
SHA-256 a0eb4e0e7346422d18d3421d1f185fcb2b01ac3080ab3b3bc68d67aab1f4477d

Static Analysis

The first thing we need to look at in the static analysis section will of course be the permissions requested by the application in AndroidManifest.xml.

permission

Frankly, many mobile malwares are giving themselves away at this point, we can say that application permissions are just one of the cornerstones of this business. Likewise, Anubis gives us the chance to guess what it can do with so much power it wants, but in the following parts of our article, we will see that Anubis is actually a Malware that contains more than we think. If we need to give an example, we can make a few statements on RECEIVE_BOOT_COMPLETED among the permissions requested. Thanks to this reciever permission, android applications can run in the background while the device is starting up and ensure its continuity on the device, and in the scenario we see, we realize that this permission is also on the list of requests by Anubis.

One of the features we are used to seeing in many mobile malware is runtime class loading. When we continue to examine our AndroidManifest.xml file, it is possible to see that the classes that are not in the activity section are listed. From now on, it is certain that Anubis will do something to load the lost classes as it starts up.

lostclass

There are multiple ways to access our classes that will be loaded later, in our report we will refer to class loader function hooking and manual unpacking methods. For our static analysis, we will reach our classes that will be loaded later by hooking the dalvik.system.DexClassLoader function, but in the last section, we will aim to reach these classes with manual unpacking.

classloader

BINGO!!! Our dex file, which is wanted to be loaded using the DexClassLoader function, is right here, and the classes it contains are the lost classes that appear in the AndroidManifest.xml we mentioned above.

hlc

In fact, when we first open the hLc.json file, we realize that there are dozens of unnecessary enum classes added for obsfucation purposes, but eybisi’s jadx fork allows us to easily eliminate this problem with its Hide Enum Classes feature.

When we examine our loaded dex file and the classes in it, we are faced with many strings encrypted in the parrot.ski.frog.a class.

encryptedstrings

String Decryption

Looking at our encrypted strings, we see that they all go to the a(String str) function before being defined to any variable. When we examine this function and code flow, we are faced with a process that we are familiar with.

RC4+BASE64

encstr

With our decryptor function, our encrypted string is first divided into 2 parts, the first 12 characters of these parts are used as the decryption key and the remaining expression is used as chipertext.

2parts

After our string, which is divided into 2 parts, is converted to the appropriate format, it is sent to our RC4 function.

Anddd Here Is The Our RC4 Implementation Function

rc4

Anubis uses these ecrytped strings that we see in runtime by decrypting them. Come on now, let’s look at the contents using the script I wrote to decrypt all the strings here and when we look at the outputs, we can reach more detailed information about the capabilities of Anubis, each of our decrypted strings here are very important, but I marked a few of the first ones that caught my attention.

basepy basepy2 basepy3

When I examined the strings we decrypted, I realized that some of them were just defined and never used again. First, I thought that the variable that the string is connected to would be a decryption result. But I couldn’t find any function of this type, then I came across DexClassLoader in strings :D

dexloader

String str2 = this.a.du; // this.a.du = DexClassLoader

The sample we examined loads the module it received from the C&C Panel with the action=getModule&data= request in runtime using DexClassLoader and runs the class it loaded with com.example.modulebot.mod, which I encountered in strings. There are multiple unused strings inside, including those with the package names of applications such as Telegram, Whatsapp, Tencent, Ubercrab, Viber, Snapchat, Instagram, Twitter.

apppackages

Since C&C Panel is not active, I could not examine the module to be loaded in runtime, but there are many harmful activities that can be mentioned in the classes we have. To mention them in order;

2FAsteal

Anubis can steal 2FA code with using Accessibility events getText() function.

In addition, with Accessibility privileges, Anubis can also give itself any permission it wants.

giveperm

Here I would like to point out a few things about the performAction(16) function. Thanks to the accessibility permission, Android applications can click the buttons that appear on the screen.

perform actionname

After the application starts working, it makes the necessary preparations to convert the basic information about the device and critical information such as statBanks, statCard into Json format.

allcap

While examining AndroidManifest.xml file, we saw the permissions such as SEND_SMS, READ_SMS, RECEIVE_SMS in its content, but it seems that Anubis does not want to be content with them. It is thought that the purpose of Anubis, which wants to be the SMS application of the device, at this point is to delete the incoming messages in order not to leave any evidence behind.

smsapp

When Anubis first runs, it uses Shared Preferences to reuse the encrypted strings in its content.

mainn sharedbuilder

As can be seen above, certain information is kept in the key-value data format for later use.

shared2

With many functions and endless loops in Anubis content, it causes a workload on the device where it is constantly loaded. Since one of the results of this workload is high energy consumption, Anubis’ developers aimed to overcome this problem with the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission.

battery batteryintent batteryintent2

The application can reveal multiple amazing abilities with Accessibility permissions on the target device. For example, it can turn off Play Prottec to avoid being caught and prevent any attempt to delete itself from the device, again thanks to Accessibility.

Playpro2

In the code block we saw above, it can perform operations with 1 and 2 constants from the a() function and the performGlobalAction function. Well, if you were to ask what operation these 1 and 2 correspond to, here is the answer;

globalaction globalaction2 globalaction1

In addition, we need to mention that the developers of Anubis paid attention to important details such as the Build SDK version and implemented the escape function separately for lower SDK versions.

lowersdk evedonus

Anubis uses this code block against any deletion attempts of the user and returns the user directly to the main menu from where they are :D, it must be very annoying.

As an example, let’s examine the code block below

deleteaction

cE = com.android.vending:id/toolbar_item_play_protect_settings
cD = com.android.vending:id/play_protect_settings
cF = com.google.android.gms.security.settings.verifyappssettingsactivity

Thanks to its accessibility ability, Anubis can infer what the user is doing on the screen at that moment, and runs the a() function directly in any scenario that will harm it. As we can see in our example code block, if it detects any of the cE / cD / cF string constants, the escape function a() will run directly.

Dynamic Analysis

In our sample, we come across the application under the name of 2000 TL Pandemic State Support for Each Family and using the emblem of the Ministry of Health of the Republic of Turkey.

dynamic1

With Anubis running on the target system, we see that the first thing it wants from the user is Accessibility privileges. Because many simple but effective abilities (Clicking Buttos, Scorlling Pages, Reading Windows Context) that the malware basically possesses are hidden behind these powers. On the other hand, we see at the beginning of our analysis that Anubis also uses a way to hide its icon from the app launcher in order to make it difficult to remove it from the device when it starts running.

dynamic2 dynamic3 dynamic4 dynamic5

Let’s give all permissions and examine what Anubis sent to C&C. Since our C&C Panel is not active during the analysis process, Anubis cannot receive any response from the C&C Panel.

request

We talked about the JSON files created during the initialization phase in static analysis. Another detail I noticed during the static analysis was that Anubis encrypts the JSON files it prepares to send to the C&C Panel using Base64 and RC4. But I thought it would be more accurate to mention this part here. Let’s see what kind of code block Anubis uses for this process.

jsonencrypt

When I looked at the places where the RC4 implementation in the application is used, I noticed that it is used in an additional place, not just for hard-coded strings. Then I started to examine this structure.

json2

Do you think it is a coincidence that it is so close to JSON data :D ?

As we can see the function takes 2 Strings (str,str2). While str2 is used as encryption key, str has data in JSON format.

json4

Request Encryption RC4 Key = CRViysGgKzt6i

requestdecode

YAY !!!

Manual Unpacking

At the beginning of our report, we mentioned that the sample we examined loads a class in runtime. We hooked the DexClassLoader function to find this loaded class. But we can also do this manually. In this way, we will discover how packers, which are used extensively in the Android Malware world, do this job. First, let’s look at our AndroidManifest.xml file.

unpack

As we can see, all activities including MAIN are called under the parrot package, but we don’t have the parrot package in sight. How is this possible?

This packer, which is widely used among Android Malwares, loads all the lost classes by using the class under the application tag.

unpack2

Although it appears to be full of classes that we do not have, we actually have the first class that runs and takes on the unpacking task.

pigeon.theme.earth.IUhUkAkGfQxFbEwMiUtWuIuBrReSmPjPqEiWkAcJiSq

unpack3

The function 2 above the attachBaseContext(Context context) function is the unpack function used in this common packer :D

In addition, in this common packer type, the PPpYrMnQwArZqXpLlNsNj variable I marked in the image above contains the name of the file to be decrypted.

filename1 filename2 filename3 filename4

Name Of Encryted Dex = hLc.json ( filename.py )

filename5

RC4 is used when decrypting the class to be loaded in this packer type. So it’s time to find the RC4 key. When we go to the class with the liftnorth function, our goal is to find the RC4 implementation waiting for us. It would be a reasonable idea to call 256% for this, but it tried to hide this process with a variable that holds 256 in the sample we examined.

unpack4 unpack5

The integer array built before the for loop starts contains our decryption key.

unpack6 unpack7 unpacl8 unpack8 unpack9

RC4 KEY FOR LOADED CLASS = fCiUMm ( rc4.py )

unpack10

GG !!!

Conclusion

Anubis is a malware that is worth examining in every aspect and is really impressive, this application that harms tens of thousands of android users with thousands of samples around the world, is a source for future android malware. I hope you liked my post, thanks for reading. If you have any question, feel free to ask me on twitter 0x1c3N

References