Analysis Report on Malicious Apps Using Advanced Detection and Evasion Techniques
1. Overview
Malware developers are using increasingly diverse techniques to evade anti-virus (AV) products.
In the past, a single malicious app typically implemented all of its malicious behavior itself. Recently, however, apps have appeared that split their functionality into components downloaded later, or that ship encrypted files which are decrypted and loaded at runtime.
Many apps also set triggers so that the malicious code executes only when certain conditions are met, and otherwise remain idle.
The app discussed here is a case in point, combining several of the latest such techniques. At the time of discovery, most AV products did not detect it.
The app that performs the malicious behavior is heavily packed and obfuscated. It is designed so that the code path that generates the additional malicious payloads is not reached unless the user first performs a simple manual action.
The authors also replaced the system Package Installer normally used to install apps with a customized one, making it easier to install the malicious components and harder to detect them.
Together these points show that the app was developed with an advanced evasion strategy.
This document provides an overview of the packing and obfuscation techniques applied to the app, the malicious behavior processes, and analysis information on the DEX file that performs the malicious behaviors.
2. Analysis
2.1. Malicious File Decryption and Drop Flow
The app uses a multi-stage payload-dropping technique to hinder analysis and evade detection.
The actual theft of personal information is implemented in the final-stage Split APK, while the other major malicious behaviors are carried out in native code inside the ELF (.so) library.
Some of the dropped payloads download and execute coin-mining files. These payloads are installed through a custom package installer written to bypass the default Package Installer provided by the system.
2.2. Drop Reference File
The dropped file that performs the malicious behavior is stored in encrypted form in the assets folder, and most of the functions defined at the actual entry point (EP) are executed through native code.
Specifically, the native code of the parent APK is contained in the encrypted file at assets/818boyhzxe3twb63/cnhprgtf. The logic that decrypts it is defined in lib/arch*/libluxzulh.so.

Figure 1. Encrypted file in the assets folder
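The staging pattern described in 2.1 and 2.2 (an encrypted blob under a random-looking assets/ directory, with the decryption and most of the logic moved into a native library) can be triaged statically before any dynamic analysis. The following script is an added example, not code from the report: it opens an APK as a zip archive, flags assets whose Shannon entropy suggests encrypted data, lists native libraries, and compares DEX size to native-code size. The entropy threshold and the sample archive it builds (which only mimics the file layout from the report, with constructed contents) are assumptions.

```python
"""Static triage for the multi-stage dropper layout described above.
Added example; the threshold and sample archive are assumptions."""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Bits per byte above which a file is treated as encrypted/compressed.
# Plain DEX, XML and text usually score well below this (assumed cut-off).
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK (zip) in memory and return staging indicators."""
    findings = {
        "encrypted_assets": [],   # (path, entropy) for high-entropy assets
        "native_libs": [],        # every lib/<arch>/*.so
        "dex_bytes": 0,           # total size of classes*.dex
        "native_bytes": 0,        # total size of native libraries
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("assets/"):
                ent = shannon_entropy(zf.read(name))
                if ent >= ENTROPY_THRESHOLD:
                    findings["encrypted_assets"].append((name, round(ent, 2)))
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
                findings["native_bytes"] += info.file_size
            elif name.startswith("classes") and name.endswith(".dex"):
                findings["dex_bytes"] += info.file_size
    # Logic moved into native code shows up as native code dwarfing the DEX.
    findings["native_heavy"] = findings["native_bytes"] > findings["dex_bytes"]
    return findings


def _pseudo_random(length: int) -> bytes:
    """Deterministic high-entropy bytes (stand-in for an encrypted payload)."""
    out, block = b"", b"seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def build_sample_apk() -> bytes:
    """Constructed archive mimicking the report's file layout (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(1024))
        zf.writestr("assets/strings.txt", b"loading, please wait\n" * 50)
        zf.writestr("assets/818boyhzxe3twb63/cnhprgtf", _pseudo_random(4096))
        zf.writestr("lib/arm64-v8a/libluxzulh.so", b"\x7fELF" + bytes(8192))
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for path, ent in report["encrypted_assets"]:
        print(f"high-entropy asset: {path} ({ent} bits/byte)")
    print("native libraries:", report["native_libs"])
    print("native-heavy:", report["native_heavy"])
```

On a real APK, pass `open(path, "rb").read()` to `triage_apk`. A hit here is only a lead: the encrypted asset still has to be decrypted by reversing the routine in the flagged .so file, but the combination of a high-entropy asset, a native library and a tiny DEX is exactly the footprint the report describes.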
2.3. Execution Screen
To evade anti-virus (AV) detection, the malware does not perform any malicious behavior immediately upon execution. Instead, it prompts the user to type the word displayed on the screen.

Figure 2. Screen upon launching the app
If the entered word matches, a fake Google Play Store screen prompting the user to update the app is displayed.

Figure 3. Screen of the fake Play Store