Skip to content

Latest commit

 

History

History
127 lines (64 loc) · 6.54 KB

README.md

File metadata and controls

127 lines (64 loc) · 6.54 KB

DISCLAIMER: THIS REPOSITORY CONTAINS MALWARE - BE VERY CAREFUL ABOUT WHAT YOU DOWNLOAD AND RUN

The file ./malware_apk/lClCl-BANK.apk is a malicious data stealing APK masquerading as an ICICI Bank Application.

Do NOT download or run it on any real android device. Do NOT enter any true information into it.

Reverse Engineering an Android Scam Application

A few weeks ago, I recieved a message over WhatsApp from an unknown number telling me that my ICICI bank account would be blocked unless I update my PAN card details through an APK they provided.

The Scam Message

Now, this really threw me off, since Banks usually email you and ask you to log into their website to edit your details, or ask you to visit your nearest bank branch.

It looks like I've just been targeted for a phishing attack, where an attacker tricks me into entering personal information into a platform they control so they can use it to impersonate me.

Let's try to use this as an opportunity to learn about how Android Reverse Engineering works by taking apart the application.

Decompiling the App

The easiest thing to do right now would be to decompile the app using jadx-gui:

JadXGUI Display

Amusingly, we see that the file isn't even named ICICI-Bank.apk - the scammer's replaced the I with l since they look similar on sans-serif fonts.

We notice that the App is built with Kotlin, and also see that the scammer has named their application by smashing their fingers down on the keyboard. Clearly they don't want anything identifiable to be on the app.

Let's open up their source folder and see if we can decipher anything:

Opening The Application Source

We immediately see that they've obfuscated the names of their Classes. However, it still isn't too hard to decipher - they just seem to be inserting consecutive natural numbers after every character of the original name. Let's try undoing this. For example, the first class C1o2n3t4a5n6t7s8 becomes Constants - so this is probably where the app draws all constants from. Let's do this for all Class names:

Rename Sensibly

Of all these, Constants, MainActivity and SMSReciever seem like the most interesting candidates for determining who the developers of this app might be, which would be very useful for reporting purposes.

Let's see what we can find in Constants:

Constants

This is good! We see that the scammer has listed down URLs that are most likely under their control. Law enforcement might be able to use this to track down the scammers!

Let's visit the URL and see if we can glean any information from there:

They use InfinityFree

It looks like they use InfinityFree for their hosting. We can fire off an email to InfinityFree's abuse reporting address to inform them of this obvious breach of their Terms and Conditions.

Let's do a WHOIS lookup to see who registered the domain xyzon.in:

Raw WHOIS Data

It seems the Domain Name wasn't registered by an individual, but by the registrar ownregistrar.com. Their contact information has been provided, so it may be worth reporting this to them as well.

Okay, back to the decompilation. Looking at MainActivity, we see another great lead:

MainActivity

We see that the Application sends an SMS to a phone number, presumably the phone number of the scammer.

Armed with this information, we can make a report on the government's cybercrime reporting portal, which, for India, is at https://cybercrime.gov.in/.

Running the App and Analysing Requests Safely

But what exactly does this app do? It's obviously a bad idea to download and install this app on your own phone, but perhaps using an Android Emulator such as Genymotion will help. In fact, let's see if we can analyse the network requests it makes through Burpsuite.

Let's fire up Genymotion and open a vanilla Google Pixel VM:

Genymotion Menu

We can follow the Genymotion's instructions here to install Burpsuite's certificates as a trusted system CA.

We can then drag and drop the scam app into Genymotion and then install it and run it:

ScamAppLogin

So it is an attempt at impersonating a bank to obtain information.

Let's key in some obviously false information to see what happens:

Test Info Enter

On burpsuite, we see that the /add.php scammer's server is sent a request with our information!

Burpsuite Sees Info Sent

We go back to the emulator to see that now the app asks us for all our credit/debit card information!

Asks For Card Info

We key in random stuff and look at burpsuite:

Card Info on Burpsuite

It seems to be sending all of this info to the aptly named /greed.php endpoint on the scammer's server.

Back on the emulator, we see that the app now asks us for our account number.

Keying in something random, we then look at burpsuite:

Burp User Account

We find that it's sent our account number to the /atmac.php endpoint.

Back on the emulator, we find that the app is now asking us for our username and password - a textbook phishing example.

Asks Username and Password

On burpsuite, we find that it has sent this information to the /atm.php endpoint:

AccInfoOnBurpsuite

This seems to be the input recieved by the app. After this, the app shows this "Important Note", desparately pleading with the user to only use this app, and not the official bank app from the Play Store.

FinalPageInEmulator

On exiting from the app, and trying to re-enter it, we find that it takes us to the Application Management page for the app.

Application Management Page

Outcomes

Armed with all this information, we're in a much better position to inform law enforcement authorities of the scammer.

We also learned quite a bit about reverse engineering an Android Application and monitoring it's network traffic by running it on an emulator and hooking it up to burpsuite, which are highly useful skills when testing and analysing Android Applications.