During a recent threat hunt, Cyble Research Labs identified a malware sample from MalwareBazaar. The app poses as a “FlashPlayer” to deceive users and targets the global user community.
Our investigation reveals that the malicious app shares code and encrypted strings with the UBEL Android botnet, a descendant of the OSCORP malware. OSCORP was developed to attack global banking organizations. When the OSCORP malware is successfully installed on a victim’s device, the Threat Actor (TA) connects to the device remotely via the Web Real-Time Communication (WebRTC) protocol.
The UBEL Android botnet is a new variant of the OSCORP botnet that includes a few minor alterations in the code implementation and is advertised for sale on several cybercrime forums.
The malware internals of OSCORP has several features, the majority of which are obtained by abusing the Android Accessibility services, a well-known technique utilized by other malware families such as Anubis, Cerberus.
The “bot id” string format, which consists of an initial “RZ-” substring followed by random alphanumeric characters, exposes the link between OSCORP and UBEL.
The application has various functionalities such as:
- Keylogger – Capture keystrokes
- Virtual Network Computing (VNC) – Control the bot screen (remote mouse and clicks)
- Send/Intercept/Delete SMS
- Call forwarding – Start/Stop forwarding calls
- Open link in browser – Open specific link in the browser
- Send SMS – Send SMs with specific text to the target number
- Unstructured Supplementary Service Data (USSD) – Execute a USSD request
- SMS interception – Intercept incoming SMS
- Installed Applications – Fetch Installed applications from the device
- Start Application – Launch the application
Technical Analysis
Cyble Research Labs’ detailed analysis establishes that the malware is a variant of UBEL. The malicious app has encrypted strings and patterns along with Command & Control (C2) paths like those present in the UBEL samples analyzed earlier.
APK Metadata Information
Figure 1 represents the metadata information of the application.
- App Name: FlashPlayer.apk
- Package Name: hrevxqea.hgistuqw
- SHA256 Hash: 486d6a713d8c907df70a919729ac685328ab91a8977c2e352165640c4bd4d507
- Delivery Method: Distributed via web download
- Delivery URL: hxxps://ttneiv[.]com/927515/nuevo_files/FlashPlayer.apk
Manifest Data
The malware requests multiple dangerous permissions. Table 1 shows this list of hazardous permissions.
| Permissions | Description |
| INTERNET | Allows applications to open network sockets |
| READ_PHONE_STATE | Read-only access to phone state |
| ACCESS_SUPERUSER | Declared by the Superuser app. Android 5.0 onward was deprecated |
| SEND_SMS | Allows an application to send SMS messages. |
| WRITE_SMS | Allows the app to write to SMS messages stored on your phone or SIM card |
| READ_SMS | Allows an application to read SMS messages. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| WRITE_EXTERNAL_STORAGE | Allows an application to read from external storage. |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialler |
| CAMERA | Required to be able to access the camera device. |
| RECORD_AUDIO | Allows an application to record audio. |
| INJECT_EVENTS | To Inject events into a separate process |
| REQUEST_DELETE_PACKAGES | Allows an application to request deleting packages |
| DISABLE_KEYGUARD | Allows applications to disable the keyguard if it is not secure. |
“hrevxqea.hgistuqw.MainActivity” is the main entry point of the app that loads initially.
The application also uses the permission SYSTEM_ALERT_WINDOW. This permission grants an app the ability to overlay on background apps. Very few apps use this permission; these windows are meant for system-level interaction with the user. During the installation phase, OSCORP utilizes this permission to prompt the user to accept the Accessibility permission.
The application additionally makes use of services like the BIND ACCESSIBILITY SERVICE. Accessibility services should only serve to help impaired Android users operate their devices and apps. They run in the background and detect when the system launches AccessibilityEvents. Such events indicate a change in the user interface’s state when the focus is shifted, or a button is pressed. Optionally, such a service can ask for the ability to query the content of the active window. On the other hand, the malicious app abuses this permission to monitor and retrieve data from the affected device.
It captures the victim’s device screen height and width and frequently used apps and dimensions by analyzing the launcher activity of the application that opens when clicking the app icon. To enable Overlay permissions, it also checks for the building manufacturer and package details.
Post enabling the overlay access, the method “a()” as highlighted in Figure 4 removes the application launcher icon from visibility to stay hidden within the victim’s device.
The application reads the incoming SMSs and collects the data from the SMS like originating address, and message body.
The malicious app also gains the device administrator access through enabled accessibility services by prompting the user to add a new device as administrator to the system.
The device administrator check is also performed in other classes like “hrevxqea.hgistuqw.Lukas” & “hrevxqea.hgistuqw.PJService” but doesn’t have any cross-references.
The app can send text messages using SMSManager API and delete SMS and contacts data, as shown in the below figure.
The application also uses accessibility services to protect itself from uninstallation and control other applications by checking for application packages, as shown in Figure 9.
The application has a code to query the list of installed packages from the infected devices and collects the installed app data and then stores it in shared preferences.
The application employs several approaches to slow down static analysis. For example:
- All strings are obfuscated using an open-source method, which is encrypted using AES and base64 encoding.
- On top of HTTP, the network connection to the C2 is encrypted using the AES algorithm and base64 encoding.
Encryption methods and techniques used in the app are listed below in Figure 12.
WebRTC – Web Real-Time Communication
WebRTC (Web Real-Time Communication) is a free and open-source project that enables real-time communication (RTC) between web browsers and mobile applications using application programming interfaces (APIs).
It enables audio and video communication within web pages by allowing the direct peer-to-peer connection, removing the requirement for plugins or native programs to be downloaded.
WebRTC technologies are implemented as an open web standard and are available in all major browsers as ordinary JavaScript APIs. In addition, a library is available for native clients, such as Android and iOS apps, that provides the same capabilities.
Using WebRTC and Android Accessibility Service the TA can take control of the whole device such as controlling the screen, interacting with App, etc.
Figure 13 depicts the code implementation of WebRTC, often used for remote VNC.
C2 Communication:
The collected data is sent to the Command-and-control server (C2) found in the class “o.Qh.a.” Upon decrypting the encrypted strings using the technique identified in Figure 12, the app developer has hidden the C2 host address in strings.xml file.
On decrypting the host address present within the app, the host communicates to various C2 paths using an if-else case verifying with the random strings.
Identified C2 Links:
- hxxps://leevinsbots[.]xyz
- hxxps://leevinsbots[.]xyz/api/trashcan/billboard/find
- hxxps://leevinsbots[.]xyz/api/trashcan/billboard/rhino
While analyzing the C2 interaction, we have also identified a list of bot commands used by the TA.
Below is the list of some of the bot commands:
| Bot Commands | Description |
| send_message | Send an SMS message |
| stock_injection | Save the injections (phishing HTML payload) provided by C2 in the Jedi / Injections.txt file |
| forward_call | Call forwarding through the code *21* + number + ## |
| run_application | Run an application |
| enab_sil | Mute the device (set to 0 the volume level of the device) |
| switch_sms | Change the default SMS application with Oscorp (through android.provider.Telephony.ACTION_CHANGE_DEFAULT) |
| remove_injection | Remove an injection |
| make_call | Perform a call to someone |
| dev_admin | Set itself as admin app |
| run_ussd | Allows itself to initiate a phone call without going through the Dialer user interface for the user to confirm the call |
| block | Save the apps to be blocked in Jedi / block.txt and start MyService |
| launch_url | Launch and URL |
| fetch_applications | Get the list of installed apps |
| delete_message | Remove an SMS |
| delete_application | Remove an application |
| batt_opt | Insert Oscorp app to a list of apps that ignore optimization battery |
| url_injection | Start the “ramp” class used to perform stream video of the screen and audio of the compromised device |
| screencap | Start to record the audio and video through the WebRTC and STUN protocols (the stun server are embedded in the code) |
Conclusion:
The bankbot/botnet malware family has always used a simple coding style and introduces new campaigns regularly. The difficulty with this variant’s malware is that the code’s modification is compared to the older versions to execute a complex attack.
Interestingly, using WebRTC to communicate with the hijacked Android phone in real-time eliminates the requirement to enroll a new device and take over an account to commit fraud.
The objective of the threat actor in employing this functionality is to avoid a ‘new device enrolment,’ thus dramatically minimizing the risk of being reported ‘as suspicious’.
Users should be wary of activating the required permissions even in apps distributed through well-known app portals like Google Play Store – since we have observed banking malware increasingly exploiting the Accessibility Service on Android devices.
Our Recommendations:
We have listed some essential cybersecurity best practices that create the first line of defense against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app portals such as Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions on the devices.
- If you find any suspicious applications on the device, uninstall, or delete them immediately.
- Keep your anti-virus software updated to detect and remove malicious software.
- Use strong passwords and enable two-factor authentication.
Adobe has stopped providing support to Flash Player beginning January 2021. We recommend users to uninstall Flash Player immediately to help secure their systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Collection/Credential Access | T1412 | Capture SMS Messages |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery/Collection | T1430 | Location Tracking |
| Discovery | T1426 | System Information Discovery |
| Collection | T1429 | Capture Audio |
| Collection | T1507 | Network Information Discovery |
| Network Effects | T1449 | Exploit SS7 to Redirect Phone Calls/SMS |
| Command and Control | T1571 | Non-Standard Port |
| Impact | T1448 | Carrier Billing Fraud |
Indicators Of Compromise (IOCs)
| Indicators | Indicator type | Description |
486d6a713d8c907df70a919729ac685328ab91a8977c2e352165640c4bd4d507 | SHA256 | Malicious APK |
| hxxps://ttneiv[.]com/927515/nuevo_files/FlashPlayer.apk | URL | Delivery URL |
| hxxps://leevinsbots[.]xyz/api/trashcan/billboard/find | URL | Communicating URL |
| hxxps://leevinsbots[.]xyz/api/trashcan/billboard/rhino | URL | Communicating URL |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
