The Donot Team APT organization (APT-C-35) is an Advanced Persistent Threat (APT) group that targets organizations having a government background. The threat group is known to carry out APT attacks against Pakistan, China, and countries in South Asia. The group mainly uses malicious programs developed in C++, python, .net, and other languages.
In addition to spreading malware via spear phishing emails with attachments containing either a vulnerability or a malicious macro, this group is particularly good at leveraging malicious Android APKs in their target attacks. These Android applications are often disguised as system tools and can be identified by scanning them through VirusTotal. In some cases, these applications may be disguised as fake apps, mobile games, and news apps. After installation, these apps perform the Trojan functions in the background. For instance, they may remotely control the victim’s system and steal confidential information from the targeted device.
In a recent tweet, a security researcher shared the digests leading to the app. Upon analysis of the digests, researchers at Cyble found all apps leading to the application package “com.update.gooqle”, a fake app disguised as a legitimate Google update application. For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application by picking one digest from among the links shared in the Tweet.
Figure 1: Information from Cyble threat intelligence platform
Sample digest used for our analysis: be6ceeea0ca5df85c1788ae30cf0b7e6093aa543e3963a44b24139856ef083dd
As shown in Fig.1, the name of the sample digest is visible as “com.update.gooqle”. It is important to note that the package name is spelled “gooqle” in an attempt to pass it off as ”Google”.
Below are the file hashes for the above digest:
Figure 2: Information on file hashes
As shown in the figure below, the scan result of the analyzed digest from VirusTotal reveals the application to be “A Variant of Android/Spy.Agent.AGY”, which falls under spyware, a type of malware.
Figure 3: VirusTotal scan result
On reviewing the static code of the digest, the malware is seen to support up to 20 remote control commands, including test operations. The remote-control commands include critical actions such as obtaining contact lists, text messages, call records, geographic locations, user files, and installed applications, etc. For these actions to be performed, the app requests the following sensitive permissions, as found in its manifest file.
Figure 4: Sensitive permissions requested by the app
In order to control the user’s mobile phone remotely, the malware obtains remote control command by reading a local database file.
Figure 5: Code used by app to get control instructions
Figure 6: Code used by app to get job details from the database
Below are the suspicious permissions, services, and receivers found from the above application:
Permissions:
- android.permission.READ_CALENDAR
- android.permission.PROCESS_OUTGOING_CALLS
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.INTERNET
- android.permission.ACCESS_FINE_LOCATION
- android.permission.SEND_SMS
- android.permission.READ_CALL_LOG
- com.android.browser.permission.READ_HISTORY_BOOKMARKS
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.RECORD_AUDIO
- android.permission.CALL_PHONE
- android.permission.READ_PHONE_STATE
- android.permission.READ_SMS
- android.permission.RECEIVE_SMS
- android.permission.READ_CONTACTS
Services:
- com.jgoogle.android.gservicekns.ten.ten
- com.jgoogle.android.gservicekns.nine.ninere
- com.evernote.android.job.v21.PlatformJobService
- com.evernote.android.job.v14.PlatformAlarmService
- com.evernote.android.job.v14.PlatformAlarmServiceExact
- com.evernote.android.job.gcm.PlatformGcmService
- com.evernote.android.job.Job RescheduleService
Receivers:
- com.jgoogle.android.gservicekns.onere
- com.jgoogle.android.gservicekns.four.fourre
- com.jgoogle.android.gservicekns.five.fivere
- com.jgoogle.android.gservicekns.twenty.twenty
- com.jgoogle.android.gservicekns.seven.PhonecallReceiver
- com.jgoogle.android.gservicekns.eight.eightre
- com.evernote.android.job.v14.PlatformAlarmReceiver
- Com.evernote.android.job.JobBootReceiver
Using the above permissions granted from users, the following data is fetched from the devices:
- The app installs an application shortcut on the screen and removes its application launcher icon to stay hidden.
Figure 7: Code used to create app shortcut on the screen
Figure 8: Code that checks packages and removes the application launcher
- Queries the device phone number and monitors outgoing and incoming phone calls
Figure 9: Code that monitors outgoing and incoming phone calls
- Creates SMS data from the protocol data unit (PDU) and monitors Incoming SMSes
Figure 10: Code that monitors incoming text message
- It also parses and Queries SMS data
Figure 11: Code that queries SMS data
- Looks for the list of installed applications
Figure 12: Gets the list of installed apps and stores it in text file
- The app gets the history of calls logs and call list from the user’s device
Figure 13: Code that fetches and stores contact list and call logs in text file
- Gets phone contact information and email messages from the victim device
Figure 14: Code that saves phone contacts and email messages in text file
- The app also accesses Android OS build fields to evade the malware analysis system
Figure 15: Code that gets Android build fields
- Along with all the above details, the app also fetches the phone location used for geo-tracking to get the last known location.
Figure 16: Code for location tracking
All the data collected from the device is saved in the “corresponding text” file. In case of the old variant of this malicious file, these files are saved in the local file, while in the case of the new variant, the files are saved in the corresponding .json file and upload to the C2 link.
Figure 17: Information fetched from the user machine stored in text files
Upon further inspection of the Android package, we found that it communicates with the domain http://www.geoip-db.com to grab the infected device’s geolocation information and external IP address. The URL https://www.geoip-db.com/json still works; however, the root of the domain is no longer operational and directs users to a new location: http://geolocation-db.com/.
Figure 18: Code that fetches the geolocation information
Safety Recommendations:
1. Use security software on smartphones.
2. It is recommended to download mobile applications only through reliable application markets and avoid downloading and installing through shared links.
3. Ensure the timely upgrading of the mobile phone operating system to reduce the possibility of attackers exploiting system vulnerabilities.
4. People concerned about the exposure of their stolen credentials in the darkweb can register at AmiBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques– for Mobile
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1418 T1406 | 1. Application discovery 2. Obfuscated files or information |
| Credential access | T1412 T1409 | 1. Capture SMSes 2. Access stored application data |
| Discovery | T1421 T1430 T1418 T1426 | 1. System network connections discovery 2. Location tracking 3. Application discovery 4. System information discovery |
| Collection | T1432 T1433 T1430 T1429 T1507 T1412 T1409 | 1. Access contact list 2. Access call log 3. Location tracking 4. Capture audio 5. Network information discovery 6. Capture SMSes 7. Access stored application data |
| Command and Control | T1573 T1071 | 1. Encrypted channel 2. Application layer protocol |
| Impact | T1448 | Carrier billing fraud |
Indicators of Compromise (IoCs):
| IOC | IOC Type |
| 288ea46d1e08fd9eca3369156b4430b1 | MD5 Hashes |
| be6ceeea0ca5df85c1788ae30cf0b7e6093aa543e3963a44b24139856ef083dd | SHA256 |
| android.accessibilityservice.AccessibilityService | Intent by Action |
| https://www.geoip-db.com/json | Interesting URL |
| 167.99.135.134 | IP address |
| /data/data/com.update.gooqle/files/accounts.txt | File path dropped |
| /data/data/com.update.gooqle/files/contacts.txt | File path dropped |
| /data/data/com.update.gooqle/files/CallLogs.txt | File path dropped |
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.