Android App capable of stealing sensitive credentials
While conducting our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter post wherein researchers mentioned a malware named “Adalet,” which has an icon/logo similar to the Turkish Ministry of Justice (TĂĽrkiye Cumhuriyeti Adalet Bakanlığı).
During our analysis of this malware, we observed that the package name of the malicious app was com.language.task. Further research revealed that this malware pretends to be the official app of the Turkish Ministry of Justice and primarily targets Turkish citizens.
Cyble Research Labs has identified several sophisticated features in this malicious app, such as keylogging, stealing data from Google Authenticator, Gmail, and TeamViewer, as well as recording microphone audio, sending SMSs, etc.
Technical Analysis
APK Metadata Information
- App Name: Adalet
- Package Name: com.language.task
- SHA256 Hash: 3aa982b5078d60217ba961a2d79e2930d9bbeb24f21e794eb5a96212bfca4e74
Figure 1 shows the metadata information of an application.
The figure below shows the application icon and name displayed on the Android device.
Manifest Description
The malware requests users for 40 different permissions, of which it abuses over 13. These dangerous permissions are listed below.
| Permissions | Description |
| READ_SMS | Access SMSs from the victim’s device. |
| RECEIVE_SMS | Intercept SMSs received on the victim’s device |
| READ_CONTACTS | Access phone contacts |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which has the potential to be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi. |
| ACCESS_FINE_LOCATION | Allows the device’s precise location to be detected by using the Global Positioning System (GPS). |
| SEND_SMS | Allows an application to send SMS messages. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| GET_ACCOUNTS | Allows the app to get the list of accounts used by the phone |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
Source Code Review
Our static analysis indicated that the malware steals sensitive data such as Google Authenticator data, Gmail credentials, recording microphone audio, sending SMSs, grabbing pattern lock, etc., from the infected device based on the commands received from the C&C server.
The malware uses the code snippet shown below to grab the device pattern lock using Accessibility overlay.
The malware uses the code shown in Figure 4 to grab Gmail credentials using Accessibility overlay.
The malware opens the TeamViewer application on the device and steals credentials using Accessibility overlays, as shown in Figure 5. It also disables security apps warning pop-ups from programs such as the Samsung KLMS agent.
The code snippet below depicts the malware’s ability to record audio based on commands from the TAs C&C server.
The malware tries to obtain all the necessary permissions without any user interaction, as shown below.
The malware steals Google Authenticator codes using Accessibility overlays based on commands sent from the TA’s C&C server, as shown below.
The malware can also push notifications to the device, as shown in Figure 9. Using this, the Threat Actors (TAs) can push any notifications into victims’ devices and perform several malicious activities. These include luring the victims to click on the notifications that redirect them to phishing pages or malicious websites.
Figure 10 demonstrates the malware’s ability to send text messages from the victim’s machine. The TA’s C&C server will provide the number and SMS content.
Figure 11 showcases the code that illustrates the malware’s ability to steal key logs.
The code in the below snippet depicts the malware’s tendency to forward the victim’s incoming calls to any number specified by the TA.
The malware also disables the device administrator and takes full control of the device, as shown below.
In both our static as well as dynamic analysis, we identified the TA’s C&C communication with the device. The malware uploads contact data to the server, as shown below.
We have listed the commands used by the TAs to control the infected device below:
| Command | Description |
| grabbing_lockpattern | Grabs Pattern Lock |
| run_record_audio | Records Audio |
| get_all_permission | Allow Permissions by self |
| access_notifications | Read Incoming Notification Contents |
| grabbing_google_authenticator2 | Steal Google Authenticator codes |
| notification | Push Notifications |
| grabbing_pass_gmail | Gets Gmail Password |
| remove_bot | Delete itself |
| send_sms | Sends SMS |
| call_forward | Forward Calls |
Conclusion
The volume of Cyberattacks on Government organizations is increasing every day; furthermore, these attacks are growing more sophisticated. This malware is one such example of an Android application that pretends to be the official app of the Turkish Ministry of Justice (Türkiye Cumhuriyeti Adalet Bakanlığı).
According to our research, these types of malicious apps and malware are only distributed via sources other than Google Play Store. As a result, practicing cyber-hygiene across mobile devices and online banking applications is a good way to prevent malware such as this from compromising your systems.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS about malicious apps and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1433 | Access Call Log |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contact List |
| Collection | T1429 | Capture Audio |
| Collection | T1512 | Capture Camera |
| Collection | T1533 | Data from Local System |
| Collection | T1430 | Location Tracking |
| Command and Control | T1436 | Commonly Used Por |
Indicators of Compromise (IOCs)Â Â
| Indicators | Indicator Type | Description |
| 3aa982b5078d60217ba961a2d79e2930d9bbeb24f21e794eb5a96212bfca4e74 | SHA256 | Adalet APK |
| 36d9a4956eb95d125e4e24a1cc40eb0147771f11 | SHA1 | Adalet APK |
| baea707ad27c85c922215ed947752151 | MD5 | Adalet APK |
| hxxp://sanatatolyesii[.]com | URL | C&C URL |
