These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

EXtOrtion Banking bOT – EXOBOT!

This blog intends to describe a few new techniques used by the latest versions of Exobot, an Android Banking Trojan. These new techniques have been introduced to complicate the process of reversing engineering and to evade detection by security products.

It is only natural that, with huge increase in the number of Android smartphones users and availability of mobile banking services, cybercriminals have focused on malware targeting banking apps and other apps that enable financial transactions to embezzle funds from victims’ accounts. Devices infected with such malware would subject the users to be victims of the following (non-exhaustive):

• Financial loss
• Loss of Personally Identifiable Information (PII)
• Loss of privacy

Typically, banking Trojans await instructions from remote Command-and-Control (C&C) servers, thus allowing the attacker(s) to potentially turn compromised devices into involuntary but blissful bots. Also, the bad guys tend to keep changing their distribution mechanisms and infection routines (without compromising the severity of intended damage) to evade detection by security products. Unsurprisingly, Android banking Trojans are no exceptions in these aspects.

Exobot is an Android banking Trojan like any other. As described in our previous blog it steals users’ banking credentials from infected devices to enable the attacker(s) to siphon off their funds.

But here’s how this piece of malware is different. Our analysis revealed some interesting implementation techniques employed in recent versions for detection evasion which we have depicted in the following picture:

In case you find the above picture to be not-so-self-explanatory, please read on for a more detailed explanation on the differences between the older (Exobot V1) and newer (Exobot V2) versions.

Technique 1:

Exobot V1’s AndroidManifest.xml file contains all broadcast receivers, permissions and other privileges registered to perform malicious activities. All its eggs in one basket.

Exobot V1 Permissions

Exobot V2, on the other hand, has its requirements spread out. Basic installation and device admin registration are requested in the primary component (earlier available on the Google Play Store, but thankfully not anymore), which then downloads a secondary bot component, the requirements of which are handled within its own AndroidManifest.xml.

Exobot V2 Permissions split between parent and dropped components

The secondary component, downloaded from the URL shown in the following picture, then tries to connect to different C&C servers to receive commands from remote attacker(s).

It is noteworthy that the primary component retries downloading the secondary component multiple times (up to 5 times in the variant we analyzed) at regular intervals in case of failures when connecting to the URL specified. If all attempts to connect to this URL fail, it then tries to connect to other C&C servers from a predefined list.
Technique 2:

Exobot V1 is very trusting. It starts its malicious activities without checking the configuration of the device on which it is running. Exobot V2 is more cautious. It deploys multiple verification mechanisms before behaving badly. Here are the most interesting of such checks it carries out before proceeding with its infection routine.

Checks if device is connected to debugger

n.df + n.fv + n.eF – android.os.Debug + n.eG + n.fu – isDebuggerConnected

Verifies if device configuration does not match any of the below criteria

  • Is the malware running within a test environment, say an emulator? Does any one of the below default values of an emulator match with the extracted values from the device?
    • Build.MODEL is “google_sdk or Emulator or Android SDK built for x86″
    • Build.MANUFACTURER is “Genymotion” (“GenyMotion” is an emulator frequently  used for QA or tests)
    • Build.PRODUCT is “google_sdk or sdk or sdk_x86 or vbox86p”
    • DeviceId is like “000000000000000” or “012345678912345” or “004999010640000″
    • VERSION.RELEASE is “0”
  • Is the compromised device connected to a test network?
    • SIM operator is “android” or “emergency calls only” or “fake carrier”
If any of the above match, execution stops

Checks and sets the malicious app as the default SMSPackage

The Android OS has the flexibility to programmatically set a user app as the default app to handle SMS. Exobot V2 leverages this option to be the first to access incoming SMS, as well as to suppress the messages from other installed apps by aborting the “SMS_Received” broadcast.
Verifies if “MAIN_VERSION_REQUIRED” is less than a specific threshold value to ensure that the bot can run on the device, i.e. on that particular version of Android OS

Where n.aT maps to “Bot is not able to run that command” and n.aU maps to “Command execution system error”.

Technique 3:

Exobot V2 also mimics an anti-reversing technique from its Windows-based counterparts. All the strings in the malware’s code are obfuscated, though with a very simple logic of inserting junk characters in between. For example:

a(“start”) may be converted to something like a(“s**EJz**t**EJz**a**EJz**r**EJz**t**EJz**”)

In the above example, “**EJz**” are the junk characters.

Our lab researchers regularly track Android banking Trojans, especially for their behavioral and technical differences, in order to ensure we are able to block the malware at the earliest with new and updated detection methodologies. K7 Mobile Security users are protected against both the older and newer versions of this malware.

Exobot V1 (example sample hash: b4064f4bca2ac0780a5e557b551a3755) is detected as “Spyware ( 004fdfc01 )”.

Exobot V2: The primary component (example sample hash: 6924d51242386e3c20c84f017f1838b9) is detected as “Trojan-Downloader ( 004f07451 )”, and the secondary component (example sample hash: f66e30974435e5ef092aeb7c9e5cad7a) is detected as “Trojan ( 005243d11 )”.

As always K7 Threat Control Lab makes the following recommendations:
  • Use a highly-reputable mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play store, as immediate & regular security actions are taken in emergency situations
  • Do not enable “Download from Unknown Sources”

Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Leave a Reply