Wednesday, September 7, 2016

Analyzing Gugi Android Banker



Today we are going to take a look at Gugi, an Android banker which was heavily spread in August. Although it was first released in 2015, this past month has seen by far the most activity. As Kaspersky Lab points out, this sample is distributed through SMS messages that lead to fraudulent pages from which the APK is downloaded. The downloaded APK is indeed a banker which, once installed, blocks use of the device if the requested permissions are not granted.

The first thing we see is that, when installed, it asks for overlay authorization (drawing over other apps) as well as device administrator rights. It will also ask for extra permissions at runtime:

    // Decompiled fragment: collect the runtime permissions not yet granted,
    // so they can be requested from the user in one go
    if (checkSelfPermission("android.permission.READ_PHONE_STATE") != 0) {
      ((ArrayList)localObject).add("android.permission.READ_PHONE_STATE");
    }
    if (checkSelfPermission("android.permission.READ_SMS") != 0) {
      ((ArrayList)localObject).add("android.permission.READ_SMS");
    }
    if (checkSelfPermission("android.permission.SEND_SMS") != 0) {
      ((ArrayList)localObject).add("android.permission.SEND_SMS");
    }

We can also see that it creates a database where received and sent SMS messages are stored, along with their content, type (SMS/MMS), phone numbers, date, and so on.

There is also a check for the presence of an app named “ru.sberbankmobile”. A quick search shows it is a Russian bank application, specifically that of www.sberbank.ru (this is the target bank).
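The two static signals described so far (the SMS/overlay/device-admin permission set and the check for the target bank's package) are exactly what an analyst wants to pull out of a decoded APK during triage. The following Python script is an added example, not the author's tooling or anything from the sample: it parses a decoded AndroidManifest.xml for declared permissions and device-admin receivers, scans decompiled Java for checkSelfPermission calls and hard-coded banking package names, and combines them into a simple score. The sample manifest and source below are constructed; only the permission names and the "ru.sberbankmobile" package come from the post, and the scoring weights are an assumption.

```python
"""Static triage of a decoded APK: flags the SMS/overlay/device-admin
permission set and the target-bank package check described above.
Added example, not the author's tooling; the manifest and the source
snippet below are constructed, except for the permission names and the
"ru.sberbankmobile" package, which come from the post."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together characterise SMS-stealing bankers (constructed list;
# SYSTEM_ALERT_WINDOW is the overlay permission)
SMS_BANKER_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
# Banking app packages whose presence the malware checks for (from the post)
TARGET_APP_PACKAGES = {"ru.sberbankmobile"}

RUNTIME_PERM_RE = re.compile(r'checkSelfPermission\("([\w.]+)"\)')
# Quoted dotted lowercase identifiers, i.e. candidate package names
PKG_STRING_RE = re.compile(r'"((?:[a-z][a-z0-9_]*\.)+[a-z][a-z0-9_]*)"')


def manifest_permissions(manifest_xml):
    """Names declared via <uses-permission> in AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def requests_device_admin(manifest_xml):
    """True if a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app registers as a device admin."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for el in root.iter("receiver"))


def scan_source(java_src):
    """Runtime permission requests and target-bank package strings in decompiled Java."""
    runtime = set(RUNTIME_PERM_RE.findall(java_src))
    targets = {p for p in PKG_STRING_RE.findall(java_src) if p in TARGET_APP_PACKAGES}
    return {"runtime_permissions": runtime, "target_apps": targets}


def triage(manifest_xml, java_src):
    """Combine manifest and source signals into a score and verdict (weights are constructed)."""
    src = scan_source(java_src)
    hits = (manifest_permissions(manifest_xml) | src["runtime_permissions"]) & SMS_BANKER_PERMS
    admin = requests_device_admin(manifest_xml)
    score = len(hits) + (2 if admin else 0) + 3 * len(src["target_apps"])
    return {
        "sms_banker_perms": sorted(hits),
        "device_admin": admin,
        "target_apps": sorted(src["target_apps"]),
        "score": score,
        "verdict": "likely banker" if score >= 5 else "review manually",
    }


# Constructed manifest modelled on the behaviour described in the post
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed source: the decompiled fragment from the post plus a package lookup
SAMPLE_SOURCE = """
if (checkSelfPermission("android.permission.READ_PHONE_STATE") != 0) {
  list.add("android.permission.READ_PHONE_STATE");
}
if (checkSelfPermission("android.permission.READ_SMS") != 0) {
  list.add("android.permission.READ_SMS");
}
if (checkSelfPermission("android.permission.SEND_SMS") != 0) {
  list.add("android.permission.SEND_SMS");
}
getPackageManager().getPackageInfo("ru.sberbankmobile", 0);
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

In practice the manifest comes from the apktool-decoded output and the source from a decompiler; the package-name regex is deliberately narrow (lowercase dotted identifiers) and is only meaningful when combined with a list of bank packages worth flagging, so keep that list current for the region you care about.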


We also have extra information on what it gathers:



In order to communicate with the remote host, it uses WebSockets. As we will see, it connects through port 3000 to tele2-rf. com; if we instead connect through port 80, we are served the C&C login page.




We can see the “Lime!” panel, whose name matches the banker’s package name; this is where all the victims’ data is stored.
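The C2 pattern above (a WebSocket upgrade to a non-standard port on a host that also serves the panel over plain HTTP) is something a proxy or network log can surface. The Python below is an added detection example, not code from the post: it runs a small classifier over constructed JSON-lines proxy records and raises alerts when the destination matches the indicators reported in the post (the host is written defanged there as "tele2-rf. com") or when a WebSocket handshake goes to a port other than 80/443. The log format, field names and severity levels are assumptions.

```python
"""Flag WebSocket C2 beaconing like the pattern described above over a few
constructed JSON-lines proxy log records. Added example; only the
indicators come from the post (host written there as "tele2-rf. com"),
the log format and severities are assumptions."""
import json

# Indicators reported in the post (hostname and the C2 IP from the update)
C2_INDICATORS = {"tele2-rf.com", "185.93.185.14"}
# Ports where a browser-initiated WebSocket upgrade is unremarkable
WEB_PORTS = {80, 443}

# Constructed proxy log: one JSON record per request
SAMPLE_LOG = [
    '{"ts":"2016-09-07T10:00:01Z","src":"10.0.0.23","dst":"tele2-rf.com","dport":3000,'
    '"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}',
    '{"ts":"2016-09-07T10:00:05Z","src":"10.0.0.23","dst":"tele2-rf.com","dport":80,'
    '"headers":{}}',
    '{"ts":"2016-09-07T10:01:00Z","src":"10.0.0.41","dst":"chat.example.org","dport":443,'
    '"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}',
    '{"ts":"2016-09-07T10:02:00Z","src":"10.0.0.50","dst":"185.93.185.14","dport":3000,'
    '"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}',
    '{"ts":"2016-09-07T10:03:00Z","src":"10.0.0.77","dst":"203.0.113.9","dport":8080,'
    '"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}',
]


def is_websocket_upgrade(headers):
    """RFC 6455 handshake: Upgrade: websocket together with Connection: Upgrade."""
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    return h.get("upgrade") == "websocket" and "upgrade" in h.get("connection", "")


def classify(event):
    """Return (severity, reasons) for one record; severity None means no alert."""
    reasons = []
    if event["dst"] in C2_INDICATORS:
        reasons.append("destination matches known C2 indicator")
    if is_websocket_upgrade(event.get("headers", {})) and event["dport"] not in WEB_PORTS:
        reasons.append("WebSocket upgrade on non-web port %d" % event["dport"])
    if len(reasons) == 2:
        return "high", reasons
    if reasons and reasons[0].startswith("destination"):
        return "medium", reasons   # any contact with the C2, e.g. browsing the port-80 panel
    if reasons:
        return "low", reasons      # unusual transport alone is only a hunting lead
    return None, reasons


def detect(lines):
    """Run classify() over JSON log lines and return the alerts in log order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        severity, reasons = classify(ev)
        if severity:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "dport": ev["dport"], "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["src"], "->", a["dst"], a["dport"],
              "; ".join(a["reasons"]))
```

The non-web-port rule on its own is noisy (legitimate services run WebSockets on 8080 and the like), which is why it is ranked low and the indicator match carries the weight; the point of keeping it is that the indicator list goes stale as soon as the operators move hosts, as the update to this post shows.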

In conclusion, this trojan mostly affects Russian customers, though it cannot be ruled out that future variants aimed at other banks will be spread.



UPDATE: a new, very heavily obfuscated variant has been seen using 185.93.185.14 as its C2.

Malicious url: https://www.virustotal.com/en/url/3cae9744b0313d5a5bc0ddc784e6a4809626be2fc149a0633dcf2786d0e86968/analysis/
Dropped file: https://www.virustotal.com/zh-tw/file/42be79893969815e1b4cf2206bcda1bb42043203730afb75304d351b7e698219/analysis/1473410137/
