The first thing we see is that, on installation, it asks for overlay authorization as well as device administrator rights. It also requests extra permissions at runtime:
// Decompiled runtime-permission check (cleaned up from the decompiler output):
// every permission not yet granted (checkSelfPermission() != PERMISSION_GRANTED, i.e. 0)
// is added to the list that the app will then request from the user.
ArrayList<String> missing = (ArrayList<String>) localObject;
if (checkSelfPermission("android.permission.READ_PHONE_STATE") != 0) {
    missing.add("android.permission.READ_PHONE_STATE");
}
if (checkSelfPermission("android.permission.READ_SMS") != 0) {
    missing.add("android.permission.READ_SMS");
}
if (checkSelfPermission("android.permission.SEND_SMS") != 0) {
    missing.add("android.permission.SEND_SMS");
}
We can also see that it creates a database in which received and sent SMS are stored, together with their content, type (MMS/SMS), numbers, date…
There is also a check for the presence of an app named “ru.sberbankmobile”. A quick search shows it is the application of a Russian bank, www.sberbank.ru: this is the target bank.
We also get further information on what it gathers:
To communicate with the remote host it uses websockets. As we can see, it connects to tele2-rf. com on port 3000; if we connect on port 80 instead, we get the C&C login page.
We can see the “Lime!” panel, which matches the banker’s package name, where all the victims’ data is stored.
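The indicators above (the runtime request for READ_SMS/SEND_SMS/READ_PHONE_STATE, the overlay and device-admin prompts, the check for “ru.sberbankmobile”, and the websocket endpoint on port 3000) can be turned into a static triage check. The script below is an added example written for this post, not code from the sample or from any analysis tool: it parses an apktool-style decoded AndroidManifest.xml and a list of strings pulled from the decompiled classes, and scores them against those indicators. The manifest and string list are constructed to imitate what the post describes (the C2 domain is assumed to be tele2-rf.com with the space removed), and the weights and the “likely banker” threshold are my own choice, not anything derived from the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators drawn from the analysis above; the weights are my own triage
# choice (assumption), not anything the malware itself exposes.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,  # the "overlay authorization" prompt
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
TARGET_PACKAGE = "ru.sberbankmobile"                          # bank app the sample looks for
C2_INDICATORS = ("tele2-rf.com", "185.93.185.14", ":3000")   # C2 host/IP/port named in the post

# Constructed, apktool-style decoded manifest imitating what the post
# describes; it is NOT the sample's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ru.drink.lime">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed stand-in for `strings` output over the decompiled classes.
SAMPLE_STRINGS = ["ru.sberbankmobile", "ws://tele2-rf.com:3000", "content://sms/inbox"]


def parse_manifest(xml_text):
    """Return package name, declared permissions and whether a device-admin receiver exists."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    device_admin = any(
        r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
        for r in root.iter("receiver")
    )
    return {"package": root.get("package"), "permissions": permissions, "device_admin": device_admin}


def score_sample(manifest_xml, strings):
    """Combine manifest and string indicators into a list of findings and a score."""
    info = parse_manifest(manifest_xml)
    findings, score = [], 0
    for perm, weight in SUSPICIOUS_PERMISSIONS.items():
        if perm in info["permissions"]:
            findings.append(f"permission {perm}")
            score += weight
    if info["device_admin"]:
        findings.append("device-admin receiver (resists uninstall)")
        score += 2
    # Reading and sending SMS together is the SMS-interception pattern seen in bankers.
    if {"android.permission.READ_SMS", "android.permission.SEND_SMS"} <= info["permissions"]:
        findings.append("READ_SMS + SEND_SMS combination")
        score += 2
    for s in strings:
        if TARGET_PACKAGE in s:
            findings.append(f"targets bank app {TARGET_PACKAGE}")
            score += 3
        elif any(ind in s for ind in C2_INDICATORS):
            findings.append(f"known C2 indicator in string: {s}")
            score += 2
    return {"package": info["package"], "findings": findings, "score": score}


def verdict(score):
    """Threshold is an assumption chosen for this example."""
    return "likely SMS-stealing banker" if score >= 8 else "inconclusive"


if __name__ == "__main__":
    result = score_sample(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    print(result["package"], verdict(result["score"]), result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

In practice the manifest comes from `apktool d sample.apk` (the binary AXML must be decoded first; this parser only handles the decoded text form) and the string list from the decompiled classes, so the same script can be run over the other Koodous hits for the package name to see which ones share the Sberbank check and the C2 indicators.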
In conclusion, this trojan mostly affects Russian customers, though it cannot be ruled out that future variants aimed at other banks will be spread.
Sample used: https://www.virustotal.com/gui/file/2fa165d1c7d92661063385302a651615fe54e1427e9f7d802880c2a088f5b9c2
More samples: https://koodous.com/apks?search=ru.drink.lime
UPDATE: A new (very heavily obfuscated) variant can be seen using 185.93.185.14 as its C2.
Malicious url: https://www.virustotal.com/en/url/3cae9744b0313d5a5bc0ddc784e6a4809626be2fc149a0633dcf2786d0e86968/analysis/
Dropped file: https://www.virustotal.com/zh-tw/file/42be79893969815e1b4cf2206bcda1bb42043203730afb75304d351b7e698219/analysis/1473410137/