The malware, dubbed MammothFraud from one of the logging strings МАМОНТИЗАЦИЯ! checks for the android.permission.CALL_PHONE permission and also that the SDK is greater than 26. If positive, it will attempt to introduce an USSD code to obtain the mobile phone number. For example, *111*0887# for the MTS RU provider. When the permissions are not granted by the user, it will prompt the user with a message to allow the requested permissions. In the list there are other telecom providers from Uzbekistan, Ukraine and Russia with USSD codes present.
A list of the permissions requested:
android.permission.CALL_PHONE
android.permission.READ_SMS
android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.POST_NOTIFICATIONS
In case there are active SIM cards in the device, the sample registers broadcast receivers for handling specific SMS-related events and for shutdown events. It also verifies whether the following applications are installed in the system:
com.idamob.tinkoff.android
ru.mw
ru.raiffeisennews
ru.belkacar.belkacar
com.carshering
ru.tsk.ftc.bender.qpay
ru.alfabank.mobile.android
ru.sberbankmobile
All the information is logged and sent to the following Telegram account: https://api.telegram.org/bot/bS243k2ivMi4lw2WHYEeXHEgPSQfr2/5ujbXer+5Cr+xmVU7Y7lwUTW94Rklavzu/getUpdates?offset=-1&timeout=60.
It has some available commands for sending SMS, send USSD requests, getting sent SMS, showing toasts or banning. If it receives the ban command, it will exit the application as seen on the screenshot. The screenshot also lists all the commands that can be received: sendsms|sendussd|getsms|ban|showtoast|getsentsms
The sample also downloads a raw file from pastebin and at the time of the visit it showed the following content:
If it fails to fetch the URL, it will wait until it is back online or the device has internet access.
Anti-detection measures
The sample shows a function that focuses on detecting whether the APK is running in an emulated environment or not. Before doing any more thorough checks it verifies that the sample isn’t running under QEMU by checking libc_malloc_debug_qemu.so:
If any of the following strings are found, it will return false:
google_sdk, emulator, Android SDK built for x86, Genymotion, unknown
Boards: QC_Reference_Phone
Brands: generic, Xiaomi
Product: google_sdk
There are also checks against Build.MANUFACTURER, Build.FINGERPRINT and Build.Product. If it detects the Google in Build.BRAND, it checks for specific fingerprints:
:userdebug/dev-keys
:user/release-keys
So far, I have noticed 4 samples contacting the same telegram bot. It is safe to say that all of them are likely to be from the same authors.
IOCs
https://www.virustotal.com/gui/file/1360f9cb1f0fa74b0430bdcf27a3cba0fdbffe986537bcc4eacd889220496954
https://www.virustotal.com/gui/file/34d5107a60102a54ee5c42b31e70551b16b020d0e7bcb550eddaa09467085e6b
https://www.virustotal.com/gui/file/d6f325bbd347eaaa8bbff4ca452c459397b83971e0e6cba6555094d891698ea2
https://www.virustotal.com/gui/file/e9b40c6a5333c0c76b242448cfdb8cda4dccd826947b37e15bd7fe5cee336d64
Pastebin URL: https://www.virustotal.com/gui/url/f41aa1f75355d2689feaadc7ebff2d39f9cf6d80c66df4a0230488a8c2490c25
