Stumbling Through an APK File

montysecurity
5 min read · Dec 6, 2023


In this post, I will showcase my process of learning how to analyze an APK file. The operative word there is “learning”: going into this I did not know the first thing about Android malware. By the end of it I had a basic understanding of how to enumerate the IOCs and capabilities of an Android app.

The Sample

I sourced this sample from the Malware Hunter Team on Twitter/X. Looking at its details in VirusTotal, there is a section for Interesting Strings.

Using this, I set out to find these IOCs in the binary and work from there.

Side Note: this IOC, 89.23.98[.]16, had a hostname of WIN-LIVFRVQFMKO at the time of analysis; this hostname is seen in various IR reports: https://www.shodan.io/host/89.23.98.16

Analysis

Starting out, I used apktool to decompress the file. (Reference: REMnux Documentation)

I searched the resulting files for one of the IOCs to start off my investigation.

find -type f | xargs grep --color=always '89\.23\.98\.16'

The first thing I notice is the “.smali” extension; some Googling suggests this is a decompiled representation of the code that will actually be executed.

Seeing the URLs, I wanted to build a one-liner to extract all of them from all of the files. Using the same combination of find and xargs grep, I came up with the following. (Please note that this regex does not grab the entire URL, just everything up to the first forward slash following the domain/IP.)

find -type f | xargs grep --color=always -E -o "http[s]*://\w[^\/]+" 2> /dev/null

Given that “schemas.android.com” is extremely common, I exclude it to get the URLs I actually care about.

find -type f | xargs grep --color=always -E -o "http[s]*://\w[^\/]+" 2> /dev/null | grep -v 'schemas\.android\.com'

Looking at the “SmsService$3.smali” file for those URLs shows what looks to be a setup for sending a POST request inside of a function call. (Really just a hunch, because it looks like “v13” is defined and then immediately called in “performPostCall”; also notice the reference to SmsService without the $3 in it.)

Assuming this is calling a function from another file, I search for it the same way as before.

find -type f | xargs grep --color=always -E -o performPostCall 2> /dev/null | sort -u
grep -A 25 performPostCall ./smali/com/WSCube/ControlPanel/SmsService.smali

Sure enough, it is setting up a POST request in a different file called “SmsService.smali”, which also has a function setting up a GET request.

find -type f | xargs grep --color=always -A 10 -B 20 '"GET"'

I was unable to confidently determine what data is supplied to the GET and POST requests, so I moved on to determining what data the app has access to. It should be noted, though, that visiting the domain seen earlier, api[.]ipify[.]org, returns your current public IP.

Looking around, I found a reference that calls out how Android permissions are defined and crafted a search to find them (Reference: Exploit DB PDF).

find -type f | xargs grep --color=always -E "android\.permission\.\w+" 2> /dev/null

Now we know the capabilities of the malware. (Reference: android.com)

  • Reading and Sending SMS — READ_SMS, SEND_SMS
  • Accessing Location Data (rough and precise) — ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION
  • Access the internet — INTERNET
  • “retrieve state dump information from system services” — DUMP
  • “Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls” — READ_PHONE_STATE
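As an added example, not from the post, the script below reads the permissions from the AndroidManifest.xml that apktool writes out, rather than grepping every file in the tree, so it lists only what the app actually declares in a uses-permission element and then compares that list against a small watchlist. The watchlist is my own assumed set, built from the permissions discussed above plus a few common ones; the manifest content is constructed for the demo (note the decoy label that a tree-wide grep would have counted as a permission).

```shell
#!/bin/bash
# Added example, not the post's own script: list the permissions an app
# declares in the decoded AndroidManifest.xml and flag watchlist hits.
# The manifest built by make_sample_manifest is constructed for the demo.

# Assumed watchlist (extended regex of permission names worth a second
# look in a suspected SMS stealer). Extend to taste.
SENSITIVE='READ_SMS|SEND_SMS|RECEIVE_SMS|ACCESS_(COARSE|FINE)_LOCATION|READ_PHONE_STATE|DUMP|READ_CONTACTS'

# declared_permissions DIR
#   Unique android.permission.* names taken only from <uses-permission>
#   entries in DIR/AndroidManifest.xml, i.e. what the app asks the OS for,
#   not every string anywhere in the tree that mentions a permission.
declared_permissions() {
    grep -oE 'uses-permission[^>]*android:name="android\.permission\.[A-Z_]+"' "$1/AndroidManifest.xml" \
        | grep -oE 'android\.permission\.[A-Z_]+' \
        | LC_ALL=C sort -u
}

# flag_sensitive DIR
#   The subset of declared permissions that match the watchlist.
flag_sensitive() {
    declared_permissions "$1" | grep -E "\.($SENSITIVE)$"
}

# make_sample_manifest
#   Writes a constructed manifest into a temp dir and prints the dir name.
#   INTERNET is declared twice (dedup check) and the <application> label
#   carries a decoy "android.permission." string that must NOT be counted.
make_sample_manifest() {
    tmp=$(mktemp -d)
    cat > "$tmp/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="android.permission.FAKE_LABEL"/>
</manifest>
EOF
    printf '%s\n' "$tmp"
}

# Demo on the constructed manifest; point the functions at a real
# apktool output directory instead.
demo=$(make_sample_manifest)
echo "[+] Declared permissions"; declared_permissions "$demo"
echo "[+] Watchlist hits";       flag_sensitive "$demo"
rm -rf "$demo"
```

Restricting the search to the manifest is the difference between "the app declares this permission" and "a string that looks like a permission name appears somewhere in the decoded files"; the first is what the OS actually enforces.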

Next, while manually reviewing some of the files, I stumbled across a function retrieving the device name.

This gave me the idea to see what other device info is accessed, which appears to be the brand, model, manufacturer, and fingerprint.

find -type f | xargs grep --color=always -E "Landroid/os/Build;->[^:]+" 2> /dev/null

Conclusion

This is meant to be an introductory post, from a beginner for beginners. Despite not definitively confirming what data is sent/received over the internet, I still consider this a success, as I was able to extract IOCs and determine capabilities.

To make this process repeatable, I made a small bash script. Just decompress the APK file and place this in the top folder of the resulting file structure.

#!/bin/bash

# Run from the top folder of the decoded APK. Each section greps every
# file in the tree; the script excludes itself ($0) so its own regexes
# do not show up as hits.

echo "[+] URLs"
find -type f | grep -v "$0" | xargs grep --color=always -E -o "http[s]*://\w[^\/]+" 2> /dev/null | grep -v 'schemas\.android\.com'
echo

echo "[+] IPs"
find -type f | grep -v "$0" | xargs grep --color=always -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' 2> /dev/null
echo

echo "[+] Android Permissions"
find -type f | grep -v "$0" | xargs grep --color=always -E "android\.permission\.\w+" 2> /dev/null
echo

echo "[+] Device Info Referenced"
find -type f | grep -v "$0" | xargs grep --color=always -E "Landroid/os/Build;->[^:]+" 2> /dev/null
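As an added example (not the post's script), here is a more careful version of the URL and IP extraction used in the one-liners earlier and in the script above: it captures whole URLs instead of stopping at the first slash, drops IPv4 hits with an octet above 255 (the script's regex happily matches 300.1.2.3), deduplicates, and defangs everything so it can be pasted into a report. The directory tree and file contents it builds are constructed for the demo, using documentation address space; point the functions at a real decoded APK directory instead.

```shell
#!/bin/bash
# Added example, not the post's own script: pull URLs and IPv4 addresses
# out of a decoded APK tree, validate the IPs, and print everything
# defanged. make_sample_tree builds a constructed tree for the demo.

# extract_urls DIR
#   Whole URLs (scheme through the closing quote or whitespace, not just
#   the host), minus the schemas.android.com namespace noise, deduplicated
#   and defanged (hxxp, [:], [.]).
extract_urls() {
    grep -rhoE 'https?://[^"[:space:]]+' "$1" 2>/dev/null \
        | grep -v 'schemas\.android\.com' \
        | LC_ALL=C sort -u \
        | sed -e 's/^http/hxxp/' -e 's/:\/\//[:]\/\//' -e 's/\./[.]/g'
}

# extract_ips DIR
#   Dotted quads whose four octets are all 0-255; 300.1.2.3 is dropped.
#   Version strings such as 1.2.3.4 still pass, so review the hits.
#   Output is defanged with [.].
extract_ips() {
    grep -rhoE '[0-9]{1,3}(\.[0-9]{1,3}){3}' "$1" 2>/dev/null \
        | LC_ALL=C sort -u \
        | while IFS=. read -r a b c d; do
            if [ "$a" -le 255 ] && [ "$b" -le 255 ] && [ "$c" -le 255 ] && [ "$d" -le 255 ]; then
                printf '%s[.]%s[.]%s[.]%s\n' "$a" "$b" "$c" "$d"
            fi
          done
}

# make_sample_tree
#   Constructed stand-in for an apktool output directory; prints its path.
#   One valid IP appears twice (dedup check), one has an octet of 300
#   (must be dropped), and a layout file carries the schemas.android.com
#   namespace URL (must be filtered out).
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/smali/com/example" "$tmp/res/layout"
    cat > "$tmp/smali/com/example/SmsService.smali" <<'EOF'
    const-string v0, "http://198.51.100.10/panel/gate.php"
    const-string v1, "https://api.ipify.org/"
    const-string v2, "300.1.2.3"
    const-string v3, "198.51.100.10"
EOF
    cat > "$tmp/res/layout/main.xml" <<'EOF'
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" />
EOF
    printf '%s\n' "$tmp"
}

# Demo on the constructed tree.
demo_dir=$(make_sample_tree)
echo "[+] URLs"; extract_urls "$demo_dir"
echo "[+] IPs";  extract_ips "$demo_dir"
rm -rf "$demo_dir"
```

Defanging at extraction time is a small habit that pays off: nothing copied out of the triage notes becomes an accidental click or a live lookup.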

