Checking a suspicious copy of APK that contains Metasploit framework backdoor

2020-06-04 16:41:11.062

Intro

A few weeks or months ago, some guy asked for help on the Discord server of r/androiddev (a subreddit that should be avoided due to moderator hostility at this time; go to /r/android_devs instead). He kept asking everyone to check out his app without explaining the actual problem, and he provided neither an explanation of the problem nor any source code. Usually, developers can only help others if they can see the actual code; doing it blindly is out of the question most of the time. Because of this odd behavior, I decided to download the app and decompile it with jadx.

The first thing I noticed were the permissions for managing SMS, the camera, call logs and other things, which makes you wonder whether the app is really legitimate. After digging for a while, I found a package called "frzwk" inside this app's package. The whole package was obfuscated and it wasn't easy to understand what the hell it does. However, given the person's deceptive behavior, it had to be malicious.

By the time I noticed this, someone had already submitted a copy to VirusTotal, with at least 18 engines reporting it as a trojan downloader from the Metasploit framework. After I warned others about it, he decided to ragequit.

Note

This article might not be fully accurate or complete. It's mostly improvised to explain whatever I managed to catch, as I'm not a security expert. Also, take note that some parts may contain a rant, as I sometimes can't stand the actions that are being taken.

Source

The original is actually a legitimate notepad application, available on the Play Store. However, check its features (at the time of this writing):

  • Notebook feature to write, collect and capture ideas as searchable notes, to-do checklists
  • Take quick call notes and share them easily
  • Backup and restore your notes anytime
  • Handy note search feature for the ones who take many notes
  • Real-time Caller ID: Always know who’s calling
  • Spam warning: Get warnings for millions of spam numbers worldwide

A notepad itself shouldn't have such features. Even though this is not the malicious copy, you should stay away from apps that provide features you don't actually need in such an application.

Backdoor

The Metasploit framework is a legitimate penetration testing framework, used for testing and improving security awareness in general. If I'm not wrong, the framework has an option to inject a backdoor into an APK file.

The backdoor lets the attacker gain access to devices where apps containing the actual backdoor are installed.

Permissions

These are the permissions in the malicious copy of the application:

<uses-permission android:name="android.permission.READ_SMS" />*
<uses-permission android:name="android.permission.CAMERA" />*
<uses-permission android:name="android.permission.WRITE_SETTINGS" />*
<uses-permission android:name="android.permission.WRITE_CALL_LOG" />*
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />*
<uses-permission android:name="android.permission.SEND_SMS" />*
<uses-permission android:name="android.permission.RECORD_AUDIO" />*
<uses-permission android:name="android.permission.WAKE_LOCK" />*
<uses-permission android:name="android.permission.SET_WALLPAPER" />*
<uses-permission android:name="android.permission.RECEIVE_SMS" />*
<uses-permission android:name="android.permission.RECORD_AUDIO" />*
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_CALL_LOG" />
<uses-permission android:name="android.permission.WRITE_CONTACTS" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission-sdk-23 android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY" />
<uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission-sdk-23 android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.BATTERY_STATS" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />

Note: Lines marked with asterisks exist only in a malicious copy of this app.

Recording audio could be used for audio notes.

There is also a so-called Caller ID feature, which doesn't match the actual purpose of this app.

Therefore, there is no reason to have so many of these permissions for a notepad.

Take note that this APK will not ask you for permissions at runtime, for the following reason:

<uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22" />

This application targets API 22, which is Android 5.1 Lollipop. To support runtime permissions, an application must target at least API 23, which is Android 6.0 Marshmallow. On newer Android versions the system uses compatibility mode and grants all declared permissions to the app when it's installed. The package manager and Google Play Store will warn you about the permissions before installation, though.
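As an added example (not code from the original post), the script below does the manifest comparison described above: it diffs the permission declarations of two decompiled AndroidManifest.xml files and reports whether the target SDK even allows runtime prompts. The two manifests are constructed, abbreviated stand-ins for the real ones; note that a permission already present as `<uses-permission-sdk-23>` still counts as added when the suspect copy declares it unconditionally.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace

# Constructed abbreviation of the legitimate build's manifest (not the real file).
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission-sdk-23 android:name="android.permission.SEND_SMS" />
</manifest>"""

# Constructed: the same manifest plus some of the asterisked lines from the listing.
SUSPECT_MANIFEST = ORIGINAL_MANIFEST.replace("</manifest>", """\
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>""")


def permissions(manifest_xml):
    """Set of (tag, name) pairs. The tag matters: <uses-permission-sdk-23> only
    applies on API 23+ devices, <uses-permission> is unconditional, so the plain
    SEND_SMS is a real change. Duplicates (RECORD_AUDIO) collapse."""
    root = ET.fromstring(manifest_xml)
    return {(el.tag, el.get(ANDROID + "name"))
            for tag in ("uses-permission", "uses-permission-sdk-23")
            for el in root.iter(tag)}


def added_permissions(original_xml, suspect_xml):
    """Declarations present only in the suspect build."""
    return permissions(suspect_xml) - permissions(original_xml)


def runtime_prompts(manifest_xml):
    """True only when targetSdkVersion >= 23; below that, Android grants every
    declared permission at install time and never asks the user at runtime."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    return target >= 23


if __name__ == "__main__":
    for tag, name in sorted(added_permissions(ORIGINAL_MANIFEST, SUSPECT_MANIFEST)):
        print(f"added <{tag}> {name}")
    print("runtime prompts:", runtime_prompts(SUSPECT_MANIFEST))
```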

Some permissions are required by libraries. In this case, the application contained the following libraries, or at least the ones I noticed:

Considering that a notepad should be used for reading and writing small pieces of text or notes, this is just a low-effort attempt at profiting.

Even if you don't have the actual backdoor, for fuck's sake, do you really want thousands of these things running the whole time while using every single app that contains these libraries? No wonder things run slowly when you bundle a bunch of bullshit.

Components

The backdoor contains at least 2 components:

<receiver android:label="Dtjya" android:name="com.ztnstudio.notepad.frzwk.Dtjya">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
    </intent-filter>
</receiver>
<service android:name="com.ztnstudio.notepad.frzwk.Gudrl" android:exported="true" />

The first component is a broadcast receiver that receives a broadcast when the Android system starts up.

The second component is a service that initializes the actual Metasploit backdoor. It is launched either through the broadcast receiver or during initialization when the app is launched.
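The two traits that make these components stand out, a receiver for BOOT_COMPLETED (persistence across reboots) and a service exported with no permission guarding it, can be flagged mechanically. The following is an added example, not code from the original post; the manifest fragment is constructed from the two components quoted above, plus a hypothetical non-exported `SyncService` for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace
BOOT = "android.intent.action.BOOT_COMPLETED"

# Constructed fragment: the two backdoor components from the post plus a
# hypothetical, properly non-exported service so the checker has a negative case.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ztnstudio.notepad">
  <application>
    <receiver android:label="Dtjya" android:name="com.ztnstudio.notepad.frzwk.Dtjya">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
    <service android:name="com.ztnstudio.notepad.frzwk.Gudrl" android:exported="true" />
    <service android:name="com.ztnstudio.notepad.sync.SyncService" android:exported="false" />
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise (pre-Android 12 default) a
    component with an <intent-filter> is exported and one without is not."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def component_findings(manifest_xml):
    """Return (component name, finding) pairs that deserve a closer look."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if BOOT in actions:
            findings.append((rcv.get(ANDROID + "name"), "runs at boot (persistence)"))
    for svc in root.iter("service"):
        if is_exported(svc) and svc.get(ANDROID + "permission") is None:
            findings.append((svc.get(ANDROID + "name"),
                             "exported service without android:permission: "
                             "any app on the device can start it"))
    return findings


if __name__ == "__main__":
    for name, why in component_findings(MANIFEST):
        print(f"{name}: {why}")
```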

Comparison

After comparing these copies, the constructor of the 'MultiDexApplication' class (which belongs to the MultiDex support library) contains a call that starts the malicious service. Apart from the bundled malicious package itself, there is no other notable difference between the copies.

The remaining differences are just the same code in different positions, with no effect on behavior.

Demo

I've provided a video where you can see the actual APK in action here.