Analysis of Android.Trojan.FakeSite.A aka Perkele

Intro: What is Perkele?
Perkele is a crimeware kit used to generate Android trojans for monitoring and forwarding SMS messages containing mTANs.
Perkele made a name for itself because it can be combined with any malicious code that performs webinject attacks in the browser, such as the Windows banking trojan described below. The result is a flexible cross-platform attack, and because the kit generates the Android component, the trojan is relatively easy to create.

‘Perkele is an alternative name of Ukko, the chief god of the Finnish pagan pantheon. In modern Finnish, the interjection “perkele!” is a common profanity, approximately equivalent to “the Devil!” in meaning and “fuck!” in intensity.’ [Wikipedia]

androidbot-perkele
ad-perkele
Fig. 1: Advertisement spotted in the cybercrime underground (WMZ = WebMoney; 1 WMZ = 1 USD)

Step 1: Forcing the User to Install the App
If the user's Windows PC is compromised with Cridex (RC4-RSA variant), for example, and the user browses to his own or any other bank's website, a message is shown after the 'login' (no successful login is needed) presenting a new security solution that is supposedly obligatory for using the online banking service in the future. The 'solution' claims to be an Android security application that protects the phone's SMS messages from being intercepted by a trojan installed on the smartphone.

Cridex - Webinject
Fig. 2: You can 'login' with anything you want…my name is Cridex…and my password is 12345

Webinject - Sourcecode
Fig. 3: First of all the webinject hides the main content of the banking website.

blank
Fig. 4: How the page looks after the content has been hidden

Webinject - Sourcecode
Fig. 5: Then follows the script that injects the new content.

Details (Pop-up)
Fig. 6: You have to choose Android…Perkele only supports Android.

Trusteer
Fig. 7: Trusteer Mobile is a legitimate mobile device security product from the well-known security company Trusteer; the malware only borrows its name and branding.

Choose your preferred way to download the app
Fig. 8: There are three ways to download the malicious app: direct link, QR code, and an SMS containing the download link

Enter your Mobile Number
Fig. 9: Let’s try SMS with download link…

Send SMS with download link
Fig. 10: The download option via SMS didn't work in my case! I didn't receive an SMS.

Download the malicious app directly
Fig. 11: So let’s download the malicious app directly. No need to fake the user agent!

Screenshots of the remaining steps: Download started; Download finished; Copied to clipboard; Permissions; (Malicious) Application installed; Activation Code; QR-Code Preview

The malicious application has the following characteristics:


Original name: Trusteer-Mobile.apk
Package name: com.secure.android
MD5: 727e7fc80d5658a5186f6e964a0b1401
SHA-1: 0607950fa88f2fc962f768d286bf0903b94832fe
ssdeep: 384:7XWKjGB8vxDcy3XcitOVAtvQpVJPs9l/jeCTQOen:7WkGByDf3McOVHJk9l/yCT1W
File Size: 17,295 bytes



Multi-engine scan report for Trusteer-Mobile.apk:
Submission date: 2013-10-18 14:23:14 UTC
Result: 12/47 engines detect the file
Report


Download:
Perkele.rar (password is infected)

Before analyzing the Dalvik code or Java source code we have to go through the AndroidManifest.xml file to understand the application’s characteristics.

Below the manifest file:

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="2" android:versionName="2.0.6" package="com.secure.android"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
    <application android:label="@string/app_name" android:icon="@drawable/app" android:debuggable="true">
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".MainActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".UpdateActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>
        <receiver android:name=".MessageReceiver" android:exported="true">
            <intent-filter android:priority="12345">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <service android:name=".ServerSession" />
    </application>
</manifest>

## Requested Permissions ##
android.permission.ACCESS_NETWORK_STATE (view network status):
Allows an application to view the status of all networks.

android.permission.READ_PHONE_STATE (read phone state and identity):
Allows an application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

android.permission.RECEIVE_SMS (receive SMS):
Allows an application to receive and process SMS messages.
Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.SEND_SMS (send SMS messages):
Allows an application to send SMS messages.
Malicious applications may cost you money by sending messages without your confirmation.

android.permission.INTERNET (full Internet access):
Allows an application to create network sockets.

com.android.browser.permission.READ_HISTORY_BOOKMARKS (read Browser’s history and bookmarks):
Allows an application to read (but not write) the user’s browsing history and bookmarks.

## Activities ##
From the manifest we can identify the activities between the activity tags:

        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".MainActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".UpdateActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>

So the two activities are com.secure.android.MainActivity and com.secure.android.UpdateActivity.

Last but not least we can also check Receivers and Services:

## Receivers ##
com.secure.android.MessageReceiver listens for android.provider.Telephony.SMS_RECEIVED with android:priority="12345". That is far above the 1000 that Android reserves for system receivers, so this receiver sees every incoming SMS before the stock messaging app does; a receiver in that position can read the message first and, on Android versions before 4.4, call abortBroadcast() so that the SMS never reaches the inbox. This is the mechanism the SMS_INTERCEPT_* commands below rely on.

        <receiver android:name=".MessageReceiver" android:exported="true">
            <intent-filter android:priority="12345">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>

## Services ##
com.secure.android.ServerSession

<service android:name=".ServerSession" />
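The manifest review above (permissions, activities, receivers and services) can be automated for the next sample. The following script is an added example written by the editor; it is not code from the page or from the Perkele kit. The manifest text embedded in it is a copy of the one printed above, and the heuristics (debuggable flag, the RECEIVE_SMS/SEND_SMS/INTERNET combination, an SMS_RECEIVED receiver at or above Android's system-high priority of 1000) are the editor's own triage rules, not something the page states.

```python
# Added example (editor's own, not from the page or the Perkele kit): static
# triage of the decoded AndroidManifest.xml shown above. MANIFEST is copied
# from the page; the findings heuristics are the editor's.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SYSTEM_HIGH_PRIORITY = 1000  # IntentFilter.SYSTEM_HIGH_PRIORITY; apps should stay below it
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def android(attr):
    """Clark-notation name for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="2" android:versionName="2.0.6" package="com.secure.android"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
    <application android:label="@string/app_name" android:icon="@drawable/app" android:debuggable="true">
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".MainActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".UpdateActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>
        <receiver android:name=".MessageReceiver" android:exported="true">
            <intent-filter android:priority="12345">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <service android:name=".ServerSession" />
    </application>
</manifest>
"""


def qualify(pkg, name):
    """Expand a leading-dot component name (".MainActivity") to its full class name."""
    return pkg + name if name.startswith(".") else name


def triage(manifest_xml):
    """Return package facts plus a list of analyst findings for the manifest text."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    pkg = root.get("package")
    app = root.find("application")
    perms = sorted(e.get(android("name")) for e in root.iter("uses-permission"))
    findings = []

    if app is not None and app.get(android("debuggable")) == "true":
        findings.append("android:debuggable=true: a debugger can attach to the running app")
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
        "android.permission.INTERNET"} <= set(perms):
        findings.append("RECEIVE_SMS + SEND_SMS + INTERNET: can read incoming SMS and relay them")
    if "com.android.browser.permission.READ_HISTORY_BOOKMARKS" in perms:
        findings.append("READ_HISTORY_BOOKMARKS: can learn which banking sites the victim uses")

    sms_receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            if SMS_RECEIVED not in {x.get(android("name")) for x in filt.findall("action")}:
                continue
            entry = {"name": qualify(pkg, rcv.get(android("name"))),
                     "priority": int(filt.get(android("priority"), "0")),
                     "exported": rcv.get(android("exported")) == "true"}
            sms_receivers.append(entry)
            if entry["priority"] >= SYSTEM_HIGH_PRIORITY:
                findings.append("%s handles SMS_RECEIVED at priority %d (>= %d): it runs before the "
                                "messaging app and, on Android < 4.4, can abort the broadcast"
                                % (entry["name"], entry["priority"], SYSTEM_HIGH_PRIORITY))

    return {"package": pkg, "version": root.get(android("versionName")), "permissions": perms,
            "activities": [qualify(pkg, e.get(android("name"))) for e in root.iter("activity")],
            "services": [qualify(pkg, e.get(android("name"))) for e in root.iter("service")],
            "sms_receivers": sms_receivers, "findings": findings}


if __name__ == "__main__":
    for finding in triage(MANIFEST)["findings"]:
        print("-", finding)
```

The script works on the decoded (text) manifest; for a fresh APK, decode it first with apktool or aapt and feed the resulting XML to triage().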

Now that we've analysed the manifest (note also android:debuggable="true" on the application element, which the kit left enabled and which makes attaching a debugger during dynamic analysis easy), we can take a look at the code.

Admin Number
Fig. 12: NUMBER = +79670478968 –> Russian Federation

Hardcoded URLs:
http://gameserv.4zo.biz
http://gameserv.4zo.biz/?a=

DNS Requests:
gameserv.4zo.biz (37.228.92.168) –> Russian Federation

POST Requests:
id=DeviceId&net=test420&cmd=%23BOT_INSTALL%3A+2.0.6 (Check-in)
id=DeviceId&net=test420&data=%23INSTALLED_APPS%3A+XXX
id=DeviceId&net=test420&data=%23BROWSER_HISTORY%3A+XXX
id=DeviceId&net=test420&cmd=%23SMS_INTERCEPT_STOP
id=DeviceId&net=test420&m=%23SMS_GRABBED%3A+XXX

CMD:
#BOT_INSTALL
#BOT_UPDATE
#BROWSER_HISTORY
#CMD_ID
#INSTALLED_APPS
#SMS_INTERCEPT_START
#SMS_INTERCEPT_STOP
#SMS_GRABBED
#SMS_INTERCEPTED
#SMS_SEND

BOT_INSTALL

Queries list of installed packages:
com.secure.android.MainActivity – android.content.pm.PackageManager.getInstalledPackages

Accesses android OS build fields:
com.secure.android.ServerSession$BackgroundThread – android.os.Build$VERSION.RELEASE
com.secure.android.ServerSession$BackgroundThread – android.os.Build.BRAND
com.secure.android.ServerSession$BackgroundThread – android.os.Build.MODEL

Queries the SIM provider ISO country code:
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getSimCountryIso

Queries the SIM provider name:
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getSimOperatorName

Queries the unique device ID (IMEI, MEID or ESN):
com.secure.android.MainActivity – android.telephony.TelephonyManager.getDeviceId
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getDeviceId
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getSubscriberId
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getLine1Number

Sets an intent to the APK data type (used to install other APKs):
com.secure.android.UpdateActivity – android.content.Intent.setDataAndType

MainActivity

URL Parameters
AxWFz = DeviceId
MzKwx = SubscriberId
NvMAk = Line1Number
FxEdM = SimOperatorName
MzYkF = SimCountryIso
HkFwA = Build.VERSION.RELEASE
dMxEw = Build.BRAND, Build.MODEL
uWeXd = BUILD_NET
vZeWA = BUILD_VER

POST Request
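To make the C2 traffic listed above (the cmd/data/m POST bodies and the obfuscated check-in parameters from MainActivity) usable for detection, here is an added example written by the editor; it is not code from the page or from the Perkele kit. It decodes a captured POST body, maps it back to the command markers and the parameter table above, and flags bodies that look like Perkele. The sample bodies are constructed from the formats on the page; "DeviceId" and "XXX" are the page's own placeholders, and the values in the obfuscated check-in sample are placeholders chosen by the editor, as is the benign control body.

```python
# Added example (editor's own, not from the page or the Perkele kit): decode
# the form-encoded bodies Perkele POSTs to http://gameserv.4zo.biz/?a= and map
# them back to the markers and obfuscated check-in keys listed on the page.
import re
from urllib.parse import parse_qs

# Command markers listed on the page.
KNOWN_MARKERS = {
    "#BOT_INSTALL", "#BOT_UPDATE", "#BROWSER_HISTORY", "#CMD_ID",
    "#INSTALLED_APPS", "#SMS_INTERCEPT_START", "#SMS_INTERCEPT_STOP",
    "#SMS_GRABBED", "#SMS_INTERCEPTED", "#SMS_SEND",
}

# Obfuscated parameter names used by MainActivity's check-in (table on the page).
CHECKIN_KEYS = {
    "AxWFz": "device_id", "MzKwx": "subscriber_id", "NvMAk": "line1_number",
    "FxEdM": "sim_operator_name", "MzYkF": "sim_country_iso",
    "HkFwA": "android_release", "dMxEw": "brand_model",
    "uWeXd": "build_net", "vZeWA": "build_ver",
}

# "#MARKER" optionally followed by ": payload" (after URL-decoding).
MARKER_RE = re.compile(r"^(#[A-Z_]+)(?::\s*(.*))?$", re.DOTALL)


def decode_body(body):
    """Decode one POST body into bot id, net tag, channel, marker, payload and check-in fields."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    msg = {"bot_id": fields.get("id"), "net": fields.get("net"),
           "channel": None, "marker": None, "payload": None, "checkin": {}}
    for channel in ("cmd", "data", "m"):  # the three channels seen on the page
        if channel in fields:
            m = MARKER_RE.match(fields[channel])
            if m:
                msg["channel"], msg["marker"], msg["payload"] = channel, m.group(1), m.group(2)
            break
    for key, meaning in CHECKIN_KEYS.items():
        if key in fields:
            msg["checkin"][meaning] = fields[key]
    msg["known_marker"] = msg["marker"] in KNOWN_MARKERS
    return msg


def looks_like_perkele(body):
    """Detection predicate: a known marker on a cmd/data/m channel, or several obfuscated check-in keys."""
    msg = decode_body(body)
    return msg["known_marker"] or len(msg["checkin"]) >= 3


SAMPLE_BODIES = [  # constructed from the formats on the page; last one is a benign control
    "id=DeviceId&net=test420&cmd=%23BOT_INSTALL%3A+2.0.6",
    "id=DeviceId&net=test420&data=%23INSTALLED_APPS%3A+XXX",
    "id=DeviceId&net=test420&cmd=%23SMS_INTERCEPT_STOP",
    "id=DeviceId&net=test420&m=%23SMS_GRABBED%3A+XXX",
    "AxWFz=DeviceId&MzKwx=SubscriberId&NvMAk=Line1Number&FxEdM=SimOperatorName"
    "&MzYkF=SimCountryIso&HkFwA=Release&dMxEw=Brand+Model&uWeXd=BuildNet&vZeWA=2.0.6",
    "user=alice&action=login",
]


def summarize(bodies=SAMPLE_BODIES):
    """Return the marker, 'checkin', or None for each body: a quick triage of captured traffic."""
    out = []
    for b in bodies:
        msg = decode_body(b)
        out.append(msg["marker"] if msg["marker"] else ("checkin" if msg["checkin"] else None))
    return out


if __name__ == "__main__":
    for body, label in zip(SAMPLE_BODIES, summarize()):
        print("%-18s %s" % (label, body[:60]))
```

The same decoder can be run over the request bodies of a PCAP or proxy log; the host gameserv.4zo.biz and the net=test420 tag are the obvious first filters, but the marker and key tables catch a re-hosted C2 as well.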

Step 2: The Trojan Action
After Perkele has been installed successfully, the user has to enter the activation code, which pairs the app with the trojan installed on the Windows system. From then on, Perkele intercepts all SMS messages that it can associate with online banking activity and forwards them to the criminals.

Fake-Code
Fig. 13: Validation of activation code

Activation
Fig. 14: Enter the activation code (Activation Code = DeviceId = IMEI)

block
Fig. 15: After synchronization the trojan blocks access to the banking website on the PC and the cashout begins, using the intercepted mTANs.

SMS_GRABBED

Below the callgraph:

Links:
Perkele – Krebs on Security
G Data Mobile Malware Report H1/2013
Perkele – Wikipedia, the free encyclopedia
Manifest.permission | Android Developers