A new app called Sarahah, which allows people to receive anonymous feedback messages from friends and coworkers, has been quickly gaining popularity. Though it seems like a good concept, the app has already been criticized for silently uploading users’ contacts to its servers.
As a result of its quick growth, the ThreatLabZ team was certain the Sarahah app would be a top-of-mind target for attackers. We kept a close watch for any malicious indicators and came across a remote access Trojan (RAT) portraying itself as the app.
The payload is a RAT variant created using DroidJack, a RAT builder that has been in the wild for quite a while. A few months back, we posted a blog about a fake system update on Google Play that was using traces of DroidJack. We also wrote recently about fake Pokemon GO variants, prepared using DroidJack, that were making the rounds in the wild.
DroidJack is a sophisticated piece of software that allows users to build Android Trojans with the ability to perform many invasive tasks:
- Bind malicious code with any desired APK
- Delete/Add/Modify/Download/Upload files from a victim's device
- Spy on SMS Messages
- Record phone conversations
- Read/copy a victim's contacts
- Take pictures from an infected device camera
- Listen to a live conversation using an infected device mic
- View browser history
- Steal a victim's location
- And many, many more
Technical Details
App Name : Sarahah
MD5 : 3a9c32d270f19384e148b0f24d916a5f
Pkg Name : net.droidjack.server
Once installed, the malware app portrays itself as the Sarahah app.
As soon as the victim clicks on the fake app, it asks for Admin privileges. Once admin rights are acquired, the icon disappears. The user may think the app has been removed, but it has only hidden itself.
Once hidden, the app begins running services that will later handle all the major malicious activities of DroidJack mentioned above.
The first function invoked by the malware is called MainActivity, which hides the fake app and starts an Android service called Controller.
Major activities highlighted in the top left corner of the above screenshot are as follows:
- CallListener : Handler taking care of call logging.
- CamSnap : Designed to capture photos.
- Connector : Broadcast Receiver designed to start Controller Service on every reboot.
- Controller : Contains code to make connections with Command & Control(C&C) Centre. It uses open sourced Kryonet library for setting up connections.
- GPSLocation : Contains code to capture GPS location.
- VideoCap : Designed to capture live video using victim's camera.
We also found hard-coded C&C details in the source code where the author leverages a dynamic DNS domain.
Stealing SMS Messages
DroidJack RAT is designed to read all email inbox messages as well as incoming SMS messages and send them to the C&C server. It also aborts new message notification, leaving the victim unaware of any new message received
The screenshot below shows the code responsible for fetching incoming SMS messages and aborting the notification.
'
Along with stealing SMS messages, the RAT is also capable of sending messages to any number sent by the attacker.
Upon further inspection, we found that this fake app also targets WhatsApp data
Contacts and Calls
Along with SMS stealing, the fake Sarahah app is snooping around for the victim's contact details
Fake Sarahah app is also capable of dynamically calling desired numbers.
This RAT has the ability to record calls in a file with the .amr extension, which is later sent to the C&C server. It also steals GPS locations as well as browser history and bookmarks.
After all the desired data has been snooped out, it is stored in a database locally under /data/net.droidjack.server/<database_name>. Databases are named as follows:
- SandroRat_CurrentSMS_Database - Incoming SMS
- SandroRat_RecordedSMS_Database - Inbox SMS
- SandroRat_CallRecords_Database - Call Recordings.
- SandroRat_Contacts_Database - Victim's Contact details.
- SandroRat_BrowserHistory_Database - Browser history and bookmarks
One more final precaution is taken by the fake Sarahah app while transmitting stolen data over the wire. It uses AES encryption to send the data to the C&C server. This step may be taken to prevent data from being easily detected during malware analysis through a proxy
Conclusion
Attackers will continue to target victims by embedding malicious code into any new, popular Android app, as it’s an easy way to quickly widen their attack base. This was the case with Netflix and Pokemon GO. Attackers exploit people’s appetite for new apps and their desire to be the first to have them by offering up fakes before the real versions are officially launched or by mimicking add-on functionality that is not yet available in the official app.
ThreatLabZ strongly advises users to stay away from scams like the fake Sarahah app and download apps only from official Android stores, like Google Play. As an added precaution, it is advisable to review an Android app's permissions before installing it to get a clear picture of the app’s capabilities and the developer’s motive.
ThreatLabZ will continue to monitor the use of apps for spreading malware to ensure that Zscaler customers remain protected from such attacks.