Analysis of code4HK

Published on 2014-09-29 08:00:00.

Tools

Static analysis

Code4HK is an Android spyware application designed for mass surveillance. Here is a quick analysis of a Code4HK sample that we got:


Sample name: fe1df17ab903979223e5eb514ffe24f72d540ad26f959201133f30a1346870df.apk

MD5: 15e5143e1c843b4836d7b6d5424fb4a5
SHA1: c1e9ebd0b5ac7b6c50c69af219d163393d52df99

The detection rate by AVs is still really low (2/53 on 2014-9-29):

image

Using Baksmali, we disassemble the APK:

image

Smali files:

image

Let’s have a look at the MainActivity file.

image

We can see that MainActivity seems to copy a qq.xml file to another APK named temp.apk, in a hidden .qq directory that the sample creates on the SD card.

image

Looking inside the APK file:

image

temp.apk

A quick look at the detection rate on VirusTotal:

image

The files after disassembling temp.apk:

image

Smali files:

image

PhoneReceiver

In the PhoneReceiver.smali file, the onReceive method is invoked:

image

It first waits for an incoming phone call; when one arrives, it gets the calling number and starts a media recorder:

image

Then it gets the current date:

image

And finally it saves the file in the folder /data/data/com.v1/.record/ in AMR format, an audio compression format optimised for speech coding.

image

StreamService

The constructor starts a stream service to send the collected data; it tries to connect to mm.v1lady.com (112.124.47.157) on port 0x596 (1480).

image

In a private method called c, the application reads a configuration file:

image

Asset file:

image

It creates a text file with an explicit name, gps.txt:

image

And gets the position using the Baidu API:

image

It also gets the list of email accounts and saves it to a .txt file, an .html file and an SQLite database.

image

image

It also collects other data such as SMS messages, the Wi-Fi list and the browser history…

C&Cs are still reachable:

image

image

Dynamic test

Launching the sample in an Android emulator:

image

It asks to install the second APK:

image

image

Then the application runs in the background.

C&C IP

221.226.58.202 (China) (see the other part)

61.36.11.75 (Korea)

112.124.47.157 (China)
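The indicators from this analysis put into a small triage script, as an added example that is not part of the original post: it checks a pulled device tree (an adb pull of /sdcard and /data/data) for the dropped .qq/temp.apk and the com.v1/.record/*.amr call recordings, compares APK hashes against the sample hash, and flags connection-log lines that mention the C&C hosts. The log lines and file layout are constructed for the demo; the sample hash and the hosts are the ones quoted above.

```python
import hashlib
import os
import re
import tempfile

# Indicators quoted in the analysis above: sample SHA-256, .qq/temp.apk, com.v1/.record, C&C hosts.
KNOWN_SHA256 = {"fe1df17ab903979223e5eb514ffe24f72d540ad26f959201133f30a1346870df"}
CNC_HOSTS = {"mm.v1lady.com", "112.124.47.157", "221.226.58.202", "61.36.11.75"}
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")  # IPv4 addresses or hostnames
# Constructed sample data (not from the page): a proxy-style connection log and a file
# layout mimicking an 'adb pull' of /sdcard and /data/data from an infected device.
DEMO_NETLOG = [
    "2014-09-29 10:12:03 CONNECT mm.v1lady.com:1480 from 10.0.2.15",
    "2014-09-29 10:12:05 CONNECT play.googleapis.com:443 from 10.0.2.15",
    "2014-09-29 10:13:41 CONNECT 61.36.11.75:80 from 10.0.2.15",
]
DEMO_FILES = {
    "sdcard/.qq/temp.apk": b"PK\x03\x04 constructed placeholder, not the real payload",
    "data/data/com.v1/.record/20140929_102233.amr": b"#!AMR\n",
}
DEMO_PAYLOAD_SHA256 = hashlib.sha256(DEMO_FILES["sdcard/.qq/temp.apk"]).hexdigest()


def scan_tree(root, known_hashes=KNOWN_SHA256):
    """Walk a pulled device tree; return sorted (indicator, relative path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "temp.apk" and os.path.basename(dirpath) == ".qq":
                findings.append(("dropped_payload", rel))  # hidden .qq dir on the sdcard
            if name.endswith(".amr") and "com.v1/.record/" in rel:
                findings.append(("call_recording", rel))  # recorded calls in AMR format
            if name.endswith(".apk") and hashlib.sha256(open(path, "rb").read()).hexdigest() in known_hashes:
                findings.append(("known_sample", rel))  # hash matches the analysed sample
    return sorted(findings)


def scan_netlog(lines):
    """Return the log lines that mention any of the C&C hosts from the analysis."""
    return [line for line in lines if set(HOST_RE.findall(line.lower())) & CNC_HOSTS]


def build_demo_tree():
    """Write the constructed DEMO_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, data in DEMO_FILES.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

On a real pull, call scan_tree on the pulled directory and scan_netlog on the emulator proxy or tcpdump text log; pass the hash of a newly caught dropper via known_hashes to extend the check.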

Reference: