Good afternoon, dear friends. There's a thunderstorm outside. It's pouring buckets. The weather has been spoiling my mood for the last two weeks. No desire to work. But let's pull ourselves together and amuse ourselves with something interesting. We'll write a review of the next bot that has fallen into our hands. Meet (cue the fanfare) the Android bot called Cerberus. The official thread is https://xss.is/threads/29932/ This review is a bit outside my usual profile. I don't usually take on Android. But I decided to try my hand in this area as well. Life never stands still and everything changes. So either we keep in step with the times or we join the ranks of the laggards. Oh well. Let's try to keep up with the trends.
Cerberus is an Android bot that has been operating privately for the last 2 years. We have now decided to come out of private operation to look for partners.
Functionality:
- Sending SMS
- SMS interception
- Hidden SMS interception
- Device blocking
- Mute
- Keylogger (messengers, WhatsApp, Telegram, banks, etc., except browsers!)
- USSD command execution
- Call forwarding
- Open fake bank page
- Launch any installed application
- Push bank notification (auto-push detects which bank is installed)
- Open URL in browser
- Get all installed applications
- Get all contacts from phonebook
- Get all saved SMS
- Delete any application
- Self-destruct bot
- xml-p
Specifications:
- Modularity
- Bot application size from 125 to 180 KB (crypted: about 1 MB)
- Works on Android 5 and higher
- Hidden SMS interception works on version 5 and higher
- Injections work on all current Android versions, 5 to 9
- Data between the server and the bot is encrypted with the RC4 algorithm, random key
- Bot encrypted using RC4 + base64 with a random key
- Blocks bot removal
- Blocks disabling admin rights
- Blocks disabling Accessibility Service
- Can have multiple backup domains for failover
- Multi-language
Cost: 1 month $2,000; 3 months $4,000; 6 months $7,000; 12 months $12,000
Crossing paths with the author. Thankfully he was looking for a meeting himself. And surprisingly quickly we agreed on a review. It's kind of weird. I didn't have to talk him into anything. Alrighty. In hand we got:
1. Access to the admin panel (over Tor)
2. A build (APK), 142.3 KB in size
3. Access to the builder (over Tor)
4. Permission to reverse and publish the content
cerber_ovner: Test Mode. The application is called Testing Mode
cerber_ovner: there the following will be disabled: the device activity check, and the check for banned countries (CIS)
cerber_ovner: device activity: in order to download the main module you have to move around with the phone or hold it in your hand, waving it
cerber_ovner: well, to show that you are not an emulator
cerber_ovner: in the accessibility settings, if anything, the application name will be shown; in Testing Mode it should be listed there. Real people come up with the names themselves) Like Steam Service, Google Protect, etc. You got it
cerber_ovner: Works on Android 5 and above.
Here we go.
Getting to know the admin panel: Fig.1 | Fig.2 | Fig.3 | Fig.4 | Fig.5 | Fig.6 | Fig.7 | Fig.8
We see one bot in the admin panel. The author explains that there was a deal and the buyer was testing a build on this admin panel. But never mind. Basically, everything else is as in the author's video in the official thread. https://www.youtube.com/watch?v=dMu0JzyucZ0
I'm not thrilled with the admin panel. Dark. The colors eat your eyes. It looks like it was designed for kids. Maybe I'm wrong, but I don't like admin panels like this. Let that be on my conscience. It is installed on the owner's server and domain. The tenant gets access to it and uses it as long as he pays the rent. Here we should raise the good old question about abuse reports and changing domains/IP addresses. If the bot lands on trackers, the life of such a domain/IP address will be extremely limited. Renters are well off in this regard. All the hassle falls on the author. But what about the installs? Who will compensate for the downtime?
Ar3s: Look, here's another question. Are you not giving the admin panel to people? Is the admin panel hosted by you?
cerber_ovner: Yes, it is. This is done for security purposes. So they don't leak the bot.
Ar3s: Obfuscate it. Wrap it up in Docker and hand it over. You'll get blamed 100% for leaking logs to third parties. As it was with Anubis, if anything.
cerber_ovner: but it was leaked
cerber_ovner: although badly decrypted for a leak
cerber_ovner: but still
cerber_ovner: We don't give people the main bot module either; it is pulled from our server with the admin panel (via Tor) on the bot's request
cerber_ovner: that is, we stop giving people the main module as soon as the lease ends
I went around, tapped icons and dropdown menus. The admin panel has everything you need. We'll figure out how convenient it is later.
I found two devices for the test.
1. Samsung Galaxy Note 4 (Android 6.0.1) Fig.9 / Fig.10
2. Xiaomi Redmi 5 (Android 7.1.2) Fig.11
Just to be clear, my build was called Testing Mode. I was not messing around with all sorts of Flash, Adobe and Google lures. Naked hardcore. At the time of the tests the build was detected by 16 antiviruses. Fig.12 (courtesy of the author)
Load the APK onto the devices and run it: Fig.13 | Fig.14 | Fig.15 | Fig.16 | Fig.17 | Fig.18
At the start I tried to act like an inexperienced user. Well, I'm afraid of things I don't understand. I didn't grant the rights the bot so badly wanted. And then the worst part began. I just could not take screenshots. The phone was kicking like mad. Without stopping, it kept demanding one right or another. I was able to get into the admin panel, but it was impossible to use it.
Figure 19 | Figure 20 | Figure 21
I tried to give it the rights it needed, but no way. The phone did not let me get into the settings and grant the rights it needed. Attempts to kill the bot from the admin panel did not work. I could not delete the bot. I wrote to the author. He quickly checked everything and confirmed the bug. Within a couple of hours he rolled out a fix and gave me access to the builder (more on that later). I rebooted the phone. After the reboot, no more requests. But the bot was still stuck to the phone. The battery drained heavily. I wanted to try cleaning the phone and deleting the bot with built-in means. I installed KIS from the Play Store. Started the scan and got an alert. Tried to remove it, but no luck. Nothing worked. Gave the antivirus admin rights. No help. It detected two viruses (the main body and the module, as the author says) but could not remove them. But I was able to tweak the bot's rights in settings. After that it was safely removed from the phone. Retrying the install did not give any results. I tried the same build and another one. No effect.
Figure 22 | Figure 23 | Figure 24 | Figure 25
I made a new build. Everything is simple in the builder, by the way. Figure 26
A bug came up. The test admin panel didn't have HTTPS configured. My build did not work. I made one without any encryption and it worked fine. The author explained that he hadn't set up a clean domain on the demo admin panel and therefore hadn't configured a certificate. I loaded it onto my phone and tried again. But this time I agreed to everything and did everything the bot wanted. I didn't like the part about granting admin privileges. I understand that it cannot be otherwise on Android. However, this point should have been thought through. You have to make a nice lure explaining why the user has to go into the settings and enable everything. And you have to make the time interval between access requests longer. You don't have time to find the menu item you need in order to grant permissions before the request pops up again. Another important point. At the time of installing the bot and granting privileges, no bank card was entered in the system. The bot opened the window for entering bank card details. If you do not enter the details, the window pops up again. If you do enter them, the entered text appears in the admin panel. Without validation, by the way. And in the Android itself the card does not appear for some reason.
Figure 27 | Figure 28 | Figure 29 | Figure 30 | Figure 31 | Figure 32
I tried and tested the admin panel and bot functionality. Sent notifications, enabled the keylogger, pulled a heap of contacts and SMS. Everything works without any problems. Difficulty arose with push notifications and opening a URL. I was not able to do it myself. But the author explained how and what. Everything works in general. Installed the PayPal app from the market to check the bank module. On startup, the PayPal window pops up. You enter your login details. Then the native window that was a layer below pops up immediately. There you enter them again. There is no check of the correctness of the data entered in the first window. You can write any nonsense you want.
Figure 33 | Figure 34 | Figure 35 | Figure 36 | Figure 37 | Figure 38 | Figure 39 | Figure 40 | Figure 41 | Figure 42 | Figure 43 | Figure 44
Reverse: And here, dear friends, a number of problems arose. I needed a reverse. It was necessary to understand whether Anubis or parts of it are inside. During the test, VirusTotal showed a verdict identical to that for Anubis. I found a reverser. I gave the build to Prolet to unpack it. The strings were encrypted and a week went by analyzing them. The second reverser behaved the same way. The only one left in stock was the modder with credentials under the nickname f20f9f. I gave the build to the man for analysis. I got his reply rather quickly. The first pancake is always lumpy and there isn't much information, but let's consider it.
The analysis shows the person didn't do any optimization. There's a bunch of garbage from Android Studio in the resources. Pictures and so on. Some minimal knowledge of the APK could have halved its weight. Bear in mind that there is only 80 kilobytes of code in it. Well, that's the minimum size for an application. The libs are still packed in. There are English comments throughout the code. We open the manifest and see there
[CODE=xml]<activity android:exported="true" android:name="com.wdjkx.nrqphkwz.ConfirmLockPattern" /> <!-- This line was added by me. -->[/CODE]
According to the manifest analysis the bot can read and send SMS, make calls, obtain rights to work in the background and has access to accessibility services. That is what the injections are for. The code of the injects is not so good. The tags are garbled. The strings are not encrypted. Therefore there will be many detections. A generation or two of the program.
The APK has a cryptor. It encrypts the com.wdjkx.nrqphkwz.jqfnjcj.zmjotfcvb classes. At this stage of malware development this is not enough. Strings in the code are not encrypted. Debugging is enabled. When the bot is running it prints a lot of useful information for reversers ^_^ Encryption is present. But more on that below.
Basically simple code, nothing interesting. All of this is there even in the public bots. Likely to have problems working on Android versions 8 and above. This bot is worth 300 bucks at most. No protection from the CIS. Works everywhere.
f20f9f: rc4 is
f20f9f: decrypted strings
f20f9f: both apks encrypted by ProGuard
f20f9f: the difference is strange
f20f9f: in 2 bytes)
f20f9f: then it seems it is not rc4 but caesar))
f20f9f: in short, look
f20f9f: start class
f20f9f: no checks, nothing to stop the activity
Ar3s: So what about the presence of pieces of Anubis?
f20f9f: No Anubis
f20f9f: The bot is very simple
f20f9f: Made in haste
Ar3s: There is mention of an additional lib everywhere. The main one. That is, the bot works on the principle of a loader and the main functionality is pulled in when you start it.
f20f9f: I think it's dumb there
f20f9f: As for it being made clean, but there's garbage in the resources
f20f9f: That is, there are no heavy additional libs
f20f9f: Like appcompat
f20f9f: On 8 it definitely will not work
Ar3s: why?
f20f9f: On 8+ they introduced a permission so the app can download apk files as a loader
f20f9f: That permission is not in the manifest
f20f9f: And it cannot extend functionality even with dex
f20f9f: Since the permission must be declared in the manifest
Ar3s: understood
So that leaves three important questions.
1. What is the main bot module? It's not clear which one is pulled in at startup for the main functionality. What is its function and what's inside it? None of the reversers said a word about it.
2. I will need to check the operation of the add-on on Android 8. I don't have one at hand right now. And for the sake of the review I will not run to buy one.
3. Where is the protection against working in the CIS implemented?
So that forum users do not feel left out, here are links to third-party analysis: https://habr.com/ru/post/459858/ mirror here https://xss.is/threads/30405/ And soon there will be more material from https://twitter.com/LukasStefanko (info from the author). I was deeply wounded by the third-party analysis. I do not believe in coincidences.
Injects: I was given some injects as examples. An inject is an HTML file and a PNG image. Fig.45
cerber_ovner: this is to give people an example
cerber_ovner: for their own markup
cerber_ovner: back in the days of Anubis, Red Alert, etc. there were posts on the forums saying they write injections) People made them for $25
cerber_ovner: the whole point of injections is that you need to do Android.returnResult(JSON)
cerber_ovner: run this JS code
cerber_ovner: but bear in mind that many JS functions are not in the standard browser on Android 5 and 6
cerber_ovner: such as the let variable, forEach loop, etc.
cerber_ovner: // comments are not supported, only /* text */
cerber_ovner: simply, if there are errors, the inject will not work
Ar3s: this is clear
cerber_ovner: the essence: injects are multi-page; if you do Android.returnResult on every page it fills in the information you stole from the user, but if the user is on the last page and you need to close the inject after it runs, you need to add exit true in the JSON. You will see, there is a hidden input on forms everywhere
cerber_ovner: on the last page
cerber_ovner: or in PayPal on the first page, because this means that's all, after the input and execution you need to close the inject
To summarize:
1. The claimed functionality is present. The bot works. It fits the description. The disadvantages are that the bot's code is not of the highest level. Some extra kilobytes could have been removed. Sometimes it crashes. For example, a window pops up with a repeated request for credit card entry. No check of entered data in the injections. (Although I can't imagine how to make such a check on Android, ideally I want it.) You should work on the obfuscation of builds. To make them more unique and secure.
2. SE. You should spare no time and seriously play with social engineering variants. The bot has the basic lures necessary for work. But in my opinion, they could be made better and more thoughtful. Also reconsider the requests for rights escalation and their frequency.
3. The admin panel is not great, but it is usable. It is intuitive where everything is located. Except for logs from the bots. They can only be accessed from the bot by pressing the appropriate button. The color scheme is a matter of taste. The obvious drawback is that there is no mass clearing of logs. You have to delete one at a time. The admin panel sits on the owner's server!
4. The price. Here I hesitated heavily. Demand creates supply. The existing price is greatly inflated. But since there is no strong competition in this direction and the trend is toward such triple-digit numbers, I have nothing to counter with.
The overall impression is not bad, but there is still work to do. It's nice that the author fixes everything promptly and, hopefully, that won't wear off after the first three sales.
cerber_ovner: The bank cards are fixed. I have to admit, there was such a problem. Now if a user has closed the card input form, it won't pop up a second time. In the admin panel, you will have to activate the card injector again.
cerber_ovner: You can't enter an invalid card; 1234 5678 9012 345 won't go in
cerber_ovner: the card checksum (this is done to make the user believe that a normal card must be entered)
cerber_ovner: I can show the JS code from the inject that does the check
Ar3s: I just entered a card. And it swallowed it. I did not use a real card!
cerber_ovner: The card is checked with the Luhn algorithm; it does not let you enter just any numbers (the user thinks you must enter a real card). Maybe the stars aligned and you just randomly entered a valid sequence.
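The Luhn check the author says the card form performs, as an added example written for this review rather than taken from the inject's own JS (which is not shown on the page). It is written in the ES5 subset the author says injects must stick to on Android 5/6 WebViews: `var` instead of `let`, a plain `for` loop instead of `forEach`, and `/* */` comments only. The function names are my own, and the card numbers are constructed test values, not real cards.

```javascript
/* Luhn checksum in the ES5 subset an Android 5/6 WebView accepts.
   Added example for the review; not the bot's own inject code. */

/* Strip spaces and dashes; return "" if any other character is present. */
function normalizeCardNumber(input) {
  var digits = "";
  var i, c;
  for (i = 0; i < input.length; i++) {
    c = input.charAt(i);
    if (c === " " || c === "-") { continue; }
    if (c < "0" || c > "9") { return ""; }
    digits += c;
  }
  return digits;
}

/* Luhn: walking from the right, double every second digit, subtract 9
   if the doubled value exceeds 9, sum everything; valid when the total
   is a multiple of 10. Length limits follow ISO/IEC 7812 (12-19 digits). */
function luhnValid(input) {
  var digits = normalizeCardNumber(input);
  if (digits.length < 12 || digits.length > 19) { return false; }
  var sum = 0;
  var dbl = false;
  var i, d;
  for (i = digits.length - 1; i >= 0; i--) {
    d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d = d * 2;
      if (d > 9) { d = d - 9; }
    }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

/* The caveat behind the reviewer's "it swallowed a made-up card": Luhn is
   a single check digit, so exactly one in ten random suffixes passes.
   Appends every 4-digit suffix to a constructed 12-digit prefix and
   returns the fraction accepted (0.1). */
function luhnPassFraction(prefix) {
  var passed = 0;
  var n, suffix;
  for (n = 0; n < 10000; n++) {
    suffix = ("000" + n).slice(-4);
    if (luhnValid(prefix + suffix)) { passed++; }
  }
  return passed / 10000;
}
```

Luhn only catches typos; it says nothing about whether a card exists, which is why a randomly typed number can sail through the form exactly as happened in the test above. A real issuer check would need a BIN lookup or an authorization, neither of which a WebView form can do offline.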
cerber_ovner: no protection from the CIS, works everywhere
cerber_ovner: I only gave you a test mode, a checkbox in the builder
cerber_ovner: to work in the CIS
cerber_ovner: otherwise it is blocked by SIM-card country
Ar3s: I made two builds myself. One as a test one and the second one as you showed me, with the protection switched on. I gave the reverser the second one.
cerber_ovner: I can show you the source code in which the check takes place.
cerber_ovner: https://obzor.dlab.im/screen/cerberus/sng.png
cerber_ovner: The bit about garbage from Android Studio is a bit unclear, because Android Studio was not involved in the development at all.
cerber_ovner: The claim that it does not work on Android 8 is nonsense. No problem, I'll give out a test build; run it either on a virtual machine or on a real device.
cerber_ovner: we don't install the apk
cerber_ovner: we use the apk as a plugin module
cerber_ovner: this is default Android functionality
cerber_ovner: the apk works with our rights)
cerber_ovner: Next, about detections and such: we don't have our own cryptor, that's in the plans. Use fttkrypt and you will get 0 detections on output. We give all our customers an invite to their crypt service. We only obfuscate the code to make it harder to analyze, that's all.
cerber_ovner: The antivirus will not see the module (what was the second one?). The module is stored in the application's private directory; without root rights third-party applications have no access to it, that's Android security.
Postscript: I am leaving some loose ends in this review. I really want the topic to spark discussion about how the product works. That will let us dot all the i's.
Special thanks to the bot author for providing the material. Special thanks to f20f9f for the APK analysis. Thank you very much for your time. I have spent a lot more of it, believe me. And I really regret that I have not covered everything. The deadline was really biting. I did my best.
Field notes specially for damagelab by Ar3s. All coincidences are random. No hamsters were harmed as a result of the tests.
P.S. Repost for those who haven't read it.