Reddit story on a Gretel A7 device infected by adware
 
There was an interesting post on Reddit's malware subreddit from a Reddit user about an infected Android device - link to the story. The phone in question is a Gretel A7 which was purchased from Amazon a few years ago. The suspicious symptoms the user observed on the device were: a barrage of ads, apps getting installed without user intervention, and general slowness. These are tell-tale signs of a malicious infection, most likely adware.

The user was kind enough to share the apk with the community on Reddit. Below are details about the apk.
The apk requests the following permissions:
  • access_coarse_location - Gives access to the approximate device location
  • change_wifi_state
  • internet
  • read_phone_state
  • write_external_storage - Store files on the device
  • access_network_state
  • access_wifi_state
  • change_network_state
  • read_external_storage
  • receive_boot_completed - Start the apk as soon as the phone boots up
  • wake_lock
  • write_settings

Initial Observations

There are a few signs which raise suspicion about this app from the get-go:

1. There is no visible icon for this app once it gets installed:



2. There are no activities in this apk (not even a main activity). An activity is essentially a screen/view for the user, so having no activities means the user never sees any screens belonging to this apk. This alone does not make the apk malicious, since there are legitimate apps that are meant to run in the background and have no activities, but it is a point worth noting.

3. There is a Broadcast Receiver - com.uctsadtxasch.quyry.util.WkcRvc - which is triggered by critical system events on the device such as:
- Boot completed
- Connectivity change
- Timezone change

4. Secret codes allow a developer to program an app to perform a certain function when that code is entered. One example of this usage is showing diagnostic information about the app - more details on this blogpost.
There is a secret code present in this app as well:
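The four checks above (no activities or launcher icon, a receiver on auto-start broadcasts, a secret-code intent filter, and the notable permissions) can be automated so a batch of manifests can be ranked for review. The script below is an added example, not code from the original post. It assumes the manifest has already been decoded to plain XML (as apktool produces); the manifest it parses is a constructed stand-in, since the real one appears in the post only as screenshots. The package name and the WkcRvc/WkcSvc class names are taken from the post; the secret-code value "0000" and the remaining declarations are assumptions made for the illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the red flags listed above.

Added example, not code from the original post. The manifest below is a
constructed stand-in for the real one: the package and the WkcRvc/WkcSvc
class names come from the post, the secret code "0000" and everything else
is made up.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attributes

# Constructed sample manifest (plain XML, as produced by apktool)
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.uctsadtxasch.quyry">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".util.WkcSvc"/>
    <receiver android:name=".util.WkcRvc">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.TIMEZONE_CHANGED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="0000"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Broadcasts that let a component run without any user interaction (the three the post lists)
AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.TIMEZONE_CHANGED",
}
SECRET_CODE_ACTION = "android.provider.Telephony.SECRET_CODE"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
# Permissions the post singles out as worth a second look
NOTABLE_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WRITE_SETTINGS",
    "android.permission.READ_PHONE_STATE",
}


def triage_manifest(xml_text):
    """Run the red-flag checks and return them as a dict of findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    activities = [] if app is None else app.findall("activity")
    receivers = [] if app is None else app.findall("receiver")

    findings = {
        "no_activities": not activities,
        # No activity carries a LAUNCHER category => nothing shows up in the app drawer
        "no_launcher_icon": not any(
            cat.get(A + "name") == LAUNCHER_CATEGORY
            for act in activities for cat in act.iter("category")),
        "autostart_receivers": [],
        "secret_codes": [],
        "notable_permissions": sorted(
            {p.get(A + "name") for p in root.findall("uses-permission")} & NOTABLE_PERMISSIONS),
    }
    for rcv in receivers:
        name = rcv.get(A + "name")
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        auto = sorted(actions & AUTOSTART_ACTIONS)
        if auto:
            findings["autostart_receivers"].append((name, auto))
        if SECRET_CODE_ACTION in actions:
            # The dialer code is carried in the host of an android_secret_code data element
            hosts = [d.get(A + "host") for d in rcv.iter("data")
                     if d.get(A + "scheme") == "android_secret_code"]
            findings["secret_codes"].append((name, hosts))
    return findings


def suspicion_score(findings):
    """Count the red flags so that a batch of manifests can be ranked for review."""
    score = int(findings["no_activities"] or findings["no_launcher_icon"])
    score += len(findings["autostart_receivers"])
    score += len(findings["secret_codes"])
    score += len(findings["notable_permissions"])
    return score


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(key, value)
    print("score:", suspicion_score(result))
```

None of these flags is conclusive on its own (a background sync app legitimately has no activities and listens for BOOT_COMPLETED), which is why the script reports each finding separately and only sums them as a ranking hint.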





Since there is no app icon for this apk in the app drawer, nor any activities, I started the app by launching its service - com.uctsadtxasch.quyry.util.WkcSvc - from adb:
  • am startservice com.uctsadtxasch.quyry/.util.WkcSvc

Once it begins execution, it contacts adv-package.oss-ap-southeast-1.aliyuncs.com/files/236.txt. This URL points to a text file containing a few interesting things, specifically the names of a few .jar files:



I kept logcat running in the background, filtered on the package name of this app - ./adb logcat | grep "com.uctsadtxasch.quyry". It showed the following entries during the initial stages, and a few lines are particularly interesting:



The two .jar files circled above are the ones listed in the text file fetched in the previous step. So these .jar files were downloaded, stored locally under the app's 'files' folder, and loaded later. The image below shows the 'files' folder under /data/data/com.uctsadtxasch.quyry/files/:



Analysis of one of these jar files shows the presence of an adware-related component in it:
Jar file - 1551867021814-wygsapgtjaf2dfd3gdg6d.jar:



This is a common technique used by a number of malicious threats for Android: the base app may be clean by itself, but the malicious components are downloaded at a later stage so as not to draw suspicion to the base app.

Network Communications

The malware communicated with a number of hosts during my analysis session. VirusTotal Relations gave interesting data about a few of the links, as shown below:

1. adv-package.oss-ap-southeast-1.aliyuncs.com was contacted to download 236.txt, which contained the .jar file names:



2. datastatis.coolook.org - was contacted to send POST data containing device information:



3. stats.adinsync.com - was contacted to send POST data. The URL has a parameter called app_name whose value is the package name of the malicious app being analyzed. VT Relations shows a large number of malicious apks connected to this domain; perhaps they too contacted this domain with their own package name as the parameter:



There were additional malicious domains contacted during my analysis; I have listed a few more of them below, without the VT Relations data:
  • 18.136.119.136
  • offers-api.adflushlife.com
  • atracking-auto.appflood.com
  • click.inplayable.com
  • mayrondigital.go2affise.com
  • circultural.com
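The domains and IP above, together with the three hosts from the VT Relations section, form a small indicator list that a defender can match against egress logs from other devices to find further infections. The script below is an added example, not part of the original post. The indicators are copied from the post; the log format ("<time> <device> <type> <value>", with dns, http and conn records) and the sample lines are constructed for the illustration, including the http request that carries the package name in app_name.

```python
"""Match observed DNS/HTTP/connection activity against the indicators in this post.

Added example, not code from the original post. The indicator list is copied
from the post; the log format and the sample lines are constructed.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts named in the post (VT Relations section plus the extra list)
IOC_DOMAINS = {
    "adv-package.oss-ap-southeast-1.aliyuncs.com",
    "datastatis.coolook.org",
    "stats.adinsync.com",
    "offers-api.adflushlife.com",
    "atracking-auto.appflood.com",
    "click.inplayable.com",
    "mayrondigital.go2affise.com",
    "circultural.com",
}
IOC_IPS = {"18.136.119.136"}
SUSPECT_PACKAGE = "com.uctsadtxasch.quyry"

# Constructed sample log: "<time> <device> <type> <value>"
SAMPLE_LOG = """\
2019-03-06T10:00:01 phone1 dns adv-package.oss-ap-southeast-1.aliyuncs.com
2019-03-06T10:00:02 phone1 http http://adv-package.oss-ap-southeast-1.aliyuncs.com/files/236.txt
2019-03-06T10:00:05 phone1 dns www.example.com
2019-03-06T10:00:09 phone1 http http://stats.adinsync.com/report?app_name=com.uctsadtxasch.quyry&v=1
2019-03-06T10:00:12 phone1 conn 18.136.119.136:80
2019-03-06T10:00:20 phone1 dns cdn.circultural.com
"""


def host_matches(host, domains):
    """True for an exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(text):
    """Return (time, kind, detail) for every record that touches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed record, skip it
        ts, _device, kind, value = parts
        if kind == "dns" and host_matches(value, IOC_DOMAINS):
            hits.append((ts, "dns", value))
        elif kind == "http":
            url = urlsplit(value)
            if host_matches(url.hostname or "", IOC_DOMAINS):
                # The post notes that stats.adinsync.com is sent the package name in app_name;
                # surfacing it identifies which app on the device made the request.
                app = parse_qs(url.query).get("app_name", [None])[0]
                detail = url.hostname + (" app_name=" + app if app else "")
                hits.append((ts, "http", detail))
        elif kind == "conn":
            ip = value.rsplit(":", 1)[0]
            if ip in IOC_IPS:
                hits.append((ts, "conn", ip))
    return hits


def packages_reporting(hits):
    """Package names seen in app_name parameters, i.e. apps that checked in with the ad backend."""
    names = set()
    for _ts, kind, detail in hits:
        if kind == "http" and " app_name=" in detail:
            names.add(detail.split(" app_name=", 1)[1])
    return sorted(names)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print("apps checking in:", packages_reporting(found))
    print("known sample present:", SUSPECT_PACKAGE in packages_reporting(found))
```

Subdomain matching matters here because the post shows the download host as a bucket name under aliyuncs.com while the ad domains are apex names; matching on suffix catches both forms without also flagging every other aliyuncs.com bucket, since only the bucket host itself is listed.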
One thing to note: I analyzed this sample for just one day, and according to the user whose device was infected, the sample only started showing ads after a brief period. It's possible that over time I will see more activity on my infected device, but as of now I have not seen any advertisements, nor have other rogue apps been installed on my test device.

Nevertheless, this app does show malicious/suspicious behavior and should be scrutinized further.

I have added a rule on Koodous for this sample, I will continue to tune this rule to make it more generic.
 