Figure 6. Command “rate_words”, which can be used to vote for fraudulent reviews
Commands and Parameters Decryption
Android/LeifAccess.A stores a hashtable map, in a SharedPreferences XML structure, where the key is the function name and the value is the parameter used by the commands. The real function names (plain text) and parameters are obfuscated, encrypted, salted and/or one-way hashed (MD5 or SHA-1) to avoid detection.
Figure 3. De-obfuscated set of strings used as fully qualified resource IDs for view-id access to perform fake reviews by abusing accessibility services
Android/LeifAccess will try to download and install the target application, because a user account can only write reviews for apps that have previously been installed. It will try to install through Google Play, but there is also an implementation to download apps from an alternative market store (APKPure) and from direct links.
Real-world Example
As a real-world example of this malicious behavior, it is possible to find reviews on Google Play that match the parameters received from the C&C and stored in the de-obfuscated SharedPreferences XML files. For instance, the application ‘Super Clean-Phone Booster, Junk Cleaner & CPU Cooler’ is rated 4.5 stars on average with more than 7k reviews, some of which are fake, as they contain repeated expressions copied from the Trojan’s command parameters.
In figure 5 the XML element contains the reviews sent by the C&C, while the attribute “name” represents the hash table key. In this case the key “FF69BA5F448E26DDBE8DAE70F55738F6” is associated with the command “rate_p_words”:
MD5 is a one-way function, so it is not possible to decrypt the hash-table key string directly. However, based on the static analysis, it is possible to recalculate the hash for all the decoded strings found in the second-stage DEX file and then associate each hash with its plain-text name.
Recalculating that particular hash is possible by invoking the hash function with rate_p_words and com.services.ibgpe.hflbsqqjrmlfej as arguments.
In the same hash table other parameters are stored, for instance the self-update server URL, using the same encryption/obfuscation method:
Figure 7. Obfuscated HashMap
The key F09EA69449BA00AA9A240518E501B745 and the embedded value can be interpreted as follows:
Figure 8. HashMap as plain text
Other commands are detailed in the table of commands in the appendix, which includes shortcut creation and frequency of updates.
Received commands are also stored locally in an SQLite DB that records the main actions performed by the malware.
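The hash recalculation described above (hash the candidate command name together with the package-name salt, then match the result against the keys in the SharedPreferences XML) can be automated for every string recovered from the second-stage DEX. The following is an added example for analysts, not code from the original post or from the malware; it assumes plain concatenation of name and salt (the page only states that both are inputs), so it tries both orders and both MD5 and SHA-1. The XML and value strings are constructed for the demo.

```python
import hashlib
import xml.etree.ElementTree as ET

# Hash functions the page says the sample uses for its keys (MD5 or SHA-1).
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}

def derive_key(name, salt, algo="md5"):
    """Hash name+salt and return upper-case hex, the key format seen in the
    sample's SharedPreferences XML. The concatenation order is an assumption."""
    return HASHES[algo](f"{name}{salt}".encode()).hexdigest().upper()

def build_lookup(candidates, salt):
    """Precompute every hash/order variant for the candidate command names
    recovered from the second-stage DEX, so obfuscated keys can be matched."""
    table = {}
    for name in candidates:
        for algo in HASHES:
            table[derive_key(name, salt, algo)] = name
            table[derive_key(salt, name, algo)] = name  # other concatenation order
    return table

def resolve_prefs(xml_text, candidates, salt):
    """Map each <string name=HASH> entry back to its plain command name.
    Entries with no candidate match keep their raw hash as the key."""
    lookup = build_lookup(candidates, salt)
    resolved = {}
    for elem in ET.fromstring(xml_text):
        key = (elem.get("name") or "").upper()
        resolved[lookup.get(key, key)] = elem.text or ""
    return resolved

# Constructed sample: command names from the page, the package-name salt from
# the page, and invented values. Keys are derived here to mimic what the
# malware would write; real keys only match if the concatenation guess is right.
SALT = "com.services.ibgpe.hflbsqqjrmlfej"
CANDIDATES = ["rate_p_words", "rate_words", "update_url", "shortcut"]
SAMPLE_XML = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="{derive_key('rate_p_words', SALT)}">great app;works fine</string>
    <string name="{derive_key('update_url', SALT, 'sha1')}">http://update.invalid/v2</string>
    <string name="0000DEADBEEF">unknown</string>
</map>"""

if __name__ == "__main__":
    for key, value in resolve_prefs(SAMPLE_XML, CANDIDATES, SALT).items():
        print(f"{key:>14} -> {value}")
```

Feed it the real XML pulled from the device's shared_prefs directory and the full list of decoded strings; any key left unresolved is a command name you have not recovered yet.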
Abuse of Accessibility
Deactivating Google Play Protect:
LeifAccess attempts to navigate through the target app using AccessibilityNodeInfo by view-id resource name. For example, for Google Play Protect, the package is embedded in the Google Play app with package name ‘com.android.vending’, and it will try to access the view id ‘play_protect_settings’ as defined in string g. The fully qualified resource id is “com.android.vending:id/play_protect_settings”, as shown in the deobfuscated code.
Figure 9. List of view-id resource strings abused by LeifAccess
Fake Account Creation Abusing Single Sign-On:
Another monetization strategy used by this family is the creation of accounts in the name of legitimate user identities and accounts registered on the infected device. This is accomplished by abusing the accessibility services to perform account creation and login using the Google Sign-In OAuth 2.0 that many legitimate services integrate into their apps.
Android/LeifAccess can download and install the target application to later set up an account without user interaction.
The deobfuscated code shows how Android/LeifAccess uses AccessibilityEvent to navigate into a dating app to create an account using the Google login option.
Figure 10. AccessibilityEvent used to create fake accounts
The following are some examples of other application package names targeted by this malware to perform fake account creation, mostly related to categories such as shopping, dating and social.