A new app called Sarahah, which allows people to receive anonymous feedback messages from friends and coworkers, has been quickly gaining popularity. Though it seems like a good concept, the app has already been criticized for silently uploading users’ contacts to its servers.
As a result of its quick growth, the ThreatLabZ team was certain the Sarahah app would be a top-of-mind target for attackers. We kept a close watch for any malicious indicators and came across a remote access Trojan (RAT) portraying itself as the app.
The Zscaler sandbox readily marked the fake Android app as malicious, as shown in screenshot below:
Fig 1 – Zscaler Sandbox report
The payload is a RAT variant created using DroidJack, a RAT builder that has been in the wild for quite a while. A few months back, we posted a blog about a fake system update on Google Play that was using traces of DroidJack. We also wrote recently about fake Pokemon GO variants, prepared using DroidJack, that were making the rounds in the wild.
DroidJack is a sophisticated piece of software that allows users to build Android Trojans with the ability to perform many invasive tasks:
Bind malicious code with any desired APK
Delete/Add/Modify/Download/Upload files from a victim’s device
Spy on SMS Messages
Record phone conversations
Read/copy a victim’s contacts
Take pictures from an infected device camera
Listen to a live conversation using an infected device mic
View browser history
Steal a victim’s location
And many, many more
App Name : Sarahah
MD5 : 3a9c32d270f19384e148b0f24d916a5f
Pkg Name : net.droidjack.server
Once installed, the malware app portrays itself as the Sarahah app. The screenshot below show the graphic of the official Sarahah app (left) and the fake app (right).
Fig 2 – Sarahah App- Original(Left) vs Fake(Right)
As soon as the victim clicks on the fake app, it asks for Admin privileges. Once admin rights are acquired, the icon disappears. The user may think the app has been removed, but it has only hidden itself.
Once hidden, the app begins running services that will later handle all the major malicious activities of DroidJack mentioned above.
The first function invoked by the malware is called MainActivity, which hides the fake app and starts an Android service called Controller.
Fig 3 – Main Activity
Major activities highlighted in the top left corner of the above screenshot are as follows:
CallListener : Handler taking care of call logging.
CamSnap : Designed to capture photos.
Connector : Broadcast Receiver designed to start Controller Service on every reboot.
Controller : Contains code to make connections with Command & Control(C&C) Centre. It uses open sourced Kryonet library for setting up connections.
GPSLocation : Contains code to capture GPS location.
VideoCap : Designed to capture live video using victim’s camera.
We also found hard-coded C&C details in the source code where the author leverages a dynamic DNS domain.
The screenshot below shows the C&C details:
Fig 4 – Command & Control (C&C) details
Stealing SMS Messages
DroidJack RAT is designed to read all email inbox messages as well as incoming SMS messages and send them to the C&C server. It also aborts new message notification, leaving the victim unaware of any new message received.
Fig 5 – Reading inbox SMS Messages
The screenshot below shows the code responsible for fetching incoming SMS messages and aborting the notification:
Fig 6 – Reading incoming SMS Messages
Along with stealing SMS messages, the RAT is also capable of sending messages to any number sent by the attacker.
Fig 7 – Send SMS Fucntionality
Upon further inspection, we found that this fake app also targets WhatsApp data.
Fig 8 – Accessing Whatsapp Data
Contacts and Calls
Along with SMS stealing, the fake Sarahah app is snooping around for the victim’s contact details.
Fig 9 – Reading Contacts
Fake Sarahah app is also capable of dynamically calling desired numbers.
Fig 10 – Calling Functionality
This RAT has the ability to record calls in a file with the .amr extension, which is later sent to the C&C server. It also steals GPS locations as well as browser history and bookmarks.
After all the desired data has been snooped out, it is stored in a database locally under /data/net.droidjack.server/. Databases are named as follows:
SandroRat_CurrentSMS_Database – Incoming SMS
SandroRat_RecordedSMS_Database – Inbox SMS
SandroRat_CallRecords_Database – Call Recordings.
SandroRat_Contacts_Database – Victim’s Contact details.
SandroRat_BrowserHistory_Database – Browser history and bookmarks
One more final precaution is taken by the fake Sarahah app while transmitting stolen data over the wire. It uses AES encryption to send the data to the C&C server. This step may be taken to prevent data from being easily detected during malware analysis through a proxy.
Fig 11 – AES Encryption
Attackers will continue to target victims by embedding malicious code into any new, popular Android app, as it’s an easy way to quickly widen their attack base. This was the case with Netflix and Pokemon GO. Attackers exploit people’s appetite for new apps and their desire to be the first to have them by offering up fakes before the real versions are officially launched or by mimicking add-on functionality that is not yet available in the official app.
ThreatLabZ strongly advises users to stay away from scams like the fake Sarahah app and download apps only from official Android stores, like Google Play. As an added precaution, it is advisable to review an Android app’s permissions before installing it to get a clear picture of the app’s capabilities and the developer’s motive.
ThreatLabZ will continue to monitor the use of apps for spreading malware to ensure that Zscaler customers remain protected from such attacks.