DEV Community

loading...

The movie app that watches you watching

chris
writing things down before I forget them
Updated on ・5 min read

Edit: 2021/05/13: improved the Yara rule to use groups of strings and added a suricata rule

How can a movie app be a spyware at the same time?

One day, I was checking the malicious apks that have been uploaded to Pithus. I found an application called com.hdmovies.freemovieshd that is tagged as spyware by various anti-viruses.

Virus Total Results

Quick static analysis

First, here are some basics regarding the code retrieved from Pithus:

  • some of the code is obfuscated: pithus result
  • the list of permissions on Pithus extends from read/write external storage, send/read/receive SMS, access fine location, camera, phone permissions, get accounts, read/write contacts... Too much permissions, it's fishy.
  • the network data has some suspicious domains such as ifronttech[.]in

Here we know that this app is somewhat malicious but how deep can we go?

Quick dynamic analysis

Then, we launched the app in tria.ge (see results) to have some idea of the behaviour of our target.

The app seems aware of possible emulation and didn't return us substantial results except this network section sent at the launch of the app:

Remote address:
166.62.28\.102:80

Request
GET /JSONAPI/AppXender/HDMovies.json HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1)
Host: ifronttech\.in
Connection: Keep-Alive
Accept-Encoding: gzip

Response
HTTP/1.1 200 OK
Date: Fri, 07 May 2021 19:31:27 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Sun, 17 Jan 2021 13:38:54 GMT
ETag: "b3c057b-2d1-5b918ba013f9e-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 415
Keep-Alive: timeout=5
Content-Type: application/json
Enter fullscreen mode Exit fullscreen mode

At this time, we don't know if that is a network check or a C2 communication. We'll need to investigate the code itself.

Longer static analysis

So it's time to boot up JADX.

Classes before deobfuscation:

Before deobfuscation

Classes after deobfuscation:

After deobfuscation

The most interesting part of the code is located in the package: com.hdmovies.freemovieshd.watchmovies.info and everything under. The name of those classes are obviously obfuscated but that doesn't prevent us from getting the general logic of the code.

Obfuscation technique

The code implements a custom deobfuscation technique with the method huhaa46() from the qedthong class, illustrated here:

Obfuscation technique

If will remove the "hognq" part of the string if it founds it and then try to decode it from base64. There a number of variables from options values to export files that are simply encoded in base64 and not using that system.

The app will scan for all your files

File grabber

This function will scan for files in your external storage and then process them with the obfuscated function qnqwerhong.qsavelivethong().

This function will create a file which name is encoded in Base64 (TGl2ZS50eHQ= which decode to file.txt) with the name of all the scanned files.

The app will record you

In qhieightrehong class you can see the app setting up the audio module from your phone and launch the mic with setSpeakerPhoneOne(true) (link to Android documentation).

Recording section

The app will steal your Signal or Whatsapp conversations

This might be the most substantial findings in the analysis of this application. It will look for archives of your Signal or Whatsapp folders and then grab everything it can from it.

WhatsApp/Signal grabber

b3JnLnRob3VnaHRjcmltZS5zZWN1cmVzbXMvLmNvbnZlcnNhdGlvbi5Db252ZXJzYXRpb25BY3Rpdml0eQ== => org.thoughtcrime.securesms/.conversation.ConversationActivity
Y29tLndoYXRzYXBwLy5Db252ZXJzYXRpb24= => com.whatsapp/.Conversation
Enter fullscreen mode Exit fullscreen mode

The app will log your phone calls

The app will log your phone calls and get the list of your contacts.

Phone call logger

The app will check your wifi and geolocalise it

Not only the app will get your wifi information but it will try to geolocalise you using those information. Indeed, some wifi have geographic coordinates.

Alt Text

The app will get your carrier and all the information about your device

The application will get all the information from your network carrier and your device. Frankly, at this point we aren't surprised anymore.

Carrier logger

The app will steal your account tokens from your apps

Each time you log in to an app, the account is linked to it with a token. This malware will steal those accounts allowing further hacking to your online accounts.

App tokens grabber

Noisy logging

The app seems to be quite poorly coded. A lot of the obfuscation techniques are quite easy to deobfuscate and the app has a lot of very noisy, poorly written logging (allowing so much better hunting!).

Noisy logs

Conclusion

This application allows us to finally accomplish our dream to tbe hero of the films we watch... by watching us!

The persistance process is made through the calendar relaunching the application in case it isn't running. The application will set up cancelled events here and there and when they ring, they will relaunch the application.

The application stores the entire stolen data in .txt files and in a sqlite database with md5 on the phone itself and then, probably send it over encrypted TCP communication as we saw function implementing encryption process. In case you want to run this application in a dynamic environment, you might want to look for that.

So, all in all, it's a spyware. Thank you for reading, let me know if you have questions or improvements, I'm still new at this!

Network indicators

  • fronttech[.]in
  • instadownload[.]buzz
  • 135.181.154[.]21

Hunting rules:

rule crime_unknown_eight {
    meta:
        date = "2021-05-10"
        author = "@evilcel3ri"
        description = "Detects a specific spyware with keylogging capabilities"

    strings:
        $a = "ifronttech.in"
        $b = "b3JnLnRob3VnaHRjcmltZS5zZWN1cmVzbXMvLmNvbnZlcnNhdGlvbi5Db252ZXJzYXRpb25BY3Rpdml0eQ=="
        $c = "Y29tLndoYXRzYXBwLy5Db252ZXJzYXRpb24="
        $d = "hognq" ascii
        $e = "HD_Movie1_8_321tn" ascii
        $f = "ppbew.txt" ascii
        $g = "dGhpcyBpcyBhZ2RmaGdkZmgga2V5"
        $h = "Removeing files" ascii
        $k = "bew.txt" ascii

    condition:
        uint16(0) == 0x6564 and (($a or $e) or ((($b or $d or $c or $g) and ($k or $h or $f))))

}
Enter fullscreen mode Exit fullscreen mode
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA/Spyware HDMovies suspicious host fronttech in";http.host;content:"ifronttech.in";http.uri;content:"/JSONAPI/AppXender/HDMovies.json";flow:to_server,established;)
Enter fullscreen mode Exit fullscreen mode

Details

See details page on Pithus: https://beta.pithus.org/report/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9

Pithus is an open-source static analysis tool for malicious Android application. Check it out at: https://beta.pithus.org

Discussion (2)

Collapse
karandpr profile image
Karan Gandhi

It was an interesting read. Thanks for sharing!

Collapse
evilcel3ri profile image
chris Author

Thank you for taking the time to read!