Cheetah Mobile

At the Black Hat Conference in July of 2017, it was revealed that a campaign dubbed “Operation Manul” had been organized to eavesdrop and launch cyber attacks against certain people in Kazakhstan. Recently, Cheetah Mobile and Antiy Lab also discovered that the campaign was likely spying on the Android platform.
 

Preface

Researchers from the Electronic Frontier Foundation (EFF) presented a report at the latest Black Hat Conference that disclosed information about a hacking campaign called Operation Manul. This large-scale cyber attack targeted a select group of people, namely journalists and political activists who were vocal about the authoritarian government in Kazakhstan. The EFF report analyzed the eavesdropping technologies and domains.

Through the internal retrieval comparison of several C2 server domains that were used for command control and file uploading, as disclosed in the report, Cheetah Mobile and Antiy Lab discovered some relevant malicious samples. According to the analysis, the spyware disguises itself as popular apps so that it can sneak into the devices of targeted users. When gaining privileges, the spyware begins a series of eavesdropping activities, including secretly taking pictures and recording sounds, plus stealing users’ SMS, contacts, geographic location, and other private information. After that, the spyware uploads the information to a remote server.

This is the first discovery of Operation Manul attacks on the Android platform. Below is the detailed analysis of the captured Android spyware.

Brief analysis

The spyware discovered by Cheetah Mobile and Antiy Lab disguises itself as popular applications and injects malicious codes into these apps to launch nefarious attacks against targeted users. The affected apps include WhatsApp, Orbot, Psiphon, and more.

The structures of application packages injected with malicious modules are seen in the following figure:

Analysis object description

We found that the malicious modules injected in different apps were almost the same, so we chose one of the samples to conduct a more detailed analysis.

Analysis of the malicious behaviors

The AM file shows that the spyware has registered a lot of “receiver” and other related privileges that allows it to gain control of the device and retrieve sensitive information. The attributes of the malicious module can be seen in the image below.

According to the operating logic of the program, the malicious behaviors include three steps.

Step 1. Gains sensitive privileges

At first, the spyware will ask for specific privileges, such as invoking the camera, recording sound, geographic location, phone calls, reading SMS, etc.

Next, the Pms and cmd modules of the spyware will confirm whether it has gained the key privileges. If not, it will send a privilege request again to make sure that it gains the privileges needed to steal the information.

Step 2. Executes remote commands

The execution of the main malicious behaviors of the spyware entirely relies on the commands sent from the remote server. The spyware starts when the device is booted, immediately executing the malicious module. It receives the control command sent from the remote control server by using “https.” The spyware launches malicious activities according to the command information to steal private information and self-update codes. Below are the detailed steps.

“ReSeRe” is a self-starting program used to begin the main malicious service of the spyware, namely “MySe.”

“MySe” is the leading malicious module of the spyware, and “onCreate” will launch thread “F.”

Thread “F” can receive remote commands, parse remote control commands, and execute malicious behaviors.

The remote control commands contain a lot of codes to steal users’ private information, such as SMS, contacts, phone calls, location, browser history record, file information, network information, device information, and more. The spyware then sends the collected information to a remote server.

Step 3. Executes other malicious modules in the code

The spyware will record sounds in the users’ environment by using the malicious module “ReSe.”

“MyPhRe” is mainly used to tap into phone calls.

Analysis on the sources of the spyware

While analyzing the code, we found the C&C server used for communication.

We got the plain text URL after decoding the above address. The decoding key is: Bar12345Bar12345

Meanwhile, according to the domain of the C&C server, we found the same domain address in the report published from the Black Hat Conference in 2016. The original report summarized the information of servers used to launch phishing and other cyber attacks by Operation Manul (as in the image below), including the domain adobeair.net, which reflects that the captured Android samples probably originated from the hacker campaign Operation Manul.

Note: This picture is from the report published at the Black Hat Conference.

While reversing the domain “adobeair.net” with “whois,” we discovered a mailbox (iainhendry@blueyonder.co.uk) that seems to belong to the spyware author. The time it holds the adobeair.net domain name coincides with the time of the attack in the original report.

Through further research, we found an application promotion webpage (//www.androidfreeware.net/developer-3195.html) developed by the user of the mailbox. All of the applications promoted in this webpage are developed by this person, so it can be conjectured that the user of the mailbox is a developer with Android programming ability.

Summary

In recent years, with the popularity of smartphones and mobile networks in the world, mobile directional attacks are gradually increasing, and they have a trend of integration with PCs. Attackers combine mobile and PC attacks to obtain valuable personal identity information. Due to the boundaries, plus social and privacy attributes of mobile devices, once they get attacked, it likely leads to an avalanche effect and causes increasing losses. The Operation Manul campaign is not only a joint attack on PC and Android, but it’s also a typical event of a directional attack that targets a specific group.

Directional attacks against high-value users is a classic long-tail problem in a mobile threat confrontation. When security events have the features of clear targets and attack intention, and they involve important user privacy, there’s often unparalleled losses to the targeted victims. As such, security vendors should pay close attention and continue to enhance the ability of long-tailed threat confrontation to better escort users’ mobile security.

Appendix

IOC (Android)：