Obfuscated Files or Information
Procedure Examples
Name | Description |
---|---|
Agent Smith |
Agent Smith’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.[19] |
BrainTest |
BrainTest stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.[8] |
Bread |
Bread uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. Bread has also abused Java and JavaScript features to obfuscate code. Bread payloads have used several commercially available packers as well as hiding code in native libraries and encrypted JAR files in the data section of an ELF file.[18] |
Cerberus |
Cerberus uses standard payload and string obfuscation techniques.[22] |
Charger |
Charger encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.[6] |
Dvmap |
Dvmap decrypts executables from archive files stored in the |
EventBot |
EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[21] |
FlexiSpy | |
Ginp | |
GolfSpy |
GolfSpy encodes its configurations using a customized algorithm.[15] |
Gustuff |
Gustuff code is both obfuscated and packed with an FTT packer. Command information is obfuscated using a custom base85-based encoding.[11] |
INSOMNIA |
INSOMNIA obfuscates various pieces of information within the application.[20] |
Monokle | |
OBAD |
OBAD contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.[3] |
Pallas |
Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.[10] |
Rotexy |
Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations.[13] |
TrickMo |
TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s |
WireLurker |
WireLurker obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.[9] |
XLoader |
Mitigations
Mitigation | Description |
---|---|
Application Vetting |
Application vetting techniques may be able to alert to the presence of obfuscated or encrypted code in applications, and such applications could have extra scrutiny applied. Unfortunately, this mitigation is likely impractical, as many legitimate applications apply code obfuscation or encryption to resist adversary techniques such as Repackaged Application. Dynamic analysis when used in application vetting may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code. |
Detection
Malicious obfuscation of files or information can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.
References
- Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.
- Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.
- Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.
- Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.
- K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
- Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.
- Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.
- Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
- Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
- Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
- T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
- R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
- E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
- ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
- P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
- A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
- A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
- A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
- D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
- Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.