Reverse Engineering "Undangan APK" Malware
Summary
- The malware is an APK file called Lihat Poto Undangan_Pdf.apk with the package name com.google.masitaux3.
- Once installed, it does not appear in the launcher.
- Upon opening, the malware requests permissions to read notifications, read SMS messages, and send SMS messages.
- After obtaining these permissions, the app displays a blank screen.
- The malware monitors notifications and SMS messages, sending the captured data to its owner via the Telegram API and SMS.
- The data is sent to the Telegram bot Deku1205 (bot ID 6103323459) and to the phone number +6282141857614.
- Its primary purpose seems to be the takeover of accounts secured with OTP codes sent via SMS or WhatsApp.
- Additionally, the malware can potentially generate money by taking over e-wallets, which often send verification codes through SMS or WhatsApp.
- This malware can be uninstalled from device settings.
Important Links
Malware APK: https://files.catbox.moe/5sem2y.apk
Background Story
My friend contacted me, saying that someone had sent him a "virus". He wanted me to look at it, so he forwarded me the "virus". It is an APK file named Lihat Poto Undangan_Pdf.apk.
Installing the APK
I installed it in an Android emulator. It didn't show up in my launcher, so I had to start the application from Settings. First, it asked for two permissions:
- Read notification.
- Read and send SMS.
After granting both, it displayed a blank screen.
Strings
I tried running the APK through strings and got some interesting findings:
- There are strings of multiple languages in the application.
- There is a string "Cek Resi"; it seems this app also goes by that name.
- The package name is com.google.masitaux3.
I didn't find anything else from strings, so I decompiled it.
Decompilation using apktool
I ran into trouble decompiling the resources (res), so I skipped them.
I found some API calls to Telegram Bot API, which is called when the
malware is installed and whenever a notification or SMS message is
received. I also found a phone number in the APK.
Exploring Telegram Bot and Phone Number
In the decompiled code, I found two things:
- A Telegram Bot API call to sendMessage when the malware is installed. The bot ID is 6103323459 and the bot username is Deku1205.
- A phone number in the APK: +6282141857614. On WhatsApp, the account name is KING KEVIN. I think this is just a burner phone number, as the name and profile picture belong to an Instagram account called @kingkevinreal.
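The strings pass and the decompilation above turned up three indicator classes: Telegram Bot API use, SMS and notification-listener permissions, and an embedded international phone number. The following triage script, an added example and not part of the original write-up, scans every entry of an APK for those indicator classes. It handles the one catch a plain strings run misses: the binary AndroidManifest.xml stores permission names as UTF-16LE, so the script also scans a UTF-16LE-decoded view of each entry. The sample APK it builds in memory is constructed, and all token, bot ID and phone values in it are placeholders.

```python
import io
import re
import zipfile

# Indicator classes matching what the analysis surfaced (Telegram bot use,
# SMS / notification access, an embedded phone number). Byte regexes.
INDICATORS = {
    "telegram_bot_api": rb"https?://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+",
    "telegram_method": rb"\b(?:sendMessage|sendDocument|getUpdates)\b",
    "sms_permission": rb"android\.permission\.(?:READ_SMS|RECEIVE_SMS|SEND_SMS)",
    "notification_listener": rb"android\.permission\.BIND_NOTIFICATION_LISTENER_SERVICE",
    "intl_phone_number": rb"\+[1-9][0-9]{8,14}",
}
COMPILED = {name: re.compile(pat) for name, pat in INDICATORS.items()}


def scan_blob(data: bytes) -> dict:
    """Return {indicator: sorted unique matches} for one file's bytes.

    classes.dex strings are (M)UTF-8, which the raw scan covers; the binary
    AndroidManifest.xml is UTF-16LE, so a decoded copy is scanned as well.
    """
    views = [data, data.decode("utf-16-le", "ignore").encode("utf-8", "ignore")]
    hits = {}
    for name, rx in COMPILED.items():
        found = {m.group(0).decode("ascii", "ignore") for v in views for m in rx.finditer(v)}
        if found:
            hits[name] = sorted(found)
    return hits


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every entry of an APK (a zip archive) and merge the hits."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for entry in z.namelist():
            for name, values in scan_blob(z.read(entry)).items():
                merged.setdefault(name, set()).update(values)
    return {k: sorted(v) for k, v in merged.items()}


def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspicious APK; every value is a placeholder."""
    dex = b"\x00https://api.telegram.org/bot1234567890:AAAAexampleTOKEN/sendMessage\x00+620000000000\x00"
    manifest = ("android.permission.READ_SMS\x00android.permission.SEND_SMS\x00"
                "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE").encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, values in scan_apk(build_sample_apk()).items():
        print(f"{indicator}: {values}")
```

Point scan_apk at the bytes of a real sample to get the same per-indicator listing; a hit on the Telegram bot URL together with SMS or notification-listener permissions is the combination this family relies on.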