As reported from different fonts, Pokemon Go is a virtual reality game and it is also the first game developed by Nintendo for smartphone Android and iOS.
Researchers discovered an infected Android version of the mobile game Pokemon GO. The installation file (APK) was modified to include a malicious remote access tool (RAT) called DroidJack, which would give an attacker full control over a victim’s phone.The game was first released in Australia and New Zealand on July 4th and on July 6th in the US.
The game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their country, attempted to download a copy of the game outside of legitimate channels.
PART 1 - STATIC ANALYSIS
In the first part of this article I want to do a deep dive analysis of the evil APK and compare the differences between the real and the infected App.
Who created the evil App retrieved a game's copy, inserted inside a RAT tool and spread the APK in different third part market. The attacker took advantages of frenzy of the rest of the world to play the game before to be official released in the countries.
HERE WE GOOOOOOO!!!!
First of all I think it is important to analyze the differences between PERMISSIONs included within the Manifest file.
In the red square is highlighted a part of permissions added into the evil APK.
The user, accepting these permissions give to the attacker the full access of his SMS, contacts list, camera, microphone, Internal and external (SD card) memory, etc.
Another evidence is reported in the image below. In the green square is present the safe part of the APK, in the red square is reported the padding code, where different droidjack server services are invoked to be enabled.
In the same part is possible to read the declaration of two activities, CamSnapDJ and VideoSnapDJ.
Two receivers are also declared:
- Connector to run on boot completed
- CallListener to read phone state
Inspecting content of both APK files, stand out that three different packages were added by the attacker.
Droidjack is also known as SandroRat, below is reported the evidence:
The attacker used Java Crypto library to encrypt communications with AES (Advanced Encryption Standard) algorithm.
Source: https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
I was able to decode the Key from the byte array
Below is reported the URL contacted and the port used to communicate with the C&Cs.
This malware identifies the device and creates a Database to store these information. Then everything is sent to the website http://droidjack(dot)net/storeReport(dot)php.
In the class bs the attacker verifies if the device is rooted by checking into the fonder /system/app/ the existence of the APK file Superuser.apk.
If the smartphone is rooted, this malware will have device full control.
In the last picture I reported how the Whatsapp database is read and stolen.
Finally, this report evidences how third part market that give you the opportunity to download APK for free, could spread malicious App. To protect yourself from possible infections, download apps from official app store and not from third-party site.
There's no such thing as a free lunch!!
IOC:
SHA256: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
MD5: d350cc8222792097317608ea95b283a8
Domain:
- http://pokemon.no-ip.org (IP address: 88.223.178.130)
- http://droidjack.net/storeReport.php (IP: 162.251.80.24)
Dynamic analysis is coming soon...
