Based on the basic detection capability of Incinerator for Apk


Preface

This article compares the automated Android malicious-code analysis capability of the threat intelligence centers and online sandboxes of various vendors with the analysis capability of the incinerator reverse engineering tool developed based on Reactor, so that the differences between them become clearer and more intuitive. The threat intelligence centers tested here are all public (free) versions; the results do not represent the actual capability of each platform and should not be generalized.

The following is the list of test platforms:

  • Qihoo 360 Threat Intelligence Center (including its sandbox)
  • Anheng Threat Analysis Platform (including its sandbox)
  • Antiy Threat Intelligence Center
  • NSFOCUS NTI Threat Intelligence Center (including its sandbox)
  • VenusEye Threat Intelligence Center
  • Qianxin Threat Intelligence Center (including its sandbox)
  • Tianji Network Alliance RedQueen Security Intelligence Service Platform
  • Weibu Online (ThreatBook) Malware Analysis Platform (including its sandbox)
  • VirusTotal (including its sandbox)

The following is a test sample of malicious code:

  • Sample name: ERMAC
    • Hash value:
      • MD5: 16e991d73049f1ef5b8f5fa0c075ef05
      • SHA-256: f4ebdcef8643dbffe8de312cb47c1f94118e6481a4faf4166badfd98a0a9c5d3

ERMAC is operated by the threat actor behind the BlackRock mobile malware. On August 17, forum members named 'ermac' and 'DukeEugene' began promoting this malware. Like other banking malware, ERMAC is designed to steal contact information and SMS messages, open arbitrary applications, and launch targeted attacks against a large number of financial applications to scrape login credentials. In addition, it has new features that allow the malware to clear the cache of specific applications and steal accounts stored on the device.


Extracted from Anheng Threat Intelligence Platform

  • Sample name: FurBall
    • Hash value:
      • MD5: 6151b1e2e5035a8eb596ce1c37565e87
      • SHA-256: 0d09d5e46e779d796a8d295043e5bbd90ac43705fa7ff7953faa5d8370840f93

Domestic Kitten, also known as APT-C-50, is said to be a hacker group from Iran, mainly engaged in obtaining sensitive information from compromised mobile devices, and has been very active since at least 2016. In a 2019 report, Trend Micro stated that APT-C-50 may be associated with another group named 'Bouncing Golf' (which mainly targets Middle Eastern countries for cyber espionage).


Excerpted from Freebuf


Horizontal Analysis and Comparison

This article compares Android malicious code analysis from several dimensions. Since some platforms have no Android-based cloud sandbox (or it is not available in the public/free version), the comparison is based on the static analysis data each platform presents. LianSecurity's incinerator, as a comprehensive Apk reverse engineering product, has no functions based on malicious code signature libraries, threat intelligence feeds, sandboxes and the like; therefore the horizontal comparison covers only the Apk static analysis capabilities of incinerator.

To get a more concrete sense of what counts as good when comparing these capabilities, that is, which kind of analysis presented in a report is most useful for malicious code research and threat tracing, we chose the widely recognized VirusTotal as the baseline. Its analysis report shows the detail and granularity with which Android malicious code can be analyzed.


Figure 1

From the static analysis results of the two samples (as shown in Figure 1, left), VT's detection and presentation of the various Apk details is very comprehensive and accurately extracts all the key information in the sample. From the perspective of malicious code analysis and threat tracing, a professional analysis service that can accurately list the following in detail already produces, in my view, an excellent analysis report.

  • Apk Basic Information
    • HASH
    • TrID
    • File Size and Others
  • Apk Package Name and Related Information
    • Apk Name
    • Apk Signature Information
  • Apk Application Permission Analysis
    • Risk Level Classification and Arrangement
  • Apk Behavior Analysis
  • Apk Application Network Requests
  • Apk Software Component Analysis

Therefore, in the following we compare the analysis capabilities of the vendors listed above against what VT's report presents, in order to understand how this field and the relevant technology have developed in China.

360 Threat Intelligence Center


Figure 2

Unfortunately, from the analysis of samples 1 and 2 (as shown in Figure 2) we can see that 360's report displays only the sample's HASH, package name and corresponding IOC information; there is no information about application behavior, permissions, network requests or components, and no dynamic analysis at all. For research on malicious code and threat intelligence, the presentation of the 360 Threat Intelligence Center is of almost no help.

Note: Detection by the 360 Security Brain cloud sandbox failed; its Android part requires points and payment, so it was abandoned.

Anheng Threat Analysis Platform


Figure 3

In the analysis of the two samples (as shown in Figure 3), Anheng, like 360, accurately identifies the family and related attribution of the samples, and it also adds a Hexdump of the sample to the basic information, which makes that section look very rich. As a static analysis result, however, a Hexdump is neither a summary nor does it give the analyst any qualitative information, and it should not be presented here. Possibly because this is the free/public version, there is no dynamic analysis information; it is still very helpful for research on malicious code and threat intelligence, and is essentially the same as what 360 presents.

Antiy Threat Intelligence Center


Figure 4

After we submitted the hashes of our samples to the Antiy Threat Intelligence Center (as shown in Figure 4), the displayed detection result was empty, so we could not compare the Android analysis capability of the Antiy Threat Intelligence Center at all. Presumably the Antiy Threat Intelligence Center has no data for these samples, although the Antiy antivirus engine does correctly identify the sample as malicious code.

NSFOCUS NTI Threat Intelligence Center


Figure 5

For the ERMAC sample, the NSFOCUS NTI Threat Intelligence Center displays the corresponding HASH information (as shown in Figure 5) but nothing else, and for the APT-C-50 sample it shows no data at all; as with the Antiy Threat Intelligence Center, it presumably has no record of these samples. When we switched to its Threat Analysis Center and submitted the samples for analysis, both samples were detected. The sample with hash "16e991d73049f1ef5b8f5fa0c075ef05" was given basic information (sample hash, metadata) but no static analysis report. The sample with hash "6151b1e2e5035a8eb596ce1c37565e87" was given even simpler basic information, the antivirus engine detection returned no results, and the analysis results follow NSFOCUS's own detection scheme, which differs from the common presentation and is rather chaotic, so it takes some learning to understand.

VenusEye Threat Intelligence Center


Figure 6

VenusEye presents the basic information of sample 1 (as shown in Figure 6, top) relatively completely, though it is still rather thin, and there is no static analysis at all. For sample 2 (as shown in Figure 6, bottom), VenusEye has no corresponding data.

Qianxin Threat Intelligence Center


Figure 7

In terms of the level of detail among domestic threat intelligence centers and sandbox detection, the threat assessment and analysis of sample 2 (as shown in Figure 7, bottom), supplemented by complete sandbox detection, is very detailed overall. Qianxin is undoubtedly the ceiling among the publicly accessible threat intelligence centers/sandboxes offered by domestic vendors. For sample 1 (as shown in Figure 7, top), however, we submitted it many times, both logged in and not logged in, and the sandbox detection always remained in the "detecting" state (we do not know whether it was deadlocked), so for sample 1 the purely static result differs little from the other vendors.

RedQueen of Tianji Network Alliance


Figure 8

RedQueen has no data for the hash of sample 1 (as shown in Figure 8), and samples cannot be uploaded for testing. Querying the hash of sample 2 returns a record whose basic information is almost the same as the other vendors', with nothing else shown.

Weibu Online (ThreatBook) Malware Analysis Platform


Figure 9

Among the many domestic threat intelligence centers/sandbox vendors, Weibu Online was the only one that could accurately identify the malware family of sample 1 (as shown in Figure 9, left). However, after I re-ran sample 1 several times to obtain the latest detection report, its family verdict began to change, which puzzled me. The detection report (as shown in Figure 9, right) also contains many logical problems, such as:

  • The sandbox environment is Win7+Office2013
  • Multi-dimensional detection is unrelated to the detection sample
  • The results of multi-engine detection are inaccurate

When I uploaded the samples for detection, Apk was not among the accepted file formats, so I could only upload them in a compressed archive format it recognized. The sandbox environment therefore makes no sense for an Android application, and the multi-dimensional detection Sigma rule matched under that sandbox environment is a pure false positive. In the multi-engine results, Weibu Online showed that "only three antivirus engines detected this sample as malicious code at 19:36:04 on October 29, 2022", yet according to data from multiple parties, engines that Weibu Online showed as not detecting malicious code, such as Kaspersky, Avast and Dr.Web, could already identify sample 1 as malicious.

Judging from the sample basic information, without sandbox detection the results of Weibu Online are better than Qianxin's: basic information, metadata, permission analysis and so on are all present. But for researchers who need to read the report, it is clearly not presented with this kind of need in mind, and without the support of auxiliary data such as IOCs and antivirus engine results, both the widespread ERMAC sample and the more secretive APT sample suffer from serious misreporting.

Based on the basic detection capability of Incinerator for Apk

Incinerator is a domestically developed Android Apk reverse engineering tool, so comparing it with threat intelligence centers, malicious code analysis platforms or dynamic sandboxes may look odd to anyone. What we compare is only the basic information incinerator presents to the user during Apk analysis (as shown in Figure 10). When performing Apk analysis, incinerator first carries out a comprehensive basic analysis of the Apk through its independently developed, efficient and accurate reverse engineering technology, covering basic information such as package name, HASH and signature (as shown in Figure 11). It then recovers full execution paths by combining static single assignment (SSA) form with cross-references, performs source-code-level deep detection of application behavior, classifies permissions and highlights high-risk and sensitive ones, checks network requests within the application and the feature information of their target addresses, and extracts fingerprints of dependent libraries to analyze the software composition.

  • Basic information of Apk presentation


Figure 10

  • Signature Information


Figure 11

  • Permission Information


Figure 12

The figure above shows part of the permission information extracted from sample 1 (ERMAC) (as shown in Figure 12). Incinerator performs detailed detection and classification of permissions and marks permission declarations such as "send text messages" and "make phone calls" in the Apk as high-risk.

Note: In the official Android documentation, "send text messages" and "make phone calls" are permissions marked as dangerous.

  • Behavior Analysis


Figure 13


Figure 14

Incinerator has multiple categories of behavior analysis for Apk, as follows (as shown in Figure 13-14):

  • Encryption Security

It mainly checks whether the encryption method used is correct and whether there are insecure configurations that lead to encryption failure or easy cracking.

  • Application Security

Check for security risks in the current application, including whether there is log leakage, whether Dex is dynamically loaded, and whether high-risk functions are used.

  • Component Security

Dynamic registration of Receiver risks, Fragment injection, component export risks, implicit Intent call risks, Intent reflection call risks, and other risks.

  • Data Security

External storage risks, clipboard leakage, application data backup risks, and other risks.

  • Privacy Security

Checks whether the application uses behaviors such as audio recording, making phone calls, using the camera, location, call monitoring, sending text messages, etc. The final result is given in combination with the declared permissions: if a sensitive API is called but the corresponding permission is not requested, the call cannot succeed, so it is not reported, in order to avoid false positives that would inconvenience users.

  • WebView Security

WebView arbitrary code execution vulnerabilities, WebView enabling JavaScript risks, WebView plaintext password storage risks, and other risks.

  • Communication Security

Unverified CA certificates, HTTP protocol transmission, WebView ignoring certificates, port opening detection, and other issues.

When related issues are detected, incinerator will classify and arrange them according to severity, provide corresponding security recommendations, and locate the specific code position after decompilation.
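As an added illustration of the permission classification and privacy-security check described above (example code written for this page, not code from the article or from incinerator), the following Python snippet classifies the <uses-permission> entries of a decoded AndroidManifest.xml as high-risk when they belong to Android's dangerous set, and reports a sensitive API call only when the permission it needs is declared. The manifest and the method references are constructed samples; the dangerous-permission subset and the API-to-permission mapping are assumptions covering only a few entries.

```python
import xml.etree.ElementTree as ET

# Namespace used by android:* attributes in a decoded (non-binary) AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions the Android documentation lists with protectionLevel "dangerous"
# (assumed subset; includes the two the article singles out, SEND_SMS and CALL_PHONE).
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}

# Sensitive API (Dalvik method-reference prefix) -> runtime permission it needs.
# Assumed mapping, deliberately small.
SENSITIVE_APIS = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "android.permission.SEND_SMS",
    "Landroid/media/MediaRecorder;->start": "android.permission.RECORD_AUDIO",
    "Landroid/hardware/Camera;->open": "android.permission.CAMERA",
}

# Constructed sample manifest: declares SMS/call/contacts permissions but not RECORD_AUDIO.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed method references, as a disassembler would list the methods an app invokes.
SAMPLE_METHOD_REFS = [
    "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;...)V",
    "Landroid/media/MediaRecorder;->start()V",  # RECORD_AUDIO not declared -> suppressed
    "Ljava/net/URL;-><init>(Ljava/lang/String;)V",
]

def classify_permissions(manifest_xml):
    """Map every <uses-permission> name to 'high' (dangerous) or 'normal'."""
    root = ET.fromstring(manifest_xml)
    levels = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            levels[name] = "high" if name in DANGEROUS else "normal"
    return levels

def privacy_findings(manifest_xml, method_refs):
    """Report a sensitive API call only when the app also declares the permission it needs;
    without it the call fails at runtime, so reporting it would be a false positive."""
    declared = set(classify_permissions(manifest_xml))
    findings = []
    for ref in method_refs:
        for api, perm in SENSITIVE_APIS.items():
            if ref.startswith(api) and perm in declared:
                findings.append((api, perm))
    return findings
```

On the sample, the MediaRecorder call is suppressed because RECORD_AUDIO is not declared, while the SMS call is reported as a behavior backed by a high-risk permission.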

  • Software Component Analysis

Sample 1 (ERMAC) was not found to call any SDK dependencies, so the figure below shows the SCA results for sample 2 (FurBall) (as shown in Figure 15). When incinerator performs software component analysis it finds that sample 2 has SDK dependencies, and the report gives the name and exact version of each SDK. Incinerator also cross-references public CVE information to check whether the dependent SDKs have any publicly disclosed vulnerabilities and shows this in the report.


Figure 15

By performing a deep scan of the bundled code, hard-coded URLs, email addresses, IPs and other information are extracted (as shown in Figure 16).

Figure 16

At the same time, combining our own Whois and IP database queries, detailed information is presented for the domain names and IPs obtained (as shown in Figure 17).


Figure 17

In summary, incinerator provides a more comprehensive output for basic information detection of Apks than the domestic threat intelligence platforms. Compared with VT, incinerator lacks basic information such as HASH and TrID. Looking at the overall analysis reports from both the domestic and international perspectives, incinerator, with no sandbox dynamic detection and no forced invocation results for sensitive behaviors, already surpasses every platform in this comparison solely on the completeness and depth of the basic information detection listed.


| Platform | Basic Information | Behavior Analysis | Permission Analysis | Network Request | Software Component Analysis |
|---|---|---|---|---|---|
| 360 Threat Intelligence Center | Simple | None | None | None | None |
| Anheng Threat Analysis Platform | Simple | None | None | None | None |
| Antiy Threat Intelligence Center | None | None | None | None | None |
| NSFOCUS NTI Threat Intelligence Center | Simple | None | None | None | None |
| VenusEye Threat Intelligence Center | Simple | None | None | None | None |
| Qianxin Threat Intelligence Center | Detailed | Detailed | Detailed | Detailed | Detailed |
| Weibu Online Malware Analysis Platform | Detailed | None | Detailed | None | None |
| LianSecurity incinerator | Detailed | Detailed | Detailed | Detailed | Detailed |

Reference Source:

Source address: https://liansecurity.com/#/main/news/ZJXRMoQBu1ziL48C5Yp-/detail
