Static and Dynamic Analysis of Pandemi Destek App.
Recently a sample of the Anubis malware arrived at MalwareBazaar and was shared by our friend Arkbird_SOLG. Following the most recent Anubis sample submitted to MalwareBazaar, we decided to reverse it. Thanks to our friend Arkbird_SOLG for the sample! So, let's dig in!
Analysis of “Pandemi Destek”
It is a fake app: an Anubis malware copycat of the T.C. Ministry of Health Ankara City Hospital app.
Information about the app:
Obfuscation and Anti-VM Code:
The app logs sensitive user information that should never be logged. It also reads and writes external storage, uses an insecure RNG (random number generator), relies on weak hash algorithms, and stores sensitive user information in plaintext.
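The findings above are the kind a static triage pass turns up by grepping decompiled sources for the API families behind each one. The scanner below is an added example written for this post, not the post's own tooling and not code from the APK; it takes the class name prison.cause.tattoo.SendSms from the post, but the Java snippet it runs over is constructed to resemble jadx output and is not the real decompiled code.

```python
"""Static triage of decompiled Android source for the indicator classes
listed in the findings: sensitive data in logcat, external-storage use,
java.util.Random as an RNG, weak digests, plaintext persistence of
sensitive values, and SMS sending.

Added example, not the blog's own tooling. The sample source below is
constructed for the example; only the class name comes from the post.
"""
import re
from collections import defaultdict

# Keywords that mark a value as sensitive when it appears in a log or store call.
SENSITIVE = r"(?:password|passwd|pin|card|cvv|iban|imei|otp|sms|token)"

# Each indicator: name -> regex matched against single decompiled source lines.
INDICATORS = {
    "log_sensitive": re.compile(
        r"Log\.[vdiwe]\s*\(.*" + SENSITIVE, re.IGNORECASE),
    "external_storage": re.compile(
        r"getExternalStorageDirectory|getExternalFilesDir|WRITE_EXTERNAL_STORAGE"),
    "insecure_rng": re.compile(
        r"new\s+(?:java\.util\.)?Random\s*\(|Math\.random\s*\("),
    "weak_hash": re.compile(
        r'MessageDigest\.getInstance\s*\(\s*"(?:MD5|MD2|SHA-?1)"', re.IGNORECASE),
    "plaintext_storage": re.compile(
        r"(?:putString|FileOutputStream|write)\s*\(.*" + SENSITIVE, re.IGNORECASE),
    "sms_send": re.compile(
        r"SmsManager|sendTextMessage|sendMultipartTextMessage|SEND_SMS"),
}


def scan_source(source: str):
    """Return {indicator: [(line_no, line), ...]} for every matching line."""
    hits = defaultdict(list)
    for no, line in enumerate(source.splitlines(), start=1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits[name].append((no, line.strip()))
    return dict(hits)


def summarize(hits):
    """Sorted indicator names that fired, for a one-line verdict."""
    return sorted(hits)


# Constructed sample resembling jadx output; NOT the actual decompiled APK.
SAMPLE_SOURCE = """\
package prison.cause.tattoo;
import android.telephony.SmsManager;
public class SendSms {
    void send(String to, String body) {
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
        Log.d("SendSms", "sent sms to " + to + " body=" + body);
    }
    String nonce() {
        java.util.Random r = new Random();
        return String.valueOf(r.nextInt());
    }
    byte[] digest(byte[] in) throws Exception {
        return MessageDigest.getInstance("MD5").digest(in);
    }
    void save(Context c, String pin) {
        c.getSharedPreferences("cfg", 0).edit().putString("pin", pin).apply();
        File f = new File(Environment.getExternalStorageDirectory(), "d.txt");
    }
}
"""

if __name__ == "__main__":
    for name, lines in sorted(scan_source(SAMPLE_SOURCE).items()):
        print(f"[{name}]")
        for no, line in lines:
            print(f"  {no}: {line}")
```

Point it at a jadx or apktool output tree (one call per file) to get the same per-indicator line list; the regexes are deliberately broad, so every hit still needs a manual look, but an APK that fires all six is worth the dynamic run that follows.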
Running the app dynamically on an emulator (Android VM), it shows the following prompt and sends SMS messages through the "prison.cause.tattoo.SendSms" class.
Around 105 string entries are decoded at runtime by the app. Some of them are:
Many apps on the Google Play Store turn out to be malicious. This remains a problem even though Google LLC is actively improving its detection and removal of apps with malicious intent.
That’s all for today.