Overview
During routine monitoring we intercepted a fraudulent Android app distribution incident tied to a previously unknown family. Detailed investigation revealed that the family uses the open-source Telegram Android code as the template for its core functionality. Through various tactics, including but not limited to swiping, investment promotion, and pornographic chatting, the family induces users to download and install its apps in order to carry out fraudulent operations. Further exploration of the network environment revealed several active apps that were highly similar to this family, confirming that they indeed belong to the same fraudulent family. The family is not only highly fraudulent and consistent across samples, but also has a complete business supply chain. Based on these characteristics, we decided to name this fraud family "BOOMSLANG".
Technical Analysis
Traceability analysis of the family samples we obtained revealed that the family first began to spread in September 2022. Between September 2022 and March 2023 the family was in the early stages of fraudulent spread, held back by external factors such as the epidemic at the time. As social conditions gradually recovered, the family began to spread on a large scale, with several versions for different business types. Notably, the family was first mutated in July 2023 to adapt to anti-fraud measures, introducing DNS over HTTPS (DoH). Subsequently, in September 2023, the family sample was mutated again, adding resistance to existing automated app security detection methods; specifically, it employs the StringFog string obfuscation that ships with NPManager to circumvent string-extraction-based security detection.
DoH (DNS over HTTPS) is a secure protocol for DNS resolution requests and responses over HTTPS-encrypted connections. Its main purpose is to increase privacy and security and prevent DNS requests from being eavesdropped or tampered with.
What follows is an in-depth analysis of the original version of the family as well as the version that introduced DoH technology.
Sample Overview
Sample ID
- MD5 Hash: 0a731ace7a01349d8c103ad5dc7fc230
Functions and Behavior
- Login interface: after the sample is launched, a login interface is displayed that requires an invitation code to log in.
- Chat interface: after a successful login, the user enters a chat interface.
- Malicious activities: the sample mainly performs scams and other malicious behaviour through the chat feature.
Analytical Details
Sample Fundamental Analysis
- Permission analysis: after opening the sample with the Incinerator tool, the generated report shows that the sample requests several high-risk permissions.
- Dynamic detection results:
  - Package name and subdirectory problems: the dynamic detection results show obvious problems with the NetworkConfig.java file in the tgnet subdirectory under the im.lpfupkaehn.messenger package.
Next, we analyze the specific behaviour and potential risks of the im.lpfupkaehn.messenger package in detail.
Code Similarity
File and directory structure
- tgnet subdirectory: there is an explicit tgnet subdirectory under the directory corresponding to im.lpfupkaehn.messenger.
Source Code Comparison
- GitHub search results: a GitHub search using the code in this directory reveals that this part of the code is highly similar to the Telegram Android source code.
Code similarity comparison: im.lpfupkaehn.messenger vs org.telegram.messenger
Multiple class files, such as AccountInstance, are 100% identical once differences introduced by decompilation are excluded.
Code Diff Analysis
Major additions
In this sample, based on the Telegram Android source code, there are three main notable additions:
- Dependency libraries
  - Location: mainly concentrated in the com directory.
  - Functions and calls: these libraries can generally be located by searching for where they are called, and are mainly used to handle smaller functions.
  - Example: the com.alibaba.fastjson library is mainly used to handle the protocol for updating user information.
- UI directory diff
  - Comparison: the im.lpfupkaehn.ui directory has a few more directories than the org.telegram.ui directory.
  - Speculation: these additional directories may have been added to satisfy the need for a customized UI.
- tgnet directory diff
  - Comparison: a comparison between the im.lpfupkaehn.tgnet and org.telegram.tgnet directories reveals several more files in the former.
  - Speculation: these additional files may be used to implement specific network communications or features.
Detailed new class file analysis
Of particular note in this family sample is the addition of the following new class files:
Basic network and file manipulation classes:
- FCTokenRequestCallback: possibly related to token requests.
- FileLoadOperation: file load operation.
- FileLoadOperationDelegate: delegate for the file load operation.
- NetBean: network configuration bean.
- NetworkConfig: network configuration.
- ParamsUtil: parameters utility.
Telegram backend communication extensions (TL series):
- TLApiModel: API model.
- TLRPCZ: may be related to RPC communication.
- TLRPCBackup: backup related.
- TLRPCBasic: basic RPC functionality.
- TLRPCCall: call function.
- TLRPCCdn: CDN related.
- TLRPCChats: chat related.
- TLRPCContacts: contacts related.
- TLRPCFriendsHub: friends hub.
- TLRPCHotChannel: hot channel.
- TLRPCLogin: login related.
- TLRPCRedpacket: red packet function.
- TLRPCWallet: wallet function.
These new class files focus on various aspects of network operations, file handling, and communication with the Telegram backend. This further highlights the customization and expansion of this family of samples from the original Telegram code.
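The layout described above (a Telegram tree rebranded under a different package root, plus the extra tgnet classes) can be turned into a static triage check. The following is an added example, not tooling from the report; it takes a plain list of fully qualified class names as a decompiler would list them, and the sample listing and the "suspicious" threshold are constructed assumptions.

```python
"""Static triage for Telegram-derived APKs with the class additions described above.

Added example (not the report's tooling). Input: fully qualified class names
from a decompiler listing. The sample listing below is constructed.
"""
import re

# Simple class names the report lists as additions over the Telegram Android tree.
ADDED_TGNET_CLASSES = {
    "FCTokenRequestCallback", "NetBean", "NetworkConfig", "ParamsUtil",
    "TLApiModel", "TLRPCZ", "TLRPCLogin", "TLRPCRedpacket", "TLRPCWallet",
    "TLRPCFriendsHub", "TLRPCHotChannel",
}
TELEGRAM_ROOT = "org.telegram"  # the root the tgnet package lives under upstream

# Constructed listing mirroring the sample's layout (im.lpfupkaehn.* instead of org.telegram.*).
SAMPLE_CLASSES = [
    "im.lpfupkaehn.messenger.AccountInstance",
    "im.lpfupkaehn.tgnet.ConnectionsManager",
    "im.lpfupkaehn.tgnet.NetworkConfig",
    "im.lpfupkaehn.tgnet.NetBean",
    "im.lpfupkaehn.tgnet.TLRPCWallet",
    "im.lpfupkaehn.tgnet.TLRPCRedpacket",
    "im.lpfupkaehn.ui.ActionBar.Theme",
    "com.alibaba.fastjson.JSON",
]


def find_tgnet_roots(classes):
    """Return every package root that carries a 'tgnet' subpackage, e.g. 'im.lpfupkaehn'."""
    roots = set()
    for cls in classes:
        m = re.match(r"^([\w.]+)\.tgnet\.", cls)
        if m:
            roots.add(m.group(1))
    return roots


def triage(classes):
    """Report rebranded Telegram roots, matched added classes and the fastjson dependency."""
    rebranded = {r for r in find_tgnet_roots(classes) if r != TELEGRAM_ROOT}
    simple_names = {cls.rsplit(".", 1)[-1] for cls in classes}
    added_hits = sorted(ADDED_TGNET_CLASSES & simple_names)
    has_fastjson = any(cls.startswith("com.alibaba.fastjson.") for cls in classes)
    # Threshold is an assumption: a rebranded tgnet root plus several of the
    # family-specific classes is what distinguishes this from a plain Telegram fork.
    verdict = "suspicious" if rebranded and len(added_hits) >= 3 else "no match"
    return {"rebranded_roots": sorted(rebranded), "added_classes": added_hits,
            "fastjson": has_fastjson, "verdict": verdict}
```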
Network Behavior Analysis Report
Primary Focus: NetworkConfig.java
Based on the results of the automated analysis, there are obvious problems in the NetworkConfig.java file, so this analysis focuses on that file.
- Network configuration update mechanism
  - Environment distinction: the code distinguishes between online and intranet environments. Only the environment labeled 1002 is the online environment, which needs to update the network configuration.
  - There are two key functions, initRemoteConnInfos and selecteRemoteConnInfo.
The key functions are analyzed below:
- initRemoteConnInfos: mainly responsible for getting the target IP and port information from the configuration interface https://*************.***-**********.********.***/************.***
- selecteRemoteConnInfo: uses AliyunCeng to convert the target IP and port into a proxy IP and port, hiding the actual IP and port.
AliyunCeng Usage Logic
- Function: AliyunCeng provides a resilient security network that is immune to DDoS/CC attacks. Specifically, it generates a dynamically changing proxy IP and port based on the provided target IP and port.
- Challenges and Impacts: AliyunCeng's resilient security network poses a serious challenge for network behavior analysis and malicious program network request blocking. Because proxy IPs and ports can change constantly, this greatly increases the difficulty of network tracking and interception.
The sample utilizes a complex network configuration and a third-party security service (AliyunCeng) to hide its actual network behavior, making analysis and tracing more difficult. These characteristics further demonstrate the highly specialized and stealthy nature of this malicious sample.
The decompiled code of YunCeng.getProxyTcpByDomain is as follows:
According to an older version of the documentation on the official AliyunCeng website, the first four parameters of the getProxyTcpByDomain function behave as follows:
The last two parameters of the function are used to return the proxy IP and port corresponding to the input target IP and port.
Upon further analysis of the above code, we see that the returned proxy data is eventually passed to the ConnectionsManager.
We notice that this is a native function. Normally, we would need to reverse-engineer the .so file to get the corresponding code. However, since we have already established the high similarity between this sample and Telegram Android, we decided to analyze it by going directly to the Telegram Android source code.
In this step, the returned IP address and port number are set on the ConnectionsManager's datacenter object, and the handshake process is then re-initiated to establish a new connection. This operation switches the server the sample uses to communicate with the cloud network. At this point, the malicious sample has successfully established a new communication channel with the remote server via the new IP and port.
Interception Methods:
After detailed analysis, we completed a review of the sample's main network request escape interception behaviors. The sample cleverly utilized anti-DDoS services to effectively circumvent traditional protection methods based on fixed IP request interception by constantly changing the requested IP address and port.
To comprehensively block the network requests of this sample, it is necessary to find out how the sample utilizes the AliyunCeng service through a combination of static and dynamic analysis, and block the relevant network communication paths accordingly. Specific interception strategies can focus on the following three aspects:
- Intercept the network requests in which the sample asks AliyunCeng for target IP addresses and ports.
- If the first interception strategy is not successfully executed, it is also necessary to intercept the default IP and port preset in the sample. Specifically, all network requests directed to ****.**.********.*** should be blocked.
- During the grayscale testing phase, if the first two interception strategies are unsuccessful, attention should be paid to the third default IP address preset in the sample, i.e. **.***.***.***. All network requests directed to this IP should also be blocked.
These web requests are cleverly hidden deep within the code and require a combination of dynamic and static analysis methods to accurately identify them, which undoubtedly adds an extra challenge and workload to security countermeasures.
Family Variant Analysis
In the process of continuously tracking this kind of malicious app, we found a new variant whose MD5 hash is 61eea96bae6e53b6806d974cf35877df. This new sample makes a significant change: it no longer relies on Ali Game Shield but instead uses QiNiu Cloud's DoH (DNS over HTTPS) service. The specific usage is as follows:
In this new variant, the attacker configures the address in the HOST to be the dnsServer of QiNiu Cloud's DnsManager, which is then responsible for performing DNS queries. This change not only indicates that the attackers are becoming more familiar with and utilizing more advanced network services, but also increases the complexity of analyzing and intercepting their behavior.
In this case, the sample dynamically changes IP addresses through a dnsserver under its own control. This setup allows the attacker to use a tool similar to AliGameShield on the backend to randomly return different proxy IP addresses, thus enabling the hiding of the real IP address. If the DNS query fails, the sample will fall back to the preset IP and port, further increasing the complexity of the adversarial analysis. This multi-layered network behavioral strategy not only increases the difficulty of the analysis, but also creates additional challenges for effective interception.
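Because the variant resolves through a DoH server it controls, the monitored resolver never sees the lookup: the app's connections appear against IPs with no matching DNS answer, and the DoH endpoint itself is reached by address rather than by name. Both signals can be checked in egress logs. The following is an added example, not tooling from the report; the log format (one event per line, DNS/HTTP/TCP plus key=value fields), the sample lines and the app names are constructed assumptions.

```python
"""Egress-log detection for the DoH variant described above.

Added example (not the report's tooling). The log format is constructed:
'DNS'/'HTTP'/'TCP', a timestamp, then key=value fields. IPs are documentation ranges.
"""
import ipaddress
from urllib.parse import urlsplit

SAMPLE_LOG = """\
DNS 10:00:01 name=cdn.example.invalid answer=198.51.100.7
HTTP 10:00:02 app=im.lpfupkaehn.messenger url=https://203.0.113.10/dns-query
TCP 10:00:03 app=im.lpfupkaehn.messenger dst=198.51.100.9:30003
TCP 10:00:04 app=com.example.browser dst=198.51.100.7:443
HTTP 10:00:05 app=com.example.browser url=https://dns.example.invalid/dns-query
"""


def parse_line(line):
    """Split 'KIND ts k=v k=v' into (KIND, {k: v})."""
    kind, _ts, *fields = line.split()
    return kind, dict(f.split("=", 1) for f in fields)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(log_text):
    """Return findings as (rule, app, value) tuples, in log order."""
    resolved = set()   # IPs handed out by the monitored resolver
    findings = []
    for line in log_text.splitlines():
        kind, kv = parse_line(line)
        if kind == "DNS":
            resolved.add(kv["answer"])
        elif kind == "HTTP":
            u = urlsplit(kv["url"])
            # DoH endpoint addressed by bare IP: the app carries its own resolver
            # address (the dnsServer setting above) instead of a named public resolver.
            if u.path == "/dns-query" and is_ip_literal(u.hostname):
                findings.append(("doh_to_ip_literal", kv["app"], u.hostname))
        elif kind == "TCP":
            ip, port = kv["dst"].rsplit(":", 1)
            # Connection to an IP the monitored resolver never returned: the address
            # came over the DoH channel or is the preset fallback IP:port in the app.
            if ip not in resolved:
                findings.append(("unresolved_direct_connect", kv["app"], f"{ip}:{port}"))
    return findings
```

Telegram-derived apps connect to datacenter IPs directly by design, so the second rule is a correlation aid for the app in question rather than a stand-alone verdict.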
Summary
In a comprehensive analysis of this malicious sample, we can see that the sample exhibits complex and covert behavioral characteristics on multiple levels:
- Code structure: the sample borrows heavily from the Telegram Android source code and makes multiple customizations and additions, which increases the complexity of the analysis.
- Network behavior:
  - Early versions mainly used AliGameShield to dynamically change IPs and ports to circumvent network interception.
  - The new variant switches to QiNiu Cloud's DoH service, which further improves its stealthiness.
- Combination of dynamic and static analysis: since the sample uses multiple methods to conceal its network behavior and code structure, both dynamic and static analysis are needed to fully understand its behavioral patterns.
- Countermeasures: effective interception of the sample requires careful analysis of all communication paths and dependent libraries used by the sample, and targeting those specific paths and libraries for interception.
- Updates and evolution: this sample has a high update frequency and diversity, and requires continuous attention to its variants and updates.
In summary, this malicious sample demonstrates a high degree of complexity and stealth, and requires a combination of multiple analysis tools and continuous tracking of its changes in order to develop effective protection measures.
IoC
Hash:
C&C:
