Bangle Android App Packer: Unpacking & Analysis

Trustlook Labs has identified a malicious app which is most likely using social engineering attacks to trick users to install it. The app (MD5: eb9d394c1277372f01e36168a8587016) is packed by Bangle packer. The main activity triggering installation of the app is “com.goplaycn.googleinstall.activity.SplashActivity.” However, that activity is not found anywhere in the decompiled code:


A closer look at what is happening in the code
From class SecAppWrapper, there is a “System.loadLibrary” call to load “secShell.” The native layer code in the module is responsible for decrypting and loading the app’s primary payload from “assets\secData0.jar,” which is a zipped DEX file after it’s decrypted.



Most method names in the “secShell” module are obfuscated, and their strings are decrypted when in use.


The app detects most hooking and patching frameworks, such as Xposed. Xposed is a framework for manipulating Android applications’ flow at runtime.



The app forks a child process and calls “ptrace” to attach to the parent to prevent any attaching attempts by debuggers. The multiple processes trace one another to make sure the children stay alive.




The app also monitors values in the /proc files system to check the status of the process.


The JNI_OnLoad function in the “secShell” module has switch branches. One branch is responsible for anti-debugging, the other (located at 0x7543EAE4 below) will lead to the main DEX module for decrypting.


The following is the decrypting function:



After the anti-debugging is bypassed, the function “p34D946B85C4E13BE6E95110517F61C41” decrypts the data. Register R0 contains the file location, as identified by the header bytes “PK\x03\x04.” R1 stores the size of the file.



We can dump the memory:


After unzipping the file, we get the DEX file which can be viewed normally:


Android packers are valuable tools used to protect the intellectual property of legitimate mobile application developers. However, they can be also used for nefarious purposes, and make analyzing malicious apps more difficult. Trustlook Labs continues to work on identifying malicious applications to protect our customers and the mobile ecosystem.


How to Stop Snooping Android Apps

Are you worried Android apps are secretly recording what you say or what you do? A new study from computer science researchers at Northeastern University suggests you may have good reason to be afraid.

The study analyzed 17,260 Android apps from the Google Play store, as well as third-party marketplaces AppChina, and Anzhi. The research team found evidence of “several” Android apps spying on users by recording video and images of users’ screens. The study was published last week in a research paper titled “Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications.”

The Northeastern University team cited several examples of popular apps that engaged in unauthorized recording of users’ screens, including GoPuff, a food delivery app. The researchers discovered the app sent captured video via the Internet to a domain belonging to web analytics firm Appsee, and that the video recording could include personally identifiable information such as ZIP codes. The researchers said that Appsee’s software required no permissions to record the video and did not issue notifications to users.

Researchers warn that a lot of the risk comes mainly from these third-party libraries, such as Appsee’s, that often abuse the permission an app obtains from users. “Apps often display sensitive information, so this exposes users to stealthy, undisclosed monitoring by third parties,” researchers say.

Embedded Behavioral Security for Android Devices
The good news is that security within Android is getting better with every new release of the popular mobile operating system. In fact, the company previewed the security features of Android P, the newest version of the mobile OS, at the Google I/O conference in May. Android P will only grant access to device sensors such as microphones and cameras to apps in the foreground, preventing potentially harmful apps from running covertly in the background and using sensors to spy on users.

There are also third-party software tools, such as Trustlook’s SECUREai Sentinel 2.0, that provide next-generation privacy protection for Android powered devices. Sentinel 2.0 is a custom OS and SDK that offers real-time detection of malicious behaviors, as well as powerful privacy features for Android users.

Robust Settings
Sentinel 2.0 offers end users complete control over their privacy settings. Users can select which behavior categories to have monitored (such as their microphone or location), whether or not to screen System apps, and even the option to have no privacy protection at all.

Screenshot_20180601-113804         Screenshot_20180601-113741        Screenshot_20180601-113748

Alert Options
Sentinel 2.0 can be customized to deliver various types of notifications and alerts. For example, the message on the left below is a simple alert stating that audio is being recorded in the background. However, the message on the right adds functionality by giving the user 30 seconds to either approve or deny the behavior.

                  Basic Alert                                               Advanced Alert
2018-05-29_1740                Screenshot_20180601-110138

It’s clear from the research by the team at Northeastern University that there is no slowing the rise of sneaky malicious apps and surreptitious attacks. With so many more connected devices than just a few years ago, the problem will only get worse. Add in the financial benefits of ransomware, and the possible state-sponsored chaos that can be caused with DDOS attacks, and the situation becomes that much more important to control.

Fortunately the tools to combat these attacks are also improving, and give Android users confidence when storing personal information and making sensitive transactions on their Android devices.