# APT37 Using a New Android Spyware, Chinotto **[blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/](https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/)** December 6, 2021 Android Spyware is a program that has been used by Threat Actors (TAs) to steal personal data from the device without the user’s knowledge. This report will focus on one such malicious application used by the APT (Advanced Persistent Threat) group APT37. APT37 is also known by the following names – Reaper, Ricochet Chollima, ScarCruft group. This group performs its malicious activities through an application claiming the Secure Talk application. APT37 is a North Korean state-sponsored cyberespionage group that has been active since around 2012. This group is known to target victims from countries in Asia such as South Korea, Japan, Vietnam, Russia, Nepal, China, and India. APT37 has also targeted Romania, Kuwait, and various parts of the Middle East. [Cyble Research Labs came across a securelist article where researchers are claiming that a fresh attack](https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/) was carried out targeting North Korean defectors and human rights activists. The Threat Actor (TA) APT37 used new spyware called “Chinotto” to carry out these attacks. Cyble Research Labs downloaded one of the samples and performed a deep-dive analysis of the Chinotto Android spyware. ----- APT37 has also been linked to malicious campaigns between 2016-2018. In 2016, they targeted North Korean defectors, human rights activists, and journalists covering news related to North Korea and government organizations associated with the Korean Peninsula. They have been linked to high-profile attacks such as Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. The malware is designed for stealthy espionage, as once this application is successfully executed on user devices. It can steal sensitive data like contacts data, SMS data, call logs, device information, and files from the device’s external storage. ## Technical Analysis ### APK Metadata Information App Name: SecureTalk Package Name: com.private.talk SHA256 Hash: 8fb42bb9061ccbb30c664e41b1be5787be5901b4df2c0dc1839499309f2d9d93 Figure 1 shows the metadata information of the application. Figure 1 – App Metadata Information The application flow is shown in Figure 2. Upon being launched, the application asks for certain sensitive permissions, after which it displays the login page. During this time, the APK performs its malicious activities behind the scenes. Figure 2 – App Start Flow ### Manifest Description The application requests thirteen different permissions. Of these thirteen permissions, the attackers could abuse eight to carry out the following activities: Reading SMSs, Call Logs, and Contacts data. Reading current cellular network information, phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. Reading or writing files on the device’s external storage. ----- We have listed these dangerous permissions below. **Permissions** **Description** READ_SMS Access phone’s messages READ_CONTACTS Access phone’s contacts READ_CALL_LOG Access phone’s call logs READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device WRITE_EXTERNAL_STORAGE Allows the app to write or delete files to the external storage of the device READ_EXTERNAL_STORAGE Allows the app to read the contents of the device’s external storage GET_ACCOUNTS Allows the app to get the list of accounts used by the phone READ_PHONE_NUMBERS Allows the app to read the device’s phone number(s). Table 1: Permissions’ Description Figure 3 shows the launcher activity of the application. Figure 3 – App Launcher Activity ### Source Code Description The code snippets highlighted in Figure 4 show that the application steals the device’s contact data. Figure 4 – Code to Read Contact Data The code snippets highlighted in Figure 5 show that the application steals the device’s SMS data. ----- Figure 5 – Code to Read SMS Data The code snippets in Figure 6 show that the application steals the device’s call logs data. Figure 6 – Code to Read Call Logs The code snippets shown in Figure 7 show that the application steals the victim device’s information, such as: Reading the device’s phone number(s). Reading Android Operating System version Information. Reading device details such as brand name, model, serial number, etc. Checking for the presence of external storage on the device. ----- Figure 7 – Code to Read Device Information The code snippets shown in Figure 8 show that the application steals the account details being used on the device. Figure 8 – Code to Read Accounts Information The code snippets shown in Figure 9 show that the application also steals image and audio files from the device. Figure 9 – Code to Access Pictures and Audio The code snippets in the figure below show that the application collects the data from the device and writes it in a text file. ----- Figure 10 – Code to Write Collected Data in Text File.png The snippets below indicate the application’s code flow to upload the data on TA’s Command and Control (C&C) server. Figure 11 – Code to Upload the Data to TA’s C&C Server The snippet below shows that the application performs activities with commands defined by the TA(s). ----- Figure 12 – Commands Defined by the TA(s) The table below highlights some of the commands defined by the TA. **Permissions** **Description** ref: Sends signal to C&C server down Uploads /.temp-file.dat file UriP Writes path /.temp-file.dat to _/result-file.dat file and upload to C&C_ “” Writes results to /result-file.dat and upload to C&C Table 2 – Commands Description ### Traffic Analysis During traffic analysis of the application, we identified that it continuously communicates with the TA’s C&C server _hxxp://haeundaejugong[.]com/data/jugong/do.php?_ _type=command&direction=receive&id=1295c8887ec39859_hd._ The below figure shows that the application uploads sensitive data such as contacts, call logs, and SMSs from the device to TA’s C&C. ----- Figure 13 – Uploads Sensitive Data to the TA’s C&C ## Threat Actor Infrastructure Analysis Cyble Research Labs has also identified that the TA’s infrastructure was hosted in South Korea (KR) Figure 14 – Location of Domain Hosted We also noticed the TTL value of the MX record of http[:]//haeundaejugong.com is 60, which is generally an indicator of Fast-Flux behavior. Figure 15 – TTL Value of MX record of TA’s Domain ## Conclusion Chinotto is spyware targeting specific users to steal sensitive information such as contacts, SMSs, call logs and files. It also has the capability to record audio from the device without the victim’s knowledge. Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them. Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks. ## Our Recommendations ----- We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: **How to prevent malware infection?** Download and install software only from official app stores like Google Play Store. Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. Use strong passwords and enforce multi-factor authentication wherever possible. Enable biometric security features such as fingerprint or password for unlocking the mobile device where possible. Be wary of opening any links in SMSs or emails delivered to your phone. Ensure that Google Play Protect is enabled on Android devices. Be careful while enabling any permissions. Keep your devices, operating systems, and applications updated. **How to identify whether you are infected?** Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices. Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. **What to do when you are infected?** Disable Wi-Fi/Mobile Data and remove SIM Card as in some cases the malware can re-enable the Mobile Data. Perform Factory Reset. Remove the application in case factory reset is not possible. Take a backup of personal media Files (excluding mobile applications) and perform a device reset. **What to do in case of any fraudulent transaction?** In case of a fraudulent transaction, immediately report it to the concerned bank **What should banks do to protect their customers?** Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Initial Access** [T1476](https://attack.mitre.org/versions/v7/techniques/T1476/) -Deliver Malicious App via Other Means **Execution** [T1575](https://attack.mitre.org/versions/v7/techniques/T1575/) -Native Code **Persistence** [T1402](https://attack.mitre.org/versions/v7/techniques/T1402/) -Broadcast Receivers **Collection** [T1412](https://attack.mitre.org/techniques/T1412) -Capture SMS Messages **Collection** [T1432](https://attack.mitre.org/techniques/T1432/) -Access Contacts List ----- **Collection** [T1433](https://attack.mitre.org/versions/v7/techniques/T1433/) -Access Call Log **Collection** [T1533](https://attack.mitre.org/versions/v7/techniques/T1533/) -Data from Local System ## Indicators Of Compromise (IOCs) **Indicators** **Indicator** **type** **Description** **8fb42bb9061ccbb30c664e41b1be5787be5901b4df2c0dc1839499309f2d9d93** SHA256 Malicious APK **hxxp[:]//haeundaejugong.com/data/jugong/do.php?** **type=file&direction=send&id=1295c8887ec39859_hd** URL TA’s C&C -----