# FluBot Variant Masquerading As The Default Android Voicemail App **[blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/](https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/)** September 9, 2021 During our routine threat hunting exercise, Cyble Research Labs came across a sample of the FluBot malware from our OSINT research. This variant calls itself “Voicemail” to trick users into thinking that it’s the default Voicemail app. FluBot is a type of malware that operates by taking over devices, collecting sensitive information from them, and even sending messages to the victim’s contacts. The application uses Smishing (a combination of SMS+Phishing) attacks to spread the malware. In the case of phishing, attackers send fraudulent emails that trick recipients into opening an attachment which includes malware, or by clicking on a malicious link. In the case of Smishing, emails are replaced by text messages. Cyble Research Labs downloaded the malware sample and performed a detailed analysis. Through our analysis, we determined that the malware performs suspicious activities such as reading Contact data, SMS data, and device notifications. The malware explicitly requests users for complete control of their devices. After gaining full access and permissions, the malware further enhances its functionalities. The image below shows the statistical view of FluBot samples distributed by the attackers observed through our open-source analysis from one of our Threat hunting sources. Refer to Figure 1. Figure 1: Statistical View ## Technical Analysis ----- ### APK Metadata Information Figure 2 shows the metadata information of the application. Figure 2: Metadata Information We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 3. The application asks the users to turn on the accessibility service. The application asks for complete control of the device. The application asks the users to allow access to notifications. The application asks the users to allow it to replace the default SMS app. Once it gets this permission, the application can handle SMS data. Figure 3: Application Start Flow Upon simulating the application, it requests that users enable the Accessibility service. Attackers can abuse this service to carry out malicious activities such as clicking buttons remotely to gain admin privileges and trick users into clicking on overlay content over the screen. Refer to Figure 4. ----- Figure 4: Requests Accessibility Service Figure 5 shows the malware asking users to give them complete access to the device. Once the malware gains complete control over the device, it can perform the following activities: View and control screen. Control device data, including contacts, SMSs, and pictures. Delete or manipulate the device’s data. ----- Figure 5: Asks for Full Control Figure 6 shows that the malware asks the users to enable Notification access for the application. Once the application gets notification access, it can read all notifications on the device, including the SMS data of the device. ----- Figure 6: Asks for Notification Access Upon receiving notification access, the application requests users to make the application their default SMS app. Upon becoming the default SMS app, the app proceeds with its malicious activities. Refer to Figure 7. ----- Figure 7: Asks for Default SMS App Permission ## Manifest Description **Voicemail requests sixteen different permissions, of which the attackers could abuse seven. In this case, the** malware can: Reads SMS and Contacts data. Make calls without user intervention Delete SMS data Can kill background process of other apps Receive and send SMSs We have listed the dangerous permissions below. **Permissions** **Description** READ_SMS Access phone messages. ----- READ_CONTACTS Access phone contacts. WRITE_SMS Allows applications to write SMS messages. Malicious apps may manipulate SMS data. KILL_BACKGROUND_PROCESSES Allows applications to kill the background processes of other apps. CALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. RECEIVE_SMS Allows an application to receive SMS messages. SEND_SMS Allows an application to send SMS messages. Table 1: Permissions’ Description Upon reviewing the code of the application, we identified the launcher activity of the malicious app as shown in Figure 8. Figure 8: Launcher Activity We were able to identify that the permissions and services defined in the manifest file can replace the default Messages app. After getting default app permissions, this app will be able to handle sending and receiving SMSs and MMSs. Refer to Figure 9. Figure 9: Handles SMS and MMS Figure 10 demonstrates that the malware has defined customized services that leverage the **BROADCAST_WAP_PUSH service. Using this service, an application can broadcast a notification stating** that a WAP Push message has been received. Figure 10: Using Broadcast WAP Push Permission Threat Actors (TAs) can abuse this service to generate false MMS message receipts or replace the original [content with malicious content. As per Google, this service is not for use by third-party applications.](https://developer.android.com/reference/android/Manifest.permission#SEND_RESPOND_VIA_MESSAGE) ----- Figure 11 demonstrates that the malware has defined customized services that leverage the permission **SEND_RESPOND_VIA_MESSAGE, permitting the application to send a request to other messaging apps** to handle Respond-via-Message action for incoming calls. Figure 11: Using Send Respond VIA Message ## Source Code Description The code given in Figure 12 shows that the malware is capable of reading Contact data. Figure 12: Reads Contact Data The code shown in Figure 13 demonstrates that the malware is capable of sending text messages as well. Figure 13: Sending SMS The code in Figure 14 shows that the malware is capable of reading notification data and removing the notifications altogether. ----- Figure 14: Reads Notification Data The code shown in Figure 15 demonstrates the encryption technique used by the malware to encrypt the data. Figure 15: Encryption Technique Used by the Malware The below code shows encrypted strings. After decrypting some strings, we determined that they also contain the FluBot malware variant version information. Refer to Figure 16. ----- Figure 16: Encrypted Strings The malware obfuscates certain data such as strings, Command and Control (C&C) Commands, malicious APIs using custom encryption techniques. Upon analyzing the sample, we found that the malware uses a simple XOR algorithm. The input to the algorithm has been stored in the form of integers. Refer to Figure 17. Figure 17: Decryption Code ----- ## Traffic Analysis Description During our traffic analysis, we observed the malware communicating with various IP addresses. Refer to Figure 18. Figure 18: Communicates with the Server Figure 19 shows that the malware has hardcoded data, i.e., the malicious URL, based out of Russia. Figure 19: Hardcoded Data ## Conclusion Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them. Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid exposure to such attacks. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: Download and install software only from official app stores like Google Play Store. Ensure that Google Play Protect is enabled on Android devices. Users should be careful while enabling any permissions on their devices. If you find any suspicious applications on your device, uninstall, or delete them immediately. Use the shared IOCs to monitor and block the malware infection. Keep your anti-virus software updated to detect and remove malicious software. Keep your Android device, OS, and applications updated to the latest versions. Use strong passwords and enable two-factor authentication. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Execution** [T1204.002](https://attack.mitre.org/techniques/T1204/002) User Execution: Malicious File ----- **Defense Evasion** [T1418](https://attack.mitre.org/techniques/T1418) Application Discovery **Credential Access** [T1412](https://attack.mitre.org/techniques/T1412) [T1432](https://attack.mitre.org/techniques/T1432/) Capture SMS Messages Access Contacts List **Impact** [T1565](https://attack.mitre.org/techniques/T1565/) Manipulation ## Indicators of Compromise (IOCs) **Indicators** **Indicator** **type** **Description** **9624131c01da6d5b61225a465a83efd32291fa3f2352445c3c052d9d8cfb2daa** SHA256 Malicious APK **hxxp://85.214.228[].]140/p.php** IP Communicating URL **asfnfpfibhtrafy[].]ru** URL C2 Domain **hxxp://87.106.18[].]146/p.php** IP Communicating URL **kkwpifwkkxilltk[.]ru** URL C2 Domain **hxxp://181.129.180[].]251/p.php** IP Communicating URL **poceeubeciuqyto[].]ru** URL C2 Domain ## About Us [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from](https://cyble.com/) cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To [learn more about Cyble, visit https://cyble.com.](https://cyble.com/) -----