# Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks

[Posted on: March 5, 2020 at 3:58 am](https://blog.trendmicro.com/trendlabs-security-intelligence/2020/03/)
[Posted in: Malware, Mobile](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)
Author: [Vit Sembera (Threats Analyst)](https://blog.trendmicro.com/trendlabs-security-intelligence/author/vits/)

The Android banking trojan Geost was first revealed in research by Sebastian García, Maria Jose Erquiaga and Anna Shirokova from the [Stratosphere Laboratory](https://www.stratosphereips.org/). They detected the trojan while monitoring the HtBot malicious proxy network. The botnet targets Russian banks, with a victim count of over 800,000 users at the time the study was published in Virus Bulletin last year. The research disclosed the types of information that Geost (detected by Trend Micro as AndroidOS_Fobus.AXM) steals from victims, as well as the activities of the group behind the botnet, including operational tactics and the internal communication between the masters and the botnet coders.

Building upon this finding, we decided to dig deeper into the behavior of Geost by reverse engineering a sample of the malware. The trojan employs several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that make it harder to reverse engineer. To study the code and analyze the algorithms, we first had to write Python scripts to decrypt its strings.
### Initial Analysis

Geost hides in malicious apps that are distributed via unofficial web pages with randomly generated server hostnames. Victims usually encounter these while looking for apps that are not available on Google Play, or when they don't have access to the app store. They find a link to the application on some obscure web server, download the app, and launch it on their phones. The app then requests permissions that, once the victim grants them, enable the infection.

The Geost sample we analyzed resided in a malicious app named "установка", which is Russian for "setting". The app used a version of the Google Play logo as its own icon, which no longer appeared on the phone screen after launch.

_Figure 1: Application icon of the malicious app установка_

When the app was launched, it requested device administrator privileges. This is unusual, since legitimate apps rarely ask for this: it gives an app essentially complete control over the device. Important permissions that the user might unknowingly grant include access to SMS messages, including confirmation messages from banking apps. These messages allow the malware to harvest the victims' names, balances, and other bank account details. With just a few clicks, attackers can then transfer money out of the accounts of unaware victims.

_Figure 2: Screen that requests device admin permission_

_Figure 3: Application permissions requested_

After the necessary permissions are confirmed, the visible part of the app closes and the app icon disappears, making victims think the app was deleted. The sample device showed no alarming signs of malicious activity at first, but the malware keeps working in the background, and the attackers have gained access to the device, allowing them to monitor sent and received messages, including SMS confirmation messages from banking apps.
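The combination just described (a device-admin request plus SMS permissions, which the sample pairs with a boot receiver for persistence) is something a static triage script can flag from a decoded AndroidManifest.xml before the app is ever run. The following is an added example and is not code from this write-up or from the Geost sample; the two manifests it parses are constructed for the demo (the package names are placeholders), and the scoring weights and thresholds are the example's own choice.

```python
"""Static triage of a decoded AndroidManifest.xml for the Geost-style
permission pattern: device-admin receiver + SMS access + boot receiver.

Added example for this write-up; not Trend Micro's or the sample's code.
Both manifests below are constructed and the package names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that expose SMS content, including bank confirmation codes.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# Broadcasts the sample registers for in order to survive reboots.
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
}
# A receiver guarded by this permission is a device-admin receiver.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk signals found in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}

    device_admin = False
    boot_receiver = False
    for receiver in root.iter("receiver"):
        if receiver.get(ATTR_PERMISSION) == DEVICE_ADMIN_PERMISSION:
            device_admin = True
        for action in receiver.iter("action"):
            if action.get(ATTR_NAME) in BOOT_ACTIONS:
                boot_receiver = True

    sms = sorted(requested & SMS_PERMISSIONS)
    # Weighting is this example's own choice: device admin is the strongest
    # single signal, the other two mainly matter when they appear together.
    score = (2 if device_admin else 0) + (1 if sms else 0) + (1 if boot_receiver else 0)
    verdict = "review" if score >= 3 else ("watch" if score >= 2 else "low")
    return {
        "device_admin": device_admin,
        "sms_permissions": sms,
        "boot_receiver": boot_receiver,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest mimicking the pattern described in the write-up.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="установка">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="demo"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml_text))
```

In practice the manifest text comes from apktool or a similar decoder; a device-admin receiver alone is legitimate for MDM and anti-theft apps, which is why the example only escalates to "review" when it is paired with SMS access or a boot receiver.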
To maintain persistence across reboots, it registers for the BOOT_COMPLETED and QUICKBOOT_POWERON broadcasts.

### Stage One

Like many malware types, Geost's run-time life is split into stages. The first stage is small and simple; it downloads and/or decrypts and runs the next stage, which is more complex.

The Geost sample's APK housed compiled Java code in the classes.dex file. It also contained AndroidManifest.xml and resource files, which are the usual contents of an APK. In addition, it had a ".cache" file with a size of 125k.

To decompile the extracted classes.dex file, several Java decompilers, namely dex2jar, jadx, jd-core/jd-gui and Ghidra, were used, as no single decompiler was able to decompile all the Smali code.

_Figure 5: Decompiled Java source code_

At first glance, the decompiled code seemed to be partially encoded in a series of strings; however, character frequency analysis showed random character usage. Further analysis revealed that the malware contained additional pieces of code that have no impact on the app's behavior except to slow down its execution. This made reverse engineering more difficult, because the malware split useful code into parts and frequently changed execution paths. Which branch was taken usually depended on some variable with an unknown value. The same applied to "switch", "if", and "try/catch" blocks. Functions without meaningful code were inserted to make the malware's actions harder to understand as a whole.

_Figure 6: Example of code with case switch_

The non-functional code segments were gradually removed and the first decryption algorithm was identified. All strings in stage one were encrypted with RC4, using an implementation split into several functions to avoid any indication that it was RC4. The next step was to find the key for RC4 decryption.
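Once the key is known, the string decryption described in this section can be reproduced in a few lines of Python. The block below is an added example, not code from the write-up or from the sample: the key and the encrypted strings are constructed for the demo (the sample's real key appears only in a figure), and the function names are the example's own. It reproduces the one property the analysis relies on, namely that the sample's RC4 routine copies the state array S[] before each string, so every string can be decrypted independently and in any order.

```python
"""RC4 string decryptor in the form needed for Geost stage-one analysis.

Added example; not Trend Micro's or the malware's code. DEMO_KEY and the
encrypted blobs are constructed here and are not the sample's real values.
"""
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: build the 256-byte permutation S from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(state: List[int], data: bytes) -> bytes:
    """Run the PRGA over a copy of the scheduled state and XOR the data.

    Copying the state is what the write-up observed in the sample: S[] is
    duplicated for every string, so the caller's state never advances and
    each string starts from the same keystream position.
    """
    s = state[:]  # copy, like the sample's S[] copy; state stays untouched
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_strings(key: bytes, blobs: List[bytes]) -> List[str]:
    """Decrypt a batch of encrypted strings, in whatever order they are found.

    Because no keystream state carries over between strings, a script can
    pull encrypted constants out of the decompiled classes one at a time.
    """
    state = rc4_ksa(key)
    return [rc4_crypt(state, b).decode("utf-8", errors="replace") for b in blobs]


# Constructed demo key; the plaintexts are names that appear in the analysis.
DEMO_KEY = b"example-key"
DEMO_PLAINTEXTS = ["ydxwlab.jar", ".cache", "MaliciousClass"]
DEMO_BLOBS = [rc4_crypt(rc4_ksa(DEMO_KEY), p.encode()) for p in DEMO_PLAINTEXTS]


if __name__ == "__main__":
    # Decrypt in reverse order to show that the order is irrelevant here.
    for plain in decrypt_strings(DEMO_KEY, DEMO_BLOBS[::-1]):
        print(plain)
```

Against a real sample the blobs would be the byte arrays passed to the split-up decryption functions in the decompiled code; the same routine also decrypts the second-stage ".cache" file, since the write-up notes that stage two is protected with the same algorithm and key.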
_Figure 7: Decompiled Java source, which is part of the RC4 algorithm_

_Figure 8: Part of cleaned up RC4 code_

_Figure 9: RC4 key_

RC4 is a stream cipher with an internal state that changes with every decrypted symbol. To decrypt several encrypted strings, the decryption usually has to be performed in exactly the order the encryption used. Fortunately, this was not the case with the sample: the code authors simplified RC4 so that no internal state is kept between decryptions, because the RC4 encryption code always copied the state array S[].

_Figure 10: RC4 encryption always copied state array S[]_

Afterwards, the search for common code libraries began. The Android.support.v4 libraries and the ReflectASM Java reflection library were found.

_Figure 11: Code with encrypted strings_

At this point, the stage one code became understandable. It uses reflection to hide interesting classes and methods from curious eyes. Basically, the first stage decrypts the second stage file with the same RC4 algorithm and key.

_Figure 13: Example of reflection method invocation_

The aforementioned ".cache" file is renamed to .localsinfotimestamp1494987116 and, after decryption, saved as ydxwlab.jar, from which the .dex file is loaded and launched.

_Figure 14: Decrypting and saving second stage_

The code authors inserted a false flag: an HttpURLConnection and its URL, which appear to connect to the command-and-control (C&C) server. But this HTTP connection is never actually opened.

_Figure 15: False flag_

Stage one loads a class from the second stage, which the researcher named "MaliciousClass".

_Figure 16: Launching the second stage_

### Stage Two

Looking at the classes.dex, it's clear that obfuscation and encryption were used again in stage two. This time, however, the symbol names were partially replaced by strings 1-2 characters long instead of the previous 6-12 character strings. The string encryption algorithm was also modified, making it different from the one used in the previous stage.
Different tools were used. Additionally, the parameters of the decryption algorithm were modified separately for each class. All Java decompilers had problems decompiling the decryption algorithm because of a goto that jumps into the middle of an if block. Only the JEB decompiler handled this construction well.

_Figure 17: Smali code of decryption algorithm_

_Figure 18: Java code of decryption algorithm_

Each class's decryption method had a different parameter order and different constants, which made writing the Python decryption script harder. Either the script had to detect the algorithm setup from the Smali code and adapt itself, or the parameters had to be set manually within the script for each class before decryption.

_Figure 19: Example of an encrypted string_

After string decryption, the libraries used could be identified. These include:

- AES encryption engine
- Base64 encoding
- Emulator detector
- File download service
- IExtendedNetworkService USSD API library
- Zip4jUtil

### Initialization phase

The aforementioned MaliciousClass invoked from the first stage serves as an envelope for an instantiated class the researcher named "Context".

_Figure 20: Context class_

The Context class launches the EmulatorDetector service first. It then starts two other services, AdminService and LPService, followed by the main application Intent.

_Figure 21: Main initialization routine_

_Emulator Detector_

The emulator detector checks for signs that it is running in an emulated environment. The sample looked for traces of the Nox, Andy, Geny, Bluestacks and Qemu Android emulators.

_Figure 22: Emulated environment traces_

_AdminService_

This service is responsible for obtaining admin permission for the application. This is a critical part, since it enables access to sensitive data and allows privileged actions to be launched.

_Figure 23: Critical part of AdminService_

_LPService_

This service is responsible for keeping the application running and connected to the C&C server.
It uses WakeLock and WifiLock acquire() calls to reach this state. A side effect is high battery drain, which most victims ignore.

_Figure 24: Locking to CPU and WiFi resources_

LPService then creates the LPServiceRunnable thread, which wakes up every five seconds and is responsible for monitoring and relaunching these services:

- MainService
- AdminService
- SmsKitkatService

This service also collects information about running processes and tasks. It also periodically starts WebViewActivity, which can open a browser window to arbitrary URLs or launch malicious code. WebViewActivity was not implemented in this sample.

_MainService_

MainService first hooks into AlarmManager for scheduling tasks, then registers two broadcast receivers, MainServiceReceiver1 and MainServiceReceiver2. At the end of the initialization phase, it launches the MainServiceRunnable thread. When the overridden onDestroy() method executes, it restarts MainService again.

_Figure 25: Overridden onDestroy to restart MainService_

An important method of MainService is processApiResponse(), which processes the commands, formatted as a JSON string, received from the C&C server.

_Figure 26: Processing C&C server commands_

_ClearService_

This service invokes the ClearServiceRunnable thread, which handles the locking/unlocking commands (blocking/unblocking user activity) so the botnet operator can perform remote tasks without user intervention. ClearService also relaunches itself if there is an attempt to terminate it.

_Figure 27: ClearService class_

_Figure 28: ClearServiceRunnable_

_SmsKitkatService_

This service was prepared to replace the standard SMS messaging application with a different one written by the attackers. In this version, it used the default one.
_Figure 29: Code for replacement of default SMS application_

### Commands

The list of commands that this malware recognizes can be seen in the table and screenshot below (organized in the order they were defined in the code):

| Command | Description |
|---|---|
| #conversations | Collects the address, body, date, and type columns of all SMS messages from content://sms/conversations/, content://sms/inbox and content://sms/sent, and sends them to the C&C server |
| #contacts | Collects a list of all contacts from content://com.android.contacts/data/phones and sends it to the C&C server |
| #calls | Collects all calls performed from content://call_log/calls and sends them to the C&C server |
| #apps | Collects the list of installed package names and labels and sends it to the C&C server |
| #bhist | This command is ignored in this sample |
| #interval {set:number} | Sets the time period for fetching C&C server commands |
| #intercept | Sets the phone numbers from which to intercept SMS ("all" or a list of numbers) |
| #send id:, to:, body: | Sends an SMS |
| #ussd {to:address, tel:number} | Calls a number via the USSD framework |
| #send_contacts | Sends an SMS to all contacts in the phonebook |
| #server | Sets scheduled time to run |
| # … | … C&C hxxp://fwg23tt23qwef.ru/ |
| #send_mass {messages: {to:address, body:text}, delay:ms} | Sends multiple SMS messages to different addresses, with a delay between sends |
| #lock | Starts the RLA service from ClearServiceRunnable, which intercepts the AKEYCODE_HOME, AKEYCODE_CAMERA, and AKEYCODE_FOCUS key press events. It also intercepts the onBackPressed() Activity method, mutes the ringer, clears all SMS notifications, stops itself, and makes the phone unresponsive |
| #unlock | Disables the actions listed under #lock and unlocks the phone by stopping ClearServiceRunnable |
| #makecall {number:tel_number} | Calls a number using the standard android.intent.action.CALL API |
| #openurl {filesDir=j:url} | Opens a webpage URL |
| #hooksms {number:tel_number} | Hooks a number: it forwards all incoming SMS messages to the number given in the parameter |
| #selfdelete | Sets the task time to an unparsable string value, which stops its self-scheduling tasks |

_Figure 30: List of C&C server commands_

### ApiRequest, ApiResponse, ApiInterfaceImpl

The ApiRequest, ApiResponse, and ApiInterfaceImpl classes handle communication with the C&C server. In the connection parameters initialization, the replaceWithRandomStr variable is set to true by default and is not changed anywhere in the code.

_Figure 31: Building C&C server connection string_

_Figure 32: Connection parameters initialization_

An algorithm generates a random string for the C&C server URL. The API connection is then initialized, and the hostname of the C&C server is set up.

_Figure 33: Building random string for the C&C server URL_

_Figure 34: API connection initialization_

_Figure 35: Setting up C&C server hostname_

An example of C&C server API usage is the implementation of the "#contacts" command. Finally, the parameters for commands are appended in JSON format and converted to a string.

_Figure 36: Example of C&C server API calling_

### Best Practices and Trend Micro Solutions

In its [2020 Security Predictions](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020), Trend Micro predicted the continued proliferation of mobile malware families, such as Geost, that target online banking and payment systems.
Mobile users should safeguard themselves as they navigate the treacherous mobile landscape by following [best practices for securing mobile devices](https://www.trendmicro.com/vinfo/us/security/news/mobile-safety/best-practices-securing-your-mobile-device/). One such step is to avoid downloading apps outside official app stores. Users should also conduct regular audits to remove unused apps.

For additional defense against mobile threats, users can install a multilayered mobile security solution such as [Trend Micro™ Mobile Security](https://www.trendmicro.com/us/home/products/mobile-solutions/android-security/#compare-versions) to protect devices from malicious applications and other mobile threats.

### Indicators of Compromise

| SHA-256 | Detection Name |
|---|---|
| 92394e82d9cf5de5cb9c7ac072e774496bd1c7e2944683837d30b188804c1810 | AndroidOS_Fobus.AXM |