Reverse Engineering "Undangan APK" Malware
Summary
- The malware is an APK file called Lihat Poto Undangan_Pdf.apk with the package name com.google.masitaux3.
- Once installed, it does not appear in the launcher.
- Upon opening, the malware requests permissions to read notifications, read SMS messages, and send SMS messages.
- After obtaining these permissions, the app displays a blank screen.
- The malware monitors notifications and SMS messages and forwards the captured data to its operator via the Telegram Bot API and via SMS.
- The data is sent to the Telegram bot Deku1205 (bot ID 6103323459) and to the phone number +6282141857614.
- Its primary purpose appears to be the takeover of accounts protected by OTP codes delivered via SMS or WhatsApp.
- The same capability can be monetised by taking over e-wallets, which commonly deliver verification codes through SMS or WhatsApp.
- This malware can be uninstalled from device settings.
Important Links
Malware APK: https://files.catbox.moe/5sem2y.apk.
Background Story
My friend contacted me, saying that someone had sent him a “virus”. He wanted me to look at it, so he sent it over. It is an APK file named Lihat Poto Undangan_Pdf.apk.
Installing the APK
I installed it in an Android emulator. It didn’t show up in my launcher, so I had to start the application from Settings. On first launch it asked for two permissions:
- Read notifications.
- Read and send SMS messages.
After granting both, it displayed a blank screen.
Strings
I ran the APK through strings and found a few interesting things:
- There are strings of multiple languages in the application.
- There is a string “Cek Resi”; the app apparently also goes by that name.
- The package name is com.google.masitaux3.
I didn’t find anything else of interest in the strings output, so I decompiled it.
Decompilation using apktool
I ran into trouble decoding the resources, so I skipped them. In the code I found calls to the Telegram Bot API, made when the malware is installed and whenever a notification or SMS message is received. I also found a phone number hard-coded in the APK.
Exploring Telegram Bot and Phone Number
In the decompiled code, I found two things:
- A Telegram Bot API call to sendMessage when the malware is installed. The bot ID is 6103323459 and the bot username is Deku1205.
- A phone number, +6282141857614. On WhatsApp the account name is KING KEVIN. I think this is just a burner number, as the name and profile picture belong to an Instagram account called @kingkevinreal.
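The strings pass and the Telegram/phone indicators pulled from the decompiled code are the kind of triage that is easy to script. The following is an added example, not the author's tooling and not code from the APK: it runs a strings-style scan over every entry of an APK and extracts Telegram Bot API method names, the bot IDs from any embedded bot tokens (a Telegram bot token has the form "<bot id>:<secret>", so the numeric prefix is the bot's user ID, which is what the write-up calls the Bot ID), phone numbers, and the permission names that enable SMS and notification interception. The sample APK is constructed in memory with the indicators reported above and a placeholder token secret; the regexes and thresholds are my own choices.

```python
"""Static IOC triage for a suspicious APK (added example).

Runs a `strings`-style scan over every entry in the archive and extracts
Telegram Bot API method names, bot IDs from embedded bot tokens, phone
numbers, and the permission names that enable SMS/notification interception.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# `strings -n 8` equivalent: runs of 8+ printable ASCII bytes. ASCII strings
# in a DEX string table are stored verbatim (MUTF-8), so this catches them.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")

# A Telegram bot token is "<numeric bot id>:<secret>"; the numeric prefix is
# the bot's user ID. Matched independently of the URL so that a token
# concatenated onto the URL at runtime is still found.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,11}):([A-Za-z0-9_-]{30,})")

# Bot API method being called, e.g. sendMessage, sendDocument, getUpdates.
ENDPOINT_RE = re.compile(rb"api\.telegram\.org/bot[^/\s\"']+/(\w+)")

# E.164-style numbers: a '+' followed by 8-15 digits.
PHONE_RE = re.compile(rb"\+\d{8,15}")

# Permissions that let an app read notifications and read/send SMS.
SENSITIVE_PERMISSIONS = {
    b"android.permission.READ_SMS",
    b"android.permission.RECEIVE_SMS",
    b"android.permission.SEND_SMS",
    b"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


@dataclass
class Iocs:
    bot_ids: set = field(default_factory=set)
    telegram_endpoints: set = field(default_factory=set)
    phone_numbers: set = field(default_factory=set)
    permissions: set = field(default_factory=set)


def scan_apk(apk_bytes: bytes) -> Iocs:
    """Extract IOCs from the raw bytes of an APK (a zip archive)."""
    iocs = Iocs()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            for s in PRINTABLE_RE.findall(zf.read(name)):
                for bot_id, _secret in TOKEN_RE.findall(s):
                    iocs.bot_ids.add(bot_id.decode())
                for method in ENDPOINT_RE.findall(s):
                    iocs.telegram_endpoints.add(method.decode())
                for number in PHONE_RE.findall(s):
                    iocs.phone_numbers.add(number.decode())
                for perm in SENSITIVE_PERMISSIONS:
                    if perm in s:
                        iocs.permissions.add(perm.decode())
    return iocs


def build_sample_apk() -> bytes:
    """Constructed stand-in for the real sample: a zip with a fake classes.dex
    whose string table holds the indicators the write-up reports. The token
    secret is a placeholder, not the real one."""
    strings = [
        b"https://api.telegram.org/bot6103323459:FAKEsecretFAKEsecretFAKEsecretFAKE/sendMessage",
        b"android.permission.READ_SMS",
        b"android.permission.RECEIVE_SMS",
        b"android.permission.SEND_SMS",
        b"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
        b"+6282141857614",
        b"Cek Resi",
        b"\x01\x02\x03binary noise\xff\xfe",
    ]
    fake_dex = b"dex\n035\0" + b"\0".join(strings) + b"\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary AXML stub
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    report = scan_apk(data)
    print("Telegram bot IDs:", sorted(report.bot_ids))
    print("Bot API methods: ", sorted(report.telegram_endpoints))
    print("Phone numbers:   ", sorted(report.phone_numbers))
    print("Sensitive perms: ", sorted(report.permissions))
```

Run it with the path to a real APK as the only argument, or with no argument to scan the constructed sample. In a real DEX each string is preceded by a ULEB128 length byte that can itself be printable and end up glued to the front of the string, which is why every pattern here matches as a substring rather than anchored at the start. With the full token in hand (not just the bot ID), the Bot API's getMe method returns the bot's username, which is how the Deku1205 name above can be confirmed.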