[Malware Studies] VikingHorde

It’s been a long time but I decided to write another analysis of a binary obtained in theZoo. This time it’s about an Android application.

SHA1 sample: 3bd9635325957d559ca366601922a23134789023

This app is a game which was on Google Play in 2016 but since its malicous activities were discovered by Check Point, Google removed it from their app store.

It uses Stericson’s RootShell and RootTools to check for root permissions to know if the device is rooted.

The check to know if the device is rooted is to determine the installation process. There are two binaries inside /res/raw, aps_exec and aps_exec_watch_dog. The first one handles communcation with the C2 and the second one ensures the persistency of aps_exec.

If the device is detected as root, these two binaries are loaded, but, if not, aps_exec is loaded as a shared library on the system.

After this process, in the onStartCommand() function we can see communicaton with the C2. In the Work() function it collects device data, in StartInstallHandler() a request is sent to hxxp://176[.]9[.]138[.]114:7777/ecspectapatronum/ to get a JSON with a list of apps and a link to download them. Then, is checked on the system if some of these apps are installed and, if not, they are installed with the URL contained in the JSON.

Finally, the Knock() function sends a request to hxxp://loginprotect[.]mobi/callback[.]php?referer= with the value o this.ref, which is defined in the BroadReceiver inside the onStartCommand() function.

With these procedures, the device becomes part of the botnet.

That’s it for now!