Currently, I'm working through the 8ksec Offensive Android Internals Course. It's been really interesting so far, and I'm learning a lot. The course primarily focuses on creating exploits but also touches on malware analysis. Although I have some experience analyzing Windows malware, I wanted to take a further look into Android malware. Android is the world's biggest operating system, so it goes without saying that it's an ecosystem ripe for malware authors. What follows is my analysis of VINETHORN (package: com.example.vpnner), an Android spyware disguised as a VPN application. This write-up covers a deep analysis of the sample from manifest inspection to dynamic analysis.
Android remains the most targeted operating system due to its massive global user base. Malware authors leverage its open nature and user negligence to deploy malware like VINETHORN, capable of sophisticated data theft and persistent surveillance. According to recent reports, spyware targeting Android has increased by nearly 35% in the past year, with surveillance tools like VINETHORN becoming increasingly sophisticated in their ability to evade detection while extracting sensitive user data.
The first thing I did was to fire up an Ubuntu VM on my MacBook (shoutout to Parallels—VMware is awful, VirtualBox even more so). Next, I downloaded the sample from Malware Bazaar (hash details at the end of this writeup). After running jadx-gui on the sample, I was immediately able to see some interesting results in the manifest.xml file. If you're not familiar with the manifest file, it's required in every Android project. It must contain the components of an app, including activities, services, permissions, and hardware and software features that are required.
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
<uses-permission android:name="com.huawei.permission.external_app_settings.USE_COMPONENT"/>Essentially, the malware is requesting permissions to access very sensitive data: SMS messages, camera, audio recording, call information, network state, etc. Something very important to note is the extensive list of permissions requested. Remember that the manifest file requires all permissions to be declared. Examining the file closer, we can look for the actions associated with these permissions.
VINETHORN maintains persistence using a receiver triggered at device boot, ensuring continuous operation even after the device restarts. This is a common technique used by sophisticated malware to achieve longevity on infected devices and avoid the need for user interaction to restart the malicious services.
public class StartActivityOnBootReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context ctx, Intent intent) {
if (Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {
MyJobIntentService.enqueueWork(ctx,
new Intent(ctx, MyJobIntentService.class).putExtra("maxCountValue", 1000));
Intent svc = new Intent(ctx, MainService.class);
if (Build.VERSION.SDK_INT >= 26) {
ctx.startForegroundService(svc);
} else {
ctx.startService(svc);
}
}
}
}This boot receiver starts two services: a JobIntentService and a MainService. The code demonstrates version-aware implementation, using startForegroundService() for Android 8.0 (API 26) and above, which is necessary for background services to function properly on newer Android versions. This shows that the malware authors are keeping up with Android platform changes to ensure their malware remains effective across different versions.
This snippet illustrates how VINETHORN requests and acquires SMS permissions to intercept messages, potentially stealing OTPs or other sensitive communications. SMS interception is particularly valuable for attackers attempting to bypass two-factor authentication systems that rely on text messages.
private void requestPermissions() {
ActivityCompat.requestPermissions(this,
new String[]{"android.permission.READ_SMS", "android.permission.SEND_SMS"}, 1);
}The malware doesn't merely read messages; it also requests permissions to send SMS. This dual capability allows attackers to not only intercept incoming verification codes but also potentially send messages to premium-rate numbers or propagate itself to contacts in the victim's address book. Some banking trojans use similar techniques to intercept transaction verification codes while simultaneously hiding these messages from the user.
VINETHORN abuses Google's billing API to monitor and manipulate purchase data. This could enable financial fraud or theft of payment information from the infected device.
public interface IInAppBillingService extends IInterface {
int isBillingSupported(int api, String pkg, String type);
Bundle getPurchases(int api, String pkg, String type, String contToken);
int consumePurchase(int api, String pkg, String purchaseToken);
}By implementing this interface, the malware can potentially monitor in-app purchases, steal purchasing credentials, or even make unauthorized purchases. The IInAppBillingService interface provides methods to check billing support, retrieve purchase history, and consume (complete) purchases. This level of integration with the Android billing system demonstrates sophisticated capabilities beyond simple data theft.
The spyware uses fake system updates as bait to trick users into granting additional permissions. This social engineering tactic exploits users' tendency to trust system-level notifications.
NotificationCompat.Builder(ctx, "channelId")
.setContentTitle("Android System")
.setContentText("Update your android to get better user experience")
.setPriority(NotificationCompat.PRIORITY_HIGH)
.setFullScreenIntent(getFullScreenIntent(ctx, false), true);This notification is designed to appear legitimate with high priority and full-screen intent. The malware impersonates the Android system itself, creating a false sense of urgency and legitimacy. When users interact with this notification, they're likely directed to grant additional permissions or download further malicious components. The use of system-themed notifications is a common tactic in sophisticated mobile malware, exploiting the implicit trust users place in system messages.
This malware is looking like it's spyware, but let's dive deeper. I fired up an emulated device and pushed the malicious APK to it. I then ran fsmon as root. Fsmon monitors filesystems on iOS, macOS, Android, and Linux. With this tool, I was able to see where the malware was saving its data on the device. The data was being saved to /data/data/com.example.vpnner/cache/logcache.dat. I pulled this file to my computer using the following command:
adb pull /data/data/com.example.vpnner /Users/marq/Desktop/vpnner
Further analysis of network traffic shows active exfiltration of data over an unsecured OpenVPN tunnel. The malware attempts to establish a connection to its command and control server using UDP over port 1194, which is the standard OpenVPN port. This clever disguise as legitimate VPN traffic helps the malware blend in with normal network activity while transmitting stolen data.
VUDP link remote: [AF_INET]143.244.220.150:1194
TLS Error: key negotiation failed (60 s) – continuous reconnect attemptExamining the logcache.dat file revealed that the malware was collecting a wide array of sensitive information including SMS messages, call logs, and even recorded audio snippets. The data was stored in a structured JSON format, ready for exfiltration when the C2 connection was established. The malware implements a retry mechanism for failed connections, demonstrating resilience in its communication strategy.
rule Android_VINETHORN {
strings:
$ip = "143.244.220.150"
$warn= "No server certificate verification method has been enabled"
$boot= "android.intent.action.BOOT_COMPLETED"
condition:
($ip or $warn) and $boot
}This YARA rule provides a basic detection mechanism for VINETHORN. Additional IOCs include the package name (com.example.vpnner), the presence of the logcache.dat file in the application's cache directory, and network connections to the C2 server on port 1194. Security teams should monitor for these indicators in their mobile security solutions to detect potential infections.
VINETHORN aligns with tactics used by APT42 (Charming Kitten), indicating a sophisticated espionage campaign targeting dissidents and activists. The technical sophistication, targeting profile, and operational infrastructure are consistent with previous campaigns attributed to this threat actor. The campaign likely represents continued efforts to conduct surveillance against specific individuals of interest to the threat actor's sponsors.
This was a fun project, and I thoroughly enjoyed it. This malware was not heavily obfuscated, so I didn't encounter many difficulties in analysis. I plan to do more of these writeups as I work my way through the course and grow my reverse engineering skills. I'll tackle more difficult samples in the near future and try to update this weekly (no promises). If you're interested in Android malware analysis, I'd also recommend the "Android Malware Handbook" by No Starch Press. It's been a really valuable guide. I'm also thinking of maybe updating my machine learning AV to include Android malware detection.
Mandiant did a great writeup on this malware, which you can find at Mandiant writeup
SHA256 Hash: 5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5