1. Introduction
BlackRoseLucy is an Android trojan found in the wild. The malware is known to collect data from infected phones and turn them into remotely controlled bots. You have to find out the address of the Command & Control (CC) server controlling the bots, and you will find out more about the name of the malware. The address is "hard coded".
Requirements
- Download the APK (Android Package).
- Decompile the apk (jadx).
- Analyze the Java code.
Your goal is to find the CC server address (protocol, IP, port) in the decompiled code.
2. Analysis
On GitHub I discovered a tool called Androwarn.
https://github.com/maaaaz/androwarn
Androwarn is a tool whose main aim is to detect and warn the user about potentially malicious behaviours developed by an Android application.
Let’s give it a try and generate a report of the package:
androwarn -i /home/hacker/Android/LAB6/BlackRoseLucy.apk -v 3 -r html
From the HTML report I get the hint that it opens a suspicious connection, but it doesn't reveal the remote address:

Services and permissions look like this:


My next approach is to open the package in jadx-gui and search for http:// and https:// strings:

Here we can see the following two URLs:
Let's check it against VirusTotal by entering the MD5 hash: a2a921c0e8a9171300a805c5b1df78b8

From the VirusTotal analysis results we can see that the package connects to thelucy.top, which is the likely CC server.
CC Server URL: thelucy.top
Port: 443
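As an added triage example (not part of this write-up, Androwarn or jadx), the following Python automates the two steps above: it scans every entry of an APK for hard-coded http(s):// literals, reports scheme, host and port as the lab asks, and computes the package MD5 for a VirusTotal lookup. The APK it builds in memory is constructed for the demo, and c2.example.invalid is a placeholder, not the real server.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import urlsplit

# ASCII URL literal as it appears in a dex string table, resource or asset.
# The path class excludes control bytes so the NUL-terminated dex strings do not run together.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-]+(?::\d{1,5})?(?:/[-\w./?=&%#~:@+]*)?")

def apk_md5(apk_bytes: bytes) -> str:
    """MD5 of the whole package, the value one enters on VirusTotal."""
    return hashlib.md5(apk_bytes).hexdigest()

def find_hardcoded_urls(apk_bytes: bytes) -> list:
    """Scan all APK entries for http(s):// literals; return deduplicated
    (entry_name, scheme, host, port) tuples, filling in the default port."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            for m in URL_RE.finditer(zf.read(name)):
                parts = urlsplit(m.group(0).decode("ascii", "replace"))
                port = parts.port or (443 if parts.scheme == "https" else 80)
                item = (name, parts.scheme, parts.hostname, port)
                if item not in found:
                    found.append(item)
    return found

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip holding a fake classes.dex whose
    string table contains two placeholder C2 URLs, plus a manifest with none."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="example.placeholder"/>')
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16
                    + b"https://c2.example.invalid/api/register\0"
                    + b"http://c2.example.invalid:8080/u\0")
    return buf.getvalue()

if __name__ == "__main__":
    apk = build_sample_apk()
    print("md5:", apk_md5(apk))
    for entry, scheme, host, port in find_hardcoded_urls(apk):
        print(f"{entry}: {scheme} {host} {port}")
```

Pointing find_hardcoded_urls at a real APK's bytes gives the same list jadx-gui's string search produces, without opening the GUI.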