A Hidden Way of Malware on Android

Background

In the Android operating system, an APK is a ZIP-format file that contains several ordinary files together with executable files. In a normal APK, the compressed root directory contains a DEX executable named classes.dex, and it may also contain one or more shared object files in ELF format. If other executable or shared object files in APK, DEX or ELF format appear at other locations within the APK, we call them abnormal executable files.

When detecting malware, security software not only performs signature matching against the APK, classes.dex and the relevant shared object files, but also checks for the presence of abnormal executable files.

Here we use a sample from the egdata family as an example to show how an abnormal executable file is hidden in order to evade detection of the related malware files by security software and to make detection more difficult.

The Tampered Calendar — egdata.a

Sample egdata.a is a calendar application that the attacker tampered with and repackaged. When it runs, it prompts the user to update the program; however, the update fails because the signatures differ.


Figure 1 Screenshot of running egdata.a

Comparing the sample's APK layout with that of the official application, we found that the sample adds one extra file, eg.data, in the /assets directory. Inspecting the file header of eg.data, we discovered that it begins with the two bytes PK and that, after decompression, its root directory contains AndroidManifest.xml and classes.dex, which means it is a standard APK file.
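The detection idea described in the Background section and the eg.data finding above can be combined into a simple scanner: walk every entry of an APK, identify executable content by its file header (PK for ZIP/APK, "dex\n" for DEX, 0x7f ELF for ELF), and flag any such entry that is not in its expected location. The following is an added example written for this article, not code from the original report or from any vendor tool; the sample APK it scans is constructed in memory (it is not the real egdata.a), and the "expected location" rules (classes*.dex in the root, .so files under lib/) are assumptions that a real scanner would refine.

```python
import io
import zipfile

# Magic bytes for the three executable formats the article names.
ZIP_MAGIC = b"PK\x03\x04"   # ZIP / APK local file header ("PK" + 03 04)
DEX_MAGIC = b"dex\n"        # DEX header: "dex\n" followed by the version
ELF_MAGIC = b"\x7fELF"


def _is_expected_location(name, kind):
    """Assumed layout rules for a normal APK (not taken from the report):
    DEX only as classes*.dex in the root, ELF only as lib/**/*.so,
    and a nested ZIP/APK is never expected anywhere."""
    if kind == "DEX":
        return "/" not in name and name.startswith("classes") and name.endswith(".dex")
    if kind == "ELF":
        return name.startswith("lib/") and name.endswith(".so")
    return False


def classify(data):
    """Return 'APK', 'ZIP', 'DEX', 'ELF' or None based on the file header.

    A ZIP entry is reported as 'APK' when its root directory contains both
    AndroidManifest.xml and classes.dex, which is exactly the eg.data case.
    """
    if data.startswith(DEX_MAGIC):
        return "DEX"
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = set(inner.namelist())
        except zipfile.BadZipFile:
            return "ZIP"  # PK header but not a readable archive
        if {"AndroidManifest.xml", "classes.dex"} <= names:
            return "APK"
        return "ZIP"
    return None


def find_abnormal_executables(apk_bytes):
    """Scan every entry of an APK and return (name, kind) pairs for
    executable content found outside its normal location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            kind = classify(apk.read(info.filename))
            if kind is None:
                continue
            # Nested APKs are judged by the ZIP rule (never expected).
            rule = kind if kind in ("DEX", "ELF") else "ZIP"
            if not _is_expected_location(info.filename, rule):
                findings.append((info.filename, kind))
    return findings


def build_sample():
    """Constructed sample, not the real egdata.a: a minimal APK whose
    assets/eg.data entry is itself a ZIP holding AndroidManifest.xml
    and classes.dex, next to a normal classes.dex and lib/*.so."""
    fake_dex = DEX_MAGIC + b"035\0" + b"\0" * 16   # header bytes only
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\0" * 12)
        z.writestr("assets/eg.data", inner.getvalue())
        z.writestr("res/raw/calendar.txt", "just text")
    return outer.getvalue()


if __name__ == "__main__":
    for name, kind in find_abnormal_executables(build_sample()):
        print(f"abnormal {kind} at {name}")
```

Run against the constructed sample, the scanner reports only `assets/eg.data` as an abnormal APK; the legitimate `classes.dex` and `lib/armeabi/libnative.so` pass because they sit where a normal APK keeps them. In practice the header check matters more than the file name: a dropped payload can carry any extension, but the first bytes of the entry still have to be a valid ZIP, DEX or ELF header for the system to load it.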

The full analysis report can be downloaded here.