INVOXES Blog

Yello. I'm Kousha (@INVOXES). I'm a FreeBSD/Arch user and a Web/Android PenTester. I love Reverse Engineering/Malware Analysis. I'll write down my things in this blog. :)

Android Trust Wallet Stealer Malware Analysis

As far as technology improves, hackers do their best to abuse these technologies. Android became one of the most impressive technology and it’s going further. Hackers research Android Security every moment and Android malware spread more and more. There is a lot of malware that developed till today. I want to analyze an Android malware that is a Crypto Wallet Stealer.

I have a sample which you can download it from HERE. MD5 Checksum: 70b07a67b618a6352bf35a735645b156

I begin the analysis with Jadx. So first I open the malware with Jadx to analyze AndroidManifest.xml.

It seems malware does not have many activities, services, or even permissions. We have two activities and one service. Our Main Activity that starts first is the SplashActivity, then let’s begin the analysis with that activity.

In the SplashActivity there’s just one thing, start a new Activity with a new thread.

Let’s go further and analyze MainActivity. Source code is easy to read, fortunately, We don’t have to deal with obfuscation. :) In onCreate() method we got just an if statement. Let’s check the conditions.

In O() method, the malware checks if the accessibility feature is already enabled, and also it will start the service that is defined in AndroidManifest.xml.

If accessibility feature does not enabled, malware execute W() function. W() function is the interesting part which using a phishing technique (Cloak & Dagger) that trick the user to enable accessibility feature by himself. :) The victim thinks that he confirms he’s not a robot, but actually, he clicks on the Accessibility permission behind.

After all, malware again tries to check that if statement. However, this time U() function will execute. This function uses Trust Mobile Application Package (Wallet) as a Component and starts it. If this code block fails (Trust is not installed), it will execute V() function that shows a message to the user “This application is not compatible with your device!”.

The MyAccessibilityService is quite interesting. This service clicks (touches) the buttons in the Trust application in the background by abusing the Accessibility feature to steal data and do actions and finally Malware developer used the Telegram bot to steal data.