Android Analysis Report 2NlAl5qpCB.apk

Overview

General Information

Sample Name: 2NlAl5qpCB.apk
Analysis ID: 456680
MD5: 83a4eb8beabb086699b0bbeda3b1297f
SHA1: 8c930522a53698e02f444a954402abd4f0c574f6
SHA256: c2ecec7e8fa9183772cd87c9861aa409fe109f05767f6a5b4baca1d127c820d4
Tags: AbereBot, apk
Detection

AbereBot
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected AbereBot
Protects itself from removal
Removes its application launcher (likely to stay hidden)
Sets itself as the default SMS application
Uses accessibility services (likely to control other applications)
Accesses Android OS build fields
Checks whether an internet connection is available
Creates SMS data (e.g. PDU)
Detected TCP or UDP traffic on non-standard ports
Has functionality to add an overlay to other apps
Has permission to read contacts
Has permission to read the SMS storage
Has permission to receive SMS in the background
Has permission to send SMS in the background
Has permission to write to the SMS storage
Loads a webpage with cache disabled
Obfuscates method names
Opens an internet connection
Parses SMS data (e.g. originating address)
Performs DNS lookups (Java API)
Queries list of installed packages
Queries phone contact information
Queries the phone's location (GPS)
Requests permissions only permitted to signed APKs
Requests potentially dangerous permissions
Uses reflection

Yara Overview

No yara matches

Jbx Signature Overview

Source: c.b.c.m$h;->c:29 | API Call: android.location.Location.getLatitude
Source: c.b.c.m$h;->c:30 | API Call: android.location.Location.getLongitude
Source: c.b.c.m$h;->c:32 | API Call: android.location.Location.getLatitude
Source: c.b.c.m$h;->c:33 | API Call: android.location.Location.getLongitude
Source: c.b.c.m$h;->c:35 | API Call: android.location.Location.getLatitude
Source: c.b.c.m$h;->c:36 | API Call: android.location.Location.getLongitude
Source: c.b.c.w;->a:6 | API Call: android.location.LocationManager.getLastKnownLocation
Source: com.example.autoclicker.AccessibilityService;->onAccessibilityEvent:322 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.example.autoclicker.AccessibilityService;->onAccessibilityEvent:323 | API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: com.example.autoclicker.AccessibilityService;->onAccessibilityEvent:345 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.example.autoclicker.AccessibilityService;->onAccessibilityEvent:346 | API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: com.example.autoclicker.MainActivity;->u:394 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.example.autoclicker.MainActivity;->u:395 | API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: com.example.autoclicker.MainActivity;->u:396 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.example.autoclicker.MainActivity;->u:397 | API Call: android.net.NetworkInfo.isAvailable
Source: com.example.autoclicker.MainActivity;->u:398 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.example.autoclicker.MainActivity;->u:399 | API Call: android.net.NetworkInfo.isConnected
Source: global traffic | TCP traffic: 192.168.2.30:56068 -> 8.8.4.4:853
Source: com.example.autoclicker.Bank;->onCreate:12 | API Call: android.webkit.WebSettings.setCacheMode
Source: com.example.autoclicker.FileDownloadService;->onHandleIntent:60 | API Call: java.net.URL.openConnection (not executed)
Source: f.k0.k.b;->e:82 | API Call: java.net.Socket.connect (not executed)
Source: f.k0.k.h;->e:111 | API Call: java.net.Socket.connect (not executed)
Source: f.s;->a:4 | API Call: java.net.InetAddress.getAllByName (not executed)
Source: unknown | TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.186.42
Source: unknown | TCP traffic detected without corresponding DNS query: 108.177.119.188
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: $avd_show_password__2.xml | String found in binary or memory: http://schemas.android.com/aapt
Source: standalone_badge_gravity_bottom_end.xml, abc_tint_seek_thumb.xml, material_timepicker_dialog.xml, design_appbar_state_list_animator.xml, mtrl_picker_header_fullscreen.xml, material_clock_period_toggle_land.xml, material_clock_period_toggle.xml, android | String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: mtrl_outlined_stroke_color.xml, abc_screen_simple.xml, test_toolbar_elevation.xml, test_reflow_chipgroup.xml, mtrl_fab_transformation_sheet_expand_spec.xml, abc_btn_check_material_anim.xml, $avd_show_password__2.xml, text_view_without_line_height.xml, abc_tint_seek_thumb.xml, abc_btn_colored_material.xml, abc_ic_arrow_drop_right_black_24dp.xml, btn_checkbox_checked_to_unchecked_mtrl_animation.xml, btn_checkbox_to_checked_box_outer_merged_animation.xml, abc_alert_dialog_button_bar_material.xml, design_text_input_start_icon.xml, mtrl_extended_fab_state_list_animator.xml, material_time_chip.xml, design_layout_snackbar.xml, design_snackbar_in.xml, design_appbar_state_list_animator.xml, design_navigation_item.xml, accessibility_service_config.xml, mtrl_calendar_month.xml, mtrl_picker_header_fullscreen.xml, mtrl_fab_show_motion_spec.xml, material_clock_period_toggle_land.xml, abc_dialog_title_material.xml, design_bottom_navigation_item.xml, abc_seekbar_thumb_material.xml, btn_radio_off_to_on_mtrl_animation.xml, ic_launcher.xml, material_clock_period_toggle.xml, mtrl_calendar_months.xml, android | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: material_timepicker_dialog.xml | String found in binary or memory: http://schemas.android.com/apk/res/android77material_textinput_timepicker
Source: android | String found in binary or memory: https://api.telegram.org/bot
Source: android | String found in binary or memory: https://github.com/yutronsayshi/aberebot456/raw/main/
Source: unknown | Network traffic detected: HTTP traffic on port 39602 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50870 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 41366 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50458 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 41366
Source: c.b.c.m;->S:498 | API Call: WindowManager.addView
Source: c.b.h.c1;->d:107 | API Call: WindowManager.addView
Source: submitted apk | Request permission: android.permission.SEND_SMS
Source: submitted apk | Request permission: android.permission.WRITE_SMS
Source: submitted apk | Request permission: android.permission.BROADCAST_SMS
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_MMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.SEND_SMS
Source: submitted apk | Request permission: android.permission.WRITE_SMS
Source: classification engine | Classification label: mal64.troj.spyw.evad.andAPK@0/251@0/0
Source: 2NlAl5qpCB.apk | Total valid method names: 39%
Source: c.b.c.m;->J:274 | API Call: androidx.appcompat.widget.FitWindowsLinearLayout.makeOptionalFitsSystemWindows
Source: c.b.c.m;->J:274 | API Call: Real call: public void android.view.ViewGroup.makeOptionalFitsSystemWindows()
Source: d.b.a.a.a;->c:196 | API Call: java.lang.reflect.Method.invoke
Source: androidx.activity.ImmLeaksCleaner;->g:16 | API Call: java.lang.reflect.Field.get
Source: androidx.activity.ImmLeaksCleaner;->g:18 | API Call: java.lang.reflect.Field.get
Source: c.h.b.d$c;->onActivityPaused:6 | API Call: java.lang.reflect.Field.get
Source: c.h.b.d$c;->onActivityPaused:9 | API Call: java.lang.reflect.Field.get
Source: c.h.b.e;->run:7 | API Call: java.lang.reflect.Method.invoke
Source: c.h.b.e;->run:12 | API Call: java.lang.reflect.Method.invoke
Source: c.h.b.d;->b:33 | API Call: java.lang.reflect.Field.get
Source: c.h.b.d;->b:35 | API Call: java.lang.reflect.Field.get
Source: c.h.b.d;->b:46 | API Call: java.lang.reflect.Method.invoke
Source: c.h.b.f;->G:88 | API Call: java.lang.reflect.Method.invoke
Source: c.h.b.f;->V:262 | API Call: java.lang.reflect.Method.invoke
Source: c.h.b.f;->d0:328 | API Call: java.lang.reflect.Method.invoke
Source: c.h.b.f;->x:534 | API Call: java.lang.reflect.Field.get
Source: c.h.b.f;->z:547 | API Call: java.lang.reflect.Method.invoke
Source: c.b.a;->d:295 | API Call: java.lang.reflect.Field.get
Source: c.f.c.d;->a:243 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->a:247 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->a:250 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->a:254 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->a:258 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->a:262 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->a:266 | API Call: java.lang.reflect.Method.invoke
Source: c.f.c.d;->b:412 | API Call: java.lang.reflect.Method.invoke
Source: c.b.c.m;->A:66 | API Call: java.lang.reflect.Field.get
Source: c.b.c.m;->A:75 | API Call: java.lang.reflect.Field.get
Source: c.b.c.m;->A:85 | API Call: java.lang.reflect.Field.get
Source: c.b.c.m;->A:92 | API Call: java.lang.reflect.Field.get
Source: c.b.c.t$a;->onClick:37 | API Call: java.lang.reflect.Method.invoke
Source: c.b.c.m;->d:702 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.material.chip.Chip;->dispatchHoverEvent:244 | API Call: java.lang.reflect.Field.get
Source: com.google.android.material.chip.Chip;->dispatchHoverEvent:252 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.e;->h:6 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.e;->a:41 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.f;->h:21 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.f;->i:27 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.h;->m:9 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.g;->b:62 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.g;->k:77 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.g;->l:85 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.g;->m:93 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.g;->n:95 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.j;->g:11 | API Call: java.lang.reflect.Field.get
Source: androidx.core.graphics.drawable.IconCompat;->toString:36 | API Call: java.lang.reflect.Method.invoke
Source: c.b.g.f$a;->onMenuItemClick:21 | API Call: java.lang.reflect.Method.invoke
Source: c.b.g.f$a;->onMenuItemClick:25 | API Call: java.lang.reflect.Method.invoke
Source: c.b.g.f$b;->c:52 | API Call: java.lang.reflect.Method.invoke
Source: c.b.h.c0;->e:25 | API Call: java.lang.reflect.Method.invoke
Source: c.b.h.c0;->f:155 | API Call: java.lang.reflect.Method.invoke
Source: c.b.h.f1;->a:10 | API Call: java.lang.reflect.Method.invoke
Source: c.b.h.m0;->i:80 | API Call: java.lang.reflect.Method.invoke
Source: c.b.h.m0;->i:136 | API Call: java.lang.reflect.Method.invoke
Source: c.b.h.m0;->i:151 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.i.f;->b:29 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.i.f;->d:47 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.i.f;->d:49 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.i.f;->d:53 | API Call: java.lang.reflect.Method.invoke
Source: c.b.g.i.d;->w:191 | API Call: java.lang.reflect.Method.invoke
Source: c.h.j.b0$b;-><init>:8 | API Call: java.lang.reflect.Field.get
Source: c.h.j.b0$f;->d:27 | API Call: java.lang.reflect.Method.invoke
Source: c.h.j.b0$f;->d:32 | API Call: java.lang.reflect.Field.get
Source: c.h.j.b0$f;->d:34 | API Call: java.lang.reflect.Field.get
Source: c.h.j.e;->b:32 | API Call: java.lang.reflect.Method.invoke
Source: c.h.j.e;->b:43 | API Call: java.lang.reflect.Field.get
Source: c.h.j.w;->a:7 | API Call: java.lang.reflect.Method.invoke
Source: c.h.j.q;->h:92 | API Call: java.lang.reflect.Field.get
Source: c.h.j.q;->n:119 | API Call: java.lang.reflect.Field.get
Source: c.h.j.q;->n:121 | API Call: java.lang.reflect.Field.get
Source: c.h.j.q;->n:123 | API Call: java.lang.reflect.Field.get
Source: f.k0.k.b$b;->a:10 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.b;->g:99 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.b;->g:102 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.b;->k:117 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.e$a;->invoke:43 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.e;->a:16 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.e;->d:44 | API Call: java.lang.reflect.Method.invoke
Source: f.k0.k.e;->f:51 | API Call: java.lang.reflect.Method.invoke
Source: c.h.k.d;->onPrepareActionMode:30 | API Call: java.lang.reflect.Method.invoke
Source: c.h.d.l.d;->isProjected:18 | API Call: java.lang.reflect.Method.invoke
Source: c.m.a$a;->a:19 | API Call: java.lang.reflect.Method.invoke
Source: c.m.a$a;->a:21 | API Call: java.lang.reflect.Method.invoke
Source: c.m.a$a;->a:23 | API Call: java.lang.reflect.Method.invoke
Source: c.q.a0;->d:14 | API Call: java.lang.reflect.Method.invoke
Source: c.s.a;->o:41 | API Call: java.lang.reflect.Method.invoke
Source: c.s.a;->w:60 | API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$SearchAutoComplete;->a:14 | API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView;->s:354 | API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView;->s:360 | API Call: java.lang.reflect.Method.invoke

Hooking and other Techniques for Hiding and Protection:

Protects itself from removal
Source: com.example.autoclicker.AccessibilityService;->onAccessibilityEvent:360 | API Calls in same method context: AccessibilityNodeInfo.findAccessibilityNodeInfosByText, AccessibilityEvent.getPackageName
Removes its application launcher (likely to stay hidden)
Source: com.example.autoclicker.MainActivity;->onCreate:364 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: g.h;->b:19 | API Call: java.security.MessageDigest.getInstance
Source: g.h;->b:21 | API Call: java.security.MessageDigest.digest
Source: g.v;->b:12 | API Call: java.security.MessageDigest.getInstance
Source: g.v;->b:16 | API Call: java.security.MessageDigest.update
Source: g.v;->b:17 | API Call: java.security.MessageDigest.digest
Source: c.b.c.m;-><clinit>:2 | Field Access: android.os.Build.FINGERPRINT
Source: com.example.autoclicker.AccessibilityService;->b:236 | Field Access: android.os.Build.MANUFACTURER
Source: com.example.autoclicker.AccessibilityService;->b:240 | Field Access: android.os.Build.MODEL
Source: com.example.autoclicker.SmsReceiver;->onReceive:56 | Field Access: android.os.Build.MANUFACTURER
Source: com.example.autoclicker.SmsReceiver;->onReceive:60 | Field Access: android.os.Build.MODEL
Source: com.example.autoclicker.MainActivity;->onCreate:327 | Field Access: android.os.Build$VERSION.RELEASE
Source: com.google.android.material.textfield.TextInputEditText;->onAttachedToWindow:31 | Field Access: android.os.Build.MANUFACTURER
Source: d.b.a.a.z.p;->onAttachedToWindow:30 | Field Access: android.os.Build.MANUFACTURER

Stealing of Sensitive Information:

Sets itself as the default SMS application
Source: Lcom/example/autoclicker/SmsReceiver;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "android.provider.Telephony.SMS_DELIVER"
Uses accessibility services (likely to control other applications)
Source: com.example.autoclicker.AccessibilityService;->a:229 | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Source: com.example.autoclicker.AccessibilityService;->e:271 | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Source: com.example.autoclicker.AccessibilityService;->e:274 | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Source: com.example.autoclicker.AccessibilityService;->onAccessibilityEvent:360 | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Source: com.example.autoclicker.SmsReceiver;->onReceive:18 | API Call: android.telephony.SmsMessage.createFromPdu
Source: com.example.autoclicker.SmsReceiver;->onReceive:19 | API Call: android.telephony.SmsMessage.createFromPdu
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: com.example.autoclicker.SmsReceiver;->onReceive:20 | API Call: android.telephony.SmsMessage.getMessageBody
Source: com.example.autoclicker.SmsReceiver;->onReceive:21 | API Call: android.telephony.SmsMessage.getOriginatingAddress
Source: com.example.autoclicker.MainActivity;->onCreate:332 | API Call: android.content.pm.PackageManager.getInstalledPackages
Source: com.example.autoclicker.MainActivity;->v:412 | Field Access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI

Remote Access Functionality:

Detected AbereBot
Source: Lcom/example/autoclicker/MainActivity;->onCreate(Landroid/os/Bundle;)V | Method string: AbereBot strings

Mitre Att&ck Matrix

Techniques listed per tactic column; "(1)" marks a technique with one matching signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Obfuscated Files or Information (1); Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Network Connections Discovery (1); Location Tracking (1); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Access Contact List (1); Location Tracking (1); Network Information Discovery (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS (1); Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Carrier Billing Fraud (1); Device Lockout; Delete Device Data
