Retefe APK Analysis - part two

The second part (read the first part) of the banking trojan is an SMS redirector app. Once it is installed, the fraudsters
can redirect incoming SMS to a compromised website. In this part I will explain the functionality of the rogue app.
 
The victim receives an SMS asking them to open the link in a browser.

 
If the link is requested with a user agent that is not Android, a different app is delivered; only if the user agent
matches Android is the malicious app served. When pulling the sample for analysis, the request must therefore carry an
Android User-Agent.
 

   

 
Once installed, the app makes the victim confirm various settings.
 

Permissions are asked for:
- make and manage phone calls
- access contacts
- send and view SMS
- access photos, media and files
 
Then a password must be generated.
 

 

However, the passwords are not random; they are hard-coded in the source code:

 

After the installation is completed, the app immediately starts talking to the C2 server. The URLs are hard-coded
in the file config.cfg, stored in the app's res/raw folder (in encrypted form, as shown below).
 

The function getRawData reads the raw resources

and encodes the Blowfish key (blfs.key)
NfvnkjlnvkjKCNXKDKLFHSKD:LJmdklsXKLNDS:<XObcniuaebkjxbcz

as a hex string (the value shown covers the first 25 bytes of the key):
4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a

 

With this key the content of config.cfg can be decrypted. The payload must first be base64-decoded; the resulting
raw bytes are then Blowfish-decrypted.
 
 
url_main contains three C2 addresses. The payload of the POST request can be decrypted the same way and contains
information about the device, among other things:
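The decryption pipeline described above (hex-encode blfs.key, base64-decode the payload, Blowfish-decrypt) is the same for config.cfg and for the POST body, so here is one worked example covering both. This is code I wrote for this page, not the trojan's code and not taken from the original analysis; the Blowfish is a minimal pure-Python implementation so that nothing beyond the standard library is needed. Two things are assumptions, not facts from the sample: ECB mode with PKCS#5 padding, and that the 50 hex characters shown above are used as the key bytes (Blowfish accepts at most 56 key bytes, so the full 110-character hex string could not be the key unshortened; the hex_chars parameter exists to try other lengths). The config text is constructed on .invalid hosts, and the known-answer check uses Schneier's published Blowfish test vector to show the cipher itself is right.

```python
import base64
import binascii
from functools import lru_cache


@lru_cache(maxsize=None)
def pi_fraction_bytes(n_bytes):
    """First n_bytes of pi's hex fraction (3.243F6A88...) = Blowfish's P and S constants.
    Machin's formula on big ints, pi = 16*atan(1/5) - 4*atan(1/239), with 64 guard bits."""
    guard = 64
    scale = 1 << (n_bytes * 8 + guard)

    def atan_inv(x):                      # atan(1/x) * scale, Taylor series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k, sign = k + 2, -sign
        return total
    frac = (16 * atan_inv(5) - 4 * atan_inv(239) - 3 * scale) >> guard
    return frac.to_bytes(n_bytes, "big")


class Blowfish:
    """Minimal Blowfish in ECB with PKCS#5 padding (assumed mode); written for this page."""
    MASK = 0xFFFFFFFF

    def __init__(self, key):
        assert 1 <= len(key) <= 56, "Blowfish key is 1..56 bytes"
        pi = pi_fraction_bytes(4168)      # 18 P words + 4*256 S words, 4 bytes each
        words = [int.from_bytes(pi[i:i + 4], "big") for i in range(0, 4168, 4)]
        self.P = words[:18]
        self.S = [words[18 + 256 * i:18 + 256 * (i + 1)] for i in range(4)]
        j = 0                             # key schedule: XOR the cycled key into P, ...
        for i in range(18):
            chunk = 0
            for _ in range(4):
                chunk = (chunk << 8) | key[j % len(key)]
                j += 1
            self.P[i] ^= chunk
        l = r = 0                         # ... then refill P and S with a running encryption
        for i in range(0, 18, 2):
            l, r = self._encrypt_words(l, r)
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self._encrypt_words(l, r)
                box[i], box[i + 1] = l, r
    def _f(self, x):
        s = self.S
        y = (s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & self.MASK
        return ((y ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & self.MASK
    def _encrypt_words(self, l, r):       # 16 Feistel rounds; the return undoes the last swap
        for i in range(16):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[17], l ^ self.P[16]
    def _decrypt_words(self, l, r):       # same network with P walked backwards
        for i in range(17, 1, -1):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[0], l ^ self.P[1]
    def raw_blocks(self, data, decrypt=False):   # ECB over whole 8-byte blocks, no padding
        assert len(data) % 8 == 0, "whole 8-byte blocks only"
        fn, out = (self._decrypt_words if decrypt else self._encrypt_words), bytearray()
        for i in range(0, len(data), 8):
            l, r = fn(int.from_bytes(data[i:i + 4], "big"), int.from_bytes(data[i + 4:i + 8], "big"))
            out += l.to_bytes(4, "big") + r.to_bytes(4, "big")
        return bytes(out)
    def encrypt(self, data):
        pad = 8 - len(data) % 8
        return self.raw_blocks(data + bytes([pad]) * pad)
    def decrypt(self, data):
        plain = self.raw_blocks(data, decrypt=True)
        pad = plain[-1] if plain else 0
        if not 1 <= pad <= 8 or plain[-pad:] != bytes([pad]) * pad:
            raise ValueError("bad padding: wrong key/mode or corrupted payload")
        return plain[:-pad]


BLFS_KEY = b"NfvnkjlnvkjKCNXKDKLFHSKD:LJmdklsXKLNDS:<XObcniuaebkjxbcz"   # blfs.key from the post

def derive_key(raw_key, hex_chars=50):
    """Mirror getRawData: hex-encode the raw key and use the hex text as the Blowfish key.
    ASSUMPTION: the 50 hex chars shown in the post are the key bytes; adjust if the app differs."""
    return binascii.hexlify(raw_key)[:hex_chars]

def decrypt_payload(b64_text, raw_key=BLFS_KEY):
    """config.cfg and the C2 POST body alike: base64 -> Blowfish-ECB -> plaintext."""
    return Blowfish(derive_key(raw_key)).decrypt(base64.b64decode(b64_text))

def encrypt_payload(plaintext, raw_key=BLFS_KEY):
    return base64.b64encode(Blowfish(derive_key(raw_key)).encrypt(plaintext)).decode()

def blowfish_known_answer():
    """Schneier's published test vector: zero key, zero block -> 4ef997456198dd78."""
    return Blowfish(bytes(8)).raw_blocks(bytes(8)).hex()

# Constructed sample, not the real config: three url_main entries on .invalid hosts.
SAMPLE_PLAINTEXT = b"url_main=http://c2-a.invalid/;http://c2-b.invalid/;http://c2-c.invalid/"
SAMPLE_CONFIG = encrypt_payload(SAMPLE_PLAINTEXT)
```

To apply it to the real sample, pull blfs.key and config.cfg out of res/raw in the APK, pass the file contents to derive_key and decrypt_payload, and do the same with a captured POST body. A padding error means the assumed key length or mode is wrong, which is the first thing to re-check against the decompiled cipher setup before concluding the sample uses a different key.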
 

 
Information passed to the C2 server:
 


 
An interesting feature is the fraudsters' ability to control the app remotely.
For this purpose, multiple control commands are defined in the code:
 

 

Each keyword triggers a specific action:

 

 
The command LOCK, for example, locks the device and confirms the action with the text "Device locked"
(base64-encoded: RGV2aWNlIGxvY2tlZA==).

 
