Obfuscated Files or Information

An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.[1] [2] [3] [4]

ID: T1406
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-21
Version: 2.0
Created: 25 October 2017
Last Modified: 23 September 2019

Procedure Examples

Name Description
Agent Smith

Agent Smith’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.[19]

BrainTest

BrainTest stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.[8]

Bread

Bread uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. Bread has also abused Java and JavaScript features to obfuscate code. Bread payloads have used several commercially available packers as well as hiding code in native libraries and encrypted JAR files in the data section of an ELF file.[18]

Cerberus

Cerberus uses standard payload and string obfuscation techniques.[22]

Charger

Charger encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.[6]

Dvmap

Dvmap decrypts executables from archive files stored in the assets directory of the installation binary.[14]

EventBot

EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[21]

FlexiSpy

FlexiSpy encrypts its configuration file using AES.[5]

Ginp

Ginp obfuscates its payload, code, and strings.[16]

GolfSpy

GolfSpy encodes its configurations using a customized algorithm.[15]

Gustuff

Gustuff code is both obfuscated and packed with an FTT packer. Command information is obfuscated using a custom base85-based encoding.[11]

INSOMNIA

INSOMNIA obfuscates various pieces of information within the application.[20]

Monokle

Monokle uses XOR to obfuscate its second stage binary.[12]

OBAD

OBAD contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.[3]

Pallas

Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.[10]

Rotexy

Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations.[13]

TrickMo

TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s PBEWithMD5AndDES algorithm.[17]

WireLurker

WireLurker obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.[9]

XLoader

XLoader loads an encrypted DEX code payload.[7]

Mitigations

Mitigation Description
Application Vetting

Application vetting techniques may be able to alert on the presence of obfuscated or encrypted code in applications, and such applications could have extra scrutiny applied. Unfortunately, this mitigation is likely impractical, as many legitimate applications apply code obfuscation or encryption to resist adversary techniques such as Repackaged Application. Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert on potentially suspicious applications without actual examination of application code.
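One form such a static vetting check can take, as an added example that is not part of the original ATT&CK entry or any vendor's tooling: it flags bundled assets whose content does not match their extension or whose entropy suggests ciphertext. The signature table, the 7.2 bits-per-byte threshold and the sample archive are assumptions constructed for illustration, and a hit means "apply extra scrutiny", not "malicious".

```python
import hashlib, io, math, zipfile
from collections import Counter

# Well-known leading bytes for a few asset types.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".ttf": (b"\x00\x01\x00\x00", b"true", b"OTTO"),
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off, tune on your own corpus

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def vet_assets(apk_bytes: bytes, prefix: str = "assets/") -> list:
    """Return (name, reasons) for assets that warrant extra scrutiny."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            data = apk.read(info)
            dot = info.filename.rfind(".")
            ext = info.filename[dot:].lower() if dot != -1 else ""
            header_ok = ext in MAGIC and data.startswith(MAGIC[ext])
            reasons = []
            if ext in MAGIC and not header_ok:
                reasons.append("content does not match extension")
            # Genuine compressed media is high-entropy too, so entropy only
            # counts when the header did not confirm the declared format.
            if not header_ok and shannon_entropy(data) > ENTROPY_THRESHOLD:
                reasons.append("high entropy")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample archive for the example, not a real app."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + noise)  # header matches
        z.writestr("assets/cover.jpg", bytes(b ^ 0x5A for b in b"constructed sample payload " * 64))
        z.writestr("assets/font.ttf", noise)  # stands in for ciphertext
        z.writestr("assets/strings.txt", b"hello world\n" * 200)
    return buf.getvalue()
```

Calling vet_assets(build_sample_apk()) reports cover.jpg and font.ttf and leaves logo.png and strings.txt alone. A single-byte XOR leaves entropy unchanged, which is why the header check and the entropy check are kept separate.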

Detection

Malicious obfuscation of files or information can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.

References