SHA1 hashes:
- c8466dd1f57bb38a984b3adb7a7e6a7c9f20fba3 (com.yippo.ai version 1.3.6 “Creation Magic World”)
Description
Someone acting on behalf of the developer SHENZHEN RUIREN NETWORK CO., LTD released several applications. In terms of gameplay, they are all clones of popular mobile games:
- Creation Magic World — a sandbox game that resembles Minecraft. It is an unmistakable cubic world with similar mechanics;
- Cute Pet House — a game that operates on the principle of the Tamagotchi game, where one needs to take care of a cartoon pet;
- Amazing Unicorn Party — a game that also operates on the principle of the Tamagotchi game, with unicorn pets;
- SAKURA School Simulator — an anime-style school simulator game;
- Theft Auto Mafia — a GTA-style imitation; an SLG with criminal elements;
- Open World Gangsters — like the above example, it is a sandbox game involving criminals of all stripes.
All of these games acquired malicious modules after they were released; the first versions did not contain malware. On September 28/29, Android.Phantom.2.origin was embedded in the games, and on October 15/16, Android.Phantom.5 appeared. A typical injection into these applications, with Creation Magic World as the example:
Android.Phantom.5, unlike Android.Phantom.2.origin, is a dropper: it decrypts its payload, Android.Phantom.4.origin, from embedded byte arrays.
Android.Phantom.4.origin contains two identical modules that download remote code from different control servers:
- hxxps[:]//fyapi[.]freeflightbird[.]com,
- hxxps[:]//cgb[.]jingongbuxiao[.]com.
The modules download and execute remote code using DexClassLoader. While the trojan was being tested, it received a task from the control servers to download and launch several modules. Examples of commands for downloading files:
task
```json
{
  "d": 1,
  "ms": [
    {
      "p": "1010",
      "c": "com.wwk.brh.Run",
      "d": "hxxps[:]//5[.]ahd187[.]com/thirdsdk/flowcashpack/243/newoffer-120-202510151732d",
      "cm": "1",
      "id": 243,
      "m": "instance"
    },
    {
      "p": "1010",
      "c": "com.yui.vyh.Run",
      "d": "hxxps[:]//5[.]ahd187[.]com/thirdsdk/flowcashpack/244/newjsAd-110-202510201655d",
      "cm": "1",
      "id": 244,
      "m": "instance"
    }
  ]
}
```
The files downloaded by these modules are encrypted with AES in CBC mode. The first 16 bytes of each file are the initialization vector, and the last 16 bytes are the encryption key. After decryption, the file turns out to be Android.Click.435.origin.
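An analyst's decoder for that container layout (IV in the first 16 bytes, key in the last 16, AES-CBC ciphertext in between), written here as an added example and not code from the original analysis. PKCS#7 padding is an assumption the page does not state, and the key, IV and plaintext in the sample are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const bs = aes.BlockSize // 16

// DecryptPayload reverses the layout the text describes: IV = first 16 bytes,
// key = last 16 bytes (AES-128), CBC ciphertext in between. PKCS#7 padding is
// an assumption; the page does not say how the plaintext is padded.
func DecryptPayload(blob []byte) ([]byte, error) {
	if len(blob) < 3*bs || (len(blob)-2*bs)%bs != 0 {
		return nil, errors.New("blob too short or ciphertext not block-aligned")
	}
	iv, key, ct := blob[:bs], blob[len(blob)-bs:], blob[bs:len(blob)-bs]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Strip PKCS#7 padding, rejecting anything malformed.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > bs || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid padding")
	}
	return pt[:len(pt)-pad], nil
}

// BuildSampleBlob packs a constructed plaintext into the same layout so the decoder can be exercised offline.
func BuildSampleBlob(key, iv, plaintext []byte) []byte {
	pad := bs - len(plaintext)%bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append(append([]byte{}, iv...), ct...), key...)
}

func main() {
	key := []byte("0123456789abcdef") // constructed, not from a real sample
	iv := []byte("fedcba9876543210")  // constructed
	blob := BuildSampleBlob(key, iv, []byte("dex\n035\x00constructed payload"))
	pt, err := DecryptPayload(blob)
	fmt.Printf("err=%v plaintext=%q\n", err, pt)
}
```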
Android.Click.435.origin is an obfuscated trojan-dropper consisting mostly of junk code. Its only task is to unpack the payload, Android.Click.429.origin.
Android.Click.429.origin is the final link in the chain launched by Android.Phantom.5. It is a clicker with simpler functionality than Android.Phantom.2.origin: it loads websites into a WebView and then simulates user actions using JavascriptInterface and JavaScript code received from the control server hxxps[:]//newsadapi[.]zhuifengzhe[.]top.
Android.Click.429.origin is also downloaded via the second link in the task, but without the additional packer Android.Click.435.origin.
An interesting detail: we encountered this domain earlier in the context of cybercriminal activity. In 2021, the zhuifengzhe[.]top domain was found in Android.Joker.310.origin, where the hxxps[:]//datastatisapi[.]zhuifengzhe[.]top server managed the download of remote code. Android.Joker.310.origin is a modification of Android.Joker.242.origin that includes a remote code download module. You can read more about this in our news post and in the virus database (Android.Joker.242.origin).
MITRE matrix
| Stage | Technique |
|---|---|
| Initial Access | Managing application versions (T1661) |
| Execution | Command and Scripting Interpreter (T1623) |
| Defense Evasion | Managing application versions (T1661); Download New Code at Runtime (T1407); Input Injection (T1516); Obfuscated files or information (T1406); Virtualization/Sandbox Evasion (T1633); System Checks (T1633.001) |
| Discovery | System Information Discovery (T1426); System Network Configuration Discovery (T1422) |
| Command and Control | Encrypted Channel (T1521); Symmetric Encryption (T1521.001); Ingress Tool Transfer (T1544) |
| Destructive impact | Generate Traffic from Victim (T1643); Input Injection (T1516) |