[BUG] Malware corrupted the android manifest and other files.

NikitinWork commented 1 year ago

Information

Apktool Version (apktool -version) - last apktool_2.6.1
Operating System (Mac, Linux, Windows) - win
APK From? (Playstore, ROM, Other) - It's a virus, be careful

Stacktrace/Logcat

Exception in thread "main" brut.androlib.err.RawXmlEncounteredException: Could not decode XML
        at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:145)
        at brut.androlib.res.decoder.XmlPullStreamDecoder.decodeManifest(XmlPullStreamDecoder.java:151)
        at brut.androlib.res.decoder.ResFileDecoder.decodeManifest(ResFileDecoder.java:159)
        at brut.androlib.res.AndrolibResources.decodeManifestWithResources(AndrolibResources.java:193)
        at brut.androlib.Androlib.decodeManifestWithResources(Androlib.java:141)
        at brut.androlib.ApkDecoder.decode(ApkDecoder.java:109)
        at brut.apktool.Main.cmdDecode(Main.java:175)
        at brut.apktool.Main.main(Main.java:79)
Caused by: java.io.IOException: Expected: 0x00080003 or 0x00080001, got: 0x00080000
        at brut.util.ExtDataInput.skipCheckInt(ExtDataInput.java:45)
        at brut.androlib.res.decoder.AXmlResourceParser.doNext(AXmlResourceParser.java:808)
        at brut.androlib.res.decoder.AXmlResourceParser.next(AXmlResourceParser.java:98)
        at brut.androlib.res.decoder.AXmlResourceParser.nextToken(AXmlResourceParser.java:108)
        at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.nextToken(XmlPullParserDelegate.java:105)
        at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:138)
        ... 7 more

Steps to Reproduce

java -jar apktool_2.6.1.jar d malware.apk

Frameworks

If this APK is from an OEM ROM (Samsung, HTC, LG). Please attach framework files (.apks that live in /system/framework or /system/priv-app)

APK

This is a malware, please if you accidentally got into this problem do not download it. I will only fix the hash 606fb2fd5f3fcfa7abead87c92ae6df30b7be0cac1a1f7e511ca41f71e9ccc70

Questions to ask before submission

Have you tried apktool d, apktool b without changing anything? - Yep
If you are trying to install a modified apk, did you resign it? - It's just a virus
Are you using the latest apktool version? - Yep

Short description

Most likely this virus was packaged, I was able to get rid of the protection on AndroidManifest.xml and will share with you, but it also has other tricks that interfere with the work of the apptool, which I did not try to figure out.

Problems I have encountered

Too long file names are used inside the apk, I do not advise unpacking it on Windows systems
Corrupted android manifest
other problems

How to fix the manifest

Fix the magic number

Replace the first 4 bytes of the file, they must be either 0x03000800 or 0x01000800 , in this virus, this meaning is different 0x00000800.

Fix the stylesOffset

Replace 0x00fcf81e with 0x00000000 , if you don't then you will get this error.

Caused by: java.io.EOFException: reached end of stream after reading 4092 bytes; 519633676 bytes expected
at com.google.common.io.ByteStreams.readFully(ByteStreams.java:794)
at com.google.common.io.ByteStreams.readFully(ByteStreams.java:775)
at com.google.common.io.LittleEndianDataInputStream.readFully(LittleEndianDataInputStream.java:66)
at brut.util.DataInputDelegate.readFully(DataInputDelegate.java:66)
at brut.androlib.res.decoder.StringBlock.read(StringBlock.java:62)
at brut.androlib.res.decoder.AXmlResourceParser.doNext(AXmlResourceParser.java:814)
at brut.androlib.res.decoder.AXmlResourceParser.next(AXmlResourceParser.java:98)
at brut.androlib.res.decoder.AXmlResourceParser.nextToken(AXmlResourceParser.java:108)
at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.nextToken(XmlPullParserDelegate.java:105)
at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:138)
... 51 more

Fix the stringCount

Replace 0x3e000000 with 0x36000000 , if you don't then you will get this error.

Caused by: java.io.IOException: Invalid chunk type (16842783).
    at brut.androlib.res.decoder.AXmlResourceParser.doNext(AXmlResourceParser.java:856)
    at brut.androlib.res.decoder.AXmlResourceParser.next(AXmlResourceParser.java:98)
    at brut.androlib.res.decoder.AXmlResourceParser.nextToken(AXmlResourceParser.java:108)
    at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.nextToken(XmlPullParserDelegate.java:105)
    at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:138)
    ... 51 more

Result

Input


00 01 02 03 04 05 06 07  08 09 0A 0B 0C 0D 0E 0F 
--------------------------------------------------------------------
00 00 08 00 18 11 00 00  01 00 1C 00 90 09 00 00   | ................
3E 00 00 00 00 00 00 00  00 00 00 00 F4 00 00 00   | >...............
00 FC F8 1E 00 00 00 00  0E 00 00 00 1C 00 00 00   | ................

output


00 01 02 03 04 05 06 07  08 09 0A 0B 0C 0D 0E 0F 
--------------------------------------------------------------------
03 00 08 00 18 11 00 00  01 00 1C 00 90 09 00 00   | ................
36 00 00 00 00 00 00 00  00 00 00 00 F4 00 00 00   | 6...............
00 00 00 00 00 00 00 00  0E 00 00 00 1C 00 00 00   | ................

kurogai commented 1 year ago

So, this is an malware targeting reverse engineers?

iBotPeaches commented 1 year ago

Sorry - I'm not in this industry and last time I was told to download a hash - I realized I did not pay for the service that I could obtain it from. So I am just going to close this. I have no method to dig into this.

Sorry!

NikitinWork commented 1 year ago

I will attach a link to a zip archive whose password is infected.

MALWARE (https://dropmefiles.com/V4ubJ)

Please do not run it on your device, only a virtual machine. It's also a bit protected from exploration, you'll have to hook the isDebuggerConnected()Z function with FRIDA if you want to debug it.

If you still have to download the hash sometime, then it's better to register on virustotal and get the file without paying money.

iBotPeaches / Apktool