Femas is a new family of Android malware, which falls into the class of malware known as droppers. The dropper class of malware has become increasingly popular for ad fraud related applications such as HummingWhale and numerous other families with similar behavior. In this case, the dropper downloads a remote access trojan to exfiltrate data, although with less functionality than DroidJack.
The first publicly known occurrence of Femas is an upload to VirusTotal on December 22, 2015. A new variant appeared in early 2016. Femas has not been identified on devices outside of Israel or in any major app stores. It is entirely reliant on socially engineering individuals to disable OS protections and sideload applications for deployment.
Kaspersky provided the original research into Femas, describing it as having ‘relatively unsophisticated technical merit’. This was followed up by Lookout who referred to this malware as an “advanced persistent threat (APT)”, “very sophisticated”, and with the more marketable name, ViperRAT. Both have stated that Femas is targeting the Israeli Defense Force.
Given the disparity in descriptions of its sophistication, we chose to investigate this malware to understand to what extent this represents an enterprise threat.
Femas follows basic dropper deployment methods
- Convince a user to install an application that is mostly benign or not overtly malicious in the initial package
- Send basic data about the device to a web server
- Download a new application that can be used maliciously
- Execute on end goals such as ad fraud or, in this case, exfiltration
Unlike modern and successful droppers such as HummingWhale, Femas appears to rely entirely on socially engineering individuals to gain installs. This greatly limits its attack surface to a small number of users versus the millions of installs seen by more advanced tactics. Part of this social engineering requires the attackers to convince users to manually disable built-in OS protection and allow “Unknown Sources” in their system settings for application installs.
As Google Play is available in Israel, the location of the reported targets, there is little reason to already have “Unknown Sources” enabled, with the exception of using third-party markets, developers, or potentially piracy.
<User can not install until Unknown Sources is allowed>
Once the system security has been manually overridden, the user can install the dropper they have downloaded. It is reported that attackers asked “the victim to send explicit photos, and in return sending fake photos of teenage girls” to convince individuals to perform these steps. Targets’ social media accounts were also used in gathering information.
<unknown sources is enabled>
When tapping the downloaded app, the user will be shown the dropper permissions. The user has to install and open the app for the dropper to work.
Once the user opens the application it will report a false error that is staged in code. Note the spelling errors.
In the background another application with RAT capabilities, in this case WhatsApp Updater, will be downloaded and the launcher for YeeCall Pro will be hidden from the user.
YeeCall Pro, the dropper, will still be visible as an installed app in the System Settings.
As with the dropper, the user will need to launch the RAT. The attacker is incentivized to be aware of the applications on the device, which is likely why an app inventory is harvested. This improves the chances that the user will click on the launcher. If the user clicks on the WhatsApp Updater launcher, the RAT will start. If WhatsApp is installed, it will be loaded in the foreground by the RAT.
If WhatsApp is not installed, the user is likely to see a crash message for WhatsApp Updater on the homescreen. If WhatsApp is installed, the crash message will occur over WhatsApp.
Exfiltration is now ready to begin. The launcher for WhatsApp Updater will also be deleted after WhatsApp Updater is launched. The dropper and the RAT can be uninstalled in the System Settings.
Femas: relatively unsophisticated or a very sophisticated APT?
Femas Is Not Advanced
An advanced threat will employ sophisticated techniques to exploit vulnerabilities. This is a particularly important step in order to bypass static analysis, make it into major app stores, and evade malware-centric detection methods. Commonly this involves the use of packers combined with a dropper and the ability to root some versions of Android. Auto-rooting malware that commits ad fraud is an example that uses public exploits and has successfully made it into the Play store garnering millions of installs.
In this particular case, no packer was used with the dropper, nor is there any attempt to gain persistence on the phone via rooting, exploits, or other methods. Basic obfuscation was implemented via ProGuard, which is self-described as:
ProGuard is the most popular optimizer for Java bytecode. It makes your Java and Android applications up to 90% smaller and up to 20% faster. ProGuard also provides minimal protection against reverse engineering by obfuscating the names of classes, fields and methods.
In addition to the lack of any serious attempts at obfuscation and protection against discovery, the application also employs hard coded keys with its limited use of encrypted traffic.
This makes Femas far less advanced than common successful consumer malware utilized for ad fraud and pay per download schemes. We agree with Kaspersky that the malware is ‘Characterized by relatively unsophisticated technical merit’.
The code structure would suggest that the author has a basic foundation in Android development and web services. They likely either have little knowledge or no desire to implement basic techniques that would evade malware detection focused solutions. This would also mean that detection for all shared samples of this malware is trivial. It is also trivial to modify a malware family such as this and repurpose it for use by multiple actors.
Additionally the malware does not follow the structure or language patterns of malware sourced from Eastern European or Eastern Asian countries. It’s likely the author speaks English as a second language and was not reliant on online translation tools for the English phrases. There is a sample with Arabic strings, mentioned by Lookout, where they state it is “unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic”.
The sample with Arabic strings has a hash of cc1389ecc57dddd60470c36cf0e3200b76c9edda and is an app in the first known variant. Regarding this sample, we can state with a high degree of certainty that the author of the strings is a native Arabic speaker from the Middle East but we cannot be regionally specific.
When writing formally in Arabic, it is common to do so in Modern Standard Arabic. Regional dialects are not typically used, thus limiting further reasonable assumptions. There are two strings that are not grammatically sound, and it is very likely a translation tool was used for these, however this can be attributed to how difficult it is to write in Modern Standard Arabic versus colloquial. Keep in mind that Modern Standard Arabic is also an official language in Israel, further complicating the matter of attribution.
As the IDF was leading the research along with Kaspersky we speculate that additional installs would have occurred to further the investigation. This will likely impact the accuracy of some claims regarding installs and targeting.
Ideally, those attributing the Femas malware to Hamas have more attribution data than a WHOIS statement for a URL stated to be registered in Gaza. Also, those arguing against should have more evidence than Arabic being used in the Middle East, or the use of supported libraries for encryption as an indicator of actor sophistication.
What is certain is that we cannot be sure of the true author at this time. We only offer caution when publicly releasing speculative attribution data. It is more likely to be wrong than it is to be right and the risks of being wrong are exceptional.
Femas is Persistent
The most persistent aspect of this family is that it has existed, according to VirusTotal, for more than one year before being uncovered.
Kaspersky reports investigating this since July of 2016 and Lookout for the last month. It appears that this malware has evaded malware-centric threat solutions for an extended period of time.
A command and control server (AKA a webserver) was used to extract data; however, it employs only the most basic capability of popular (non-malicious) applications seen in the major app stores. Kaspersky reported on C&C commands that are not fully implemented, such as ‘GET_ROOT_STATUS’. This does indicate that at the time of creation, there was some thought put into continued development and, potentially, on-device persistence. At some point in the future, the authors may try to take advantage of phones that are already rooted, although this is tempered by the lack of code evolution in the identified binaries, which span over one year.
Femas is an unlikely threat to enterprises
This malware is a threat that individuals and enterprises should be alerted to. It provides similar risks to spousal spyware, available in many popular app stores and through direct purchase, with less technical merit. Both can lead to the loss of data and privacy and both should be remediated immediately upon discovery.
Much like spousal spyware, this malware relies heavily on humans for successful delivery. This means that the user must disable basic OS protections such as blocking untrusted sources. Additionally users must sideload the application that is provided via a URL in a message. This requires overt participation from the user.
Recommendations for Enterprises
- Employ a mobile security solution that detects suspicious behaviors, sideloaded apps, and malware.
- Push internal enterprise apps via your MDM.
- Advise users not to install applications provided via links.
- Advise users to never adjust their settings to allow installation of apps from unknown sources.
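One way to check a device for the conditions this dropper depends on, as an added example (not code from Appthority or the original researchers): it parses the output of `adb shell pm list packages -i -3` to flag apps not installed by a trusted store and to spot packages sideloaded between two checks, and reads the value of `adb shell settings get secure install_non_market_apps` for the “Unknown Sources” toggle. It assumes an Android release older than 8.0, where that toggle is a single device-wide setting; the trusted-installer list, sample output and package names are constructed placeholders.

```python
import re

# Installers treated as trusted (assumption): Google Play only. Add your MDM
# agent's package name here if it pushes internal apps.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_inventory(pm_output):
    """Map package name -> installer (None when pm reports 'null')."""
    inventory = {}
    for raw in pm_output.splitlines():
        match = _LINE.match(raw.strip())
        if match:  # ignore blank or unexpected lines
            pkg, installer = match.groups()
            inventory[pkg] = None if installer == "null" else installer
    return inventory

def sideloaded(inventory, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is missing or not a trusted store."""
    return sorted(p for p, src in inventory.items() if src not in trusted)

def new_sideloads(before, after, trusted=TRUSTED_INSTALLERS):
    """Sideloaded packages present now but absent from the earlier snapshot,
    which is where a dropper's downloaded second stage shows up."""
    return sorted(set(sideloaded(after, trusted)) - set(sideloaded(before, trusted)))

def unknown_sources_enabled(setting_value):
    """True when the legacy global 'Unknown Sources' toggle reads 1."""
    return setting_value.strip() == "1"

# Constructed sample output (package names are placeholders, not Femas IoCs).
SNAPSHOT_MONDAY = """\
package:com.example.mail  installer=com.android.vending
package:com.example.callapp  installer=com.google.android.packageinstaller
"""
SNAPSHOT_TUESDAY = SNAPSHOT_MONDAY + "package:com.example.updater  installer=null\n"

if __name__ == "__main__":
    before = parse_inventory(SNAPSHOT_MONDAY)
    after = parse_inventory(SNAPSHOT_TUESDAY)
    print("unknown sources on:", unknown_sources_enabled("1\n"))
    print("sideloaded:", sideloaded(after))
    print("new since last check:", new_sideloads(before, after))
```
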
How Appthority Customers and Their Employees Are Protected
All Appthority customers are automatically protected against this malware as part of the Appthority MTP solution’s malicious threat coverage. Any devices found with “Infected by Femas” should be remediated immediately.
image credit: PCWorldenEspanol