Deep Analysis of SecretCalls, A formidable app for notorious Korean financial fraudsters (Part 2)

Published in S2W BLOG, Apr 30, 2024

Author: S2W TALON

Last modified: Apr 30, 2024


You can also read more about this voice phishing group in our Black Hat Asia 2024 briefing: https://www.blackhat.com/asia-24/briefings/schedule/index.html#voice-phishing-syndicates-unmasked-an-in-depth-investigation-and-exposure-37941

Executive Summary

  • SecretCalls is installed by SecretCalls Loader and performs functions that steal data from infected devices and manipulate call flow.
  • Unlike SecretCalls Loader, SecretCalls uses a Realm database to store infection status information and data needed for further malicious behavior.
  • Commands are received via Firebase Cloud Messaging (FCM) and processed by an event bus implemented inside the app.
  • The command and control (C&C) URL is built by appending random strings to the command server address; how many strings are appended depends on the type of malicious event.
    — Each random string is generated in the pattern [A-Za-z0-9]{1,5}
  • Call forwarding (forced incoming/forced outgoing) is performed by canceling the user’s legitimate call, redirecting it to the attacker’s phone number, and then faking the call screen and call log so that it looks like a legitimate call.
  • You can learn more about SecretCalls Loader in the Part 1 report.
  • Filename: cFuvDW.apk
  • App name: tbrqrfl
  • Package name: com.psetnse.bsept07b
  • MD5: 245f0704e508798f3a8ebd22439ae109
  • SHA-1: 5e061999554c0d9a9c63acc41e7d5c5c17381dc1
  • SHA-256: 20dacca08ce674d94e865079b3e1906a992d394d6d99ec284ffb69d449a5d946
  • Cert(SHA-1): e24292b5d840671519b87cb076f9ced4f39191c5

1. Storing configuration values

While SecretCalls Loader uses a separate file per command to store values such as infection status and command execution results, SecretCalls uses a single Realm database file, call.realm, to store data sent to and received from the command server, data received via Firebase, and the results of malicious command execution. These values are later sent to the command server or used to decide whether to execute malicious behavior. At least 76 values are stored in this database file; the table structure and the stored values vary from variant to variant.

2. URL determined by the type of message

When SecretCalls communicates with the C&C server, the message type determines how many random strings are used to build the URL path. Each random string matches the pattern [A-Za-z0-9]{1,5} (1 to 5 characters, any mix of upper-case letters, lower-case letters and digits) and is generated afresh for every request. For example, a message of type K_UP_REGISTER_INFO uses two random strings, so data for that command is sent to {C&C server}/{random string 1}/{random string 2}. The number of random strings and the function of each command type are shown in the table below.

  • e.g., http[:]//127[.]0.0.1/A3bh3/Vdc5
Table 1. Number of random path strings per event type

3. Execute commands through the event bus

The event bus defined in the app receives malicious messages from activities, services, broadcast receivers and Firebase Messaging and dispatches them to the corresponding command handlers. A total of 39 behaviors can be triggered through the event bus, covering information theft, audio recording, fake call activity, data manipulation and deletion, and more.

4. Verify that C&C server is available

First, SecretCalls checks whether it can reach the C&C server by opening a Socket.IO connection to it. If the connection is lost or times out, it retries every 2 seconds, and it posts a K_UP_REGISTER_INFO message to the event bus every 30 seconds.

  1. Define listeners for the commands that may be received from the C&C server.
  2. Connect to the C&C server hardcoded in the app (over WebSocket).
  3. Once the connection is established, send the device identifier (toUid) and the appid value.
    — Example: ["bind","{"appid":"21","toUid":"60884692-0c48-4422-9fdc-ad14d06f2f62-21"}"]
  4. Send the K_UP_REGISTER_INFO event to the event bus to pass the infected device information to the server (over HTTP).

5. Initial communication

When the event bus receives the K_UP_REGISTER_INFO message, SecretCalls sends the infected device’s information to the C&C server. The data includes device details such as the model name, phone number and battery level, plus state used by the malicious functions, such as the audio recording status and the Juphoon chat ID.

The data is organized in JSON format and then encrypted with the AES algorithm. The AES-encrypted data is further Base64-encoded and URL-encoded and sent via HTTP request to the C&C server. Finally, the data is sent in the form “a{timestamp}={encrypted data}” with the current timestamp value at the time of transmission.

  • Encryption Algorithm: AES-128-CBC
  • Key: rb!nBwXv4C%Gr^84
  • IV: 1234567812345678
Figure 1. Examples of data sent

If the transfer succeeds, the infected device receives an encrypted response from the C&C server, which is decoded by reversing the same steps with the same key and IV. The response contains a list of numbers to block, the attacker’s phone number, and Reddit profile URLs. Each value is stored in the database (call.realm) and used for further malicious behavior.

Figure 2. Encrypted response data
Figure 3. Decrypted response data in JSON

6. Command control with FCM

SecretCalls uses Firebase Cloud Messaging (FCM) to receive commands. When a command arrives via FCM, the app checks the message type and performs the corresponding behavior. A total of 26 commands can be issued through FCM; depending on the message type they perform data theft, data modification, updates, external communication and so on.

Of the 39 total behaviors, the attacker can specify 26 of them through FCM.

For example, if the command received via FCM is 2, the K_UP_CONTACT_INFO message is posted to the event bus, as shown in the figure below, and the URL path is built from five random strings. The infected device’s information and the result of the command are encrypted and sent to the resulting C&C server address.

  • Command via FCM: 2
  • Message: K_UP_CONTACT_INFO
  • Behavior: Send the infected device’s information
  • The number of random strings: 5
  • C&C Server address:
    http[:]//{C&C server}/{random}/{random}/{random}/{random}/{random}
Figure 4. Performing commands via FCM

7. Update the C&C server address through Reddit

The C&C server used to steal infected device information such as text messages and contacts is hardcoded in SecretCalls by default. To move to a different address, the attacker uses a dead drop resolver: the new address is published on a legitimate Reddit site. The lookup starts from a Reddit profile page hardcoded in the app, and the profile to query can be changed by command. The update process is as follows; if step 1 yields a new command server, step 2 is skipped.

  1. Connect to the Reddit profile hardcoded in the app and decrypt the data in its “public_description” field to obtain a new C&C server address.
  2. Otherwise, look up the Reddit profile received from the C&C server and decrypt the data in its “public_description” field.

The value in that field is the new C&C server address, AES-128-CBC encrypted and Base64 encoded, wrapped in two 8-byte marker strings: *1A2B3C* at the start and *4D5E6F* at the end. Both markers are removed before the data is decoded. The key and IV used for decryption are the same ones used to encrypt the infected device information (section 5).

Figure 5. Encrypted new C&C server address (in the “public_description” field)
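As an added example (not code from the report, and not the malware’s own code), the following Go program implements the request encoding described in section 5 and the dead-drop unwrapping described in section 7, so an analyst can reproduce a beacon body or decode a captured one: JSON, AES-128-CBC with the published key and IV, Base64, URL-encoding and the a{timestamp}= framing, plus the reverse for the Reddit public_description value. PKCS#7 padding, the JSON field names in the sample payload, and the use of a Unix-seconds timestamp are assumptions; the report does not state them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Key and IV reported in section 5; the same pair decrypts the Reddit dead drop (section 7).
var aesKey = []byte("rb!nBwXv4C%Gr^84")
var aesIV = []byte("1234567812345678")

// 8-byte markers wrapped around the ciphertext in the "public_description" field.
const dropPrefix, dropSuffix = "*1A2B3C*", "*4D5E6F*"

// Encrypt runs AES-128-CBC with the fixed key/IV and returns Base64.
// PKCS#7 padding is an assumption; the report only states AES-128-CBC.
func Encrypt(plain []byte) (string, error) {
	blk, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	p := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(p)}, p)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, aesIV).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reverses Encrypt and strips the padding, rejecting malformed input
// instead of returning garbage when the key or data is wrong.
func Decrypt(b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16")
	}
	blk, _ := aes.NewCipher(aesKey) // key length already validated in Encrypt
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(blk, aesIV).CryptBlocks(out, raw)
	p := int(out[len(out)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(out[len(out)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key or corrupted data)")
	}
	return out[:len(out)-p], nil
}

// BuildBody produces the "a{timestamp}={URL-encoded Base64 ciphertext}" request form.
func BuildBody(info map[string]any, ts int64) (string, error) {
	j, err := json.Marshal(info)
	if err != nil {
		return "", err
	}
	enc, err := Encrypt(j)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("a%d=%s", ts, url.QueryEscape(enc)), nil
}

// ParseBody decodes a captured request body back into its timestamp and JSON.
func ParseBody(body string) (ts string, plain []byte, err error) {
	i := strings.IndexByte(body, '=')
	if i < 2 || body[0] != 'a' {
		return "", nil, errors.New("not an a{timestamp}= body")
	}
	enc, err := url.QueryUnescape(body[i+1:])
	if err != nil {
		return "", nil, err
	}
	plain, err = Decrypt(enc)
	return body[1:i], plain, err
}

// ParseDeadDrop strips the markers from a public_description value and decrypts the C&C address.
func ParseDeadDrop(desc string) (string, error) {
	s := strings.TrimSpace(desc)
	if !strings.HasPrefix(s, dropPrefix) || !strings.HasSuffix(s, dropSuffix) {
		return "", errors.New("dead-drop markers missing")
	}
	p, err := Decrypt(strings.TrimSuffix(strings.TrimPrefix(s, dropPrefix), dropSuffix))
	return string(p), err
}

func main() {
	// Constructed sample payload; the real field names are not given in the report.
	body, _ := BuildBody(map[string]any{"model": "SM-G991N", "battery": 87}, 1714435200)
	ts, plain, _ := ParseBody(body)
	fmt.Println(body, "\n->", ts, string(plain))
}
```

Feed the body of a captured beacon to ParseBody, or the raw public_description string to ParseDeadDrop. A padding error on otherwise well-formed input almost always means the variant in hand uses a different key or IV, which is the first thing to re-check in the sample before assuming the traffic is not SecretCalls.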

8. Call-forwarding

First, SecretCalls asks the user to set it as the default phone app. Once it is the default dialer, any call the user places, even to a legitimate institution, is terminated and a new outgoing call is placed to the attacker’s phone number received from the C&C server. SecretCalls then plays the same call-connection sound (.mp3) the user would hear on a legitimate call and shows a manipulated call screen while the call connects. The screen displays the legitimate phone number, not the attacker’s.

  • Path to the call connection sound:
    {app installation path}/assets/{number}.mp3

Even after the call ends, the record of the call with the attacker is deleted and a manipulated call record is created in its place. If T전화 (T-Telephony) is installed on the infected phone, SecretCalls uses the overlay permission to cover the T-Telephony call screen and shows its own manipulated call activity to the user instead.

SecretCalls also blocks all incoming calls from the numbers listed in the “blo” field of the server response. The phone-number fields received from the server are as follows (see Figure 3).

  • fno: List of legitimate phone numbers — abort call when called from those numbers
  • pno: Attacker’s phone number — calls to numbers included in the fno are aborted and transferred to this number
  • blo: List of blocked phone numbers

9. Audio recording (eavesdropping)

When the K_RECORD_MESSAGE message arrives via FCM, forced audio recording (eavesdropping) begins. The recording duration defaults to 5 minutes and can be changed by command. If the recording completes within that time and the .mp4 file is created successfully, the file and its path are sent to the C&C server and the file is then deleted from the device.

  • Recording file path:
    {external storage path}/log/{recording start time}.mp4.
Figure 6. Record and interrupt audio (default 5 * 1 minute)

10. Exfiltrates image files on a device

A ContentResolver query is used to collect image files on the infected device, which are exfiltrated to a separate server defined by the attacker. Images are sent to the address in the “IMG_HOST” field received from the C&C server, which takes the form {HOST}/up_filesnew/[A-Za-z0-9]{13}. If no such address has been received, the image files are sent to the default C&C server.
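A detection-side counterpart, added here as an example rather than taken from the report: a small Go scanner that flags proxy-log lines matching three of the network indicators described in sections 2, 5 and 10. The simplified log layout (METHOD PATH BODY) and the sample lines are constructed for the example; the 10 to 13 digit timestamp width is an assumption. Note that the random-path pattern alone matches plenty of benign URLs (for example /api/v1/login), so it is only used in combination with the a{timestamp}= body check.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// 1 to 5 path segments, each [A-Za-z0-9]{1,5} and nothing else (sections 2 and 6).
	// On its own this also matches many benign paths, so it is never alerted alone.
	randomPath = regexp.MustCompile(`^/[A-Za-z0-9]{1,5}(?:/[A-Za-z0-9]{1,5}){0,4}$`)
	// "a{timestamp}=" followed by URL-encoded Base64 (section 5). The 10-13 digit
	// range (Unix seconds or milliseconds) is an assumption; the report gives no width.
	beaconBody = regexp.MustCompile(`^a\d{10,13}=[A-Za-z0-9%+/=]+$`)
	// Upload path built from the IMG_HOST field (section 10).
	imgUpload = regexp.MustCompile(`^/up_filesnew/[A-Za-z0-9]{13}$`)
)

// Hit is one flagged log line (1-based) with the rule that fired.
type Hit struct {
	Line   int
	Reason string
}

// Scan reads lines of the form "METHOD PATH [BODY]" (a constructed, simplified
// proxy-log layout) and flags SecretCalls-like requests.
func Scan(lines []string) []Hit {
	var hits []Hit
	for i, l := range lines {
		f := strings.SplitN(strings.TrimSpace(l), " ", 3)
		if len(f) < 2 {
			continue
		}
		path, body := f[1], ""
		if len(f) == 3 {
			body = f[2]
		}
		switch {
		case randomPath.MatchString(path) && beaconBody.MatchString(body):
			hits = append(hits, Hit{i + 1, "encrypted beacon on random path"})
		case imgUpload.MatchString(path):
			hits = append(hits, Hit{i + 1, "image upload to /up_filesnew/"})
		}
	}
	return hits
}

// SampleLog is constructed for this example; the bodies are not real captures.
var SampleLog = []string{
	"POST /A3bh3/Vdc5 a1714435200=U2FsdGVkX1%2BabcDEF123%3D%3D",
	"POST /Q/w7Kd/9/xYz12/m a1714435200123=bG9uZ2VyIGJhc2U2NCBwYXlsb2Fk",
	"GET /index.html",
	"POST /api/v1/login user=alice&pass=hunter2",
	"POST /up_filesnew/aB3dE5fG7hI9k <binary image data>",
	"POST /abc/def a=not-a-timestamp",
}

func main() {
	for _, h := range Scan(SampleLog) {
		fmt.Printf("line %d: %s\n", h.Line, h.Reason)
	}
}
```

Running it against SampleLog flags lines 1, 2 and 5 and leaves the login request alone even though its path fits the random-segment shape. In a real deployment, a hit on the beacon rule is also the point to pull the body into the decoder from section 7 above and confirm the key.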

11. voice/video streaming (Juphoon)

Juphoon is a cloud calling and broadcasting service that allows you to send/receive voice or video calls 1:1 / 1:N. To use the service, SecretCalls receives a 24-byte Juphoon authentication key (auth) from the C&C server and attempts to connect to the Juphoon Cloud server.

Once a client is created that can connect to the Cloud server with a valid authentication key, it generates a unique identifier (chatid) and sends it to the C&C server so that it can make voice/video calls to the infected device. The unique identifier can be a mobile phone number without the country code or a random 8-digit value.

  • Random 8-digit value: the first 8 characters of the Android advertising ID, or the hardware (MAC) address of the network interface (wlan0) with the colons (:) removed

Because the chatid value is sent to the C&C server at the start of the infection and again during data exfiltration, once all of the above steps complete the attacker can call the infected device (the callee) and force a video stream from it. If the authentication key received from the server is of the Trial type, only audio is transmitted; otherwise both video and audio are transmitted. With the chatid in hand, the attacker can eavesdrop on, or watch through, the infected device remotely using the Juphoon SDK.

Figure 7. Juphoon voice/video communication process using the SDK
(Source: Juphoon developer)

12. Bypass user interaction (force acceptance of permissions)

The prerequisites for malicious behavior, such as granting permissions, screen overlays, and changing the default phone app, all have one thing in common: they require user interaction. SecretCalls uses accessibility to satisfy these conditions without user interaction.

If the user has previously granted SecretCalls accessibility access, it can force permission grants, force screen overlays, force the change of default phone app, and so on. When a specific system activity such as a permission dialog appears, it automatically accepts it, choosing the appropriate action for each purpose based on the package name.

Table 2. List of user interaction bypass targets

Conclusion

  • SecretCalls (Loader) is distributed through phishing sites, so users should be especially wary of calls, texts and emails that contain links to phishing sites.
  • The infected device loses control of making/receiving calls, and call logs are manipulated, making it impossible to determine if the caller is a legitimate institution.
  • Since all data on the infected device is sent to the attacker’s server, the victim’s identity can be inferred, and a targeted voice phishing campaign can be established.
  • SecretCalls (Loader) is mainly distributed with financial themes such as banking, cards, loans, or law enforcement themes such as the National Police Agency or the General Prosecutor’s Office, so it is necessary to be careful when downloading these types of apps through third-party channels other than the official Play Store.

Appendix A. IoCs

Hashes

  • a7140192e82152cbe061a772af68c792
  • b3f07117bf70fceaadbf5188392459b3
  • 19ac36eb407243e6363dff21ea786cd1
  • 97e186a374dcfe963ddc5e4dbdc5168b
  • 1239cfabdf85a8645c0505583ea2f935
  • b9eb29d572032a36cf4f7818a08a6245
  • c95f7d05fac5cbe9de4e720b980af678
  • d749bcdcad3d9de6d0745b5017fda655
  • 3758b3aca94f26634ee9280d8048d87b
  • 228c35d9010e8566cb1cd4335c68189f
  • 071e116186b0534a200857838e7c8ff7
  • 1c382e85d013f43b313ffc175a74c812
  • e93b0bfd7adcc9caa83a65dbf96bb358
  • 119fc51520b1a4c2b56b79a74e722242
  • 2e2ac47e32bcfae36d462def52f2dc7b
  • 1095f3ef59b9ea77fc227fd4b6cf1791
  • 19c91abe816a478318966de18f73a9f32674406f036d6fe263c56ff6ab38d1e1
  • 317490df1812e009b6b025248ebb549d18f3adedc5e561074964855c4a968afb
  • 7803842c706db82cffbc1a7ff0ba092bf85c85a5c4e975c84c093dab4f617440
  • 7531a3cec5bf3f957b7dcdbbd17095418c54cd490a08c6d524428b3be3c31076
  • 2a650fe765b2aef1f4d2c085b6cd0c8d889811b43bab5d0ce5a29152c1c2bf5b
  • addee9520b41971a16a75eb5db43f1743e23b9b1aa87ddd683a5a62d97273df1
  • 9a5e2a4bb1b0433d3c45dc257d98f42476b235c56a212d67aaeae167a8b18d0a
  • fc4321a2a25678515c77b2f461774af681b68eb6d2ec45c5b07399dda40217c3
  • baa5e0d0397dc44c417937d08a21fb12dd570606bf7b01840a967600dff9520a
  • c97037b48760e802c9969d15c729c822aeeaf9a2c6367bcf0045a0747fbaa632
  • 6b57881574ebdbe7bc31134b8939bdc3c4d443bc110f6652a566e08deb55e7a2
  • bbca69e2ae69ae051008ca4c21f0d4ba7ec28dd4682aba984e1e42dca052b468
  • 134dcf8274e3ba2d185493e2b03afa9ed87b8fa39f3ecb044e4ad0acec402373
  • 2b269a26faeed131775eeb80a00a9a96a8e6edfbf8dc033ee8110ddf757843a7
  • ed34f8b694e181472d32df4231aa3db6f5462e146005f122ec20175eaec60819
  • 5e9f365ba339aa1a7c0435c7e03065fc9c002d6f904c5f8bda5edce268a99a7d

Network

  • 154.19.69[.]75
  • 149.104.49[.]49
  • 183.111.122[.]124

Appendix B. Mobile MITRE ATT&CK

Initial Access

  • (T1660) Phishing

Defense Evasion

  • (T1633.001) System Checks
  • (T1630.002) File Deletion
  • (T1575) Native API

Discovery

  • (T1426) System Information Discovery
  • (T1422) System Network Configuration Discovery
  • (T1420) File and Directory Discovery

Collection

  • (T1532) Archive Collected Data
  • (T1429) Audio Capture
  • (T1636.002) Call Log
  • (T1636.003) Contact List
  • (T1636.004) SMS Messages
  • (T1512) Video Capture

Command and Control

  • (T1437.001) Web Protocols
  • (T1521.001) Symmetric Cryptography
  • (T1481.001) Dead Drop Resolver

Impact

  • (T1616) Call Control
  • (T1516) Input Injection
