Technical analysis of AndroidManifest.xml multiple obfuscation bypass static analysis (Zip format type modification bypass)

Background

As mobile applications become more and more popular, malware is becoming more sophisticated and stealthy. This report looks at a malicious Android software sample submitted to incinerator.cloud by ReBensk.

Sample hash value:

MD5: 2f371969faf2dc239206e81d00c579ff

SHA-256: b3561bf581721c84fd92501e2d0886b284e8fa8e7dc193e41ab300a063dfe5f3

Among the multiple malicious samples ReBensk submitted to incinerator.cloud, one custom-modified APK stood out; it is referred to below as "sample b356". The sample uses an unusual obfuscation and concealment technique that prevents standard extraction tools from unpacking its contents. After a targeted repair of the archive we were able to get past this limitation and analyze the sample further.

Analysis process

1. Analysis of decompression failure

Trying to extract the APK with 7z (an APK is essentially a ZIP archive) produced a header error on AndroidManifest.xml, meaning the standard extraction path cannot unpack sample b356.

After opening the APK file with 010 Editor and applying the ZipAdv template for parsing, no obvious errors or anomalies were found.


To understand the problem better, we opened a known-good APK alongside it for comparison, looking for any irregular structure or field that might explain the extraction failure.

The comparison showed that sample b356 declares a non-standard compression method, 0x23C2. In the ZIP format specification the compression method is a 16-bit integer whose defined values are listed below (the list is taken from 010 Editor's ZIPAdv.bt template). Because 0x23C2 is not a known method, extraction tools such as 7z cannot recognize it and refuse to process the entry.

So sample b356 declares an unknown compression method, which makes general-purpose extraction tools fail. Why, then, can the Android system still install and run it?

2. Why the Android system still parses and runs the sample

As the Android source code in the figure below shows, when the system's ZIP parser encounters a compression method other than COMP_DEFLATE, it falls back to the uncompressed (COMP_STORED) path: it reads the entry's uncompressed length from the header and processes that many bytes directly.

Compare the code in the yellow box with the code in the red box. In the yellow box, an entry compressed with COMP_DEFLATE is inflated accordingly; for anything else the system simply reads the uncompressed length and processes the data as-is.

This explains why the app still runs after the compression method of AndroidManifest.xml has been changed. Once normal packaging is complete, sample b356 replaces the AndroidManifest.xml entry in the package with its uncompressed content and sets the entry's compression method to a non-COMP_DEFLATE value. Conventional extraction tools then fail, while the Android system treats the entry as uncompressed, so the app runs normally.

3. Suggested fixes for the extraction procedure

3.1 Repairing the APK

Given how the Android system handles the entry, the AndroidManifest.xml of an APK can effectively use only two compression methods: COMP_DEFLATE or uncompressed.

If the compression method is not the default COMP_DEFLATE, the entry must be uncompressed. The repair is therefore: whenever the compression method is not COMP_DEFLATE, set it to 0 (uncompressed) and set the compressed size equal to the uncompressed size. After that, a regular extraction tool can unpack the file.

After the fix we tried extracting with 7-Zip (7z) again; the result is shown in the figure below. There are still errors, notably a CRC (Cyclic Redundancy Check) mismatch that the repair does not correct, but the APK now extracts and the content of AndroidManifest.xml is accessible.

3.2 Fixes for static analysis tools

A static analysis tool can mirror the system's behaviour instead of rewriting the archive: if the compression method of AndroidManifest.xml is not COMP_DEFLATE, read the uncompressed length from the header and take that many bytes as the content of AndroidManifest.xml.
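Added example (not code from the original article or from the sample's authors) implementing sections 3.1 and 3.2 in Python: `repair_apk` rewrites an unknown method to stored with compressed size = uncompressed size and reports which entries it touched, `read_like_android` reads an entry the way the loader in section 2 does, and `build_tampered_sample` constructs an in-memory stand-in for sample b356 (the real sample is not embedded). It assumes the headers carry the sizes (no data descriptor) and locates headers by signature scan.

```python
import io, struct, zipfile, zlib

COMP_STORED, COMP_DEFLATE = 0, 8
# (signature, method, csize, usize, name_len, extra_len, name) offsets in the ZIP local file header (LFH) and central directory header (CDH)
LFH = (b"PK\x03\x04", 8, 18, 22, 26, 28, 30)
CDH = (b"PK\x01\x02", 10, 20, 24, 28, 30, 46)
MANIFEST = b'<manifest package="com.example.constructed"/>'  # constructed stand-in content

def iter_headers(buf, hdr):
    """Yield (offset, name) for each header of kind hdr (magic scan; real tools walk the central dir)."""
    pos = buf.find(hdr[0])
    while pos != -1:
        nlen = struct.unpack_from("<H", buf, pos + hdr[4])[0]
        yield pos, bytes(buf[pos + hdr[6]:pos + hdr[6] + nlen])
        pos = buf.find(hdr[0], pos + 4)

def read_like_android(data, name):
    """Section 3.2: inflate only COMP_DEFLATE; any other method is read as usize stored bytes."""
    for pos, n in iter_headers(data, LFH):
        if n == name.encode():
            method, _, _, _, csize, usize, nlen, elen = struct.unpack_from("<HHHIIIHH", data, pos + 8)
            start = pos + 30 + nlen + elen
            if method == COMP_DEFLATE:
                return zlib.decompress(data[start:start + csize], -15)
            return data[start:start + usize]  # the loader's COMP_STORED fallback
    raise KeyError(name)

def repair_apk(data):
    """Section 3.1: unknown method -> stored, csize = usize in both headers (CRC left as found); returns (bytes, names fixed)."""
    buf, fixed = bytearray(data), set()
    for hdr in (LFH, CDH):
        for pos, n in iter_headers(buf, hdr):
            if struct.unpack_from("<H", buf, pos + hdr[1])[0] not in (COMP_STORED, COMP_DEFLATE):
                struct.pack_into("<H", buf, pos + hdr[1], COMP_STORED)
                struct.pack_into("<I", buf, pos + hdr[2], struct.unpack_from("<I", buf, pos + hdr[3])[0])
                fixed.add(n.decode())
    return bytes(buf), sorted(fixed)

def build_tampered_sample():
    """Constructed stand-in for b356: stored manifest, method forced to 0x23C2, csize left stale."""
    with zipfile.ZipFile(mem := io.BytesIO(), "w") as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST, zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00constructed" * 8, zipfile.ZIP_DEFLATED)
    buf = bytearray(mem.getvalue())
    for hdr in (LFH, CDH):
        for pos, n in iter_headers(buf, hdr):
            if n == b"AndroidManifest.xml":
                struct.pack_into("<H", buf, pos + hdr[1], 0x23C2)
                struct.pack_into("<I", buf, pos + hdr[2], 1)  # leftover, now-wrong compressed size
    return bytes(buf)
```

The list returned by `repair_apk` is the detection signal a scanner wants: any name in it carries a compression method that the Android loader will silently treat as stored.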

Summary

Because the Android system falls back to uncompressed handling for any non-COMP_DEFLATE compression method during parsing, which does not match the ZIP specification, sample b356 was able to exploit this logic flaw. The complete fix would be for the Android system to process the package strictly according to the standard ZIP extraction rules.

Source: https://www.liansecurity.com/#/main/news/GzKmQIoBUQjGUXE22_tO/detail
