Malicious
36
/65

Threat

com.xiaoo.xii

Chat Me

Analyzed on 2022-06-13T05:28:48.528884

5

permissions

3

activities

0

services

0

receivers

1

domains

File sums

MD5 5f563a38e3b98a7bc6c65555d0ad5cfd
SHA1 286cb8d883b8eabfd8be0720dcdaa98bb6641f3a
SHA256 72aa69be5cd46220e1509c040ceb6e3cbb3c676a6c464a811370d688f45f26ec
Size 5.9MB

APKiD

Information computed with APKiD.

/tmp/tmp15egcns8!assets/face.apk!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.TAGS check
  • possible ro.secure check
compiler
  • unknown (please file detection issue!)
/tmp/tmp15egcns8!assets/imo.apk!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.TAGS check
  • possible ro.secure check
compiler
  • unknown (please file detection issue!)
/tmp/tmp15egcns8!assets/normal.apk!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.TAGS check
  • possible ro.secure check
compiler
  • unknown (please file detection issue!)
/tmp/tmp15egcns8!assets/snap.apk!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.TAGS check
  • possible ro.secure check
compiler
  • unknown (please file detection issue!)
/tmp/tmp15egcns8!assets/trueC.apk!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.TAGS check
  • possible ro.secure check
compiler
  • unknown (please file detection issue!)
/tmp/tmp15egcns8!assets/viber.apk!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.TAGS check
  • possible ro.secure check
compiler
  • unknown (please file detection issue!)
/tmp/tmp15egcns8!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • possible VM check
compiler
  • r8

SSdeep

Information computed with ssdeep.

APK file 98304:PN0DQHNQ75LNFOPezdLHf+b5A/2pPwuowVhW+O/lj0VwJS/SWyT7U/Ya:PN0WNQ75LNFOp5A+JmwVhiZXJf17UQa
Manifest 96:UXU12er/fynSgPKVS0G1RR1//SqK5DsPV70C2yO:UNeDfynSgPKVhSRR13SLeZ2yO
classes.dex 24576:ullEak+M63x1wEx+xxTFY8hB5DJFo3ZcXAXQXUXB0cQ69peIMfBFi:ulSKL3hxg…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 384:hFeKnwENt/CYQis4WFfMpNDuTnnjqkW8szYb75Vmu0FDsaCAGjKIuf5OYQZ8H+S:z…
classes.dex 384:hFeKnwENt/CYQis4WFfMpNDuTnnjqkW8szYb75Vmu0FDsaCAGjKIuf5OYQZ8H+S:z…

APK details

Information computed with AndroGuard and Pithus.

Package com.xiaoo.xii
App name Chat Me
Version name 1.2
Version code 1
SDK 17 - 22
UAID 2944b4e3fbd9caaf1d8aa67eddf8cd8a56d69e15
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 e89b158e4bcf988ebd09eb83f5378e87
SHA1 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
SHA256 a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Issuer Email Address: android@android.com, Common Name: Android, Organizational Unit: Android, Organization: Android, Locality: Mountain View, State/Province: California, Country: US
Not before 2008-02-29T01:33:46+00:00
Not after 2035-07-17T01:33:46+00:00

Manifest analysis

Information computed with MobSF.

Medium Application Data can be Backed up[android:allowBackup=true]
This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.

Main Activity

Information computed with AndroGuard.

com.xiaoo.xii.MainActivity

Activities

Information computed with AndroGuard.

com.xiaoo.xii.Rain
com.xiaoo.xii.Main2
com.xiaoo.xii.MainActivity

Sample timeline

Certificate valid not before Feb. 29, 2008, 1:33 a.m.
Oldest file found in APK Feb. 29, 2008, 7:33 a.m.
Latest file found in APK Feb. 29, 2008, 7:33 a.m.
First submission on VT April 24, 2020, 6:15 a.m.
Last submission on VT Aug. 27, 2020, 7:29 a.m.
Upload on Pithus June 13, 2022, 5:28 a.m.
Certificate valid not after July 17, 2035, 1:33 a.m.

VirusTotal

Score 36/65
Report https://www.virustotal.com/gui/file/72aa69be5cd46220e1509c040ceb6e3cbb3c676a6c464a811370d688f45f26ec/detection

Most Popular AV Detections

Provided by VirusTotal

Threat name: ahmyth Identified 7 times

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application use no DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generate no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing
FCS_HTTPS_EXT.1.1 The application implement the HTTPS protocol that complies with RFC 2818.
HTTPS Protocol
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 com/xiaoo/xii/Main2.java
com/xiaoo/xii/HttpUploaderAll.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/xiaoo/xii/MainActivity.java
com/xiaoo/xii/Main2.java
com/xiaoo/xii/HttpUploaderAll.java

Domains analysis

Information computed with MobSF.

schemas.android.com

URL analysis

Information computed with MobSF.

http://schemas.android.com/apk/res/android
Defined in pl/droidsonroids/gif/GifViewUtils.java
http://schemas.android.com/apk/res/android
Defined in pl/droidsonroids/gif/GifTextureView.java
http://schemas.android.com/apk/res/android
Defined in pl/droidsonroids/gif/GifTextView.java

Permissions analysis

Information computed with MobSF.

High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.REQUEST_INSTALL_PACKAGES Allows an application to request installing packages.
Malicious applications can use this to try and trick users into installing additional malicious packages.
High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Find a method from given class name, usually for reflection
Confidence:
100%
Connect to a URL and receive input stream from the server
Confidence:
100%
Method reflection
Confidence:
100%
Install other APKs from file
Confidence:
100%
Load class from given class name
Confidence:
100%
Retrieve data from broadcast
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Connect to a URL and get the response code
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Read file from assets directory
Confidence:
100%
Get last known location of the device
Confidence:
100%
Get location of the device
Confidence:
100%
Method reflection
Confidence:
100%
Get the time of current location
Confidence:
100%
Initialize class object dynamically
Confidence:
100%
Connect to a URL and set request method
Confidence:
80%
Read data and put it into a buffer stream
Confidence:
80%
Read file and put it into a stream
Confidence:
80%
Get declared method from given method name
Confidence:
80%
Implicit intent(view a web page, make a phone call, etc.) via setData
Confidence:
80%
Get absolute path of the file and store in string
Confidence:
80%
Get resource file from res/raw directory

Behavior analysis

Information computed with MobSF.

Execute os command
       com/xiaoo/xii/MainActivity.java
Inter process communication
       com/xiaoo/xii/MainActivity.java
com/xiaoo/xii/Main2.java
Java reflection
       pl/droidsonroids/gif/LibraryLoader.java
Loading native code (shared library)
       com/getkeepsafe/relinker/SystemLibraryLoader.java
pl/droidsonroids/gif/LibraryLoader.java
Local file i/o operations
       com/xiaoo/xii/MainActivity.java
com/xiaoo/xii/Main2.java
com/xiaoo/xii/HttpUploaderAll.java
Starting activity
       com/xiaoo/xii/MainActivity.java
com/xiaoo/xii/Main2.java

Control flow graphs analysis

Information computed by Pithus.

The application probably gets the network connections information

The application probably plays sound

The application probably executes OS commands

The application probably listens accessibility events