With working from home on the rise, Zoom and other video conference applications have been in heavy use, by employees but also by malicious threat actors. On Apr 1st, Security Week wrote about a re-packaged version of Zoom targeting teleworking users on Android. In this blog, we will take a closer look at what this malicious APK looks to achieve and how it achieves it.

随着在家办公的兴起，Zoom和其他视频会议应用程序被员工以及恶意威胁参与者广泛使用。 4月1日，《 安全周刊》撰写了针对Android上远程办公用户的Zoom的重新打包版本。 在此博客中，我们将仔细研究该恶意APK的目标以及实现方式。

This malicious APK takes a legitimate Zoom APK, release 4.1.35374.1217 version 41021, and introduces new permissions and a new package that utilizes AES encryption to remain hidden. As seen in the first image, on first upload only eight security vendors detected this APK as malicious.

此恶意APK带有一个合法的Zoom APK，版本4.1.35374.1217版本41021，并引入了新的权限以及一个使用AES加密保持隐藏的新程序包。 如第一张图片所示，在第一次上传时，只有八家安全厂商检测到此APK为恶意软件。

We will first look at the data around the APK itself. When compiling this APK the malicious actor used a signing certificate with the Owner and Issuer matching the original Zoom APK in order to appear to be signed by Zoom Video Communications Inc.

我们将首先查看APK本身周围的数据。 编译此APK时，恶意行为者使用了具有与原始Zoom APK匹配的所有者和发行者的签名证书，以便看上去由Zoom Video Communications Inc.签名。

The core functionality of the APK is unchanged, you are able to sign-in to accounts, join meetings as you expect from the Zoom APK.

APK的核心功能保持不变，您可以登录帐户，并按预期从Zoom APK中加入会议。

In Android Studio, the original Zoom APK file is compared to this malicious APK file. Most of the files appear to be unchanged, there is more data in the AndroidManifest, as well as more data in the classes.dex where the java classes are stored. Near the bottom of this comparison, we can confirm that the signing certificate used by the malicious APK file is not the official Zoom certificate which was originally used.

在Android Studio中，原始的Zoom APK文件会与此恶意APK文件进行比较。 大多数文件似乎保持不变，AndroidManifest中有更多数据，而存储Java类的classes.dex中也有更多数据。 在此比较的底端附近，我们可以确认恶意APK文件使用的签名证书不是最初使用的官方Zoom证书。

The first item that has changed that we see in this comparison is the AndroidManifest.xml. Upon deeper dive, we see that this malicious APK has added new permissions in the manifest; including the ability to read, send and receive SMS messages, meaning that the app has the ability to read all the SMSs that are received on the user’s phone as well as sending SMS messages. Along with the additional permissions, the app has a new package inside, us.zoom.videomeetings.byfsl. We can see this package is defined as a BroadcastReceiver as well as an android service allowing this package to run in the background with no visual interface and allowing communication.

在此比较中看到的第一处发生变化的项是AndroidManifest.xml。 深入研究后，我们发现该恶意APK已在清单中添加了新权限； 包括读取，发送和接收SMS消息的能力，这意味着该应用程序能够读取用户手机上接收到的所有SMS以及发送SMS消息。 除其他权限外，该应用程序还具有一个新包us.zoom.videomeetings.byfsl。 我们可以看到此程序包被定义为BroadcastReceiver以及一个android服务，从而允许该程序包在没有可视界面的情况下在后台运行并允许通信。

Expanding into classes.dex, there is a new package under us.zoom.videomeetings call byfsl. Inside this folder, there are 11 new classes that are not in the original Zoom APK, and this is where the malicious code is present.

扩展到classes.dex中，在us.zoom.videomeetings下有一个名为byfsl的新包。 在此文件夹中，有11个新类不在原始的Zoom APK中，这是存在恶意代码的地方。

This new package, us.zoom.videomeetings.byfsl, includes several java classes that use AES encrypted strings to try and mask functionality.

这个新程序包us.zoom.videomeetings.byfsl包括几个Java类，这些类使用AES加密的字符串尝试掩盖功能。

The main method is in the Pkipn class, the first thing this method does is get the absolute path of the application, this is the first of the AES encrypted strings, which we will look at in the next paragraph(the decrypted string is . ). The package also stores the malicious domain (bytearray[] a) and stores it along with the absolute path in the object h.

主要方法是在Pkipn类中，此方法要做的第一件事是获取应用程序的绝对路径，这是AES加密字符串的第一个，我们将在下一段中介绍(解密的字符串是。)。 。 程序包还存储恶意域(bytearray [] a)，并将其与绝对路径一起存储在对象h中。

In the byfsl package, there are roughly 25 AES/CTR/NoPadding encrypted strings. The method for decrypting the strings is Qwkso.qdyiu, in this method, there is a check against the method initialize to determine if the DECODED_KEY has been stored yet. The DECODED_KEY is stored after the initialize method takes the ENCODED_KEY of peRcpinr/9e0CLOGnNg0kA==, converts this into a UTF-8 byte array and finally, base64 decodes this byte array to get the 16-byte DECODED_KEY. After the DECODED_KEY is stored this key is then used when outside classes call Qwkso.qdyiu.

在byfsl软件包中，大约有25个AES / CTR / NoPadding加密字符串。 解密字符串的方法是Qwkso.qdyiu，在此方法中，将对初始化方法进行检查以确定DECODED_KEY是否已存储。 在初始化方法采用peRcpinr / 9e0CLOGnNg0kA ==的ENCODED_KEY之后，将DECODED_KEY存储起来，将其转换为UTF-8字节数组，最后base64对该字节数组进行解码以获取16字节的DECODED_KEY。 存储DECODED_KEY之后，在外部类调用Qwkso.qdyiu时将使用此密钥。

The next method that follows storing the domain and absolute path queries the PowerManager and creates a new WakeLock to keep the screen on allowing the malicious activity to continue as long as the app is open.

存储域和绝对路径之后的下一个方法将查询PowerManager并创建一个新的WakeLock，以保持屏幕打开状态，只要打开应用程序，恶意活动就可以继续。

Finally, after setting the WakeLock the malicious connection is started. The bytearray a[] contains the tcp:// link that is used by this application tcp://googleteamsupport.ddns.net:4444, there are 3 if statements to determine if str starts with tcp or : or // (FJkiDDu3jjSJwK+ywmx09KXl4A== decodes to tcp, VnZnQoIx85b5BMH7EqtiNF4= decodes to : and TmXCTCW5NWLpz3dpWTyg4PU= decodes to /). Once this is determined the socket is opened and communication with the malicious domain begins.

最后，在设置了WakeLock之后，恶意连接就会启动。 字节数组a []包含此应用程序tcp：//googleteamsupport.ddns.net：4444使用的tcp：//链接，共有3条if语句来确定str是否以tcp或：或//开头(FJkiDDu3jjSJwK + ywmx09KXl4A ==解码为tcp，VnZnQoIx85b5BMH7EqtiNF4 =解码为：，TmXCTCW5NWLpz3dpWTyg4PU =解码为/)。 一旦确定，将打开套接字并开始与恶意域的通信。

This domain has been linked to a previously used IP address used as a command control for SandoRAT / DroidJack by BitDefender.

该域已链接到先前使用的IP地址，该IP地址被BitDefender用作SandoRAT / DroidJack的命令控件。

Going through the malicious package, we can see the effort used to try and stay hidden, providing an APK that is signed with a certificate that closely resembles the original APK and retaining the core functionality of the original APK. Though the difference in size may be small, the additional capabilities of being able to read SMS messages, as well as setting up a malicious backdoor potentially allowing malicious actors to spy on your device.

通过恶意程序包，我们可以看到用于隐藏尝试的工作，提供了一个经过签名的APK，该证书与原始APK非常相似，并且保留了原始APK的核心功能。 尽管大小差异可能很小，但是能够读取SMS消息以及设置恶意后门的其他功能可能会允许恶意参与者在您的设备上进行监视。

This APK can only be installed by sideloading, it is recommended to only install the Zoom android app from the PlayStore and keep your apps updated, do not install APK files onto your device from third party sources.

此APK只能通过侧面加载进行安装，建议仅从PlayStore安装Zoom android应用并保持您的应用更新，请勿从第三方来源将APK文件安装到设备上。

IOCs:

国际奥委会：

Network: tcp://googleteamsupport.ddns.net:4444

网络：tcp：//googleteamsupport.ddns.net：4444

Hash: 232ec4629458b1df0e3ef934365cd0cede498205409db31b4701223fa80c31bb

哈希： 232ec4629458b1df0e3ef934365cd0cede498205409db31b4701223fa80c31bb