Mamont - Trojan APK Analysis
Information
| SHA256 hash: | c6f2553734e73ffbafab7acba0194ad545cdce3364e60e2014f37b0e49e1ab64 |
|---|---|
| SHA1 hash: | 4d44166162cf6a16c1daffa7d40f1c5b0c47b3ca |
| MD5 hash: | 9273aa2e465996dde7ad912424f06be2 |
| File name: | Фото-2025.08.10.apk |
| File size: | 1,484,158 bytes |
| First seen: | 2025-12-28 15:17:05 UTC |
| Last seen: | Never |
| File type: | apk |
| MIME type: | application/zip |
Sample references:
- bazaar.abuse.ch
- VirusTotal
Introduction
Mobile trojans packaged as APK files have become one of the most common threats to Android users. The malware disguises itself as a legitimate application to trick the user into installing it. Once installed, it runs in the background to steal sensitive information, sends the stolen data through Telegram channels, and may perform remote-control tasks. This report covers the significance of mobile malware, the risks of messaging apps like Telegram being used as exfiltration channels, and the methodology used to analyze the sample.
Executive Summary
The analyzed APK appears to be a standard Android app but contains hidden malicious code. Its real function is to connect to Telegram channels for exfiltration and control. The malware requests permissions it has no legitimate need for, such as access to contacts, storage, messages, and the network; these let it interact with the device covertly, which makes it dangerous for both personal and organizational users. Attackers modify or embed malicious code into legitimate-looking apps; users install them unknowingly and grant the permissions that let the malware run in the background. The goal is to steal messages, contacts, camera data, and OTP codes, which leads to loss of personal privacy.
Tools
Tools used throughout this analysis:
- Detect It Easy (DIE)
- JADX
- Android Studio
- Burp Suite
Analysis
Observation
The analyzed APK is an Android application built primarily with Kotlin, incorporating native C/C++ libraries for multiple architectures (ARM, ARM64, x86, x86_64). It was compiled with the Android SDK (API 21–36) and Android NDK r25c. The main executable code resides in classes.dex (Dalvik bytecode, which is architecture-neutral; the 32-bit/64-bit split applies only to the bundled native libraries). The APK also includes compressed resources such as publicsuffixes.gz and native shared libraries (libandroidx.graphics.path.so) for both 32-bit and 64-bit platforms, indicating broad device compatibility. A summary of the build toolchain identified for this APK:
- Platform: Android (Universal, supports multiple architectures)
- Language: Kotlin & C/C++ (via Android NDK)
- Build Tools: Android SDK (API 21–36), Android NDK r25c
- Arch list: arm64-v8a, armeabi-v7a, x86, x86_64
Static Analysis
Using JADX, we first open the central configuration file of the Android application, AndroidManifest.xml, to understand the permissions, components, and intent filters it defines. Checking it first lets an analyst quickly identify suspicious permissions, potentially malicious components, and the app's intended behavior before deeper code inspection.
Resources/AndroidManifest.xml
The APK requests permissions far beyond normal app behavior and declares numerous exported services and receivers that handle SMS, MMS, and notifications. Combined with obfuscated component names and Firebase integration, this strongly suggests the APK is built for data exfiltration, remote control, and persistent monitoring of the device.
permission:
services:
Critical Permissions Requested (potentially malicious or privacy-sensitive)
- SMS: READ_SMS, SEND_SMS, RECEIVE_SMS, SMS_SENT, SMS_DELIVERED
- Contacts & Accounts: READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS
- Phone state: READ_PHONE_STATE, READ_PHONE_NUMBERS, CALL_PHONE
- System/Network: INTERNET, ACCESS_NETWORK_STATE, QUERY_ALL_PACKAGES, RECEIVE_BOOT_COMPLETED, WAKE_LOCK
- Notifications & Foreground: POST_NOTIFICATIONS, FOREGROUND_SERVICE
Note that SMS_SENT and SMS_DELIVERED are not Android framework permissions; they are the conventional names of app-defined broadcast actions used to receive sent/delivered receipts for outgoing SMS, which is itself a sign that the app sends SMS programmatically.
Activity
The application entry point (the launcher activity declared in the manifest's activity section) is chimera.best.panel.FQEndmTHnhCpoUnvNq.
Main Activity
Location: sources\chimera.best.panel\FQEndmTHnhCpoUnvNq.java
The source code is heavily obfuscated, making direct reading difficult. Decoding the strings where they matter took less time than trying to fully deobfuscate every class and method.
Note the repeated calls to qJMbAezHp.ujkitozmfsyqth, the string decoder discussed later in this section.
FQEndmTHnhCpoUnvNq.java serves as the primary entry point and orchestrator for this Android banking trojan. Upon launch, the Activity establishes communication with a command-and-control server to retrieve critical configuration parameters, including the attacker’s phone number (RETRANSMITTER_PHONE_NUMBER) and a whitelist of targeted financial applications (PUSH_WHITELIST_KEYS). The malware implements a 17-second timeout loop waiting for this configuration; if the C2 server is unreachable, the application deliberately crashes to avoid detection through behavioral analysis.
Once configured, the Activity initializes a full-screen WebView with aggressive permissions (JavaScript enabled, file access, DOM storage) to display attacker-controlled phishing pages that mimic legitimate banking interfaces. Simultaneously, it requests elevation to default SMS application status using platform-appropriate APIs (RoleManager for Android 10+ or legacy Telephony intents for older versions), granting complete access to intercept, read, and send SMS messages—particularly targeting two-factor authentication codes from financial institutions.
The implementation employs user retention techniques including back button hijacking that prevents easy exit from the phishing interface, file upload capabilities for document exfiltration, and persistent permission prompting until SMS access is granted. This combination of credential phishing, SMS interception, and C2-driven configuration creates a sophisticated attack vector targeting Russian-speaking users of banking applications listed in the decoded strings (Sberbank, Tinkoff, Alfa Bank, VTB, etc.).
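Both the manifest review above and the default-SMS role request described here can be checked mechanically. The following Python script is an added example written for this write-up, not code from the sample or from JADX: it parses a decoded AndroidManifest.xml, groups the risky permissions the way the list above does, and tests whether the app declares the four components Android requires before it will offer the default-SMS role (SMS_DELIVER and WAP_PUSH_DELIVER receivers, a RESPOND_VIA_MESSAGE service, and a SENDTO activity). The embedded manifest is constructed for the example; apart from the main activity name, its component names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified name of an android:<name> attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permission groups, as categorised in the manifest review above.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts & Accounts",
    "android.permission.GET_ACCOUNTS": "Contacts & Accounts",
    "android.permission.READ_PHONE_STATE": "Phone state",
    "android.permission.QUERY_ALL_PACKAGES": "System/Network",
    "android.permission.RECEIVE_BOOT_COMPLETED": "System/Network",
    "android.permission.FOREGROUND_SERVICE": "Notifications & Foreground",
}

# Android only offers the default-SMS role (RoleManager.ROLE_SMS, or the legacy
# Telephony.Sms.Intents.ACTION_CHANGE_DEFAULT flow) to apps that declare all
# four of these components; their presence in a "photo" app is a strong signal.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER": "receiver",
    "android.provider.Telephony.WAP_PUSH_DELIVER": "receiver",
    "android.intent.action.RESPOND_VIA_MESSAGE": "service",
    "android.intent.action.SENDTO": "activity",
}


def triage_manifest(xml_text):
    """Return risky permissions, default-SMS eligibility and a persistence hint
    for a decoded (apktool/JADX) AndroidManifest.xml given as text."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}

    risky = {}
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            risky.setdefault(RISKY_PERMISSIONS[p], []).append(p)

    # action name -> set of component kinds whose intent filters declare it
    declared = {}
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            for action in comp.iter("action"):
                declared.setdefault(action.get(android_attr("name")), set()).add(kind)

    sms_role = {act: kind in declared.get(act, set())
                for act, kind in DEFAULT_SMS_ACTIONS.items()}

    return {
        "risky_permissions": risky,
        "sms_role_components": sms_role,
        "default_sms_candidate": all(sms_role.values()),
        "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                             "android.permission.FOREGROUND_SERVICE"} <= perms,
    }


# Constructed manifest excerpt for this example (all component names except the
# main activity are placeholders, not taken from the sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="chimera.best.panel">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Photo">
    <activity android:name="chimera.best.panel.FQEndmTHnhCpoUnvNq" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
      </intent-filter>
    </activity>
    <receiver android:name=".placeholder.SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".placeholder.MmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".placeholder.RespondService" android:exported="true"
             android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, "=", value)
```

Run it against a real decoded manifest with `triage_manifest(open(path, encoding="utf-8").read())`; the decoded XML from apktool or JADX's resources view works, the binary AXML inside the APK does not. A "photo" app that comes out as a default-SMS candidate with boot persistence is exactly the profile described above.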
SMS/Notification Interception
Location: sources\acMDegCzSEifNwxeufPp\OPnEFgTiSobaaZMQyA.java
Handles SMS forwarding to attacker’s number
Configuration/Storage Manager
Location: sources\pTUpXgpd\knhWGwDvyVUGmiCIdfq.java
This class stores, updates, and limits daily usage/heartbeat records per key in Android SharedPreferences, keeping only recent dates and tracking counts. The flow is:
- It saves dates (per UTC day) for each key.
- It keeps a global daily marker to avoid duplicate actions in one day.
- It limits total stored events (max 30) and removes the oldest when full.
- It cleans old dates and returns pending records when needed.
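To make the flow concrete, here is an added Python model of that store, written for this write-up rather than taken from the decompiled class. A dict stands in for SharedPreferences, the 30-record cap follows the description above, and the seven-day retention window and the key names are assumptions, since the page does not give the exact threshold.

```python
from datetime import date, datetime, timedelta, timezone

MAX_EVENTS = 30        # cap on stored (key, date) records, as described above
RETENTION_DAYS = 7     # assumption: the page does not give the exact age threshold


class DailyTracker:
    """Model of the SharedPreferences-backed usage/heartbeat store.
    `prefs` stands in for SharedPreferences (a plain dict); `today` can be
    injected to simulate the passage of UTC days."""

    def __init__(self, prefs=None, today=None):
        self.prefs = prefs if prefs is not None else {}
        self._today = today

    def today(self):
        return self._today or datetime.now(timezone.utc).date()

    def _events(self):
        # oldest-first list of [key, "YYYY-MM-DD"] pairs
        return self.prefs.setdefault("events", [])

    def record(self, key):
        """Save today's UTC date for key; False if it was already saved today."""
        d = self.today().isoformat()
        ev = self._events()
        if [key, d] in ev:
            return False
        if len(ev) >= MAX_EVENTS:
            ev.pop(0)          # store is full: evict the oldest record
        ev.append([key, d])
        return True

    def first_today(self):
        """Global daily marker: True only on the first call of a UTC day."""
        d = self.today().isoformat()
        if self.prefs.get("global_day") == d:
            return False
        self.prefs["global_day"] = d
        return True

    def pending(self, key, max_age_days=RETENTION_DAYS):
        """Purge dates older than max_age_days, then return the dates left for key."""
        cutoff = self.today() - timedelta(days=max_age_days)
        kept = [e for e in self._events() if date.fromisoformat(e[1]) >= cutoff]
        self.prefs["events"] = kept
        return [d for k, d in kept if k == key]


def simulate(n_days, start=date(2025, 1, 1)):
    """Record one 'heartbeat' per UTC day for n_days and return the tracker."""
    t = DailyTracker(today=start)
    for i in range(n_days):
        t._today = start + timedelta(days=i)
        t.record("heartbeat")
    return t


if __name__ == "__main__":
    t = simulate(40)
    print(len(t.prefs["events"]), "records kept after 40 days")   # capped at 30
    print(t.pending("heartbeat"))                                 # last 8 dates
```

The point for a defender is the cadence this produces: one action per key per UTC day, with a global once-a-day gate on top, so the beaconing this class throttles will look like a low-and-slow daily check-in rather than a steady stream.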
Location: sources\pTUpXgpd\nwnQKTUGhGInbImg.java
This class initializes a shared preferences helper, stores device info (model and Android version), and exposes saved app configuration values like client ID and web view URL.
WebView File Upload Handler
Location: sources\mdQPPWonHAmHwOYj\nwnQKTUGhGInbImg.java
This class handles file upload requests from a WebView by opening the Android file picker and returning the selected file to the web page. The flow is:
- It replaces any old file callback.
- It launches the system file chooser.
- It sends the chosen file back to the WebView.
String Decoder/Obfuscation
Location: sources\SGfdSCgRDRfmflGigM\qJMbAezHp.java
The ujkitozmfsyqth() method is called everywhere a hidden string is needed. This class decodes all of the Base64-obfuscated strings in the APK.
Firebase Messaging Service
Location: sources\com\google\firebase\messaging\FirebaseMessagingService.java
Receives remote commands from attackers.
Encrypted method
The decoder delegates to TJsCxHfLdliFyglAE.nwnQKTUGhGInbImg.liatbvahhplwimctf, which takes str and str2, Base64-decodes each, XORs the two byte arrays, and returns the result as a UTF-8 string.
Concept:
Location: sources\ghruvjqZJCdxlWe\knhWGwDvyVUGmiCIdfq
A second cipher is visible here: an alternating transposition that combines both ciphers into one.
Concept:
Export the source code from JADX to a save location, then extract every encrypted string from the exported tree:

```shell
grep -r --no-filename -o "qJMbAezHp.ujkitozmfsyqth([^)]*)" . > collectedtext.txt
```
Reading a few of the exported files confirms that every encrypted string is now in collectedtext.txt; the next step is to decode all of them.
Decoding
Taking the collected encrypted text, a simple script speeds up the analysis by:
- collecting every call matching the regex `ujkitozmfsyqth\("([^"]+)",\s*"([^"]+)"\)`
- removing the literal `\n` escapes, which is required for valid Base64 decoding
- reversing the XOR string hiding used across the APK
script:

```python
import base64
import re

# Each extracted call looks like ujkitozmfsyqth("<base64 ciphertext>", "<base64 key>")
pattern = re.compile(r'ujkitozmfsyqth\("([^"]+)",\s*"([^"]+)"\)')


def xor_bytes(a, b):
    """XOR a with b, repeating b cyclically (the APK's string-hiding scheme)."""
    return bytes(a[i] ^ b[i % len(b)] for i in range(len(a)))


def decode_call(enc1, enc2):
    """Decode one ujkitozmfsyqth(enc1, enc2) call back to its plaintext."""
    # The decompiled literals contain "\n" escapes that break Base64 decoding
    b1 = base64.b64decode(enc1.replace("\\n", ""))
    b2 = base64.b64decode(enc2.replace("\\n", ""))
    dec = xor_bytes(b1, b2)
    try:
        return dec.decode("utf-8")
    except UnicodeDecodeError:
        return dec  # not text: keep the raw bytes for inspection


if __name__ == "__main__":
    with open("collectedtext.txt", "r", encoding="utf-8") as f:
        for line in f:
            for m in pattern.finditer(line):  # grep -o yields one call per line
                enc1, enc2 = m.group(1), m.group(2)
                print(f"{enc1}:{enc2} = {decode_call(enc1, enc2)}")
```
Output (captured as screenshots): decoded IP addresses, URLs, and the Telegram and Firebase URLs used by the sample.
Dynamic Analysis
Set up Burp Suite and the Android emulator; the proxy host and port configured on the emulator must match the Burp listener. In this sample the listener hostname was 127.0.0.1 and the port was given as 311337, which exceeds the maximum TCP port (65535), so the listener must in fact be bound to a lower port; whatever it is, the emulator proxy setting has to match it.
Install the application on the emulator; it shows a photo icon, matching the Фото-2025.08.10.apk lure name.
permission:
In the app's battery usage settings, click Open:
The URL is then triggered:
Cross-checking gettingData and event against the strings decoded earlier shows that both come from this file:
This is where the operation's encrypted strings are stored:
The function that makes the POST request:
Conclusion
The analyzed trojan APK uses Telegram as a covert communication channel. It demonstrates how social engineering, combined with legitimate-looking apps, can bypass user awareness and security mechanisms. Awareness of permission misuse and monitoring of network behavior are crucial for preventing such threats.