Security News

A potent keylogger on Github

By

SonicWall Threats Research team came across an interesting Tweet that mentions about a repository on Github. This repository is named as Hakistan and it boasts of hacking related tools. One tool among the list of tools is a keylogger named Hakistan keylogger which does not appear to be created for malicious purposes.

 

Application details

 

Interestingly, the application name for this app is Google Service and it has a relevant icon as well. Clearly this keylogger application is trying to masquerade as a legitimate application thereby violating Google Play policies.

Install_image

Some of the services and receivers in this app request for dangerous permissions like:

  • BIND_NOTIFICATION_LISTENER_SERVICE
  • BIND_DEVICE_ADMIN
  • BIND_ACCESSIBILITY_SERVICE

Keylogging

Once execution begins, as expected the application requests the victim to grant several permissions and access:

One the required permissions are granted the keylogger keeps running in the background and monitors the victim’s keystrokes. The keystrokes are stored in a file locally as shown:

 

Additional Features

This keylogger logs more than just keystrokes. Some additional data stolen by this keylogger is as shown below:

Captures SMS on the device

 

Monitors incoming SMS

 

Forward SMS present on the device

 

Captures system information

 

Clients receive data about vicitims via email messages where the ‘from’ is keylogger@hakistan.org:

 

In case of the current sample the to address is base64 encoded, which decodes to dashdashpass7@gmail.com

 

These findings go in line with what is advertised about this keylogger:

 

Research related tools on Github are dime-a-dozen, if they are being used for research purpose most of them have a disclaimer that states their purpose. In this case the fact that the application is being saved as Google Services with believable icon makes it look a bit suspicious.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOSHakis.KLG (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Android ransomware purports to be a free social media follower application
China’s “Winnti” Spyder Module
Nullsoft Winamp CAF Buffer Overflow (Mar 6, 2009)
Microsoft Security Bulletin Coverage for October 2019
Ngrbot steals information and mines Bitcoins (Nov 18, 2011)
Wells Fargo Account Update Downloader Trojan (Mar 21, 2012)
New Dorkbot adds suite of new features (Feb 8, 2013)
BMC Track-It! .NET Remoting Vulnerability (Dec 5, 2014)