This project is based on the video A clever Gumtree scam by the amazing Jim Browning. Before you read any further, be sure to check his channel out.
In the video, Jim presents a sophisticated scam built around a fake Gumtree page. At one point the website asks the user to install an APK file; this project deals with that file.
To reproduce the files in this repository, a few common reverse engineering tools are needed:
- dex2jar to convert the APK's Dalvik bytecode (classes.dex) into a JAR, and JD-GUI to decompile that JAR into readable Java code. Note that this Java code is not perfectly clean, so you cannot simply recompile it.
- Apktool to fully unpack the APK file. The code it produces is in the Smali format, a kind of assembly language for Android's Dalvik VM. Applications unpacked by Apktool can usually be rebuilt (and then re-signed) into a working APK, so you can slightly change the application's behaviour this way.
- Retargetable Decompiler (RetDec). The Realtalk framework discussed below is not fully implemented in Java, but also depends on a JNI library written in C++. RetDec can transform such shared libraries (.so files) into (more or less) readable C code.
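Before reaching for any of these tools it helps to know what is actually inside the archive. The script below is an added example (not code from this repository) that does that first look with the standard library only: an APK is a ZIP, so it counts DEX files, lists native libraries per ABI, checks whether a library carries mangled C++ symbols, and checks whether the manifest is compiled (binary XML) and therefore needs Apktool. The APK it inspects is constructed in memory and stands in for a real sample; the file names and magic bytes are the standard Android ones.

```python
"""First-look triage of an APK. An APK is a ZIP archive, so the standard library is
enough to see which reverse engineering tools will be needed: dex2jar/JD-GUI for the
DEX files, Apktool for the compiled manifest and resources, and a native decompiler
such as RetDec for any shared library, especially one carrying mangled C++ symbols."""
import io
import re
import zipfile

# Itanium C++ ABI (GCC/Clang) symbol names start with "_Z".
MANGLED_RE = re.compile(rb"_Z[A-Za-z0-9_]{3,}")
AXML_MAGIC = b"\x03\x00\x08\x00"      # header of a compiled (binary XML) manifest
DEX_MAGIC = b"dex\n"


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK (not the actual Gumtree sample): one DEX,
    one ARM native library with a mangled C++ JNI symbol in its string table, and a
    compiled manifest as produced by the Android build tools."""
    fake_so = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
               + b"JNI_OnLoad\x00_ZN7_JNIEnv13CallIntMethodEP8_jobjectP10_jmethodIDz\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 28)
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        z.writestr("lib/armeabi-v7a/libnative.so", fake_so)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Summarise the archive: DEX files, native libraries per ABI, which of those look
    like C++ (mangled names present) and whether the manifest needs Apktool to decode."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_files = [n for n in names if re.fullmatch(r"classes\d*\.dex", n)]
        native, cpp_libs = {}, []
        for n in names:
            m = re.fullmatch(r"lib/([^/]+)/([^/]+\.so)", n)
            if not m:
                continue
            native.setdefault(m.group(1), []).append(m.group(2))
            data = z.read(n)
            if data[:4] == b"\x7fELF" and MANGLED_RE.search(data):
                cpp_libs.append(n)
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    return {
        "dex_files": dex_files,
        "native_libs": native,
        "cpp_libs": cpp_libs,
        "binary_manifest": manifest.startswith(AXML_MAGIC),
        "needs_native_decompiler": bool(native),
    }


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

For a real file, replace `build_sample_apk()` with `open("sample.apk", "rb").read()`. Any entry under `cpp_libs` is the one to feed to RetDec; a `.so` without mangled names may still be C++ with stripped symbols, so treat the check as a hint, not proof.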
The application wants the user to log in at http://web-gumtree.com/gumtree/login_mob.php. In that page's source, a small piece of JavaScript carries a comment in Russian. Additionally, some strings in the app are only available in Russian. The origin of the authors is therefore fairly obvious; some details in the Realtalk framework support this even further.
Note that the app's AndroidManifest requests permissions for virtually every component of the device. The SMS sending and delivery services (the components that handle outgoing and incoming SMS) are registered there as well.
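The manifest is the quickest place to confirm both claims. As an added example (not code from this repository), the script below parses a manifest as Apktool decodes it, lists the requested permissions, flags the ones that matter for an SMS stealer, and reports which components register for SMS delivery or sending. The manifest it parses is constructed here with an invented package name; the permission names, intent actions and the `android` XML namespace are the standard ones.

```python
"""Triage an Apktool-decoded AndroidManifest.xml: list the requested permissions, flag
the ones that matter for an SMS stealer, and show which components hook SMS handling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Permissions worth flagging first in a sample like this (assumed triage list).
HIGH_RISK = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.GET_ACCOUNTS",
}
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",      # default-SMS-app delivery broadcast
    "android.provider.Telephony.SMS_RECEIVED",     # ordinary incoming-SMS broadcast
    "android.intent.action.RESPOND_VIA_MESSAGE",   # quick-response sending service
}

# Constructed sample manifest (package name invented, not the real sample's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Gumtree">
    <activity android:name="com.example.fakeapp.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <service android:name=".SmsSendService"
             android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter>
        <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
        <data android:scheme="sms"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return package name, all permissions, the high-risk subset, every component
    with its intent actions, and the components that hook SMS handling."""
    root = ET.fromstring(xml_text)
    permissions = sorted(e.get(NAME) for e in root.iter("uses-permission"))
    components = []
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            actions = [a.get(NAME) for a in comp.iter("action")]
            components.append({"kind": kind, "name": comp.get(NAME), "actions": actions})
    sms_hooks = [c for c in components if SMS_ACTIONS.intersection(c["actions"])]
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "high_risk": sorted(p for p in permissions if p in HIGH_RISK),
        "components": components,
        "sms_hooks": sms_hooks,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("high-risk permissions:", result["high_risk"])
    for hook in result["sms_hooks"]:
        print(f"SMS hook: {hook['kind']} {hook['name']} -> {hook['actions']}")
```

Run it against `open("out/AndroidManifest.xml").read()` after `apktool d`; the raw manifest inside the APK is binary XML and will not parse with this script.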
It seems like a framework called Realtalk is used by the fake Gumtree application. This framework provides functions for getting all phone-specific information (like device ID, IMEI, phone numbers etc.), sending and receiving SMS, getting all other applications installed on a device or retrieving all contacts and a lot more.
I came to the conclusion that this is a general framework, because I found the malware report of a similar application on Joe Sandbox. The only real difference is the main package name: in this project it's com.gumsis, on Joe Sandbox it's com.nikotin. It's possible that Realtalk is distributed and/or sold on a private forum, maybe even in the Tor network, so any further investigation in this direction is appreciated.
As stated above, Realtalk is not fully implemented in Java, but also depends on a native JNI library. It was possible to tell that the library was written in C++, because its decompiled source contains symbols mangled according to the Itanium C++ ABI used by GCC and Clang. For example, a demangler (such as c++filt) turns _ZN7_JNIEnv13CallIntMethodEP8_jobjectP10_jmethodIDz into the C++ function signature _JNIEnv::CallIntMethod(_jobject*, _jmethodID*, ...), i.e. a variadic member function of the _JNIEnv class (the C++ JNIEnv type from jni.h). Plain C code would go through the JNI function table instead and would leave no such symbol behind.
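To make the mangling scheme concrete, here is a small demangler written for this page (not code from the repository or from the Realtalk library) that handles the subset of the Itanium C++ ABI seen in symbols like the one above: nested names, length-prefixed identifiers, pointer, reference and const qualifiers, the builtin type codes and the `z` ellipsis marker. Substitutions (`S_`, `S3_`) and templates are deliberately unsupported and raise an error, so anything more complex should go through c++filt.

```python
"""Minimal Itanium C++ ABI demangler for the simple JNI symbols found in a native
Android library. Supports nested names (N...E), source names (<len><chars>), builtin
types, P/R/K qualifiers and the ellipsis marker 'z'. Substitutions (S_, S0_) and
templates are not supported and raise ValueError; use c++filt for those."""

BUILTIN = {
    "v": "void", "b": "bool", "c": "char", "a": "signed char", "h": "unsigned char",
    "s": "short", "t": "unsigned short", "i": "int", "j": "unsigned int",
    "l": "long", "m": "unsigned long", "x": "long long", "y": "unsigned long long",
    "f": "float", "d": "double", "z": "...",
}


class _Parser:
    def __init__(self, text: str):
        self.s, self.pos = text, 0

    def peek(self) -> str:
        return self.s[self.pos] if self.pos < len(self.s) else ""

    def take(self) -> str:
        ch = self.peek()
        self.pos += 1
        return ch

    def source_name(self) -> str:
        """<length><identifier>, e.g. 7_JNIEnv -> _JNIEnv."""
        start = self.pos
        while self.peek().isdigit():
            self.pos += 1
        if start == self.pos:
            raise ValueError(f"expected length prefix at offset {self.pos}: {self.s[self.pos:]!r}")
        length = int(self.s[start:self.pos])
        ident = self.s[self.pos:self.pos + length]
        if len(ident) != length:
            raise ValueError("identifier shorter than its length prefix")
        self.pos += length
        return ident

    def name(self) -> str:
        """Either a nested name N<part>...E joined with ::, or a single source name."""
        if self.peek() != "N":
            return self.source_name()
        self.take()
        parts = []
        while self.peek() != "E":
            if not self.peek():
                raise ValueError("unterminated nested name")
            parts.append(self.source_name())
        self.take()
        return "::".join(parts)

    def type_(self) -> str:
        ch = self.peek()
        if ch == "P":
            self.take()
            return self.type_() + "*"
        if ch == "R":
            self.take()
            return self.type_() + "&"
        if ch == "K":
            self.take()
            return self.type_() + " const"
        if ch in BUILTIN:
            self.take()
            return BUILTIN[ch]
        if ch.isdigit() or ch == "N":
            return self.name()
        raise ValueError(f"unsupported mangling at offset {self.pos}: {self.s[self.pos:]!r}")


def demangle(symbol: str) -> str:
    """Return the C++ signature for a mangled symbol; non-_Z names (plain C) pass through."""
    if not symbol.startswith("_Z"):
        return symbol
    parser = _Parser(symbol[2:])
    name = parser.name()
    params = []
    while parser.peek():
        params.append(parser.type_())
    if params == ["void"]:       # f(void) is mangled as "v" and printed as f()
        params = []
    return f"{name}({', '.join(params)})"


if __name__ == "__main__":
    print(demangle("_ZN7_JNIEnv13CallIntMethodEP8_jobjectP10_jmethodIDz"))
```

The output for the page's symbol matches what c++filt prints. A symbol table full of `_ZN7_JNIEnv...` names is exactly the fingerprint of C++ code compiled against jni.h, since each `env->Foo(...)` call instantiates the corresponding inline member of `_JNIEnv`.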
The native Realtalk library contains several functions related to retrieving phone information as well. Sadly, the underlying C code is close to unreadable, so these functions will need further investigation.
Still, the C code contains an interesting array of strings. This array first contains the Android package IDs of several security apps, like com.cleanmaster.mguard, com.antivirus or com.avira.android. After that, there are other well-known apps like com.ubercab, com.alibaba.aliexpresshd, com.whatsapp or com.instagram.android, and finally some Russian banking apps like ru.alfabank.mobile.android, ru.rosbank.android or ru.sberbankmobile. At the very end of this array, there are three plainly suspicious links: http://backfround2.pw/2445d304/, http://web-gumtree.com/2445d304/ and http://background1.xyz/2445d304/. These entries do not fit the format of the rest, so it seems the URLs were added later and specifically for this application.
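You do not need a decompiler to find an array like this; it survives in the library's string table. The script below is an added example (not code from this repository) that does what `strings` does and then sorts the results into the categories the array above mixes together: security apps, Russian banking apps, other package names, URLs and noise. The binary it scans is constructed here from entries taken from the list above; the extra antivirus package names in `SECURITY_APPS` are an assumed extension of the page's list, not something found in the sample.

```python
"""Pull the printable strings out of a native library and sort them into the kinds of
entries found in the Realtalk array: security apps, Russian banking apps, other
package names and URLs. Works like `strings`, but the classification is what makes
an app list inside a .so stand out during triage."""
import re
import string

PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

# Package IDs named on this page plus a few further well-known Android AV products
# (assumed additions, not taken from the sample).
SECURITY_APPS = {
    "com.cleanmaster.mguard", "com.antivirus", "com.avira.android",
    "com.avast.android.mobilesecurity", "com.kms.free", "com.eset.ems2.gp", "com.drweb",
}
RU_BANKING_APPS = {"ru.alfabank.mobile.android", "ru.rosbank.android", "ru.sberbankmobile"}

URL_RE = re.compile(r"^https?://\S+$")
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return runs of at least min_len printable ASCII bytes, as `strings` would."""
    found, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def classify(strs: list) -> dict:
    """Bucket extracted strings; anything that is neither a URL nor a package name is noise."""
    buckets = {"urls": [], "security_apps": [], "ru_banking_apps": [], "other_packages": [], "noise": []}
    for s in strs:
        if URL_RE.match(s):
            buckets["urls"].append(s)
        elif s in SECURITY_APPS:
            buckets["security_apps"].append(s)
        elif s in RU_BANKING_APPS or (s.startswith("ru.") and "bank" in s):
            buckets["ru_banking_apps"].append(s)
        elif PACKAGE_RE.match(s):
            buckets["other_packages"].append(s)
        else:
            buckets["noise"].append(s)
    return buckets


# Constructed stand-in for a .so: ELF magic, section names, a compiler tag and the
# kind of string table the page describes (entries taken from the list above).
SAMPLE_SO = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b".text", b".rodata", b"GCC: (GNU) 4.9", b"com.cleanmaster.mguard", b"com.antivirus",
    b"com.avira.android", b"com.ubercab", b"com.whatsapp", b"ru.alfabank.mobile.android",
    b"ru.sberbankmobile", b"http://backfround2.pw/2445d304/", b"http://web-gumtree.com/2445d304/",
]) + b"\x00"


def triage_native_strings(blob: bytes) -> dict:
    """Extract and classify in one step; pass the raw bytes of a .so file."""
    return classify(extract_strings(blob))


if __name__ == "__main__":
    for bucket, entries in triage_native_strings(SAMPLE_SO).items():
        print(f"{bucket}: {entries}")
```

Feed it `open("lib/armeabi-v7a/libfoo.so", "rb").read()` from the Apktool output directory. A library that embeds package names of antivirus and banking apps next to C2-looking URLs is worth prioritising; combined with the "list installed applications" capability the framework exposes, such a list is typically used to check which of those apps are present on the victim's phone, although the page has not yet confirmed how this sample uses it.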
- Like most Android applications, this one starts at a launcher activity, com.gumsis.MainActivity. It first gets the default SMS package using Telephony.Sms.getDefaultSmsPackage() and registers this information via Realtalk.
- Next, the so-called command service is started. Apparently, it first generates an ID that is unique for each device, registers it with Realtalk and eventually starts the CmndSrs service. This service may process responses and/or commands from the main server, as a lot of parse* functions exist in its source file.
- The main activity also starts the activity com.gumsis.wb.WbActivity, where wb seems to be short for web browser. This activity just initializes a WebView with the given URL, to which "?ID=" + Realtalk.getPsuedoID(this) has been appended. Thus, the website shown in the app is directly tied to the user's phone. This is probably why it only accepts one specific phone number: by then the server knows the link between the pseudo ID and the user's phone number.
- (...)
I'm not sure about the rest right now, as I haven't fully investigated the app's network communication yet.
The code in this repository is malicious. Execute it at your own risk and only in a safe environment (such as an isolated virtual machine or emulator with no link to your identity).