Deblind Analyzed: Lookout Identifies and Dissects Android App Used by Russian Sandworm APT's Infamous Chisel Spyware Tooling

Summary:

• Lookout identified and analyzed an Android application sample of Deblind — a component of the Infamous Chisel Android surveillance tooling.
• Once a device is infected, the app monitors and takes detailed logs of user activity and configures it to enable future access.
• Infamous Chisel has reportedly been deployed against the Ukrainian military and attributed to Sandworm, a Russian state-sponsored APT group.
• Sandworm APT has close ties to Russia’s military intelligence organizations and is known to conduct a wide range of cyber attacks around the world, including attacks on power grids, interfering in elections, and deploying ransomware that impacted thousands of private enterprises.
• Lookout customers are protected from Infamous Chisel.‍
• Contact us if you have been targeted or would like to consult with our research team on mobile threats.

What is Infamous Chisel?

Infamous Chisel is a collection of surveillance tooling used to target Android devices. It was first reported by the Ukrainian Security Service (SBU) in early August 2023 and attributed to Russia’s Sandworm APT. According to the SBU, the main purpose of this toolset was to collect information from Android devices likely connected to Ukrainian military information systems during the Russia-Ukraine war. The U.K.’s National Cyber Security Centre (NCSC) and its international partners in Canada, Australia, and the U.S. subsequently published their own joint report in late August 2023.

One component of the tool that SBU found was a spyware Android app that they named “Deblind.” The app was designed to monitor user actions by abusing accessibility services and logging interesting accessibility events as encrypted JSON objects stored on the device.

Lookout Threat Lab researchers found a sample of Deblind, which we label internally as “InfamousChiselSurv” and have conducted in-depth analysis that has not previously been revealed publicly. The malicious app identified in this report were not found on Google Play.

‍

Who is Sandworm APT?

Sandworm is a state-sponsored cyber espionage group tied to the Russian Ministry of Defense’s Main Intelligence Directorate (GRU), Main Center for Special Technologies (GTsST). This APT threat group is known for conducting a wide range of cyber attacks around the world, with the bulk of Sandworm’s activity targeting traditional desktop environments. Infamous Chisel is a rare instance of Sandworm targeting mobile devices for military espionage purposes.

In 2022, shortly before the Russian invasion of Ukraine, Sandworm conducted a series of data wiper attacks against Ukraine. Sandworm APT have also been reported to have targeted the Ukrainian electrical grid in 2016, the 2017 French presidential election, and the 2018 Winter Olympic Games in South Korea, which included a mobile component.

The group is most known for its NotPetya ransomware attack in 2017 that ended up compromising over 2,300 organizations around the world, including enterprises in finance, transportation, energy, commercial facilities, and healthcare, and costing over $10 billion dollars in damages. 

In 2020, a U.S federal grand jury indicted six Russian GRU officers and charged them with deployment of these malware and other cyber attacks.

Notable capabilities of Infamous Chisel Android application

Deblind is a minimalistic but effective surveillance tool deployed as a system-level component of Infamous Chisel. It collects information from compromised Android devices by abusing accessibility services to capture user activity and leverages root access gained by other components of the Infamous Chisel toolset to execute privileged commands to enable Android debug bridge (ADB) access over the network, most likely designed to enable future access to the compromised device. Deblind stages user activity logs to the device, but relies on other Infamous Chisel components to exfiltrate these logs. 

Unlike most Android surveillanceware, Deblind is installed and runs as a system app, which grants it much higher privileges than user-level apps and allows far broader access to information on the victim device without the need for extensive security permissions usually required of user-level apps. 

Privileged-level data access

The Deblind Android app sample has the package name “com.android.system.update" and is meant to be installed as a system app based on use of a shared user ID value of “android.uid.system”, which is stored in the app’s manifest.

This sample was targeted for Android API level 26 (version 8.0 “Oreo”) and required Android API level 19 (Android 4.4 “KitKat”) at minimum to install. However, it can also run in a more limited way on higher versions up to API level 28 (version 9). As a system app, Sandworm’s tools most likely will attempt to place the APK in the /system/priv-app path after gaining root access.

Permission requests 

As opposed to most surveillanceware apps, which are all-in-one tools that handle both collection and exfiltration, the Deblind sample analyzed by Lookout Researchers is almost minimalist in comparison. This is possible since Infamous Chisel comprises multiple components with different purposes. Similarly, the Deblind app only requires a sparse set of permissions compared to the extensive list typically found in single-app-based surveillanceware:

• WRITE_EXTERNAL_STORAGE
• RECEIVE_BOOT_COMPLETED
• FOREGROUND_SERVICE
• BIND_ACCESSIBILITY_SERVICE

The APK does not handle exfiltration of collected data, instead most likely relying on an external modified DropBear tool (ssh server) as well as a malicious “netd” that are part of the Infamous Chisel package. 

Monitoring capabilities

The functionality of Deblind includes monitoring device activity via accessibility services, logging accessibility events as JSON objects in local storage, and altering the following configuration items:

• Enabling developer features on the device if not already enabled
• Enabling ADB (Android debug bridge) on the device if not already enabled
• Enabling accessibility services
• Disabling a security warning about active ADB and development mode in a third-party app.

‍

Technical analysis of the Infamous Chisel Android application

User activity collection

User activity is collected via tracking accessibility events. The following three events are monitored:

• TYPE_VIEW_FOCUSED (T_V_F), which occurs whenever a GUI element is selected
• TYPE_VIEW_CLICKED (T_V_C), which occurs when a button or other element is clicked on
• TYPE_VIEW_TEXT_CHANGED (T_V_T_C), which occurs whenever text is edited.

The text of the event is collected and stored in a JSON object via a “log()” function that writes the date, event, and event text (as a “message”) to an encrypted JSON object stored locally in a cache directory at “/Android/data/com.android.system/cache/”.

The actor can control whether data collection is enabled or not via a “getT()” and "setT()" function in the SHP class, which is used to enable or disable user activity. A custom SYSTEM_UPDATE intent action is triggered by the actor to control collection.

Deblind in action

As part of our analysis, we were able to capture user activity logs by running the Deblind sample in Android emulators running API level 22 or below without Google APIs. 

Enabling ADB and Developer Options

The Deblind sample appears to be designed around the Sandworm actors’ expectation that the victim device is already rooted from the InfamousChisel toolset’s modified “netd”, which gains root access via replacing the legitimate “netd”. The Deblind app runs hard-coded commands by using the “su'' binary. These hard-coded commands are AES encrypted and base64 encoded using an AES key generated by concatenating the class and method names of the calling function with a hardcoded string, and hashing the resulting value with the MD5 algorithm. 

These commands were run by classes that run on boot as well as from the MainActivity class and serve to ensure the above configuration items are enabled. The same onAccessibilityEvent() method in class AS, described above, monitors for an accessibility event for a button click (TYPE_VIEW_CLICKED) that starts with the string “[OpenVPN “. If such an event occurs, the AS class checks if ADB is enabled on the device and enables it if it is not already enabled with the following commands:

su -c settings get global adb_enabled

su -c settings put global adb_enabled 1

Next, the AS class checks for whether the developer options are enabled on the device, and enables them if not, with the commands:

su -c settings get global development_settings_enabled

su -c settings put global development_settings_enabled 1

A count value is also incremented, which is stored in shared preferences for Deblind. The count seems to be used for tracking the number of times an OpenVPN button click has occurred.

Enabling of ADB on infected devices is consistent with the Sandworm attack chain detailed in the SBU report. SBU reporting indicated that part of the Sandworm attack chain included scanning for devices running ADB by looking for devices with an open port 5555. However, by default ADB works over USB and ADB over TCP needs to be enabled explicitly. The Deblind app doesn’t handle enabling ADB over TCP which might indicate that there is another tool that handles enabling of ADB over TCP or Sandworm expects this setting to be already enabled. Such devices can be accessed with ADB as long as the desktop machine connecting to the Android device over ADB is in the same network as the Android device.

Suppressing Security Warnings

Finally, a series of commands are executed to disable a prompt in third party apps. Normally, the prompt would lead the user to disable ADB via the Android Settings menu if the targeted application detects that ADB is enabled. Deblind disables this prompt by modifying configuration files for the military app.

A class called FS, which is launched on boot, carries out similar commands to enable ADB and developer options, providing some redundancy for the functionality in the AS class, which fires on an accessibility event. FS is also an “exported” class, which means it can be started from an external process. 

A foreground service handled by the class S is started either from the default-launcher MainActivity class, or can fire on an accessibility event. The service again checks for whether ADB is enabled and enables it if needed, using the same commands as above. It also enables accessibility services via the commands:

su -c settings put secure enabled_accessibility_services com.android.system.update/.AS

su -c settings put secure accessibility_enabled 1

Sandworm APT’s activities doesn’t just concern the Russian-Ukraine War

Lookout’s analysis of the Deblind Android app component of Sandworm’s Infamous Chisel tooling revealed a relatively simple, but powerful, system-level surveillance tool that closely monitors victim user activity and enables future access to the victim device. Deblind’s surveillance and access enablement features support, and rely on, other components of Infamous Chisel in targeting and conducting espionage against Ukrainian military targets.

While Infamous Chisel is part of Sandworm APT’s targeted efforts to support Russian wartime operations in Ukraine, the Sandworm APT group has historically carried out destructive and espionage campaigns against a wide range of victims, including critical infrastructure, election events, and large enterprises. Sandworm’s operations typically align with Russian state interests and Infamous Chisel, including the Deblind component, are a continuation of that strategic pattern of activity. 

Lookout customers are protected from the Infamous Chisel threat. Contact us if you have been targeted or would like to consult with our research team on mobile threats.