Control commands up to 20 kinds: Remote Control Trojan DENDOROID.B Analysis report (Turn)

Control commands up to 20 kinds: Remote Control Trojan DENDOROID.B Analysis reportIt Community referral information-itindex.netAPR

Recently, the  team intercepted a powerful professional spy software, it can be remotely controlled by the PC to recruit users of mobile phones, control commands up to more than 20 kinds of, to steal the user's phone address book, text messages, photos and other important privacy data. This remote control Trojan is very similar to last year's famous android.dendoroid Trojan family means, so we named it android.dendoroid.b.

First, Trojan Horse Android controlled end malicious behavior Analysis

1. Release the file, hide the icon, start the malicious service

ANDROID.DENDOROID.B will release the TESTV7 or TESTV5 file under its assets directory to the/data/data/{packagename directory under the system version after startup, and rename it to test; Release the SU backdoor file ssu into the/system/bin directory. Hide your own icon and run the test file:

Test is an elf file, and the main function is to start the malicious service Workserver by means of a command line:

2. Frequent end of security software processes

We found that the trojan in all the important malicious behavior node frequently end the domestic mainstream security software process, destroy the normal operation of security software, Trojan self-protection to the user mobile phone brings greater security risks:

The ability to end the following security software:

3. Automatic recording during the call

By monitoring the phone status change, to achieve the call recording, whenever the mobile phone calls, the Trojan will automatically turn on the recording function, and save the recording file:

4. Remote control by means of Internet access instructions

By sending different instructions to the mobile phone in order to achieve the corresponding behavior control. The command name, function, and response to the PC are shown in the following table:

5. Other features not implemented in the temporary

Trojan controlled side In addition to these features, we also found in the code to decrypt the chat record part of the code, as well as the remote control by SMS instructions code, but the part of the code is not called:

second, the FTP server Analysis

From the above instruction list, you can find that most of the private data is uploaded to the virus author's FTP server, the address is 121.199.2*.***, username and password is root, log in, FTP file list is as follows:

In the server we found and combed the following several important files, some of which are already from the monitored phone in the actual transmission of user privacy:

Where Bf.zip is a project named "Simpleserver" Java code, we analyze the project code to find its main function is to resolve the PC console and the phone APK host between the control end of the communication, relationship

Code to parse the instructions sent by the Android controlled side:

The code that resolves the command sent by the host terminal of the PC:

Another file "Muma.rar" with "trojan" Pinyin naming has to attract our attention, We found that there are a lot of. php files and found the following image, which can be seen in the last year we broadcast the source of the android.dendoroid, which is also our name of the Trojan android.dendoroid.b another reason.

Third, Trojan PC main control End analysis

The PE file on FTP MySocketServer.exe is the main control side of Trojan android.dendoroid.b, which is used to send remote control instructions and receive the private information returned by the controlled side.

We clicked the contact button in the actual verification and quickly returned to the contact list in the mobile user's phone:

In addition, we also found a URL http://www.yunkong8.com/on the software, the site is a professional monitoring software sales of the website, the software features page describes the use of mobile phones or other computers to browse the Web to remote control the designated PC client, The Web site does not mention that it can be remote from the PC end of the mobile phone, we suspect that this may be an undisclosed software features or custom versions.

Iv. Infection of users

V. about the virus author

From the managed side sample code found, we also found in a non-invoked mail class, a QQ mailbox: 84777**** @qq. com, the class without any calls, through the full-size sample of large data back, found that the QQ mailbox has been used in a number of malicious samples, These samples have the same mail class and can be called normally. Therefore, it can be concluded that the Trojan has evolved in the past, the history of the use of mail to steal user privacy, and has now become the use of FTP to steal back privacy, the content of the return more rich, more subtle way

For this QQ number we carried out a search, found to be from the Sichuan Luzhou nickname "Old A" programmer.

Through further tracking, the specific information of "old A" is located:

Yang * * (Common nickname: LZYYF, Old a)

Level 2010 Luzhou Two medium

From September 2013 to September 2017, the University of Ulsan, Korea

Ever used another QQ number: 139*******, and had spread like a trojan in several forums in early 2014

In his microblog also published several times Trojan information:

Through the background cloud search information and other big data analysis, we found that there are other people also related to Trojans, speculation may be to buy horse people.

Mobile phone serial number location

35291106045****, Harbin, Heilongjiang province, northeast China

35713905461**** South China Guangdong province Shenzhen City

35260505594**** Nanchang, east China Jiangxi Province

Vi. Summary

From the android.dendoroid.b Trojan family can be seen, this camouflage into the system application of the remote control class privacy theft Trojan family, not relying on the third party market spread but through the site sales or underground black production transactions, and then the illegal personnel implanted into the designated monitoring object, it has a single point of transmission, infection of specific objects, latent time long, resulting in a single Point loss of large and other characteristics. Users are advised to improve their personal privacy awareness while installing security software to periodically scan for software security.

We will continue to pay close attention to the development of such Trojan families and provide security protection solutions.

* Reference source "Androwa Control Trojan black industry chain gradually struggling, beware of mobile phone change" broiler ", reproduced please indicate from FREEBUF hackers and Geeks (freebuf.com)

Control commands up to 20 kinds: Remote Control Trojan DENDOROID.B Analysis report (Turn)