Elder Trojan, Next Generation: FakeDebuggerd.B Analysis Report


Authors: Dong Qing, Wang Huan, Shi Haoran


Three months ago we found a Trojan that had been lurking on mobile phones for years: the Elder Trojan (FakeDebuggerd). It gains persistence by replacing the system file /system/bin/debuggerd, so that it is started automatically with root privileges; this allows the Trojan author to remotely control the phone, tamper with the browser homepage, push software promotions and carry out other malicious behavior. For details, refer to our previous analysis report [1].

Recently we intercepted the latest FakeDebuggerd variant, FakeDebuggerd.B. It is similar to the previous one: it also replaces the system file /system/bin/debuggerd and obtains root permission when the system starts. In addition, FakeDebuggerd.B decrypts the chat records of WeChat, QQ and Skype and sends them to the Trojan author; it also steals the user's Wi-Fi passwords, passwords saved in the browser, and the passwords (hash values) of the synchronization accounts stored in the system, such as the Google account. FakeDebuggerd.B further steals text messages, call records, browser history, calendar entries, geographic location, base station information, the list of installed programs, the device model and the IP address from the phone.

FakeDebuggerd.B is generally disguised as a program named "Android Update" or "System Update" and is spread through third-party markets that tempt users into installing it. If a user finds a similar program on their phone, we recommend scanning the phone with the latest Elder Trojan removal tool [2].

I. FakeDebuggerd.B behavior overview

After FakeDebuggerd.B infects a phone it keeps running silently in the background, stealing the user's private data. It even hides its own icon so that the user has difficulty noticing it, and the Trojan survives both a reboot and a factory reset of the phone. The code flow of FakeDebuggerd.B is as follows:

1. Check whether it is running as a system application (installed under /system/app). If not, the phone is considered not yet infected and the infection process is run. It mainly consists of the following parts:
   - Copy the virus APK and the .so files it uses into the bin or lib directories of the system partition. The virus APK is also backed up, so that once the virus APK is uninstalled the backup is reinstalled into the system.
   - Back up the phone's original /system/bin/debuggerd as /system/bin/bebugger, then overwrite the system's /system/bin/debuggerd with the virus file carried in the APK package.
   - Forcibly terminate the debuggerd process. The init process automatically restarts debuggerd, so the virus file runs in its place.
2. The virus debuggerd silently uninstalls the normally installed virus program and then starts the virus APK that was copied to the system partition. The virus thereby becomes a system program and cannot be deleted by conventional means.
3. The virus debuggerd runs /system/bin/bebugger (the system's original debuggerd) in a thread to preserve the original debuggerd functionality, and every 30 seconds checks whether the virus APK process exists. If it does not, it reinstalls and starts the virus APK as in step 2.
4. The virus debuggerd creates a thread that runs a socket server listening on local port 57274, and another thread that processes the commands received by that server. The socket server accepts at least four commands:
   - obtain the chat record database of mobile QQ (interception and decryption of the records is implemented in the APK);
   - calculate the encryption key and decrypt the WeChat database (interception of the records is implemented in the APK);
   - obtain the database of mobile Skype (interception of the records is implemented in the APK);
   - obtain the database of the Android synchronization accounts, the file in which Wi-Fi passwords are saved, and the browser's saved-password database (interception of the passwords is implemented in the APK).
   The virus debuggerd also constantly monitors whether the key .so files used by the virus exist and drops them again if they are missing.
5. Hide the virus APK's icon in the application list.
6. Start the service registered in the manifest; this service is the main body of the virus APK's malicious behavior. The virus APK also registers multiple broadcast receivers that start this service, and registers a timer that starts the service every five seconds to prevent it from being killed.
7. In the virus APK's service, FakeDebuggerd.B implements SMS-based remote control. It monitors the messages in the inbox; once a command is received it calls the corresponding handler. Some commands return results, for example the stolen WeChat and QQ chat records can be sent back by SMS, by email or via FTP.
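The infection and persistence steps above leave host-level traces that an incident responder can check for: a second copy of debuggerd under an unexpected name in /system/bin, a debuggerd binary whose hash no longer matches the firmware's, and a TCP listener on local port 57274. The following triage script is an added example written for this page; it is not 360's removal tool. It takes text already pulled from a device (a /proc/net/tcp dump and an `ls -l /system/bin` listing) plus the bytes of /system/bin/debuggerd. The sample inputs are constructed, and the "known-good" hash is a placeholder that an analyst would replace with the hash from a clean firmware image.

```python
"""Host-based triage for the FakeDebuggerd.B persistence indicators.

Added example, not part of the original report. Inputs are text captured
from a device; all samples below are constructed for illustration.
"""
import hashlib

# Indicators taken from the report.
C2_LOCAL_PORT = 57274                  # socket server bound by the malicious debuggerd
BACKUP_OF_REAL_DEBUGGERD = "bebugger"  # name under which the real debuggerd is backed up
TCP_LISTEN = "0A"                      # /proc/net/tcp state code for LISTEN

# PLACEHOLDER: in practice use the sha256 of debuggerd from a clean firmware image.
KNOWN_GOOD_SHA256 = hashlib.sha256(b"CLEAN_DEBUGGERD_PLACEHOLDER").hexdigest()

# Constructed /proc/net/tcp dump: one listener on 127.0.0.1:57274 (0xDFBA) and one on port 22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:DFBA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
"""

# Constructed `ls -l /system/bin` excerpt showing the backup of the real debuggerd.
SAMPLE_BIN_LISTING = """\
-rwxr-xr-x root     shell       51244 2014-01-01 00:00 bebugger
-rwxr-xr-x root     shell       73812 2014-01-01 00:00 debuggerd
-rwxr-xr-x root     shell      128340 2014-01-01 00:00 sh
"""

# Constructed stand-in for the bytes of a replaced /system/bin/debuggerd.
SAMPLE_DEBUGGERD = b"NOT_THE_CLEAN_BINARY"


def listening_ports(proc_net_tcp):
    """Return the set of TCP ports in LISTEN state from a /proc/net/tcp dump."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            # local_addr is "HEXIP:HEXPORT"; the port is the hex field after the colon
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def triage(proc_net_tcp, bin_listing, debuggerd_bytes, known_good_sha256):
    """Map each indicator from the report to whether it is present in the artifacts."""
    names = {line.split()[-1] for line in bin_listing.splitlines() if line.strip()}
    actual_hash = hashlib.sha256(debuggerd_bytes).hexdigest()
    return {
        "c2_listener_57274": C2_LOCAL_PORT in listening_ports(proc_net_tcp),
        "backup_debuggerd_present": BACKUP_OF_REAL_DEBUGGERD in names,
        "debuggerd_hash_mismatch": actual_hash != known_good_sha256,
    }


if __name__ == "__main__":
    for indicator, hit in triage(SAMPLE_PROC_NET_TCP, SAMPLE_BIN_LISTING,
                                 SAMPLE_DEBUGGERD, KNOWN_GOOD_SHA256).items():
        print(f"{indicator:28s} {'FOUND' if hit else 'clean'}")
```

On a real device the three inputs would come from `adb shell cat /proc/net/tcp`, `adb shell ls -l /system/bin` and `adb pull /system/bin/debuggerd`; any single hit is worth a closer look, but the hash mismatch is the decisive one, since the report's persistence mechanism depends on replacing that binary.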

FakeDebuggerd.B supports 31 remote control commands. Some of them perform the same function and differ only in whether the result is returned to the virus author by SMS or by email. Some functions are not in the supported command list, but the code implementing them already exists in the Trojan.


The commands supported by FakeDebuggerd.B are as follows:

- steal a specified number of text messages from the inbox
- steal a specified number of call records
- steal a specified number of address book entries
- steal the GPS location (using the Baidu Maps SDK)
- steal the browser history
- open/close Wi-Fi
- open/close the mobile data network
- steal base station information
- update the recipient information (phone number and email address that receive the results)
- steal the list of files on the SD card
- update: automatically download and install a file
- upload a specified file to an FTP server (address, port, user name, password and file name are given in the command)
- send a specified text message to a specified person
- update the configuration and list used to restrict the numbers the user may call
- steal hardware and system information, for example IMEI, IP address and disk space
- steal information about the processes running on the phone
- steal calendar information
- steal the list of software installed on the phone
- eavesdrop: record audio from the surroundings using the open-source avcodec library linked into a .so
- steal QQ chat records
- steal Skype chat records
- steal the passwords saved in the browser, the Wi-Fi passwords, and the user name and password hash of the system synchronization account (if present)
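The capability set above maps almost one-to-one onto Android permissions and manifest components, which is what makes a fake "System Update" app stand out on static inspection: an update utility has no business holding SMS, call-log, microphone and location permissions while also registering a boot receiver and a background service. The script below is an added example for this page, not code from the report; it parses an AndroidManifest.xml (as produced by apktool or aapt) and lists which of the report's capabilities the declared permissions would enable. The manifest it runs on is constructed and the package name is a placeholder; the permission and action names are the real Android constants.

```python
"""Static manifest triage against the FakeDebuggerd.B capability set.

Added example, not part of the original report. Parses an AndroidManifest.xml
and reports which report capabilities the declared permissions would enable.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified name for an android:<name> attribute as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{name}"


# Real Android permission names, each mapped to the report capability it enables.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_SMS": "read inbox (SMS command channel, steal SMS)",
    "android.permission.RECEIVE_SMS": "receive SMS commands",
    "android.permission.SEND_SMS": "send results or SMS to a specified person",
    "android.permission.READ_CALL_LOG": "steal call records",
    "android.permission.READ_CONTACTS": "steal address book",
    "android.permission.ACCESS_FINE_LOCATION": "steal GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "steal base station information",
    "android.permission.READ_CALENDAR": "steal calendar information",
    "android.permission.RECORD_AUDIO": "eavesdrop on surroundings",
    "android.permission.CHANGE_WIFI_STATE": "open/close Wi-Fi",
    "android.permission.CHANGE_NETWORK_STATE": "open/close mobile network",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.READ_PHONE_STATE": "steal IMEI and device information",
    "android.permission.INTERNET": "exfiltrate via email or FTP",
}
# Labels the report says the Trojan disguises itself with.
SUSPICIOUS_LABELS = {"system update", "android update"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest resembling the fake update app; package name is a placeholder.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.update">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <service android:name=".MainService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Summarise the report-relevant capabilities an app's manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    caps = sorted(CAPABILITY_PERMISSIONS[p] for p in perms if p in CAPABILITY_PERMISSIONS)
    app = root.find("application")
    label = (app.get(android_attr("label")) or "").strip().lower() if app is not None else ""
    suspicious_label = label in SUSPICIOUS_LABELS
    boot_receiver = any(act.get(android_attr("name")) == BOOT_ACTION
                        for act in root.iter("action"))
    background_service = app is not None and app.find("service") is not None
    # Simple additive score: one point per capability, two for the disguise label,
    # one each for the two persistence components the report describes.
    score = len(caps) + 2 * suspicious_label + boot_receiver + background_service
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "suspicious_label": suspicious_label,
        "boot_receiver": boot_receiver,
        "background_service": background_service,
        "score": score,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "score", result["score"])
    for cap in result["capabilities"]:
        print("  can:", cap)
```

The score is a triage aid rather than a verdict: a legitimate messaging app will also hold SMS permissions, so the interesting signal is the combination of a generic "update" label with capabilities an updater never needs.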

II. Characteristic analysis of FakeDebuggerd.B

A distinctive feature of FakeDebuggerd.B is that it steals the chat records of popular IM tools. Currently it supports three: WeChat, mobile QQ and mobile Skype. Of these, mobile Skype stores its chat records in plain text in its database files, while the WeChat and mobile QQ databases are encrypted; although the two encryption methods differ, both are easy to decrypt.

WeChat chat records are stored in an encrypted SQLite database. The encryption is done with the open-source tool SQLCipher, and the key is computed from device information and user information. Both the old version (4.x) and the latest version (5.3) use the same method, and the Trojan uses this method to decrypt the database and steal the user's chat records.


Another popular IM tool is mobile QQ. Its chat records are protected with a custom symmetric encryption algorithm whose key is a value computed from device information. Older mobile QQ versions such as QQ2012 (v3.x) and newer versions such as QQ2013 and the latest v4.7 use slightly different variants of the algorithm. FakeDebuggerd.B has adapted to this and supports all popular mobile QQ versions, stealing both the user's personal chat records and QQ group chat records.


FakeDebuggerd.B can also steal the Wi-Fi passwords stored in the system and the passwords saved in the browser. Because of a design defect in the Android system, these passwords are kept in plain-text files or data files on the system, so once the Trojan has root permission it can simply read them. It is worth mentioning that in the latest Android versions the default browser has been replaced by Chrome, and FakeDebuggerd.B cannot steal the passwords stored in Chrome. However, both the PC version and the mobile version of Chrome store passwords in plain text, so it is easy for attackers to steal them.


III. Solution

We have released a dedicated removal tool:

http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/FakedbgKiller.apk

This dedicated tool completely removes the Elder Trojan FakeDebuggerd. We recommend that users download mobile apps only from regular channels, such as the Google Play store and 360 Mobile Assistant. If you encounter a virus or other abnormal behavior, please report it to us promptly.

IV. Conclusion

For various reasons, mobile phones are not very secure. Key system information, such as the Wi-Fi passwords, the passwords saved in the browser and the web browsing history, is all stored on the system in plain text; and although the chat records of mobile QQ and other applications are encrypted, the encryption algorithms are very simple and were published on the Internet long ago. Once a phone is infected with a mobile Trojan, this private information is easily stolen. We therefore strongly recommend that you do not send sensitive information such as bank card numbers and passwords through mobile QQ, that you download software only from regular channels, and that you install 360 Mobile Safe and 360 Mobile Anti-Virus to provide comprehensive protection for your phone.

V. References

1. FakeDebuggerd Android rootkit analysis report, by Shen Di

http://blogs.360.cn/360mobile/2014/03/06/fakedebuggerd-android-rootkit/

2. Elder Trojan removal tool

http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/FakedbgKiller.apk
