"Shutdown eavesdropping" virus analysis report

Source: Internet
Author: User

I. Introduction

At the first GeekPwn competition in October this year, researchers from Keen Team demonstrated the complete process of compromising an Android phone while it is in the powered-off state. Recently, Baidu Security Lab found a "shutdown eavesdropping" virus. The virus hooks the system shutdown method to intercept the shutdown request: when the user powers the phone off, it displays a custom black screen so that the phone is left in a "fake shutdown" state, and in the background it steals the user's SMS messages, contacts, call logs, location information and call recordings and uploads them to a server.

Figure 1

II. Malicious behavior


Figure 2 Flowchart



The specific operating flow of the shutdown-eavesdropping virus is as follows:

1. Request root (administrator) permission; once it is granted, copy the following files into system directories:
injector: performs the process injection.
libhook.so: calls the malicious code in ksremote.jar.
libhookjava.so: dynamically loads ksremote.jar.
libshutdown.so: hooks the system shutdown request.
ksremote.jar: hooks key system services and displays the "fake shutdown" interface.


2. Call the injector executable to inject libhook.so, libhookjava.so and libshutdown.so into the system_server system service process.


3. In the system_server process, libhookjava.so dynamically loads the malicious sub-package ksremote.jar.


4. In the system_server process, libshutdown.so installs the shutdown hook.


5. In the system_server process, libhook.so calls the method RsdServerImpl.hkShutdownMethod() in ksremote.jar to complete the system service hook.
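A defender-side check derived from the injection flow above, added here as an example and not part of the original report: it parses a /proc/<pid>/maps listing for system_server (a constructed sample is embedded) and flags file-backed code mappings whose file names match the artifacts listed in the report, that are mapped from outside trusted system directories (the TRUSTED_DIRS list is an assumption), or that are absent from a baseline captured on a clean device. The baseline comparison matters because the report says the payload is copied into system directories, so a path check alone would miss it.

```python
import re
from typing import Dict, Optional, Set

# File names the report attributes to this family (matched case-insensitively).
REPORTED_ARTIFACTS = {"injector", "libhook.so", "libhookjava.so", "libshutdown.so", "ksremote.jar"}
# Directories from which a stock system_server legitimately maps code (assumption).
TRUSTED_DIRS = ("/system/lib/", "/system/lib64/", "/system/framework/", "/vendor/lib/", "/apex/")
# /proc/<pid>/maps fields: addr perms offset dev inode [path]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def suspicious_mappings(maps_text: str, baseline: Optional[Set[str]] = None) -> Dict[str, Set[str]]:
    """Return {path: {reasons}} for file-backed code mappings that look injected.

    baseline: code paths seen in system_server on a known-clean device; when
    given, any code file not in it is reported even if it sits under /system.
    """
    findings: Dict[str, Set[str]] = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group(2).strip()
        if not path or path.startswith("["):
            continue  # anonymous, [heap], [stack], ...
        name = path.rsplit("/", 1)[-1].lower()
        is_code = name.endswith((".so", ".jar", ".dex", ".odex", ".oat"))
        reasons = set()
        if name in REPORTED_ARTIFACTS:
            reasons.add("file name matches an artifact from the report")
        if is_code and not path.startswith(TRUSTED_DIRS):
            reasons.add("code mapped from outside trusted system directories")
        if baseline is not None and is_code and path not in baseline:
            reasons.add("code file absent from clean-device baseline")
        if reasons:
            findings.setdefault(path, set()).update(reasons)
    return findings


# Constructed sample of /proc/<system_server pid>/maps; not captured from a real device.
SAMPLE_MAPS = """\
b6f1a000-b6f2c000 r-xp 00000000 b3:19 1024  /system/lib/libbinder.so
b6f2c000-b6f2e000 r--p 00011000 b3:19 1024  /system/lib/libbinder.so
b6e00000-b6e10000 r--p 00000000 b3:19 2048  /system/framework/framework.jar
b6d00000-b6d05000 r-xp 00000000 b3:19 4096  /system/lib/libhook.so
b6c00000-b6c03000 r-xp 00000000 b3:19 4097  /data/local/tmp/libshutdown.so
b6b00000-b6b02000 r--p 00000000 b3:19 4098  /data/local/tmp/ksremote.jar
beef0000-bef11000 rw-p 00000000 00:00 0     [stack]
"""
CLEAN_BASELINE = {"/system/lib/libbinder.so", "/system/framework/framework.jar"}

if __name__ == "__main__":
    for path, why in suspicious_mappings(SAMPLE_MAPS, CLEAN_BASELINE).items():
        print(path, "->", "; ".join(sorted(why)))
```

On a real device the baseline must come from the same firmware build, since legitimate library sets differ between builds.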


III. Detailed analysis

(1) Process injection: call the injector executable to inject the .so files into the system process

1. Request root permission; once it is granted, copy the malicious files from the raw package into various system directories. After the copy is complete, call injector to inject the .so files into the system process.


Figure 3


2. Run injector to inject libhookjava.so and libhook.so into the system_server process.
libhookjava.so provides the hook_entry_java method; libhook.so provides the hook_entry method and handles external communication. They are mainly used to dynamically load the malicious file ksremote.jar and the class RsdServerImpl, and to execute the related methods.


Figure 4


(2) Malicious behavior of the .so and JAR files: hook the system Binder and replace it with a designated Binder; hook the system shutdown method to produce the "fake shutdown" black-screen state

1. libhookjava.so loads the ksremote.jar sub-package into the system_server process, and DexClassLoader dynamically loads the class com.sd.hk.impl.RsdServerImpl from that sub-package.


Figure 5


2. libhook.so, in the same process, loads the hkShutdownMethod method from ksremote.jar via DexClassLoader; this method hooks the system Binder and replaces it with the specified Binder.

libhook.so loading the hkShutdownMethod method


Figure 6


ksremote.jar hooks the system Binder and completes the replacement


Figure 7 Hook System Binder


3. libshutdown.so hooks the system reboot method and intercepts the shutdown call.


Figure 8


4. libhook.so loads hkShutdownMethod via DexClassLoader, registers a BroadcastReceiver, hooks the PowerManagerService power service to prevent the screen from lighting up, and displays a custom black interface that leaves the phone in a "fake shutdown" state after the user powers it off.


Figure 9 Registering a broadcast receiver


Figure 10 Hook PowerManager power service


Figure 11 Customizing the Black Shutdown Interface


(3) Stealing private data

AndroidClientService starts a timer, registers a broadcast receiver and triggers the malicious method, which steals SMS messages, contacts, call logs, location information, call recordings and other data and uploads the private information to the remote server.


Figure 12
