AVL Mobile Security and Cheetah Mobile jointly uncover suspected "Operation Manul" spyware on Android for the first time

Source: Internet
Author: User
Tags: net domain

Overview

In August last year, a public report presented at the Black Hat conference revealed a large-scale cyber-espionage campaign, dubbed "Operation Manul", against a specific group of targets in one country, and analyzed the surveillance tooling and domain names the group used on the PC side.

By searching our internal sample database for the C2 domains disclosed in that report (used for command and control and for file upload), AVL Mobile Security and Cheetah Mobile identified a number of related malicious samples. The spyware gets onto the target's phone disguised as a well-known overseas application. Once it has obtained the permissions it needs, it begins a series of surveillance activities: taking photos, recording audio, and stealing the user's SMS messages, contacts and location, then uploading the collected data to a remote server.

This is the first time since the report was published that the group behind "Operation Manul" has been observed attacking the Android platform. A detailed analysis of the captured Android spyware follows.

I. Brief analysis

The spyware discovered jointly by AVL Mobile Security and Cheetah Mobile is disguised as well-known overseas applications: the attackers inject malicious code into a legitimate app and use the repackaged app to attack target users. The impersonated applications include the instant messaging app WhatsApp, the Tor-based traffic encryption app Orbot and the proxy and circumvention app Psiphon, among others.

The structure of an application package with the malicious module implanted is as follows:

II. Analysis objects

We found that the malicious modules the attackers implanted in the different well-known applications were almost identical, so one sample was selected for detailed analysis. The analysis object is as follows:

III. Malicious behavior analysis

From the AndroidManifest.xml file it can be seen that, in order to steal SMS messages, call logs, audio recordings and other sensitive user data, the spyware registers a large number of broadcast receivers and requests the related permissions. The relevant attributes of the malicious module are as follows:

Based on the program's run logic, the overall attack flow is broadly divided into three steps:

Step 1: Obtaining sensitive permissions

The malware first asks the user to grant the relevant permissions, such as using the camera, recording audio, obtaining the device's location, accessing call logs and reading SMS messages, in preparation for the subsequent theft of the target's sensitive information.

The malware's PMS and Pmscmd modules then check that the program actually holds the critical permissions. If a permission is missing, the request is issued again, so that the malware ends up with the rights it needs for information theft.
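The permission and receiver profile described above (camera, microphone, SMS, call log, contacts, location, plus a component that starts without user interaction) is something an analyst can check statically before reversing the code. The following script is an added example, not tooling from the article's authors: it parses a decoded AndroidManifest.xml (for instance apktool output) and reports which surveillance permissions and trigger receivers are declared. Both manifests in the block are constructed for illustration and are not the manifest of the analyzed sample; the package, class and threshold values are hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml for the surveillance
permission/receiver profile: camera, microphone, SMS, call log, contacts,
location and a receiver that starts the implant on boot/SMS/call events.

Added example; not tooling from the article. The manifests below are
constructed; package and class names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # attribute key for android:name

# Permissions that are individually legitimate but together give a remote
# operator eyes, ears, SMS, contacts and location.
SPY_PERMISSIONS = {
    "android.permission.CAMERA": "covert photography",
    "android.permission.RECORD_AUDIO": "environment/call recording",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact list theft",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after boot",
}
# Broadcast actions that start a receiver without any user interaction.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.PHONE_STATE",
}

# Constructed manifest of a repackaged app carrying a spyware module.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Messenger">
    <receiver android:name="com.example.repackaged.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.repackaged.SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.repackaged.MainService"/>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader">
    <activity android:name="com.example.reader.MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text, threshold=6):
    """Extract the spyware-relevant facts from a decoded manifest and give a verdict.

    threshold (hypothetical) is the number of SPY_PERMISSIONS that, combined
    with at least one trigger receiver, marks the package as suspicious."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    spy_perms = sorted(p for p in perms if p in SPY_PERMISSIONS)
    triggers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME) for a in rcv.iter("action")}
        hits = sorted(actions & TRIGGER_ACTIONS)
        if hits:
            triggers.append((rcv.get(NAME), hits))
    services = sorted(s.get(NAME) for s in root.iter("service"))
    suspicious = len(spy_perms) >= threshold and bool(triggers)
    return {
        "package": root.get("package"),
        "spy_permissions": spy_perms,
        "capabilities": [SPY_PERMISSIONS[p] for p in spy_perms],
        "trigger_receivers": triggers,
        "services": services,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, manifest in (("repackaged", CONSTRUCTED_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(manifest)
        print(label, r["package"], "suspicious:", r["suspicious"])
        for cap in r["capabilities"]:
            print("    capability:", cap)
        for name, actions in r["trigger_receivers"]:
            print("    trigger receiver:", name, "->", ", ".join(actions))
```

The verdict is deliberately a combination rather than a single permission: a camera app legitimately asks for CAMERA and a dialer for READ_CALL_LOG, but a repackaged messenger that asks for all of them and also registers a boot or SMS receiver fits the profile in this section and deserves a closer look at the receiver and service classes it names.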

Step 2: Executing remote control instructions

The malware's malicious behavior depends almost entirely on instructions sent by the remote server. The malicious module runs immediately after the device boots and receives control instructions from the command-and-control server over HTTPS; it then executes the corresponding malicious behavior, ultimately stealing private information and updating its own code. The process is described in detail below.

Resere is the auto-start component, which starts the Trojan's primary malicious service, Myse:

Myse is the program's most important malicious module; its onCreate starts thread F:

Thread F receives remote commands, parses them and executes the corresponding malicious behavior:

The remote control instructions include a large number of commands for stealing user privacy: SMS messages, contacts, call logs, location, browser data, files on the phone, network information, basic device information, covert photography, audio recording and so on. The collected data is then uploaded to the remote server.

Step 3: Executing the other malicious modules in the code

Rese is the malicious module that records the user's surroundings:

Myphre's main role is monitoring phone calls:

IV. Attribution analysis

Analyzing the code, we find the C&C server used for communication:

Decrypting the above address yields the plaintext C&C address; the decryption key is the 16-byte string bar12345bar12345:

In addition, based on the C&C domain we found the same domain in the report published at last year's Black Hat conference. That report listed the server infrastructure (shown below) used by Operation Manul in a series of PC-side attacks such as phishing, and the list includes the domain adobeair.net. This corroborates, to a degree, the possibility that the Android malware we captured originates from the Operation Manul group described in the original report.

Note: from the report presented at the Black Hat conference
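The overlap above turns the C&C domain into a usable indicator: any DNS lookup of adobeair.net or one of its subdomains from a managed network is worth an alert. The script below is an added example, not part of the article, showing how to apply such a domain IOC to DNS query logs with exact-or-subdomain matching, so that a lookalike such as notadobeair.net does not match while update.adobeair.net does. The log lines are constructed in a BIND-style query-log layout and are not from any real capture; the client addresses and timestamps are hypothetical.

```python
"""Match DNS query logs against domain IOCs with exact/subdomain semantics.

Added example, not part of the article. IOC_DOMAINS holds the C&C domain the
article ties to Operation Manul; SAMPLE_LOG is constructed in a BIND-style
query-log layout and does not come from a real capture."""
import re

IOC_DOMAINS = {"adobeair.net"}

# Constructed sample lines (hypothetical hosts, not real traffic). The second
# line exercises case and trailing-dot normalization, the third a lookalike
# that must NOT match, the fourth a benign lookup.
SAMPLE_LOG = """\
12-Mar-2017 10:15:02.123 client 10.0.0.5#53214 (adobeair.net): query: adobeair.net IN A + (10.0.0.1)
12-Mar-2017 10:15:09.551 client 10.0.0.5#53220 (update.ADOBEAIR.net): query: update.ADOBEAIR.net. IN A + (10.0.0.1)
12-Mar-2017 10:16:40.002 client 10.0.0.7#41002 (notadobeair.net): query: notadobeair.net IN A + (10.0.0.1)
12-Mar-2017 10:17:01.777 client 10.0.0.9#53001 (www.example.org): query: www.example.org IN AAAA + (10.0.0.1)
"""

# Pull the client address, queried name and record type out of a query line.
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<name>\S+) IN (?P<type>\S+)"
)


def normalize(name):
    """Canonical form for comparison: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def ioc_match(name, iocs=IOC_DOMAINS):
    """Return the matching IOC domain when name equals it or is a subdomain of
    it, else None. Suffix matching requires the dot separator so that
    'notadobeair.net' does not match 'adobeair.net'."""
    n = normalize(name)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if n == ioc_n or n.endswith("." + ioc_n):
            return ioc_n
    return None


def scan_log(text, iocs=IOC_DOMAINS):
    """Return (client_ip, queried_name, matched_ioc) for each hit, in log order."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the expected layout
        ioc = ioc_match(m.group("name"), iocs)
        if ioc:
            hits.append((m.group("ip"), normalize(m.group("name")), ioc))
    return hits


if __name__ == "__main__":
    for ip, name, ioc in scan_log(SAMPLE_LOG):
        print("ALERT client %s queried %s (IOC %s)" % (ip, name, ioc))
```

In a real deployment the IOC set would be loaded from the appendix list rather than hard-coded, and a hit should be followed up on the client host rather than only blocked at the resolver, since the implant keeps the stolen data locally until it can reach the server.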

A reverse WHOIS lookup on adobeair.net turned up a suspected developer's email address, [email protected]; the period during which that address held the adobeair.net domain is consistent with the attack timeframe given in the original report.

Further searching found the application developer page for that email user at http://www.androidfreeware.net/developer-3195.html, and the Android apps promoted there were developed by them. We therefore infer that the owner of that mailbox is also a developer with Android programming skills, which to some extent ties in with the attribution of the Android spyware activity described in this article.

V. Summary

In recent years, with the worldwide spread of smartphones and mobile networks, targeted attacks on mobile devices have gradually increased, and a trend toward sophisticated attacks that combine PC and mobile components has emerged. The two sides often cooperate to obtain high-value information tied to a personal identity, and have become an important link in malicious attacks. At the same time, because a mobile device sits at the boundary of the user's life and carries strong social and privacy attributes, a successful attack is likely to trigger an avalanche effect in which the losses keep expanding. This "Operation Manul" attack is not only a suspected case of a combined PC and Android attack, but also a typical targeted attack against a specific population.

Targeted attacks on high-value users are the classic long-tail problem in mobile threat defense. Because of their explicit audience, direct attack intent and the private nature of the data involved, such long-tail security incidents often cause incomparable losses to the targeted victim group. Security vendors therefore need to pay close attention to, and keep improving, their defenses against long-tail threats in order to genuinely protect users' mobile security.

Appendix

IOC (Android):

For more information, see our website: http://www.avlsec.com

When reprinting, please credit the source: http://blog.avlsec.com/?p=4898
