Analysis on the trojan evolution Report of "Dancing moth"

Analysis on the trojan evolution Report of "Dancing moth"
I. Overview

Recently, the 360 mobile security team detected that a cloud Control Trojan was exploding. The trojan family was first captured by February 2015 mobile security teams in 360, and more than 12 thousand samples have been collected. Since the trojan has evolved from multiple versions and multiple malicious files are downloaded for malicious behavior, we name the trojan as a "Moth ".

The moth Trojan is a typical cloud Control Trojan. It downloads malicious code packages online and releases the elevation code locally. It silently applies for the Root permission of the mobile phone and not only writes malicious files to the system, it also injects system processes to achieve privacy theft, download without permission, silently install other applications, frequently play advertisements, and subscribe to fee deduction services without permission, this vulnerability may cause privacy leaks and economic losses to users.

Our research found that during the evolution of the Trojan Horse "Dancing moth", we constantly improved our power-raising module capabilities and increased support for Samsung Galaxy S6 and mobile phones using MTK chips.

As of the end of February 2016, monitoring statistics showed that the cumulative number of infected Trojans was as high as 340 million. Among them, Samsung and OPPP mobile phone users have the largest number of infections.

Through the search engine, you can find feedback from a large number of online users:

 

 

Ii. number of infections 1. Distribution of infections in China

360 the mobile security team detected that from February 2015 to the end of February 2016, the cumulative infection volume of the "Moth" trojan was as high as 340 million, and the domestic infection volume was close to 3.3 million, the distribution of infected areas shows that Guangdong and Henan are the most vulnerable to Trojan Infection.

 

 

2. Global infections are distributed to mobile phone users around the world. The "Moth" Trojan is mainly infected with countries in Asia. The first three most infected countries are China, India, and Indonesia.

 

 

3. Infected mobile phone brands

According to data from infected mobile phone manufacturers, Samsung and OPPO are the most infected mobile phone brands. As the Trojan horse of the dancing moth increases support for Samsung Galaxy S6 and mobile phones using MTK chips in the later stage, it is also one of the reasons why Samsung and mainstream mobile phones using MTK chips have a large number of infections.

 

 

3. propagation source 1. Monthly incremental sample changes

As of the end of February 2016, 360 mobile security teams had captured more than 12 thousand Trojan Horse samples. From the number of monthly samples, we can see that the growth of the moth began at the end of 2015, nearly February 2016 were captured during the period from January 1, 8000.

 

 

2. propagation source statistics

360 research by the mobile security team found that the Trojan horse of the drug moth was spread mainly through pornographic player malware with attractive names and icons exposed. The name of the pornographic player is as follows, OXPlayer, codeless broadcast, 18 no cinema, codeless broadcast, yellow fast broadcast, love fast broadcast, and so on. As the number of malicious software such as pornographic players has reached tens of millions, this trojan is highly capable of transmitting.

Statistics show that the Trojan horse of the drug moth is mainly disguised as a popular application, for example, meitu xiuxiu, Xiaomi notes, Mango TV, jiasule every day, and elimination of stars.

 

 

 

Iv. In-depth analysis 1. After the trojan flow chart is run, the system uploads configuration information online and requests the core module that contains multiple malicious files. In earlier versions, it also released core modules locally.

 

2. Core module functions

360 analysis by the mobile security team found that the core module of the Trojan contains eight functions. The six malicious behaviors include obtaining Root, tampering with system files, malicious fee deduction, privacy theft, malicious advertisements, and silent download and installation of other applications. In addition, the trojan detects the running environment, monitors file changes for self-protection, and updates the network to upgrade functions.

 

1) Get Root

The "Dancing moth" Trojan will load the Root elevation module libgetroot. so and try to exploit multiple system vulnerabilities to obtain Root permissions.

 

2) tampering with system filesCreate the following files and directories:

 

?  /system/bin/xsxux

?  /system/xbin/xsxux

?  /system/bin/droidamd

?  /system/etc/droidamd

?  /system/bin/droiddbg

?  /system/etc/debuggerd

?  /data/andobs/ob

?  /data/andobs/ob.jar

?  /data/andcort/cort

?  /data/andcort/cort.jar

?  /data/droidamd/droidget

?  /data/droidamd/lock

?  /data/droidamd/wlog

?  /data/droidamd/tmp

Modify system files:

 

?  /system/etc/install-recovery.sh

 

3) malicious fee deduction

Release libmms. jar, libmms. so, and inject, and inject the phone process to send and block text messages.

 

Blocked SMS list

 

4) malicious advertising

Malicious files released by the "Dancing moth" Trojan are lurking in system applications. full-screen advertisements are frequently displayed, seriously interfering with the normal use of mobile phones.

 

5) self-protection

The moth trojan also checks the operating environment and tries to combat sandbox detection.

 

In addition, a self-protection thread will be created to monitor file changes under the "/system/bin", "/system/etc", "/system/app" Directory through inotify_add_watch, prevent deletion.

 

6) download and install

Trojan Horse access hacker.

 

Silent application installation

 

7) Stealing privacyThe trojan horse will steal the privacy and upload the user's mobile phone number, IMEI, IMSI, and other firmware information.

 

8) online updatesThe core modules of online download encryption are decrypted locally to achieve self-updating.

 

3. Evolution of core modules

360 the mobile security team found five typical version changes from the change in the Trojan core module of the "Dancing moth" Trojan.

1) Timeline of different versions

By continuing to pay attention to the first captured Trojan Horse sample, we found three subsequent versions at the end of 2015 in light of its changes. It is worth mentioning that version 5, which was found at the beginning of this year, is more regular and adds date information. Although the functions of the core module are basically the same in version 5, files are updated more frequently and almost every day.

 

 

2) differences between different versions

The trojan author has made many improvements from the development of version 1 to version 5. In the aspect of Trojan horse confrontation, the hidden methods of core modules are constantly upgraded. In the aspect of Trojan horse malicious functions, as the number of released files increases, malicious behaviors are executed more comprehensively. In the aspect of Trojan structure, the structure is more complex. Each module provides function substitutes and mutual protection.

 

3) Elevation of Privilege Vulnerability

During the evolution of the Trojan Horse, the "Dancing moth" constantly enhances its ability to raise the right module. The original version only uses:

? VROOT-CVE-2013-6282 [1]

? TowelRoot-CVE-2014-3153 [2]

In subsequent versions, a vulnerability exploitation module is added for Samsung Galaxy S6 and mobile phones using MTK chips:

? PingPongRoot-CVE-2015-3636 [3]

? Mtkfb-mt658x & mt6592 [4]

 

V. Tracing 1. Relationship between C and C servers

360 when analyzing the trojan C & C server, the mobile security team found that multiple servers related to the Trojan Downloading, updating, and promotion functions are all registered by xiansheng xu, registered mail? A class = "_ cf_email _" href = "/cdn-cgi/l/email-protection" data-cfemail = "protected"> [email protected]; servers related to core module download are all registered by Qiong Yang and registered by mail? A class = "_ cf_email _" href = "/cdn-cgi/l/email-protection" data-cfemail = "protected"> [email protected]. The domain name relationships of the promotion server are as follows:

 

Vi. Summary

360 mobile security team research found that online download of malicious packets with the permission escalation function is a new trend in the emergence of Trojans. The structure of such Trojans is complex. Once a module is deleted, other modules implement functional substitutes to ensure mutual protection between functional modules, making it difficult to completely remove them. Users can use the relevant mobile phone emergency application to thoroughly scan and kill Trojans and repair system files. We will continue to pay attention to such security threats.