AVL and Cheetah Mobile in-depth analysis of the "domino" malicious app that poses as an APP market
Once upon a time, there was a malicious APP in front of me, and I didn't recognize it.
I didn't regret it until I had downloaded it.
The most painful thing is,
I didn't find out until the network was connected:
it is no longer just a malicious APP,
it is an APP that secretly downloads and installs more viruses!
This is beyond my understanding of malicious apps. It's terrible!
What about my mobile data? What about my phone bill?
Potholes!
The "APP-market app that secretly downloads and installs more viruses" mentioned above is a Root virus downloader recently intercepted by the AVL mobile security team and the Cheetah Mobile security lab. This application is extremely tricky: it disguises itself as a normal APP-market app to evade detection and removal by antivirus software.
Worse, it has a domino effect. Once a user accidentally installs the virus, the first time the infected phone connects to the network the virus downloads and loads malicious sub-programs without permission, silently obtains Root privileges on the user's phone, and installs a large number of malicious applications into the phone's system directories, causing serious loss of the user's mobile data!
In addition, every downloaded malicious app is started automatically, including extremely high-risk viruses such as the "toxic cake" family, which send fee-deducting SMS messages without permission and cost the user money; the user cannot uninstall or remove them!
After in-depth analysis by the AVL mobile security team and the Cheetah Mobile security lab, the virus was found to have the following main malicious behaviors:
1. Silently downloads malicious sub-programs and loads and runs them immediately after startup;
2. Decrypts the resource files in the sub-program to obtain the list of application download URLs, silently downloads a large number of malicious applications to the user's phone without permission, obtains the privilege-escalation file and Roots the user's phone without permission;
3. Runs a shell script to move the downloaded malicious applications into the system directory and starts the newly downloaded malicious programs;
4. Uploads the device's Root status, whether the "toxic cake" malware is present, and device information (IMEI, IMSI, MAC address and system information) to the server.
Figure 1: Malicious behavior path of the virus
I. Detailed analysis
1.1 Malicious program information
Package name: com.joy7.apple.appstore. The program icon is as follows:
The icon shows that the virus completely imitates the name and icon of the iOS App Store. The structure of the malicious package bundled inside the APK is as follows:
1.2 Downloading malicious sub-programs
After the program starts, the malicious function module is triggered by listening for device startup, screen unlock, and network-connectivity changes. The code is shown below:
Once the malicious function module starts, it decrypts a field to obtain the token of the malicious sub-package:
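The three wake-up triggers described above (startup, unlock, network change) are visible in a package's manifest before it ever runs, so they are a cheap static triage signal for an APP-market lookalike. The following is an added example, not code from the original analysis or from either security team; it assumes those three triggers correspond to the standard Android broadcast actions BOOT_COMPLETED, USER_PRESENT and CONNECTIVITY_CHANGE, and the manifest it parses is constructed for illustration (the real sample's manifest is not reproduced on this page).

```python
"""Triage an AndroidManifest.xml for broadcast receivers that wake the app on
device startup, screen unlock or connectivity change.

Added example, not code from the original analysis. Assumes the three triggers
map to the standard Android actions in TRIGGER_ACTIONS; SAMPLE_MANIFEST is a
constructed manifest, not the real sample's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from the behaviors in the analysis to standard actions.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "device startup",
    "android.intent.action.USER_PRESENT": "screen unlock",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
}


def find_trigger_receivers(manifest_xml: str) -> dict:
    """Return {receiver class name: sorted list of trigger descriptions}
    for every <receiver> whose intent-filters include a wake-up trigger."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(NAME_ATTR, "<unnamed>")
        triggers = set()
        for action in receiver.iter("action"):
            label = TRIGGER_ACTIONS.get(action.get(NAME_ATTR, ""))
            if label:
                triggers.add(label)
        if triggers:
            hits[name] = sorted(triggers)
    return hits


def declares_boot_permission(manifest_xml: str) -> bool:
    """True if the app asks for RECEIVE_BOOT_COMPLETED, which a boot receiver needs."""
    root = ET.fromstring(manifest_xml)
    return any(p.get(NAME_ATTR) == "android.permission.RECEIVE_BOOT_COMPLETED"
               for p in root.iter("uses-permission"))


# Constructed sample manifest (hypothetical package, not the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="App Store">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BatteryReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BATTERY_LOW"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for cls, triggers in find_trigger_receivers(SAMPLE_MANIFEST).items():
        print("%s: woken by %s" % (cls, ", ".join(triggers)))
    print("boot permission declared:", declares_boot_permission(SAMPLE_MANIFEST))
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool or aapt) before being handed to `find_trigger_receivers`; a receiver that combines all three triggers is not malicious by itself, but in an app that claims to be a store front it is a strong reason to look at what that receiver starts.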
1.3 Pushing many malicious applications in the background and updating control commands online
The action method decrypts the resource file data0 in the main program's assets directory and parses it to obtain the URLs of the pushed APKs and the update command. The decrypted data is as follows:
The APKs are downloaded into the hidden .rtkpa directory on the SD card, and the library files in each APK are extracted into that directory. The files are as follows:
Most of the pushed APKs are malicious applications, as shown in the following table:
The malicious program fetches the update-instruction URL and parses the latest instruction for starting applications. The command structure contains a package name, a component name and a switch variable.
1.4 Decrypting and releasing the core files
Hosts file.
Local self-decryption generates .ci.036 and sets the path where the .ci.036 file is saved. The code is shown below:
The self-decrypted raw data is written to .ci000036, as shown in the code:
The other files are decrypted in a similar way. B.zip and onme.zip are the privilege-escalation files. .ci.036, .sv.qq, .sys.us and .sys.attr are ELF executables: when run, each starts the corresponding daemon, opens a shell environment and executes the shell script commands passed to it. .sys.irf is the shell script that replaces install-recovery.sh. Sysbbench.ydg.dm is detected as pythoncake.a and is moved to /system/bin/dm at runtime; this virus injects the Phone process, intercepts and sends SMS messages, steals phone information and uploads it to a remote server, downloads files online and updates itself, causing great harm to users' phones.
1.5 Obtaining Root permission on the phone
The malicious code uses a fixed string in the self-decryption code to generate the local files /data/com.joy7.apple.appstore/files/prog16_B*/B.zip
and /data/com.joy7.apple.appstore/files/prog_om*/onem.zip, checks the returned exit code to determine whether privilege escalation succeeded, and then deletes the privilege-escalation files.
The related code is shown below:
The local privilege-escalation files are as follows:
1.6 Tampering with the startup script and moving malicious applications into the system directory
After Rooting the user's phone without permission, the program executes the shell script it created to replace system files, moves the malicious APKs and their library files into the system directory, and runs the malicious programs with the am start -n and am startservice commands. .sys.arrt applies the +ia attributes to lock the malicious APKs in the system directory. The .sys.irf file replaces the install-recovery.sh script so that nbwayxwzt, .360asshole and the dm file (the core module of the toxic-cake virus) run in the background when the system starts.
The shell script is as follows:
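Sections 1.3, 1.4 and 1.6 together name the host artifacts a responder can look for on a suspected device: a replaced install-recovery.sh that launches apps, files under /system locked with the immutable/append-only (+ia) attributes, the hidden .rtkpa directory on the SD card, the .ci.036 core file and /system/bin/dm. The following is an added example, not code from the original analysis; it works on text captures pulled from the device (the startup script, `lsattr -R` output and a file listing), assumes the `lsattr` column layout of an attribute string followed by the path, assumes the SD card is mounted at /sdcard, and all three sample inputs are constructed for illustration.

```python
"""Host-side triage for the artifacts this downloader leaves behind.

Added example, not code from the original analysis. Indicators come from the
analysis text; the /sdcard mount point and the lsattr column layout
(attribute string, then path) are assumptions, and all sample inputs below
are constructed.
"""
import re

# Indicators named in the analysis (SD-card mount point assumed).
PATH_INDICATORS = (
    "/sdcard/.rtkpa",      # hidden download directory on the SD card
    ".ci.036",             # self-decrypted core file
    "/system/bin/dm",      # dropped core module of the "toxic cake" virus
)

# Commands a stock install-recovery.sh has no reason to run.
LAUNCH_RE = re.compile(r"\bam\s+(start|startservice)\b")
LOCK_RE = re.compile(r"\bchattr\b.*\+\w*[ia]")


def suspicious_recovery_lines(script_text: str) -> list:
    """Return (line_no, line) for lines in install-recovery.sh that launch
    apps, lock files with +i/+a, or reference a known dropped path."""
    hits = []
    for no, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if (LAUNCH_RE.search(stripped) or LOCK_RE.search(stripped)
                or any(p in stripped for p in PATH_INDICATORS)):
            hits.append((no, stripped))
    return hits


def locked_files(lsattr_output: str) -> list:
    """Paths whose attribute string carries 'i' (immutable) or 'a' (append-only);
    neither is set on files in a stock /system/app."""
    locked = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        if "i" in flags or "a" in flags:
            locked.append(path)
    return locked


def dropped_paths(listing: str) -> list:
    """Paths from a one-per-line file listing that match a known indicator."""
    return [p for p in listing.splitlines()
            if any(p == ind or p.endswith(ind) or p.startswith(ind + "/")
                   for ind in PATH_INDICATORS)]


# Constructed captures, not from a real device.
SAMPLE_RECOVERY_SH = """#!/system/bin/sh
# constructed: what a tampered install-recovery.sh might contain
mount -o remount,rw /system
am start -n com.example.dropped/.MainActivity
am startservice -n com.example.dropped/.PushService
chattr +ia /system/app/dropped.apk
/system/bin/dm &
"""
SAMPLE_LSATTR = """--------------e---- /system/app/Calendar.apk
----i---------e---- /system/app/dropped.apk
-----a--------e---- /system/app/other.apk
--------------e---- /system/app/Gallery.apk
"""
SAMPLE_LISTING = """/sdcard/DCIM/IMG_0001.jpg
/sdcard/.rtkpa/pkg1.apk
/data/data/com.example.fakestore/files/.ci.036
/system/bin/dm
/system/bin/sh
"""

if __name__ == "__main__":
    for no, line in suspicious_recovery_lines(SAMPLE_RECOVERY_SH):
        print("install-recovery.sh:%d: %s" % (no, line))
    print("locked:", locked_files(SAMPLE_LSATTR))
    print("dropped:", dropped_paths(SAMPLE_LISTING))
```

The three inputs are normally collected with `adb pull /system/etc/install-recovery.sh`, `adb shell lsattr -R /system/app` and `adb shell find / -type f` (or a file listing from a forensic image); a hit from `locked_files` also explains why an ordinary uninstall fails, since an immutable attribute has to be cleared before the file can be removed.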
1.7 Uploading user information to the server
The malicious program also collects the user's device information, such as IMEI, IMSI, MAC address, Linux version, package name, city, language and Root status, together with whether the /system/bin/dm file is present, encrypts it with DES and uploads it to the server at http://115.28.191.170:8080/WZDatasServer/RecordInfo. The code is shown below:
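The reporting endpoint above is the one network indicator the analysis gives, and it is the easiest place to spot infected devices at the network edge. The following is an added example, not code from the original analysis; the host, port and path are taken from the text, while the five-column proxy log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for illustration.

```python
"""Flag web-proxy log lines showing a client contacting the reporting server
named in the analysis (http://115.28.191.170:8080/WZDatasServer/RecordInfo).

Added example, not code from the original analysis. The host, port and path
come from the analysis text; the log format and SAMPLE_LOG are constructed.
"""
from urllib.parse import urlsplit

C2_HOST = "115.28.191.170"
C2_PORT = 8080
C2_PATH_PREFIX = "/WZDatasServer/"


def classify_url(url: str) -> str:
    """'c2-report' for the reporting endpoint, 'c2-host' for any other request
    to the same server (still worth a look), 'clean' otherwise."""
    u = urlsplit(url)
    if u.hostname != C2_HOST:
        return "clean"
    port = u.port if u.port is not None else 80   # bare http:// implies 80
    if port == C2_PORT and u.path.startswith(C2_PATH_PREFIX):
        return "c2-report"
    return "c2-host"


def find_c2_contacts(log_text: str) -> list:
    """Return (client_ip, verdict, url) for every log line that is not clean;
    truncated or malformed lines are skipped rather than guessed at."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, _status = parts[:5]
        verdict = classify_url(url)
        if verdict != "clean":
            hits.append((client, verdict, url))
    return hits


# Constructed proxy log, not real traffic.
SAMPLE_LOG = """1433000001 10.0.0.12 GET http://www.example.com/index.html 200
1433000002 10.0.0.12 POST http://115.28.191.170:8080/WZDatasServer/RecordInfo 200
1433000003 10.0.0.15 GET http://115.28.191.170/other 404
1433000004 10.0.0.20 POST http://115.28.191.170:8080/WZDatasServer/RecordInfo 200
1433000005 10.0.0.9 GET
"""

if __name__ == "__main__":
    for client, verdict, url in find_c2_contacts(SAMPLE_LOG):
        print("%s\t%s\t%s" % (client, verdict, url))
```

Because the upload body is DES-encrypted, content inspection will not recover the IMEI or other fields; matching on the destination is what remains, and a client that hits the endpoint once per network change (the trigger described in section 1.2) will show up as a steady series of POSTs.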
II. Summary
The emergence of the Root virus downloader reflects an increasingly severe struggle against malicious code. From the analysis of this downloader and long-term attention to malicious code attacks of all kinds, we can preliminarily summarize the following trends in virus development:
1. Malicious code authors are becoming better at virus camouflage. By disguising themselves as normal applications, they first get onto the user's device and avoid detection by antivirus software that relies purely on static analysis; once the program is running, it downloads and loads malicious sub-programs online and then carries out various malicious behaviors on the device, bringing great harm and trouble to the user.
2. More Root viruses are emerging. By silently obtaining Root privileges on the user's system without permission so that the virus cannot be uninstalled, they make detection and removal very difficult for security software. We hope ROM vendors will cooperate closely with security vendors to protect users' devices, strengthen the identification of and resistance to malicious Root behavior, and protect user security at the root.
3. Malicious code pays more and more attention to protecting its own program. By using third-party code obfuscation or packing ("reinforcement") services, the virus hardens itself against analysis and further evades antivirus detection and removal. We strongly recommend that obfuscation and packing vendors strengthen the review of the customers they serve, refuse to provide any obfuscation or packing service to viruses, and so curb virus development at the source.
For this type of Android virus, promptly run a full scan with a reputable security application. At the same time, do not download apps from unofficial websites or unknown application markets.