EvilGuard: A New Attack Method on the Android Platform

Source: Internet
Author: User

Recently we discovered the first Trojan on the Android platform that uses process-protection technology. The Trojan drops and executes its own malicious ELF executables to protect itself against cleanup by anti-virus software. We named this Trojan family "EvilGuard" and released a dedicated EvilGuard removal tool (download) to help users avoid harm.

Sample Structure

EvilGuard consists of the main package android.system.manager and the sub-package com.android.tservice, which is dropped by the main package. The main package and the sub-package contain the ELF executable files libesmanager.so and safe respectively.

Behavior Overview

EvilGuard is disguised as software that legitimately needs root privileges, such as a "built-in software uninstaller". The Trojan tries several public vulnerabilities to gain root and then drops its own root backdoor ELF executable, sl, under /system/bin. When the main package starts, it loads libesmanager.so, which releases the malicious sub-package APK (disguised as system software) and installs it under /system/app; the main package then runs the sub-package immediately.

When the sub-package starts, it drops the malicious ELF file safe to /system/bin. The safe file backs up the sub-package to the SD card and continuously checks in the background whether the sub-package or the backup has been deleted; if either is missing, it is immediately restored, so the sub-package cannot be uninstalled. Besides resisting uninstallation, the sub-package also receives commands from a remote server, including self-update, uploading phone and firmware information, and downloading unknown APK files for silent installation and execution.

Principle Analysis

Main Package Analysis

The sample triggers its malicious behaviour when the main interface com.system.manager.HomeActivity is started. After launch, the doAll and writeApkFile methods are called in sequence to complete privilege escalation, then to release, install and run the sub-package.

The doAll method first checks whether the sub-package already exists. If it does not, it loads the bundled ELF executable libesmanager.so and calls its escalatefast and escalate methods to escalate privileges.

The writeApkFile method first calls the getApkData method of libesmanager.so, which extracts the APK package embedded in the ELF to the SD card disguised as GoogleService.log. It then copies the file to the /system/app path, deletes GoogleService.log, and starts the sub-package by sending a broadcast.

Figure: the getApkData method that extracts the APK sub-package.

The main package also uploads the phone's firmware information over a socket to the Internet address core.mdot.cn, port 8888.

Sub-package Analysis

After the sub-package is launched by the main package, its malicious service TService is started. This service is also started by a variety of frequently occurring system broadcasts, such as boot completed, screen unlock, and date setting.

Different command operations are initiated when TService is created. These commands include:

1. Self-update of sub-packages

2. Uploading the phone number, IMEI, and phone firmware information

3. Downloading and silently installing unknown third-party applications, etc.

After TService starts, it first checks for a self-update and requests commands from the server.

It then drops the ELF executable file safe to the /system/bin path.

Finally, it executes the safe file.

New Attack Method

The function of the safe file is to keep the sub-package running and prevent its uninstallation. On its first run it backs up the sub-package to the SD card disguised as a file named run.log. Every 30 s it then checks whether the sub-package or its backup run.log has been deleted; if either is missing, it is immediately restored from the other. It also checks whether the sub-package process exists and, if not, starts the sub-package again. Because this is an infinite loop, even when anti-virus software detects the threat and removes the sub-package, the sub-package is restored immediately and the infection cannot be completely cleaned up.
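As an added example (not code from the article or from 360), the following Python triage routine runs over a constructed device snapshot: it flags the disguised ".log" files by their magic bytes and orders the cleanup so that the safe watchdog is stopped before the backup and the APK are removed. The snapshot contents, the process list and the sub-package file name tservice.apk are assumptions; the paths and process names come from the article.

```python
# Added triage example (not code from the original article or from 360).
# File names and paths come from the article; the snapshot and process list
# below are constructed test data standing in for what a tool would read
# from a rooted device or a forensic image.

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"   # an APK is a ZIP archive
# ELF files the article says EvilGuard drops under /system/bin
DROPPED_ELF = ("/system/bin/safe", "/system/bin/sl")
# name of the watchdog process that restores the sub-package every 30 s
WATCHDOG_NAMES = ("safe",)

# Constructed snapshot: path -> first bytes of the file
SNAPSHOT = {
    "/sdcard/run.log": ZIP_MAGIC + b"\x14\x00...",            # sub-package backup disguised as a log
    "/sdcard/GoogleService.log": ZIP_MAGIC + b"\x14\x00...",  # sub-package dropped by the main package
    "/sdcard/app.log": b"12:00 app started\n",                 # genuine text log, must not be flagged
    "/system/bin/safe": ELF_MAGIC + b"\x01\x01...",
    "/system/bin/sl": ELF_MAGIC + b"\x01\x01...",
    "/system/app/tservice.apk": ZIP_MAGIC + b"\x14\x00...",    # hypothetical file name for the sub-package
}
# Constructed process list: (pid, process name)
PROCESSES = [(1, "init"), (2317, "safe"), (2402, "com.android.tservice")]


def disguised_logs(snapshot):
    """Return {path: kind} for '.log' files whose magic bytes say APK/ZIP or ELF."""
    found = {}
    for path, head in snapshot.items():
        if not path.endswith(".log"):
            continue
        if head.startswith(ZIP_MAGIC):
            found[path] = "apk"
        elif head.startswith(ELF_MAGIC):
            found[path] = "elf"
    return found


def watchdog_pids(processes):
    return [pid for pid, name in processes if name in WATCHDOG_NAMES]


def remediation_plan(snapshot, processes, subpackage_apk):
    """Ordered cleanup steps. The watchdog re-creates whichever of the APK and
    run.log is missing, so it must be stopped before either file is deleted."""
    plan = [f"kill {pid}" for pid in watchdog_pids(processes)]
    plan += [f"rm {p}" for p in DROPPED_ELF if p in snapshot]
    plan += [f"rm {p}" for p in sorted(disguised_logs(snapshot))]
    plan.append(f"rm {subpackage_apk}")
    return plan
```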


Cleanup Solution

We have released a dedicated removal tool:

Http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/ExpAbuseKiller.apk

This tool completely removes the EvilGuard Trojan. We also recommend downloading and installing applications only from reputable app markets such as 360 Mobile Assistant, installing 360 Mobile Guard, and running regular security scans on your phone.

Trend

With the rapid growth of the mobile Internet, the wide use of mobile devices has attracted more and more attackers seeking financial gain, and attack techniques traditional to the PC are gradually appearing on mobile devices. Android malware has evolved from early code obfuscation, string encryption, anti-decompilation and anti-debugging to the bootkit Trojan Oldboot, which we first found at the beginning of this year and which hides itself at a deeper level by modifying system startup items. The battleground has moved from the application layer to attacks on the underlying system.

Now, with EvilGuard, we have found a malicious Trojan family that carries the characteristics of traditional PC attacks. Like Oldboot, it protects its APK files from removal, but where Oldboot relies on a modified ROM to restore the malicious APK after each reboot, EvilGuard is the first Trojan family we have discovered that spreads through third-party markets and drops ELF executables into the system for real-time monitoring and self-recovery, much like traditional PC process-protection attacks.

As far as we know, malware removal in most traditional security software stops at deleting the APK files. With the emergence of this self-protecting Trojan family, such cleanup capabilities are no longer sufficient: a complete cleanup requires analysing and monitoring the derived files from system startup through to APK release. We will continue to pay close attention to the development of such attack methods and provide security protection solutions.
