This is a virus analysis article we saw during the summer vacation. I think there are many things worth learning from it, so I translated it when I was free over the last few days. Please correct me if something is wrong!
Fakekakao Trojan Analysis
Virus Bulletin is a magazine about malware and spam protection, detection and removal. It regularly publishes analyses of the latest virus threats, news of developments in the anti-virus field, interviews with anti-virus experts, and evaluations of existing anti-virus products.
1. Counterfeit KakaoTalk Security Plug-in Analysis
Android/Fakekakao Trojans disguise themselves as a KakaoTalk security plug-in to induce users to install them. Once installed, the plug-in monitors sent and received messages, sends spam messages, collects sensitive information and submits it to a remote server. More seriously, it combines anti-debugging and anti-emulator tricks, which render some security software ineffective. Unlike other malware, the DEX file of this trojan is used mainly as a loader. In this article, we will look at some debugging and analysis methods while analysing the behaviour of this malware.
1.1 App Loader
The loader registers three components: MainActivity, ActionCycler and MoriService. MainActivity starts a well-designed user interface to mislead users, as shown in Figure 1:
ActionCycler receives the android.intent.action.USER_PRESENT broadcast, which the system sends when the device is woken up. To ensure that this broadcast is received as early as possible, the malware sets the priority of the receiver's intent filter to 0x7fffffff. When the broadcast arrives, the MoriService component is started in the background. The methods called by this service live in the native library libeglsv1.so. To run smoothly, the malware requests the following permissions:
• READ_SMS
• READ_CONTACTS
• READ_PHONE_STATE
• SEND_SMS
• WRITE_EXTERNAL_STORAGE
• WRITE_SMS
• INTERNET
• RECEIVE_SMS
1.2 Anti-debugging and JNI Initialization
The started service first loads libeglsv1.so into the malware's process address space. When the library is initialised, it checks whether it is being debugged or running in an emulator by looking for the following tools, system property and emulator files. If either condition is detected, an anti-debugging/anti-emulator flag is set for use by subsequent operations:
• strace
• ltrace
• android_server
• gdbserver
• gdb
• tcpdump
• ro.kernel.qemu
• /system/bin/qemu-props
• /system/bin/qemud
After initialisation, it registers six native methods through RegisterNatives and calls the setjnievn method to initialise the JNI environment variable, which is used to call the other native methods. However, if the anti-debugging flag is true, the remaining native methods do nothing, to prevent security researchers from analysing them. Figure 2 shows the native method registration process:
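The indicator list above is exactly the kind of thing an analyst turns into a triage check. The following script is an added example (it is not code from the article or from the sample); it extracts printable strings from a native library image and reports which of the anti-debugging and anti-emulator indicators named above are present. The library blob it scans is constructed inline, not bytes from libeglsv1.so.

```python
from __future__ import annotations
import re

# Indicators named in the article: tools the sample looks for to detect a debugger,
# and a system property plus two emulator binaries it looks for to detect QEMU.
DEBUGGER_INDICATORS = frozenset({"strace", "ltrace", "android_server", "gdbserver", "gdb", "tcpdump"})
EMULATOR_INDICATORS = frozenset({"ro.kernel.qemu", "/system/bin/qemu-props", "/system/bin/qemud"})

# Printable-ASCII runs of four or more bytes, the same heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Tokens that can form a tool name, property name or path.
TOKEN = re.compile(r"[A-Za-z0-9_./-]+")


def extract_strings(blob: bytes) -> list[str]:
    """Return every printable-ASCII run of at least four bytes in the blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def scan_anti_analysis(blob: bytes) -> dict[str, list[str]]:
    """Map each indicator category to the sorted list of indicators found in the blob.

    Matching is done on whole tokens so that 'gdb' is not reported merely
    because 'gdbserver' is present.
    """
    hits = {"anti_debug": set(), "anti_emulator": set()}
    for s in extract_strings(blob):
        for tok in TOKEN.findall(s):
            if tok in DEBUGGER_INDICATORS:
                hits["anti_debug"].add(tok)
            elif tok in EMULATOR_INDICATORS:
                hits["anti_emulator"].add(tok)
    return {k: sorted(v) for k, v in hits.items()}


def verdict(report: dict[str, list[str]]) -> str:
    """Summarise the report as a triage label."""
    if report["anti_debug"] and report["anti_emulator"]:
        return "anti-debug+anti-emulator"
    if report["anti_debug"]:
        return "anti-debug"
    if report["anti_emulator"]:
        return "anti-emulator"
    return "none"


# Constructed stand-in for a native library: an ELF magic, some junk bytes and a
# few strings, two of which are benign. Not bytes from the real libeglsv1.so.
SAMPLE_LIB = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(8)
    + b"/proc/self/cmdline\x00"
    + b"gdbserver\x00" + b"\x90\x12\xaa\x03"
    + b"ro.kernel.qemu\x00"
    + b"/system/bin/qemu-props\x00"
    + b"\xff\xfe" + b"strace\x00"
    + b"JNI_OnLoad\x00"
)

if __name__ == "__main__":
    report = scan_anti_analysis(SAMPLE_LIB)
    print(report, verdict(report))
```

Run it against a real `.so` by reading the file into `blob`. A hit does not prove the library is malicious (legitimate anti-tamper code uses the same checks), but a native library that looks for both gdbserver and ro.kernel.qemu deserves a closer look, and the report tells the analyst which environment artifacts to hide before dynamic analysis.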
1.3 C&C Communications
The malware collects private user information from the infected device and encrypts it with the AES-192 algorithm. Before sending the encrypted information to a remote server, it extracts the list of remote servers from the encrypted config.js file, which is included in the APK and is also encrypted with AES-192. The configuration file is not only encrypted: after decryption the malware also calls the uncompress API to decompress the remote server list. Figure 3 shows the decrypted server list:
In Figure 3, we can see two server entries: the first is used for network testing, and the other is the real C&C server.
The collected information is divided into two parts, ID and MD. The ID part contains the following fields:
• ID: IMEI
• Token: product brand and model
• Target: build version
• RD: flag for the existence of /system/bin/su or /system/xbin/su
• Fo: phone number of the compromised device
The MD part contains the following fields:
• MD: same as ID
• Fo: phone number of the compromised device
• DS: contact name and number list
The malware first sends the ID part to the remote server to register the infected device. If the server returns '0', it then sends the MD part; if the returned value is '1', the MD part is not sent. Figure 4 shows an example:
Then it requests filter rules from the remote server. These rules are used to filter received SMS messages and the SMS database. The malware uses the following keywords in the rules:
• plist: matches the phone number of a message
• klist: matches message content
• blist: matches the nickname of a message
• allmsgs: spam message content
• snumber: a specific phone number chosen by the malware
• smsg: message which is sent to snumber
• allmsg: another spam message content
• checked: flag, whether to send spam messages or not
• unlock: flag, whether to store the contact list or not
Figures 5a and 5b show an example of a filtering rule:
The malware records the start time of the service. When the service is started the next time, it resends the collected information, and if the interval since the last interaction is greater than 30 minutes, it also requests a new filter rule.
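When a C&C response like the one in Figures 5a and 5b is captured, the useful next step is to read it mechanically and state what the sample would do with it. The following rule-triage script is an added example, not code from the article or the sample. The article names the rule keywords but does not document the wire format, so the JSON layout used here is an assumption, and the rule itself is constructed. It evaluates the spam decision (checked flag plus allmsgs/allmsg, and the smsg-to-snumber fallback when the device number is empty) and the 1.4 interception logic (plist, klist, blist), so the same block serves both sections.

```python
from __future__ import annotations
import json

# Constructed rule in a hypothetical JSON layout (the article does not give the
# real format). Phone numbers and text are made up.
SAMPLE_RULE = """{
  "plist": ["+8210123456", "10010"],
  "klist": ["verification code", "bank"],
  "blist": ["kakao"],
  "allmsgs": "Free gift, tap http://example.invalid/",
  "allmsg": "",
  "snumber": "+8210000000",
  "smsg": "hello",
  "checked": "1",
  "unlock": "0"
}"""

SPAM_INTERVAL_SECONDS = 40  # interval between spam messages, from the article


def parse_rule(text: str) -> dict:
    """Normalise a rule document: lists become lists, the two flags become booleans."""
    raw = json.loads(text)

    def as_list(key: str) -> list[str]:
        value = raw.get(key, [])
        return [value] if isinstance(value, str) else [str(v) for v in value]

    return {
        "plist": as_list("plist"),
        "klist": as_list("klist"),
        "blist": as_list("blist"),
        "allmsgs": str(raw.get("allmsgs", "")),
        "allmsg": str(raw.get("allmsg", "")),
        "snumber": str(raw.get("snumber", "")),
        "smsg": str(raw.get("smsg", "")),
        "checked": str(raw.get("checked", "0")) != "0",   # "not 0" per the article
        "unlock": str(raw.get("unlock", "0")) != "0",
    }


def would_intercept(rule: dict, sender: str, body: str, nickname: str = "") -> bool:
    """True if an incoming message matches plist, klist or blist, i.e. the sample
    would abort the broadcast and upload the message."""
    if sender in rule["plist"]:
        return True
    body_l = body.lower()
    if any(k.lower() in body_l for k in rule["klist"]):
        return True
    nick_l = nickname.lower()
    return bool(nick_l) and any(b.lower() in nick_l for b in rule["blist"])


def triage(rule: dict, device_number: str) -> dict:
    """Summarise what the sample would do under this rule on a device with the given number."""
    spam_text = rule["allmsgs"] or rule["allmsg"]
    will_spam = rule["checked"] and bool(spam_text)
    return {
        "will_spam_contacts": will_spam,
        "spam_text": spam_text if will_spam else None,
        "spam_interval_s": SPAM_INTERVAL_SECONDS if will_spam else None,
        # smsg is sent to snumber only when the device's own number is empty
        "fallback_send": (rule["snumber"], rule["smsg"]) if not device_number else None,
        "will_store_contacts": rule["unlock"],
        "watched_numbers": rule["plist"],
        "watched_keywords": rule["klist"],
        "watched_nicknames": rule["blist"],
    }


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(json.dumps(triage(rule, "+8210111222"), indent=2))
    print(would_intercept(rule, "+8219999999", "Your verification code is 1234"))
```

The watched-number and keyword lists are the actionable output: they tell an incident responder which senders and message types were being stolen from the victim (one-time codes and bank notifications in this constructed rule), and the spam text gives a string to block at the carrier or search for in other victims' outboxes.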
1.4 Monitoring SMS
To monitor text messages, the software first registers a new broadcast receiver through registerReceiver, setting the priority of its intent filter to 0x7fffffff so that it has the highest receiving priority and processes incoming text messages first. Whenever an SMS arrives, the software applies the rules mentioned above, such as matching the phone number and searching the message content. It also calls abortBroadcast to prevent messages of interest from reaching other, lower-priority receivers.
To monitor changes in the SMS database, the software registers a content observer through registerContentObserver. Whenever the database changes, it checks each message in the same way as incoming text messages.
The software encrypts and sends the matched messages to the remote server, regardless of whether they came from the receiver or the observer. Whenever the receiver or observer is triggered, it also resends the collected information and requests a new filtering rule.
1.5 Sending SMS
Whether spam messages are sent is determined by the values of the keywords "checked", "allmsgs" and "allmsg" in the filter rule. If the "checked" value is not 0 and "allmsgs" or "allmsg" is not empty, the software sends spam messages to every contact in the contact list, with an interval of 40 seconds between messages. If the infected device's phone number is empty, it sends the content of the keyword "smsg" to the number specified by the keyword "snumber". In addition, it deletes its own sent-message records from the local SMS database to destroy evidence.
1.6 Self-protection Mechanism
Here, the software tries to install fotakill.apk into the /system/app/ directory. FOTAKill is a third-party application that blocks the FOTA (firmware over-the-air) update service; it is intended to prevent users from losing privileges, such as root, after a firmware update. To install this APK, the software uses getuid to check the user's UID. If the UID is root, it reads the /data/system/packages.list file, which records all APKs installed on the device. If the list contains any of the following security-related package names, the software disables that package with the "pm disable" command:
• com.avira.android
• com.antivirus
• com.kms
• com.wsandroid.suite
• com.qihoo360.mobilesafe
• com.ijinshan.duba
• com.tencent.qqpimsecure
• com.anguanjia.safe
• com.lbe.security
• com.netqin.mobileguard
• com.avast.android.mobilesecurity
• com.estsoft.alyac
• com.lookout
• com.zoner.android.antivirus
• com.symantec.mobilesecurity
• com.drweb.pro
• com.drweb
• com.drweb.pro.market
• com.symantec.mobilesecurity
• com.symantec.monitor
1.7 Analysis Method
As is well known, a drawback of native code on Android is that it increases the complexity of an application. This malware exploits that property to protect itself by making reverse analysis harder. A common way to debug a native library is to attach a debugger to the target process. In this case, however, we may not be able to attach in time, because by the time the debugger is attached the application may already have executed past the address at which we want to break. We therefore need a way to stop execution at the address we want to debug before attaching. The simplest and most effective way is a single instruction that puts the thread into an infinite loop: we replace the original instruction at the desired breakpoint address with an unconditional branch to itself. Since the native library is built for the ARM architecture, the replacement instruction is encoded as follows:
Set   | Format                  | Byte code
Thumb | 1110 0xxx xxxx xxxx     | FE E7
ARM   | 1110 1010 xxxx ... xxxx | FE FF FF EA
Note: replace the instruction at the location where you want to break with the byte code above. The result is a "B self" instruction, an unconditional branch to its own address, so the thread loops forever at that point.
There is no need to repackage the modified APK: the modified library can simply be pushed over the existing one with adb. Analysts can then attach a debugger to the looping process and step through the library from that point.
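The following script is an added example of the branch-to-self patch described above; it is not code from the article. It derives the Thumb encoding FE E7 and the full 4-byte ARM encoding FE FF FF EA from the branch formats, decodes them back to confirm each one targets its own address, and patches an image while saving the original bytes so they can be written back once the debugger is attached. The Thumb function body it patches is constructed, not bytes from libeglsv1.so, and the command-line layout is an assumption.

```python
from __future__ import annotations
import struct
import sys

# Encodings of an unconditional branch to itself ("B .").
# Thumb 'B <imm11>': 11100 imm11, target = PC + 4 + 2*imm11, so imm11 = -2 -> 0xE7FE.
# ARM 'B <imm24>' with cond=AL (1110): 1110 1010 imm24, target = PC + 8 + 4*imm24,
# so imm24 = -2 -> 0xEAFFFFFE. Both are stored little-endian in the file.
def encode_b_self(mode: str) -> bytes:
    if mode == "thumb":
        return struct.pack("<H", 0xE000 | ((-2) & 0x7FF))
    if mode == "arm":
        return struct.pack("<I", 0xEA000000 | ((-2) & 0xFFFFFF))
    raise ValueError(f"unknown mode {mode!r}")


def branch_displacement(opcode: bytes, mode: str) -> int:
    """Decode an unconditional branch and return its target relative to the
    instruction's own address. 0 means the instruction branches to itself."""
    if mode == "thumb":
        (word,) = struct.unpack("<H", opcode)
        if word >> 11 != 0b11100:
            raise ValueError("not a Thumb unconditional B")
        imm = word & 0x7FF
        imm -= 0x800 if imm & 0x400 else 0          # sign-extend 11 bits
        return 4 + 2 * imm
    if mode == "arm":
        (word,) = struct.unpack("<I", opcode)
        if word >> 24 != 0xEA:
            raise ValueError("not an ARM B with cond=AL")
        imm = word & 0xFFFFFF
        imm -= 0x1000000 if imm & 0x800000 else 0    # sign-extend 24 bits
        return 8 + 4 * imm
    raise ValueError(f"unknown mode {mode!r}")


def symbol_to_offset(address: int, mode: str) -> int:
    """Thumb symbol addresses carry bit 0 set; clear it to get the file offset."""
    return address & ~1 if mode == "thumb" else address


def patch_b_self(image: bytes, offset: int, mode: str) -> tuple[bytes, bytes]:
    """Return (patched image, original bytes). Keep the original bytes: once the
    debugger is attached to the spinning thread they are written back and PC is
    left at the same address, so execution resumes as if nothing had changed."""
    opcode = encode_b_self(mode)
    if offset % len(opcode):
        raise ValueError("offset is not aligned for this instruction set")
    original = image[offset:offset + len(opcode)]
    if len(original) != len(opcode):
        raise ValueError("offset past end of image")
    return image[:offset] + opcode + image[offset + len(opcode):], original


# Constructed 8-byte Thumb function body (push {r4,lr}; mov r4,r0; movs r0,#0;
# pop {r4,pc}); not bytes from the sample's library.
SAMPLE_THUMB_FUNC = b"\x10\xb5\x04\x46\x00\x20\x10\xbd"

if __name__ == "__main__":
    # assumed usage: patch.py <lib.so> <symbol-address-hex> <thumb|arm>
    path, addr, mode = sys.argv[1], int(sys.argv[2], 16), sys.argv[3]
    with open(path, "rb") as f:
        image = f.read()
    offset = symbol_to_offset(addr, mode)
    patched, original = patch_b_self(image, offset, mode)
    with open(path + ".patched", "wb") as f:
        f.write(patched)
    print(f"saved original bytes {original.hex()} at offset 0x{offset:x}")
```

The decoder is the check worth keeping: if `branch_displacement` does not return 0 for the bytes you are about to write, the patch is wrong for that instruction set. Patching on a 2-byte boundary in ARM mode or forgetting that a Thumb symbol has its low bit set are the two mistakes this guards against, and both produce a crash rather than a breakpoint.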