Ghost Push -- MonkeyTest and TimeService Virus Analysis Report
On September 21, August 2015, mobile phone users reported that after installing an official system upgrade package, unknown software such as MonkeyTest and TimeService had been pre-installed on their devices. By September 18, the daily number of infections by this virus family had risen to a peak of 0.7 million devices per day, and tens of thousands of models have been affected by Ghost Push; typical models include codu, Samsung, and MOTO (Appendix 1 lists all affected models).
According to our data analysis (Figure 1), users infected with the Ghost Push virus are mainly located in the United States, Russia, India, and China; within China, Yunnan and Guangdong have the highest infection counts.
Figure 1 infection distribution chart
We call this virus the Ghost Push virus. The virus software runs automatically at startup, pushes advertisements over the user's mobile data, and silently downloads and installs applications without the user's permission. Users cannot uninstall the virus manually or with mobile anti-virus software. Figure 2 shows a phone after infection.
Figure 2 example of a mobile phone infected with the Ghost Push Virus
The Ghost Push virus has plagued Android users. This article analyzes the execution process of Ghost Push in detail and puts forward a removal solution and security suggestions for this kind of virus.
During execution, the Ghost Push virus obtains Root permission, then pushes ads and silently downloads and installs applications over the user's mobile data. The specific process is shown in Figure 3.
Figure 3 Ghost Push virus Execution Process
First, the attacker injects malicious code into a legitimate application and repackages it so that it poses as the original, legitimate application (the list of infected applications is given in Appendix 2). Once a user downloads such a "normal" application carrying the injected malicious code, the malicious code executes as follows.
I. Virus release and installation process analysis
1.1 Obtain Root permission
The malicious code first collects information such as the phone number and sends it to the server http://api.aedxdrcb.com/ggview/rsddateindex. It then obtains a Root toolkit from the server http://down.upgamecdn.com/onekeysdk/tr_new/rt_0915_130.apk. The Root toolkit exploits vulnerabilities in the phone to obtain Root permission; it currently supports tens of thousands of models, on which the privilege escalation succeeds.
This article shows the Root execution code for Samsung and MTK devices in Figure 4.a and Figure 4.b.
Figure 4.a Samsung ROOT solution
Figure 4.b MTK ROOT solution
After obtaining Root privileges, the malicious code performs four types of operations: 1) replace the debugadh file; 2) modify the install-recovery.sh file; 3) release the malicious bin file; 4) install the ROM virus.
Replace the debugadh file
The virus saves the system's original debugadh file as debugadh-test and installs its own malicious bin file as the system's debugadh file, as shown in Figure 5.
Figure 5 Replacing the debugadh file
1.3 Modify the install-recovery.sh file
The virus modifies the system's install-recovery.sh file, as shown in Figure 6.
Figure 6 Modifying the install-recovery.sh file
Release malicious bin files
The virus embeds the binary code of the malicious bin files in its Java code and writes them to the /system/xbin directory during execution.
Figure 7 Release of a bin file
1.4 Install the ROM virus
During execution, the malicious code writes the virus parent, the camera_update application, to the system directory /system/priv-app or /system/app, as shown in Figure 8.
Figure 8 Virus parent release
With Root permission, the malicious code first checks whether the camera_update virus parent is installed in the /system/priv-app directory. The virus parent then remains in the phone's ROM under the protection of the bin file, which prevents uninstallation; see section 2 for details.
After installation, the virus parent silently installs TimeService, MonkeyTest, and other applications. These applications log on to the server using short-lived connections (MonkeyTest uses the server http://u.syllyq1n.com/mmslow/api/821), obtain application information, and download and install applications without the user's permission, as shown in Figures 9 and 10.
Figure 9 The MonkeyTest sub-package obtains application information from the server
Figure 10 Installing an application into the ROM without the user's knowledge
II. Analysis of the virus parent daemon process (the blue section in Figure 3)
2.1 The bin file guards the ROM virus parent
At system startup, install-recovery.sh and debugadh are executed. These two files run the released malicious bin file, which stays resident, guards the virus parent released into the ROM, and obtains the latest virus installation package from the server.
Figure 11 Obtaining the latest virus package
If the virus parent is deleted, the bin file automatically downloads it again and reinstalls it into the ROM, as shown in Figure 12.
Figure 12 Virus parent daemon process
Figure 13 Process of installing the virus parent
2.2 Bin file deletion protection
In addition, the chattr +i operation shown in Figure 14 makes it impossible for users to delete the malicious bin files while the phone is running.
Figure 14 Using chattr +i to prevent users from deleting the bin files
2.3 APK uninstall protection
The Ghost Push virus also uses chattr +i to make the installed APK impossible to uninstall, as shown in Figure 15.
Figure 15 Preventing users from uninstalling an APK with chattr +i
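As an added example (not code from the original report), the following shell triage script checks a device, or files pulled from it, for the persistence indicators described in sections 1 and 2: the hidden bin files in /system/xbin and /system/bin, the startup lines added to install-recovery.sh, and the chattr +i immutable flag. It assumes a root adb shell with a busybox lsattr available; the function names and the regular expression are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original report: a read-only triage check
# for the Ghost Push persistence indicators the report describes, run from
# "adb shell" (after su) on a suspect device or against pulled files. Paths
# are the report's; the function names and regex are this example's own.

# Hidden helper binaries and dropped APKs the report names.
GP_PATHS="/system/xbin/.ext.base /system/xbin/.bat.base /system/xbin/.zip.base
/system/xbin/.word.base /system/xbin/.look.base /system/xbin/.like.base
/system/xbin/.view.base /system/xbin/.must.base /system/xbin/.team.base
/system/xbin/.type.base /system/xbin/.sys.apk /system/xbin/.df
/system/bin/daemonuis /system/bin/uis /system/bin/daemonnis /system/bin/nis
/system/bin/daemonmis /system/bin/mis
/system/priv-app/cameraupdate.apk /system/priv-app/com.android.wp.net.log.apk"

# Startup lines of the kind the report shows appended to install-recovery.sh:
# a hidden /system/xbin/.<name>.base or /system/bin/daemon* run in background.
GP_STARTUP_RE='^[[:space:]]*/system/(xbin/\.[A-Za-z]+\.base|bin/daemon[a-z]+)([[:space:]].*)?&[[:space:]]*$'

# Print the suspicious startup lines in a copy of install-recovery.sh;
# exit status 0 when at least one matched, 1 when none did.
gp_scan_recovery_script() {
    grep -E "$GP_STARTUP_RE" "$1"
}

# From one lsattr line ("----i--------e-- /path"), succeed if the attribute
# field carries "i": the immutable flag set with chattr +i (section 2.2).
gp_lsattr_line_is_immutable() {
    attrs=${1%% *}
    case "$attrs" in *i*) return 0 ;; esac
    return 1
}

# On a live device: print which of the report's paths exist and which of those
# are immutable (lsattr is the busybox one; an empty result means no lsattr).
gp_check_device() {
    for p in $GP_PATHS; do
        [ -e "$p" ] || continue
        line=$(lsattr "$p" 2>/dev/null)
        if [ -n "$line" ] && gp_lsattr_line_is_immutable "$line"; then
            echo "PRESENT+IMMUTABLE $p"
        else
            echo "PRESENT $p"
        fi
    done
    [ -r /system/etc/install-recovery.sh ] &&
        gp_scan_recovery_script /system/etc/install-recovery.sh
}
```

Run gp_check_device from a root shell on the phone; a PRESENT+IMMUTABLE line or any startup line it prints matches the report's indicators and should be followed by the removal steps in section 4.1.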
III. Virus malicious behavior analysis
Applications installed by the Ghost Push virus exhibit two types of malicious behavior: advertisement push over mobile data, and silent installation of application software.
3.1 Advertisement push
Applications released and installed on users' phones by the Ghost Push virus push advertisements to users over mobile data. The process is as follows: when the screen is turned on, the ad push is triggered.
Figure 16 Screen-on triggered ad push
It is worth noting that while pushing advertisements, the Ghost Push virus first turns off the Wi-Fi connection on the user's phone and fetches the advertisement content over the user's mobile data, so a large amount of data traffic is consumed without the user's knowledge or permission.
3.2 Application push
The TimeService and MonkeyTest sub-packages released by the Ghost Push virus parent also push and install applications, as shown in Figure 17. The promotion list is obtained from http://m.aedxdrcb.com/gcview/api/910.
Figure 17 Obtaining the applications to be promoted
The returned results carry different promotion types, such as direct background download, shortcut icons, and notification bar, as shown in Figure 18.
Figure 18 Request and response for the applications to be promoted
For example, the following shows promoted applications downloaded directly in the background; once the background download completes, the application is installed automatically, as shown in Figure 19.
Figure 19 Background application installation
The Ghost Push virus uses an SQLite database as a staging area for the various promotion tasks, as shown in Figure 20.
Figure 20 SQLite staging of promotion tasks
In our test, we observed the following promotion data, as shown in Figures 21 to 24.
Figure 21 Log file of applications pushed in the background
Figure 22 Installing an application
Figure 23 Pushing an application and prompting the user to install it
Figure 24 List of pushed and installed applications (installed on the test machine)
3.3 Silent installation without Root
To further ensure that applications are downloaded and installed successfully, the virus also induces the user to enable the accessibility service, as shown in Figure 25. In the code shown in Figure 26, the virus installs the application by simulating the user's clicks through the accessibility service. In addition, the file list on the left of Figure 26 shows installation methods adapted to different system markets (Google Play, Lenovo, MIUI, etc.).
Figure 25 Enabling the accessibility service
Figure 26 Silent installation through the accessibility service
IV. Solutions and security suggestions
4.1 Solutions
Users can either use the Cheetah stubborn trojan killer tool, https://play.google.com/store/apps/details?id=com.cleanmaster.security.stubborntrjkiller (coming soon), or delete the virus software manually. The manual deletion method is as follows:
Use one-click ROOT software to obtain ROOT permission. Download and install the adb tool from http://developer.android.com/tools/help/adb.html. Download and install the busybox tool from http://www.busybox.net/. On the computer, connect to the phone with adb shell and use the su command to obtain ROOT permission. Then find and kill the resident bin file process:
ps | grep .base    # obtain the pid of the .base process
kill <pid>
Delete the malicious bin files:
mount -o remount,rw /system    # the exact command may differ between systems
chattr -ia /system/xbin/.ext.base
chattr -ia /system/xbin/.bat.base
chattr -ia /system/xbin/.zip.base
chattr -ia /system/xbin/.word.base
chattr -ia /system/xbin/.look.base
chattr -ia /system/xbin/.like.base
chattr -ia /system/xbin/.view.base
chattr -ia /system/xbin/.must.base
chattr -ia /system/xbin/.team.base
chattr -ia /system/xbin/.type.base
chattr -ia /system/xbin/.B
chattr -ia /system/xbin/.sys.apk
chattr -ia /system/xbin/.df
chattr -ia /system/bin/daemonuis
chattr -ia /system/bin/uis
chattr -ia /system/bin/debugadh
chattr -ia /system/bin/nis
chattr -ia /system/bin/daemonnis
chattr -ia /system/bin/.daemon/nis
chattr -ia /system/bin/uis
chattr -ia /system/bin/.sr/nis
chattr -ia /system/bin/mis
chattr -ia /system/bin/daemonmis
chattr -ia /system/bin/.daemon/mis
chattr -ia /system/bin/.SC/mis
rm /system/xbin/.ext.base
rm /system/xbin/.bat.base
rm /system/xbin/.zip.base
rm /system/xbin/.word.base
rm /system/xbin/.look.base
rm /system/xbin/.like.base
rm /system/xbin/.view.base
rm /system/xbin/.must.base
rm /system/xbin/.team.base
rm /system/xbin/.type.base
rm /system/xbin/.B
rm /system/xbin/.sys.apk
rm /system/xbin/.df
rm /system/bin/daemonuis
rm /system/bin/uis
rm /system/bin/debugadh
rm /system/bin/nis
rm /system/bin/daemonnis
rm /system/bin/.daemon/nis
rm /system/bin/uis
rm /system/bin/.sr/nis
rm /system/bin/mis
rm /system/bin/daemonmis
rm /system/bin/.daemon/mis
rm /system/bin/.SC/mis
cp /system/bin/debuggerd_test /system/bin/debugadh    # restore the original system file from the virus's backup copy
Run the following commands to clear the malware that cannot otherwise be removed:
chattr -ia /system/priv-app/cameraupdate.apk
chattr -ia /system/priv-app/com.android.wp.net.log.apk
rm -rf /data/com.android.camera.update
rm -rf /data/com.android.wp.net.log
rm /system/priv-app/cameraupdate.apk
rm /system/priv-app/com.android.wp.net.log.apk
adb shell                                       # on the computer: open a shell on the phone
cp /system/etc/install-recovery.sh /sdcard/     # on the phone: copy the startup script to the SD card
adb pull /sdcard/install-recovery.sh            # on the computer: fetch the copy and edit it as described below
adb push install-recovery.sh /sdcard/           # on the computer: push the edited copy back to the phone
cp /sdcard/install-recovery.sh /system/etc/     # on the phone: put the edited script back in place
Open /system/etc/install-recovery.sh and comment out or delete the following lines that the virus added:
/system/bin/daemonuis -auto-daemon &
#!/system/bin/sh
/system/xbin/.ext.base &
#!/system/bin/sh
/system/xbin/.ext.base &
4.2 Security suggestions
We recommend downloading applications only from regular application markets and being cautious when downloading or installing the applications listed in Appendix 2. Also install Cheetah Security Master to verify the validity of downloaded applications and monitor the phone's security in real time.
V. Summary
The Ghost Push virus spreads widely through advertisement SDKs and browser advertisements. By tracking and analyzing the virus, we found that the Ghost Push virus software disguises itself as legitimate software. Once a user is infected, the malicious code runs from install-recovery.sh at startup and uses chattr +i so that the user cannot delete it, either manually or through anti-virus software. The malicious code pushes advertisements over the user's mobile data and silently downloads and installs applications without the user's permission. This has caused unavoidable impact and harm to many Android users.
After analyzing the virus execution process, this article provides a method for manually clearing the virus. Finally, after analyzing the virus source, we found that most of the virus software was signed with the certificate C=CN/O=xinyinhe/OU=ngsteam/CN=ngsteam, from a company named xinyinhe. Following the principle of tracing the problem to its root, we also conducted an investigation of the xinyinhe company, presented in Appendix 3.
We recommend downloading applications from regular channels and installing Cheetah Security Master to verify the validity of applications and protect your phone in real time.
[Appendix 1] List of infected models
[Appendix 2] List of infected applications (39 items)
WiFi Enhancer extends Indian Sexy Stories 2 dynamic Ive Touch Accurate Compass All-star Fruit Slash Happy Fishing MonkeyTest PinkyGirls XVideo Codec Pack Amazon/Application Center Hubii News itouch Light Browser XVideo Memory Booster WordLock Fast Booster Talking 3 Photo Clean Super Mario SmartFolder Simple Flashlight Daily Racing SettingService boom pig WhatsWifi Hot Video Lemon Browser Multifunction Flashlight Tips/cute Ive Touch Hot Girls Sex Cademy iVideo Fruit Slots Wifi Speeder WiFi FTP Ice Browser PronClub
[Appendix 3] Shenzhen Xinyinhe (New Galaxy) Technology Co., Ltd.
Intuition tells us that this New Galaxy Technology Co., Ltd. is closely linked to One-Click ROOT Master. Don't ask where our instincts come from ~~
Is there a relationship between the two companies? First, we searched Baidu and Google for New Galaxy's official website, and the results showed that the company had no official website. So --
We found a link to the company through a Referer from a recruitment site.
From the recruitment information we learned that http://www.ngemob.com and http://root.ngemob.com are sites of Shenzhen New Galaxy Technology Co., Ltd.
After finding the company's official website, the truth gradually emerged!!! One-Click ROOT Master, http://www.dashi.com/, and http://www.ngemob.com use the same IP address.
In addition, foreign forums often mention the relationship between One-Click ROOT Master and http://root.ngemob.com.
We also collected some further evidence.
Evidence 1: Encyclopedia search.
Evidence 2: A screen lock app developed by Shenzhen xinyinhe Technology Co., Ltd.
After all, there is no official website, and no explicit evidence links the two companies. We are only making inferences and have reached no conclusion; you can judge for yourself.
Finally, we hope everyone can work together, and believe that Cheetah will build a security wall for hundreds of millions of users!!!