Malicious behavior of the "Phantom Killer" porn virus and analysis of its black industry profit chain
0x00 Overview
Recently, the Alibaba mobile security team found that a large number of pornographic viruses have begun to flood some forums and application markets. Unlike earlier pornographic viruses, they use more advanced techniques to resist detection and removal by security software. These viruses have the following features:
Code reinforcement (packing) is used to encrypt the malicious code, which is only decrypted in memory after the app runs. After installation, the app disguises itself as a system component and hides its installation in a system directory, which prevents uninstallation and evades scanning and removal by some security software. Driven by configuration from a cloud server, it continually creates fake shortcuts, pop-up dialog boxes, fake notifications and other prompts to force-push and install other malware.
Because these viruses usually use pictures of attractive women as their icons in the app market and tempting words as their application names, inexperienced users are easily deceived; we therefore named the family "Phantom Killer".
Figure: icon and name used by Phantom Killer
By the end of October, 853,000 Chinese devices had been infected with the Phantom Killer virus. The most seriously affected provinces are Guangdong, Zhejiang and Jiangsu; on average, one in every 45 devices in Guangdong Province had the virus installed.
Figure: "Phantom Killer" virus infection trends
Figure: Regional distribution of users infected by Phantom Killer
0x01 Technical Analysis
To understand how the Phantom Killer has evolved, we analyzed samples of the virus family from different periods. Its characteristics are summarized below from two perspectives: countering security software, and malicious behavior.
1. Countering security software
A. Code reinforcement
Android reinforcement (packing) technology does solve the code-protection problem to some extent, but it also provides an excellent hiding mechanism for viruses and Trojans. We found that a large number of Phantom Killer samples use reinforcement to hide themselves and evade antivirus scanning and removal. The protection has progressed from early overall encryption of the DEX executable stored in the assets directory, to heavy obfuscation of the Java-layer code plus shell code, to the current approach of dynamically loading encrypted malicious code from the native layer. This shows that the virus developers are also working hard to raise the cost of reverse analysis for security companies.
Figure: Evolution of the malicious code reinforcement technology
Figure: The native layer uses DexClassLoader to load the encrypted malicious code
At the same time, there are many variants of this type of reinforcement: the .so file name and the name of the corresponding encrypted JAR are changed at intervals, and the init key in the native layer changes as well.
B. Preventing uninstallation
To remain on users' phones for a long time, these samples also disguise themselves as system components, activate device administrator permissions, and copy themselves into system directories, which prevents users or security software from uninstalling them normally.
Figure: Activating device administrator permissions
2. Malicious behaviors
A. Purchasing paid services
The Phantom Killer virus usually attracts clicks with tempting names such as "Private Fast Broadcast", "Emotional Videos" and "Beauty Hot Broadcast", but its built-in payment module secretly deducts phone credit in the background or directly consumes data, incurring traffic charges. Tallying the general harms, the greatest harm to users is malicious fee deduction!
Figure: Hazards of pornographic applications
Many pornographic applications bundle multiple payment modules that are linked to each other. Analysis found that some third-party payment SDKs intercept text messages: when the user clicks to pay, the fee-deduction confirmation SMS (secondary confirmation) is never received, because code in the payment module blocks the message.
Figure: Text message interception
Some pornographic apps even send fee-deduction text messages without the user's permission.
Figure: Silent SMS fee deduction after startup
B. Privacy theft
During the analysis we found that some malicious developers package malicious code into pornographic applications. The malicious behaviors include monitoring incoming SMS and MMS messages, reading the contents of the SMS inbox, and uploading the user's SMS messages and contact list to e-mail addresses specified by the hackers. After obtaining the information, the hackers can sell it or use it for fraud. The figure below shows a hacker's e-mail address recovered by the analysts.
Figure: Collecting user information
Figure: Reading the user's SMS inbox
C. Forcibly pushing and installing other malware
Take a "Private Fast Play" sample as an example. It first starts a monitoring service, then launches a RequestTask that displays: "HD playback components are missing from your system: 1. Break through firewall restrictions and enjoy many restricted-rated blockbusters; 2. A dedicated express connection has been activated; 3. More exciting content will be available at midnight, stay tuned!" With this message the hackers trick users into downloading and installing the app. After installation, it constantly downloads pushed malicious apps in the background, creates fake desktop shortcuts to induce the user to install them, consumes mobile data, and illegally pushes malicious advertisements.
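As an added example (not code from the original report or from Alibaba), the Python triage below encodes the indicators described in sections 1 and 2 above as checks a defender can run over an unpacked APK: a package name that imitates a system component, a device-administrator receiver, a high-priority SMS_RECEIVED receiver of the kind used to intercept confirmation messages, SMS and contact permissions, the shortcut-creation permission, high-entropy (encrypted) payloads under assets/, and a native library that references DexClassLoader. The manifest and file contents are constructed for the example; the entropy threshold, the priority threshold and the package-name heuristic are assumptions.

```python
import hashlib
import math
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000        # assumption: a receiver above this wants to run before the SMS app
ENCRYPTED_ENTROPY = 7.5     # assumption: bits/byte above which an asset looks encrypted

# Constructed manifest modelled on the behaviours described above; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.systemui.update">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Private Fast Broadcast">
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed control case: a harmless app with one permission and no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

def _fake_encrypted_blob(size=4096):
    """Deterministic high-entropy bytes standing in for an encrypted JAR (constructed)."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:size]

SAMPLE_FILES = {
    "assets/data.jar": _fake_encrypted_blob(),
    "lib/armeabi/libcore.so": b"\x7fELF...Ldalvik/system/DexClassLoader;...",
}
BENIGN_FILES = {"assets/help.txt": b"This app stores your notes locally.\n" * 20}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def manifest_indicators(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    pkg = root.get("package", "")
    sms_hook = device_admin = False
    for receiver in root.iter("receiver"):
        if receiver.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin = True
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in filt.iter("action")}
            priority = int(filt.get(A + "priority", "0"))
            if SMS_RECEIVED in actions and priority >= HIGH_PRIORITY:
                sms_hook = True  # positioned to abort the broadcast before the user sees it
    return {
        "system_lookalike_package": pkg.startswith(("com.android.", "android.")),
        "device_admin_receiver": device_admin,
        "high_priority_sms_receiver": sms_hook,
        "reads_sms_and_contacts": {"android.permission.READ_SMS",
                                   "android.permission.READ_CONTACTS"} <= perms,
        "can_send_sms": "android.permission.SEND_SMS" in perms,
        "can_create_shortcuts": "com.android.launcher.permission.INSTALL_SHORTCUT" in perms,
    }

def payload_indicators(files: dict) -> dict:
    encrypted = [p for p, d in files.items()
                 if p.startswith("assets/") and shannon_entropy(d) > ENCRYPTED_ENTROPY]
    native_loader = [p for p, d in files.items()
                     if p.startswith("lib/") and b"dalvik/system/DexClassLoader" in d]
    return {"encrypted_assets": encrypted, "native_dex_loading": native_loader}

def triage(manifest_xml: str, files: dict) -> dict:
    """Combine both indicator sets; the score is simply the number of indicators that fired."""
    indicators = manifest_indicators(manifest_xml)
    indicators.update(payload_indicators(files))
    hits = [name for name, value in indicators.items() if value]
    return {"hits": hits, "score": len(hits)}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_FILES))
    print(triage(BENIGN_MANIFEST, BENIGN_FILES))
```

The score is deliberately a plain count so the individual hits stay visible; in practice the manifest would be the decoded AndroidManifest.xml from a tool such as apktool and the file map would be built by walking the unpacked APK.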
Figure: Download server address
Response from accessing the central download link:
The "durl" field carries the download URL, and the "title" and "desc" fields are unicode-encoded; once decoded, they match the text of the pop-up dialog box.
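As an added example (not the report's or Alibaba's own code), the Python below parses a constructed push configuration of the shape just described: a JSON list in which "title" and "desc" arrive as literal \uXXXX sequences and "durl" carries the download link. It decodes the dialog text so an analyst can match it against the pop-up, and flags each entry for plain-HTTP delivery, an IP-literal host and a direct APK download. The "pkg" field, the sample values (documentation IP 203.0.113.10 and example.net hosts) and the flag heuristics are assumptions.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed response modelled on the push configuration described above; not real server data.
# The text fields are carried as literal \uXXXX sequences, so json.loads leaves them undecoded.
RAW_PUSH_CONFIG = r'''[
  {"pkg": "com.example.hdplayer",
   "title": "\\u63d0\\u793a",
   "desc": "\\u7f3a\\u5c11\\u9ad8\\u6e05\\u64ad\\u653e\\u7ec4\\u4ef6",
   "durl": "http://203.0.113.10/down/hdplayer.apk"},
  {"pkg": "com.example.player2",
   "title": "\\u66f4\\u65b0",
   "desc": "Update available",
   "durl": "https://cdn.example.net/app/player.apk"}
]'''

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

def decode_unicode_escapes(text: str) -> str:
    """Turn literal \\uXXXX sequences into characters, leaving everything else untouched."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def url_flags(url: str) -> list:
    """Risk flags for a download URL (assumed heuristics, not taken from the report)."""
    parsed = urlparse(url)
    flags = []
    if parsed.scheme != "https":
        flags.append("plain_http")          # payload can be swapped in transit
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)
        flags.append("ip_literal_host")     # no domain, typical of throwaway download hosts
    except ValueError:
        pass
    if parsed.path.lower().endswith(".apk"):
        flags.append("direct_apk")          # sideload outside any app market review
    return flags

def analyze_push_config(raw: str) -> list:
    """Decode each push entry and attach URL risk flags; returns a list of dicts."""
    report = []
    for entry in json.loads(raw):
        report.append({
            "pkg": entry.get("pkg"),
            "title": decode_unicode_escapes(entry.get("title", "")),
            "desc": decode_unicode_escapes(entry.get("desc", "")),
            "durl": entry.get("durl"),
            "flags": url_flags(entry.get("durl", "")),
        })
    return report

if __name__ == "__main__":
    for item in analyze_push_config(RAW_PUSH_CONFIG):
        print(item["pkg"], item["title"], item["desc"], item["flags"])
```

Decoding the escapes by regex rather than a second json.loads keeps any non-ASCII characters that are already present in the string intact; the decoded title and desc are what to compare against the dialog text captured from the device.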
Figure: Inducing installation
To forcibly push the downloaded apps onto the phone, the whole process checks which apps the user has downloaded, which have been installed and run, and which have not, and continually creates fake shortcuts, pop-up dialog boxes, fake notification-bar entries and other lures to get the user to click and install, eventually leaving a large amount of malware installed on the phone. In this way the server learns which applications the user has installed and run, and uses that information to drive further pushes.
Figure: Forced prompt to install the downloaded application
0x02 Black industry profit chain analysis
Because this type of pornographic APP is simple to develop and produce, cheap to promote, and has a huge market, it can generate economic returns in a short time, so it attracts a large number of criminals to share in the profits, and a complete black industry chain has gradually formed. Pornographic APP developers upload samples at very low promotion cost to online promotion platforms such as niche Android markets, application promotion platforms, pornographic websites, and some games or game plug-ins. Such pornographic apps easily arouse users' curiosity to download and install them. Once installed on a user's phone, they secretly order paid services from mobile operators in the background and push more malicious promotion software to the phone; in this way the black industry collects commissions on telecom charging projects and earns additional advertising traffic revenue.
The profit chain of the Phantom Killer virus is as follows:
Figure: Black industry profit chain of the Phantom Killer virus
As many domestic application markets have gradually strengthened their code security reviews, and to avoid having an application delisted once malicious code is detected, a professional black-market reinforcement team encrypts and hides the malicious code before it is published to the application market. By analyzing the sample distribution channels, we found that, to avoid exposing their identities, some virus developers even host the Trojans on their own servers and have registered a series of domain names to provide download services.
Conclusion: the illegal profit chain of the Phantom Killer virus is: malicious APK -> promotion channels -> pornographic websites or pornographic apps -> lured downloads -> advertising alliances -> malicious fee deduction.
0x03 Prevention and suggestions
Alibaba Mobile Security reminds users that, to avoid such viruses, mobile apps should be downloaded from the official website or a trusted Android app market whenever possible, and apps of unknown origin should not be installed; apps with tempting names deserve particular caution. If you are not sure whether your phone is infected, you can install Alibaba Money Shield or other mobile security software to scan the applications on your phone and block the installation of high-risk malicious applications.