Mobile phone virus analysis report of "brain worm"

Mobile phone virus analysis report of "brain worm"
I. background

At the end of 2015, the mobile security team continuously received feedback from users. The mobile phone was inexplicably downloaded and installed with other applications, and the mobile phone automatically subscribed to the fee deduction service. After the mobile phone was restored to the factory settings, the problem persists. Similar user feedback is growing recently. The mobile security team tracked and found that the culprit of such symptoms is a linux system-layer virus. The core module of the virus includes an ELF System File conbb (configopb) and an APK file core of a disguised system application, we found that the virus provides a complete set of implementations and interfaces, which can be conveniently packaged and called by different APK applications, thus causing widespread spread of the virus and adverse effects. According to background data analysis, there are hundreds of applications for packaging the virus module. Therefore, the virus is named "Hundred brains and insects.

Through the search engine, you can easily find feedback from other users:

Figure 1 feedback from netizens infected with "hundred brain worms"

2. Dissemination

The worm virus is embedded in a variety of applications in the form of plug-ins. Among them, many of them are pornographic applications with many problems and some popular High-and-wide applications, these repackaged problem programs spread wildly through third-party electronic markets or certain pornographic websites.

1. pornographic video applications

The name of the porn APP embedded with the worm virus is extremely attractive, such as adult cinemas, Mei Niang audio and video, dry sister videos, and banned videos. Once the otaku user is tempted by these extremely attractive APP names, click to install such apps.

Figure 2 pornographic applications embedded with the wannacache

2. Common applications with high popularity

Normal applications with high popularity are also the hardest hit area for the spread of the virus. For example, the new year's edition of qianniu fishing, the best timetable, and the full name of diamond mining are all tampered with by ulterior motives of virus authors, embedding the wannacoma virus. If the user's security awareness is weak and the application is not downloaded and installed through official or regular third-party electronic markets, it is easy to be infected with the virus.

Figure 3 embedding the normal application of apsaradb for memcache

Iii. Introduction to viruses

Relationships between apsaradb for memcache modules

Figure 4 relationships between apsaradb for memcache modules

After the application is started, it will escalate the permission to release an unillustrated APK to the system application path. This APK runs silently in the background, making it hard for users to find out. This APK is the core module of the worm virus. Its main functions include checking security software, stealing user privacy, Silent Promotion and installation of other applications and virus files.

The execution flow chart of the worm is as follows:

Figure 5 Execution Process of a worm

1. After the application for packaging and starting the worm program, first decrypt all the important modules from the encrypted data file in the assets folder. It contains third-party root elevation tool, su file, core module, conbb virus installation script, install-recovery.sh, etc.

2. Determine whether the user's mobile phone is in the root state. If it is not the root state, report the user model, system version, and other information to the cloud, and download the root elevation file with known vulnerabilities corresponding to the model and system version from the cloud, use a third-party tool to perform root Elevation of Privilege.

3. Copy the core module to the/system/app to become a system application, so that the user cannot uninstall the application through the normal method.

4. The core module is always running in the background and determines whether it is in the sandbox environment of the security vendor. If yes, exit without further action.

5. The core module determines whether security software services are running. If yes, it tries to forcibly terminate the service process.

6. The core module deletes all other root tools and root authorization management applications, so that other applications cannot obtain root permissions.

7. Periodically download and install many other applications and virus files from the background.

Iv. Detailed Analysis

1. Re-package the code

The worm virus is propagated after being repackaged by other applications. For a repackaged application, a line of virus startup code is added to the entry function. When this application is running, the code of the worm will get the execution permission.

Figure 6 startup code of the worm virus

After the virus code is executed, obtain the KEY and configuration information from the 64-byte starting from the beginning of the krLib (variable file name) encrypted data file in the assets folder.

Figure 7 obtain key and operation-related configuration information

The key obtained from the actual virus sample is 10249832931963293212373431424213, run

The configuration information is 00000000000000010000000000000336 ". The key will be used to decrypt other modules and strings of the worm virus. There are two decryption algorithms for the APP layer of the parent package: dn_1 and dn_2. Dn_1 is used to decrypt other brain worms, and dn_2 is used to decrypt Key Strings.

 

Figure 8 key encrypted strings

Figure 9 decryption functions

You can use the obtained key together with the decryption algorithm to restore the key string:

Figure 10 code snippet after decryption

Figure 11 the decrypted files of the hundred worms

After that, the worm detects whether the running environment is real. If the sandbox environment is detected, the virus automatically exits.

After the environment detection, virus checks whether the system contains files "/sytem/bin/conbb", "/system/xbin/conbb", "/system/bin/su", and "/system/xbin ". any service process "com. android. browser. internal. server ". If yes, the mobile phone is already in the root state. The verification result is reported to the remote server and the subsequent process is executed. If the virus determines that the mobile phone is not root, the librgsdk is loaded. the so module executes root Elevation of Privilege. Librgsdk. so was originally the root Privilege Escalation module of a regular manufacturer, but the interface was exposed to the virus author because the caller's verification was not rigorous.

Figure 12 process of Elevation of Privilege for apsaradb hybriddb

After the root node is successfully installed, the core module is installed in the system directory. First, copy the core file to the system path ("/system/app/BrowserInfoServer. APK") and grant the system application permission of 644, so that users Cannot uninstall the application in normal mode. Run the "am startservice-n com. android. browser. internal. server/com. android. phone. BrowserService" command to start the core service.

Figure 13 install and execute a core application

2. apsaradb core Module

The core module is the core module of the worm virus. It stores malicious behaviors in the system space to download and promote it. it registers a worker to enable the module when the system starts up or the network status changes.

Figure 14 Cycler registered by the core Module

After the core module is started, it clears all cached dex files in the installation path and loads the main entry "com. android. xb. init" of all JAR packages in the installation path ".

Figure 15 load the JAR package

To better hide itself, almost all strings in the core module are encrypted and executed by calling getSystemDecodeVaule for dynamic decryption during execution.

Figure 16 dynamically decrypt Key Strings

Figure 17 decryption functions

Because the decryption function is a static function, you can use the java reflection mechanism to load core applications and call getSystemDecodeVaule to decrypt Key Strings.

Figure 18 code snippet for simulating a decryption function call

Figure 19 Key Strings after decryption

After core Initialization is complete, its core functions will be executed. First, the user's mobile phone information and virus running results are reported to the remote server ph1.opnixi.com. The uploaded information includes the current version of the virus, the mobile phone imsi, the current virus runtime interval, whether it is a built-in rom, whether the virus runtime environment is secure, the list of installed applications, and downloaded JAR packages..

 

Figure 20 upload information by a worm

The cloud selects the returned content based on the mobile phone upload information. If the upload information goes smoothly, the server will return to the JAR package download list. "Http: // [removed]/download/modules/OPBUpdate _ 6000. JAR" is returned during the test ".

Figure 21 download the JAR package

The JAR package contains APK and installation configuration information. Configure the information virus to determine whether to install APK as a system application or a normal application. Once installed as a system application, it will be difficult to clean up.

Figure 22 installation Configuration

Figure 23 install APK from the downloaded JPR package

In addition, the worm will back up its own APK and installation configuration information to the directory "/mnt/sdcard/Android/com/usbdevice/dbinfo, it can be restored immediately after being uninstalled by the user. Therefore, it is generally impossible for the user to manually clear it.

Figure 24 apsaradb for memcache backs up its own files

The analysis found that apart from executing the malicious function when the mobile phone starts or the network connection status changes, the virus also sets a time period, that is, every other hour, then connect to the virus server to download the application and back up the downloaded files. Once the files are deleted and uninstalled, reinstall them.

V. Problem Application

According to background data analysis, there are hundreds of applications for packaging a worm program. Here we will briefly introduce some application programs with a wide spread volume. For details, see Appendix 1.

1. "ban video": in addition to having the virus function of a hundred brains and insects, its own behavior is extremely bad. Not only does it maliciously promote other applications, but it also causes economic losses to users by secretly subscribing to the deduction service without the user's permission. Because the "no video broadcast" operation will block "successful subscription service", "Verification Code" and other fee deduction-related sensitive text messages, it is difficult for users to immediately notice.

Figure 25 access the subscription service website from the background of banned videos

Figure 26 deduction Verification Code

2. "Thunder fighter 2015 New Year edition": this game was originally a normal and recently popular shooting mobile game. Once a user downloads and installs a re-packaging application embedded with the "hundred brain worms" virus from an unofficial channel, the "hundred brain worms" virus is also secretly installed along with this application. Because of the absence of icons for the "brain worm" virus, and disguised as a system, it is difficult for users to detect its existence.

6. detection, removal, and repair

As the number of users in first-aid kits increases, more and more Trojans are found. The full-depth scanning exclusive to first-aid kits can thoroughly scan and eliminate the underlying ELF and APK viruses. Currently, the mainstream mobile phone security products on the market almost do not support the complete in-depth ELF scanning function.

Currently, the mobile phone first aid kit supports Trojan Detection and repair:

Figure 27 mobile phone first aid kit detection and repair page

One of the main reasons for the spread of the worm virus is the weak security of users. To prevent the virus from being infected with the "cerebral worms" virus, we recommend the following:

Do not download and install video applications related to the so-called porn category. When downloading an application, try to download and install it through official or formal third-party electronic markets. In case of security-related exceptions such as Silent Installation of other applications or malicious fee deduction, immediately report to formal security

Vendor.

Install regular mobile phone security software to protect system security in real time.

Phone first aid kit: 

Appendix 1: Application of part of the application that contains the Worm Virus

Application name

MD5

Scenario Switching

Cedca3abced18acef0ff0953cb162f4f

Violent chariot

E0f7a130214877a4e8f73ae1b4acf2fd

One-click lock screen

9d272f102949dd19b57e0a1c77918107

Beauty bathroom

409b1c1356fd5a5b468f901a3b4b62e2

Calendar

2cb438b6c73a7e98ae81a36f37af7133

Yueda Browser

A78e2c08f54ecdae88fa3238d4677aaa

Yan Feng jiansheng

C33ff5de90a139ef67e8c7a2aebf9928

Signal reminder

Bb9d20dd63f1375475ddf8eca344b5ba

Browser

95708f24ddfb70194b5abff2705f78e1

Read free Novels

Health Consultation

Fcb22aed96d977c6168b864c331845db

Calendar

Ce47594720a7c4997f2da62f66c0d077

File Manager

Cfc6326ea59147a3098b12250ee1c372

Health Consultation

B6440e161927ccc3ff0848d72426e941

Precise Power Supply

31812f98ff7fe69b129e6d6764f3bc66

Beauty bathroom

02524acb83cee4e5506348b6fd9521b1

Ticket snatching alarm

96ba321e68adde0622ef95d4132d8dba

Sex play

Ad4e837f316947dd50cc1e8929b215ed

Zhi

Df5103929e41df3a9b84dd7a0fe4e3c9

Pink Broadcast

D114d1150160466835ff2e902f63e6d6

Eliminate starfish

Ca8b63f2bcc34fca8e87633fe55c7160

Thunder fighter 2015 New Year

8dbbbbaa60c81db4395422ee1982135f

Dual Mahjong

487edc48ddb19d8908fab870bed9dd6c

Sister-in-law video

F633ed5dbe53f0c1090d38b5afa68e50

Mei Niang audio and video

11004a50fe620e94257a77b143bd8e9a

Banned videos

9e5e4b744bf2b9b9374a3203c2595ac3

Diamond mining

85976b9dffa85e0e6a917da2e64671eb

Great wisdom

27a753751fb9505906cfd5b8dc515773