More than 20 control commands: analysis report on the remote control Trojan Android.Dendoroid.B
Recently, the 360 team intercepted a powerful professional spyware program that lets an attacker remotely control a user's mobile phone from a PC. It supports more than 20 commands and steals the user's contacts, text messages, photos and other sensitive private data. Its remote control method closely resembles that of the well-known Android.Dendoroid Trojan family from last year, so we have named it Android.Dendoroid.B.
I. Analysis of malicious behavior on the Android controlled end of the Trojan
1. Releasing files, hiding the icon and starting the malicious service
After Android.Dendoroid.B starts, it extracts the testv7 or testv5 file from the APK's assets directory into the /data/{packagename} directory and renames it test. It then requests root permission, drops the su backdoor file ssu into the /system/bin directory, hides its own icon and runs the test file:
test is an ELF file whose main function is to start the malicious WorkServer service from the command line:
2. Frequently terminating security software processes
We found that at important malicious-behavior points the Trojan frequently terminates the processes of mainstream Chinese security software, undermining their normal operation. This self-protection by the Trojan exposes users' phones to greater risk:
The following security software is terminated:
3. Automatic recording during calls
Call recording is implemented by monitoring phone state changes. When the controlled phone enters a call, the Trojan automatically starts recording and saves the recording file:
4. Remote control via commands fetched online
Different commands are sent to the mobile phone to trigger the corresponding behavior. Command name, function and the response returned to the PC:
5. Other functions not yet used
In addition to the above functions, the controlled-end code also contains routines for decrypting chat records and for remote control via SMS commands, but this code is never called:
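As an added example (not code from the 360 report or from the sample), the behaviors described in sections 1 to 4 above can be turned into static triage rules over strings extracted from a decompiled APK. The sample strings, the security product package names, the FTP address and the rule weights below are all constructed for illustration.

```python
# Added example: static triage rules over strings pulled from a decompiled APK.
# Every string, package name, address and weight here is constructed for illustration.

# Constructed sample of what a triage pipeline might extract from an APK:
# asset paths, file-path literals, Android API method references, network literals.
SAMPLE_STRINGS = [
    "assets/testv7", "assets/testv5",
    "/data/com.example.spy/test", "/system/bin/ssu", "su",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "COMPONENT_ENABLED_STATE_DISABLED",
    "Landroid/app/ActivityManager;->killBackgroundProcesses",
    "com.example.security.av", "com.example.security.guard",
    "Landroid/telephony/PhoneStateListener;->onCallStateChanged",
    "Landroid/media/MediaRecorder;->start",
    "ftp://192.0.2.10", "USER root", "PASS root",
]

# Constructed stand-ins for the security product package names the report lists.
SECURITY_PKGS = {"com.example.security.av", "com.example.security.guard"}

def has(strings, needle):
    """True if any extracted string contains the needle."""
    return any(needle in x for x in strings)

# (rule name, weight, predicate). Each rule pairs two indicators so a single
# benign API use (e.g. MediaRecorder in a voice-memo app) does not fire alone.
RULES = [
    ("elf_dropped_from_assets", 3,
     lambda s: has(s, "assets/test") and has(s, "/data/")),
    ("su_backdoor_in_system_bin", 4,
     lambda s: has(s, "/system/bin/ssu") and "su" in s),
    ("hides_launcher_icon", 2,
     lambda s: has(s, "setComponentEnabledSetting")
     and has(s, "COMPONENT_ENABLED_STATE_DISABLED")),
    ("kills_security_processes", 4,
     lambda s: has(s, "killBackgroundProcesses") and bool(SECURITY_PKGS & s)),
    ("records_calls", 3,
     lambda s: has(s, "onCallStateChanged") and has(s, "MediaRecorder")),
    ("plaintext_ftp_exfil", 3,
     lambda s: has(s, "ftp://") and has(s, "PASS ")),
]

def triage(strings, threshold=8):
    """Evaluate all rules; return fired rule names, total score and a verdict."""
    s = set(strings)
    fired = [(name, w) for name, w, pred in RULES if pred(s)]
    score = sum(w for _, w in fired)
    verdict = "likely spyware" if score >= threshold else "no strong indicators"
    return {"hits": [n for n, _ in fired], "score": score, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```

Running the block against the constructed string set fires all six rules; a set containing only a MediaRecorder reference fires none.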
II. FTP server analysis
From the command list above we can see that most of the private data is uploaded to the virus author's FTP server. The address is 121.199.2*.*** and the user name and password are both root. After logging in, the FTP file list is as follows:
On the server we found and sorted the following important files, some of which are users' private data actually uploaded from monitored phones:
bf.zip contains a Java project named "SimpleServer". Analysis of this code shows that its main function is to handle the communication between the PC master end and the mobile phone APK:
Code for parsing commands sent by the Android controlled end:
Code for parsing instructions sent by the PC master end:
Another file, named "Trojan", also drew our attention. It contains a large number of PHP files and the images shown below; this is the source code of last year's widely spread Android.Dendoroid, which is the other reason we named this sample Android.Dendoroid.B.
III. Analysis of the Trojan's PC master end
The PE file mysocketserver.exe on the FTP server is the master end of Android.Dendoroid.B. It is used to send remote control commands and to receive the private information returned by the controlled end.
During our verification we clicked the contacts button, and the contact list from the target user's phone was returned quickly:
In addition, we found a website in the software, http://www.yunkong8.com/, which is a professional monitoring-software sales site. Its feature page describes using a mobile phone or another computer to browse a web page and remotely control a specified PC client; we guess this may be an undisclosed software feature or a customized version.
IV. Infected users
According to data from the 360 Internet Security Center, several users in cities including Bengbu, Jingzhou, Wuhan and Haikou have been infected with this Trojan in the last two months.
V. Virus author
In the controlled-end sample code we found a QQ mailbox, 84777***@qq.com, in a Mail class that is never called. A check against 360's full sample set shows that this QQ mailbox was used in multiple other malicious samples, which contain the same Mail class and do call it. We therefore conclude that the Trojan has been evolving: historically it used email to exfiltrate user privacy, but it has since moved to FTP, with richer content and a more concealed method.
We searched for this QQ number and found that it belongs to a programmer nicknamed "old a" in Luzhou, Sichuan.
Further tracking located specific information about "old a":
Yang ** (common nicknames: lzyyf, old)
Luzhou No. 2 Middle School (Level 2)
Attended the University of Ulsan in South Korea from September 2013 to September 2017.
Used another QQ account, 139********, to spread similar Trojans on multiple forums in early 2014.
He also posted Trojan information on his Weibo several times:
Through big data analysis such as 360 back-end cloud query information, we found some other people who may also be connected with this Trojan:
Mobile phone serial number    Location
35291106045****               Harbin, Heilongjiang Province (Northeast China)
35713905461****               Shenzhen, Guangdong Province (South China)
35260505594***                Nanchang, Jiangxi Province (East China)
VI. Summary
Android.Dendoroid.B shows that this Trojan family is a remote control, privacy-stealing family that disguises itself as a system application. Instead of relying on third-party markets for distribution, it is sold through websites or underground black-market transactions and then implanted on a specified monitoring target by someone with unauthorized access to the device. It has the characteristics of single-point propagation, infection of specific targets, long latency and large losses per victim. We recommend that users increase their privacy awareness and install security software to regularly scan and check software security.
We will continue to closely follow the development of such Trojan families and provide security protection solutions.