Oldboot: another example of a Trojan using cloud Remote Control Technology

Source: Internet
Author: User

I. Behavior Overview

Recently, users reported that four game apps had been installed on their phones without their knowledge, and that the apps reappeared within a day even after being uninstalled. Analysis by 360 mobile security experts shows that this Android Trojan modifies the source code of the system Settings program (com.android.settings) so that, on a command from the cloud, it can install or delete the four game APKs stored under the /system/base directory. Beyond that, by combining cloud-supplied and local parameters the Trojan implements self-update, ROM update, APK installation, APK uninstallation and arbitrary command execution. According to our statistics the Trojan is shipped in third-party ROMs customized by a professional manufacturer, with more than 180 infected models and more than 100,000 infected users. Details follow.

 

Figure 1. The four games installed by the Trojan

 

Figure 2. Online feedback on the theft of users' financial assets

 

II. Sample Structure

Both malicious files are pre-installed in the ROM.

File 1

Package name: com.android.settings

File Path:/system/app/HctSettings_vivo.odex

 

File 2

Package name: com.cooee.mcesys

Md5: e42fb505b5d09652d252b09e09ba63c9

File Path:/system/app/Mcesys.apk

 

III. Architecture Analysis

1. com.android.settings: cloud-controlled installation and uninstallation of APKs

The modified Settings app exposes a ContentProvider through which it communicates with com.cooee.mcesys: it serves PhoneInfo to that package and, on request, installs or uninstalls the APK files under /system/base.

 

Figure 3. Declared Provider

Figure 4. APK files in /system/base

It reads the package name and other attributes of each APK in the /system/base directory and records them in the app_packs_db database file, in a table named cooee_hide_packs.

 

Figure 5. cooee_hide_packs table
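The file paths, the MD5 and the database table above are enough for an offline triage of a ROM dump. The following script is an added example, not code from the original report or from 360. It assumes the ROM has been unpacked (or pulled with `adb pull /system`) into a local directory laid out like the device, and checks the paths, hash and SQLite table named in sections II and III. The on-device location of app_packs_db is not given in the report, so every file with that name under the tree is tried (an assumption); the sample tree built by make_sample_tree() is constructed here for demonstration and contains no real malware.

```python
"""Offline triage of an extracted Android ROM tree for the Oldboot/Cooee
indicators named in the report (added example; assumptions noted inline)."""
import hashlib
import os
import sqlite3
import tempfile

MCESYS_MD5 = "e42fb505b5d09652d252b09e09ba63c9"          # File 2 in the report
MCESYS_APK = os.path.join("system", "app", "Mcesys.apk")
HCT_ODEX = os.path.join("system", "app", "HctSettings_vivo.odex")
BASE_DIR = os.path.join("system", "base")               # hidden game APKs live here
DB_NAME = "app_packs_db"
TABLE = "cooee_hide_packs"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hidden_packs(db_path):
    """Rows of cooee_hide_packs in db_path, or [] if it is not that database."""
    try:
        con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
        try:
            exists = con.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                (TABLE,)).fetchone()
            if not exists:
                return []
            # TABLE is a constant taken from the report, not untrusted input.
            return [tuple(r) for r in con.execute("SELECT * FROM %s" % TABLE)]
        finally:
            con.close()
    except sqlite3.Error:
        return []          # not SQLite, corrupt or unreadable: nothing to report


def scan_rom(root):
    """Collect the report's indicators found under root; 'suspicious' sums them up."""
    findings = {}
    apk = os.path.join(root, MCESYS_APK)
    if os.path.isfile(apk):
        digest = md5_of(apk)
        findings["mcesys_apk"] = apk
        findings["mcesys_md5"] = digest
        findings["mcesys_known_sample"] = digest == MCESYS_MD5   # False => possible variant
    if os.path.isfile(os.path.join(root, HCT_ODEX)):
        findings["hct_settings_odex"] = True
    base = os.path.join(root, BASE_DIR)
    if os.path.isdir(base):
        findings["base_apks"] = sorted(
            n for n in os.listdir(base) if n.lower().endswith(".apk"))
    rows = []
    for dirpath, _, files in os.walk(root):
        if DB_NAME in files:
            rows.extend(hidden_packs(os.path.join(dirpath, DB_NAME)))
    if rows:
        findings["cooee_hide_packs"] = rows
    # /system/base is not a standard AOSP directory, so any APK there counts too.
    findings["suspicious"] = bool(
        "mcesys_apk" in findings or "cooee_hide_packs" in findings
        or findings.get("base_apks"))
    return findings


def make_sample_tree(root, infected=True):
    """Constructed fixture: a fake ROM tree mirroring the report's layout."""
    os.makedirs(os.path.join(root, "system", "app"))
    with open(os.path.join(root, "system", "app", "Settings.apk"), "wb") as f:
        f.write(b"PK\x03\x04clean")
    if not infected:
        return root
    with open(os.path.join(root, MCESYS_APK), "wb") as f:
        f.write(b"PK\x03\x04placeholder-not-the-real-sample")
    os.makedirs(os.path.join(root, BASE_DIR))
    with open(os.path.join(root, BASE_DIR, "game1.apk"), "wb") as f:
        f.write(b"PK\x03\x04game")
    db_dir = os.path.join(root, "data", "data", "com.android.settings", "databases")
    os.makedirs(db_dir)                      # assumed location of app_packs_db
    con = sqlite3.connect(os.path.join(db_dir, DB_NAME))
    con.execute("CREATE TABLE %s (pkg TEXT, path TEXT)" % TABLE)   # columns assumed
    con.execute("INSERT INTO %s VALUES (?, ?)" % TABLE,
                ("com.example.game1", "/system/base/game1.apk"))
    con.commit()
    con.close()
    return root


def demo(infected=True):
    """Build the constructed tree in a temp dir and scan it."""
    return scan_rom(make_sample_tree(tempfile.mkdtemp(), infected))


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-22s %s" % (key, value))
```

A hash that does not match MCESYS_MD5 while the file is present is still reported as suspicious: the report itself notes the ROM package is freely updatable, so a repacked variant is the expected case, and the path and the hidden-packages table are the stable indicators.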

It registers the following URIs to serve PhoneInfo to com.cooee.mcesys and to act on the install and uninstall requests that com.cooee.mcesys sends:

    UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/ctrl_status", 2);
    UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/package_info", 6);
    UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/all_item_no_pack", 5);
    UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/phone_info", 8);

Figure 6. URI types

The factory_id and push_time fields of PhoneInfo are the values com.cooee.mcesys uses for its cloud control decisions.

 

Figure 7. PhoneInfo obtained

It installs and uninstalls the APK files under /system/base (QQ Mobile Phone Manager is excluded when packages are uninstalled).

 

Figure 8. Install/uninstall a package

2. com.cooee.mcesys: the six modules
  1. Background: silently queries the cloud in the background and dispatches the command results from the response to callbacks.
  2. Common: encapsulates common operations such as compression, root, HTTP, logging, MD5 calculation and reboot to recovery.
  3. Download: encapsulates downloads and dispatches callbacks.
  4. Localdata: encapsulates an SQLite database used to interact with the managers and to manage the cloud-controlled packages.
  5. Update: encapsulates sub-command parsing and execution, and dispatches downloaded files to callbacks.
  6. Xml: encapsulates the description of the BackgroundRequest response package.

 

Figure 9. submodule list

The BackgroundRequest class issues the requests to the server. They fall into four groups:

Cloud control server configuration information
  BackgroundRequest.SERVER_CONFIGURE_INFO_REQ

Promotion package information returned by the server
  BackgroundRequest.UPGRADE_INFO_AIRPUSH_INFO_REQ_FORCE
  BackgroundRequest.UPGRADE_INFO_AIRPUSH_INFO_REQ_NORMAL
  BackgroundRequest.UPGRADE_INFO_LIST_REQ
  BackgroundRequest.UPGRADE_PACKAGE_INFO_GET_REQ

Information on a single promotion package
  BackgroundRequest.UPGRADE_PACKAGE_FILE_INFO_GET_REQ
  BackgroundRequest.UPGRADE_PACKAGE_FILE_DOWNLOAD_REQ

Download/install confirmations sent to the cloud
  BackgroundRequest.UPGRADE_PACKAGE_FILE_DOWNLOAD_FINISH_CONF
  BackgroundRequest.UPGRADE_PACKAGE_INSTALL_COMPLETE_CONF

 

Collection and upload of private user data

All of the requests listed above collect private information from the device and send it to the server at the following endpoints:

Http://rota01.nt928.com/airpush

Http://rota01.nt928.com/app

Http://rota01.nt928.com/saveinfo

 

Figure 10. Privacy information obtained

Mcesys permissions

 

Figure 11. Permission usage

Cloud control: automatic download of the configuration file when online

Mcesys has no launcher icon after installation. It responds to BOOT_COMPLETED, CONNECTIVITY_CHANGE, PACKAGE_ADDED and other broadcasts, each of which ultimately starts com.cooee.mcesys.service.rotaService. This service starts a BackgroundThread that monitors the state of the device and sends BackgroundRequest requests over the network only when certain conditions are met: the number of contacts, call records, inbox messages and senders must each exceed 20, and more than four hours must have passed since the service started without an airpush request having been sent.

These strict trigger conditions make analysis harder and defeat many automated analysis tools (a freshly provisioned sandbox has no contacts, calls or messages and rarely runs for four hours), while on a real user's device they are easily met, so the malicious behavior does occur in the field.

 

Figure 12. Settings of the related triggers

 

 

Figure 13. Networking Conditions

Once the network is available, fields in the response to BackgroundRequest.SERVER_CONFIGURE_INFO_REQ decide whether the APKs under /system/base are forcibly installed or uninstalled (the operation itself is carried out by the com.android.settings module). The check is that the local PHONE_RUNTIME, SMS_COUNT and CALL_COUNT each exceed the values returned by the server, and that the RETURN_CODE field is not equal to 0x262.

 

Figure 14. SERVER_CONFIGURE_INFO

 

Figure 15. update local configuration and synchronize with the server

The install/uninstall request is then sent to com.android.settings through the ContentProvider and executed there.

 

Figure 16. Send the installation and uninstallation request

It then sends the AirPush request. The response package to BackgroundRequest.UPGRADE_INFO_AIRPUSH_INFO_REQ_NORMAL has the following structure:

 

Figure 17. AirPush return package structure

The FILE_ID field is the key. If the DESCRIPTION field contains both "com.cooee.mcesys" and "MCE_YZFA_COMMON_MTK001", the package is dispatched to the callback for self-update; if it contains "ROTA_DELETE", the local path is deleted; otherwise a notification appears in the notification bar to induce the user to tap Install.
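The environment gate in rotaService, the SERVER_CONFIGURE_INFO decision and the AirPush DESCRIPTION dispatch together determine whether an analyst ever sees network traffic from a sample. The following model is an added example reconstructed from the description above, not the Trojan's own code: it encodes those three decisions so that an analyst can see what state a sandbox must present and what the client does on one pass. Field names are taken from the report; the data layout, the strict "greater than" comparisons and the order of the requests within a pass are assumptions.

```python
"""Model of the trigger gates between an infected device and its first
network request (added example; a reconstruction, not the Trojan's code)."""
from dataclasses import dataclass

MIN_RECORDS = 20            # contacts, call records, inbox, senders must each exceed this
AIRPUSH_WAIT_HOURS = 4      # no airpush until more than 4 h after rotaService started
RETURN_CODE_SUPPRESS = 0x262


@dataclass
class DeviceState:
    contacts: int
    call_records: int
    inbox: int
    senders: int
    hours_since_service_start: float
    airpush_sent: bool = False       # an airpush request already went out
    phone_runtime: int = 0           # PHONE_RUNTIME / SMS_COUNT / CALL_COUNT are
    sms_count: int = 0               #   compared against the server's values
    call_count: int = 0


@dataclass
class ServerConfigureInfo:
    """Fields of the SERVER_CONFIGURE_INFO_REQ response that the client reads."""
    phone_runtime: int
    sms_count: int
    call_count: int
    return_code: int


def environment_ok(s):
    """Gate 1 (BackgroundThread): a fresh sandbox with empty contacts/SMS fails here."""
    return min(s.contacts, s.call_records, s.inbox, s.senders) > MIN_RECORDS


def airpush_due(s):
    """Airpush timer: nothing until more than four hours after service start."""
    return (not s.airpush_sent) and s.hours_since_service_start > AIRPUSH_WAIT_HOURS


def force_install_allowed(s, cfg):
    """Gate 2: local counters exceed the server's thresholds and the server
    did not answer RETURN_CODE 0x262 (the value that suppresses the action)."""
    return (s.phone_runtime > cfg.phone_runtime
            and s.sms_count > cfg.sms_count
            and s.call_count > cfg.call_count
            and cfg.return_code != RETURN_CODE_SUPPRESS)


def classify_airpush(description):
    """What the client does with one AirPush entry, keyed on its DESCRIPTION."""
    if "com.cooee.mcesys" in description and "MCE_YZFA_COMMON_MTK001" in description:
        return "self_update"
    if "ROTA_DELETE" in description:
        return "delete_local_path"
    return "notify_user_to_install"


def one_pass(s, cfg):
    """Requests and actions of one BackgroundThread pass (ordering assumed)."""
    if not environment_ok(s):
        return []
    actions = ["SERVER_CONFIGURE_INFO_REQ"]
    if force_install_allowed(s, cfg):
        actions.append("install_uninstall_via_CooeeAppCtrlDataProvider")
    if airpush_due(s):
        actions.append("UPGRADE_INFO_AIRPUSH_INFO_REQ_NORMAL")
    return actions


def sandbox_seed():
    """Smallest state that passes gate 1 and the airpush timer: what an
    emulator must be populated with, and how far its clock must be advanced."""
    n = MIN_RECORDS + 1
    return DeviceState(contacts=n, call_records=n, inbox=n, senders=n,
                       hours_since_service_start=AIRPUSH_WAIT_HOURS + 0.01)


if __name__ == "__main__":
    seed = sandbox_seed()
    seed.phone_runtime, seed.sms_count, seed.call_count = 11, 6, 6
    print(one_pass(seed, ServerConfigureInfo(10, 5, 5, 0)))
```

The boundary matters in practice: exactly 20 contacts or exactly four hours of uptime is not enough, and a server that answers RETURN_CODE 0x262 can keep a device that it considers uninteresting (or under analysis) from ever touching /system/base, which is why traffic seen from one device says little about what another will receive.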

 

 

It sends UPGRADE_PACKAGE_FILE_INFO_GET_REQ and UPGRADE_PACKAGE_FILE_DOWNLOAD_REQ to download the promotion package. The returned compressed package has the following structure:

 

Figure 18. File_Download returned package structure

The cmd.xml file inside the package describes the sub-commands and their parameters.

 

Figure 19. cmd.xml file structure

Cloud control: automatic ROM update, APK install/uninstall, arbitrary command execution and self-update

The cmd name is ROTA_INSTALL; its sub-commands are classified as follows:

  UpdateCommandEnum.DEFF - update the ROM
  UpdateCommandEnum.ROTA_COPY - copy files from res into the system directory
  UpdateCommandEnum.ROTA_DELETE - delete a file
  UpdateCommandEnum.ROTA_INSTALL - silently install an APK
  UpdateCommandEnum.ROTA_UNINSTALL - silently uninstall an APK
  UpdateCommandEnum.ROTA_SHELL_CMD - run an arbitrary command with root privileges
  UpdateCommandEnum.ROTA_SHELL_REBOOT - not yet implemented
  UpdateCommandEnum.ROTA_UPDATE - self-update of mcesys

 

 

 

IV. Infected Models

According to incomplete statistics, in the last half month alone the Trojan was found on more than 180 models, and the number of infected users was nearly 30 thousand.

Some models are listed as follows:

 

V. Solutions

We have released a dedicated removal tool:

Http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/OldbootKiller_v2.apk

The removal tool performs an in-depth, precise scan of the Android device to determine whether this cloud remote-control Trojan or one of its variants is present. It uses new detection and removal technology developed to protect your phone against cloud remote-control Trojans.

If the tool cannot remove the Trojan from your device, or cannot run properly on your phone, we recommend that you:

  1. Check regularly for updates to the removal tool; we will keep strengthening its defensive capability.
  2. After the tool detects the cloud remote-control Trojan, let it report your model information and samples to us; this helps us develop detection and removal code suited to your model faster.
  3. Join our technical support QQ group to give us more information and receive guidance from our emergency response engineers.
  4. Install 360 Mobile Safe and enable cloud scanning to defend against the associated threats that the cloud remote-control Trojan can bring.

VI. Summary

All remote-control operations are implemented on the client; the operator only needs to configure the cloud to return different information depending on factory ID (haocheng), PhoneInfo and other conditions. Because the ROM package itself can be updated at will, the design is highly extensible: the server can issue different programs and commands to different clients depending on their state, which keeps the dangerous behavior hidden and makes detection and removal harder. From our communication with users and the information collected from the Internet, we believe the dangerous behaviors described in this report are only the tip of the iceberg. We suspect that the operators of this cloud-controlled Trojan keep a large stock of malicious programs in the cloud: once a user's phone is seen performing sensitive operations such as financial transactions, the cloud can push further malicious programs to carry out financial theft and similar acts. The Trojan could also be used to "catch big fish" online once the number of infected users reaches a certain level. In this regard, the 360 Security Center once again reminds users to buy electronic devices from regular manufacturers through regular retail channels.
