I. Behavior Overview
Recently, users reported that four game apps were installed on their phones without their knowledge, and that even after uninstalling them the apps were reinstalled repeatedly within a single day. Analysis by 360 mobile security experts found that this Android trojan modifies the source code of the system Settings program and, on cloud-control commands, installs or deletes four game apps stored under the /system/base directory. In addition, driven by cloud and local parameters, the trojan implements automatic self-update, ROM update, APK installation, APK uninstallation, and arbitrary command execution. According to statistics, the trojan spreads through third-party ROMs customized by a professional manufacturer, with more than 180 infected models and more than 100,000 infected users. Details follow in the sections below.
Figure 1. Four games installed with Trojans
Figure 2. online feedback on the theft of users' financial assets
II. Sample Structure
Both malicious files are pre-installed in the ROM.
File 1
Package name: com.android.settings
File path: /system/app/HctSettings_vivo.odex
File 2
Package name: com.cooee.mcesys
MD5: e42fb505b5d09652d252b09e09ba63c9
File path: /system/app/Mcesys.apk
III. Architecture Analysis
1. com.android.settings analysis: cloud-controlled APK installation/uninstallation
The modified Settings app uses a ContentProvider to communicate with com.cooee.mcesys: it supplies PhoneInfo and installs the APK files placed under /system/base.
Figure 3. Declared Provider
Figure 4. APK files in /system/base
It reads the package name and other attributes of each APK in the /system/base directory and records them in the app_packs_db database file, in a table named cooee_hide_packs.
Figure 5. cooee_hide_packs table
It registers the following URIs to provide PhoneInfo to com.cooee.mcesys and to respond to the install and uninstall requests that com.cooee.mcesys sends:
UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/ctrl_status", 2);
UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/package_info", 6);
UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/all_item_no_pack", 5);
UriMatcher.addURI("com.android.settings.CooeeAppCtrlDataProvider", "users/phone_info", 8);
Figure 6. Uri type
The factory_id and push_time parameters in PhoneInfo are used by com.cooee.mcesys for cloud control.
Figure 7. PhoneInfo obtained
It installs and uninstalls the APK files under /system/base (QQ Mobile Phone Manager is excluded when packages are uninstalled).
Figure 8. Install/uninstall a package
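The indicators above (the com.cooee.mcesys package, /system/app/Mcesys.apk and its MD5, the /system/base directory, and the exported CooeeAppCtrlDataProvider authority) can be checked over adb. The script below is an added triage example, not code from the report or from the trojan; the SAMPLE_* captures are constructed, and the live section assumes a device reachable through adb shell.

```shell
#!/bin/sh
# Added triage script; not code from the 360 report or from the trojan.
# It matches text captured from an Android device against the indicators named
# in the report. The SAMPLE_* captures below are constructed, not real output.

MCESYS_PKG="com.cooee.mcesys"
MCESYS_APK="/system/app/Mcesys.apk"
MCESYS_MD5="e42fb505b5d09652d252b09e09ba63c9"
PROVIDER_AUTH="com.android.settings.CooeeAppCtrlDataProvider"
# check_device PKGS FILES MD5LINE DUMPSYS -- prints one line per indicator hit.
#   PKGS:    output of `pm list packages`
#   FILES:   output of `ls /system/app; ls -d /system/base`
#   MD5LINE: output of `md5sum /system/app/Mcesys.apk` (empty if the file is absent)
#   DUMPSYS: output of `dumpsys package com.android.settings`
check_device() {
    pkgs=$1 files=$2 md5line=$3 dumpsys=$4
    case "$pkgs" in *"package:$MCESYS_PKG"*)
        echo "PACKAGE  $MCESYS_PKG is installed" ;; esac
    case "$files" in *Mcesys.apk*)
        echo "FILE     $MCESYS_APK is present" ;; esac
    case "$files" in */system/base*)
        echo "DIR      /system/base exists (hidden APK store)" ;; esac
    case "$md5line" in "$MCESYS_MD5"*)
        echo "HASH     $MCESYS_APK matches the known sample MD5" ;; esac
    case "$dumpsys" in *"$PROVIDER_AUTH"*)
        echo "PROVIDER Settings exports $PROVIDER_AUTH" ;; esac
}

# Constructed captures for an infected device (shape follows the adb commands above).
SAMPLE_PKGS="package:com.android.settings
package:com.cooee.mcesys
package:com.android.phone"
SAMPLE_FILES="HctSettings_vivo.odex
Mcesys.apk
/system/base"
SAMPLE_MD5="e42fb505b5d09652d252b09e09ba63c9  /system/app/Mcesys.apk"
SAMPLE_DUMPSYS="ContentProvider Authorities:
  [com.android.settings.CooeeAppCtrlDataProvider]:
    Provider{1a2b3c com.android.settings/.CooeeAppCtrlDataProvider}"

check_device "$SAMPLE_PKGS" "$SAMPLE_FILES" "$SAMPLE_MD5" "$SAMPLE_DUMPSYS"
# Live check: collect the same four captures over adb when a device is attached.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    check_device "$(adb shell pm list packages)" \
        "$(adb shell 'ls /system/app; ls -d /system/base 2>/dev/null')" \
        "$(adb shell "md5sum $MCESYS_APK 2>/dev/null")" \
        "$(adb shell dumpsys package com.android.settings)"
fi
```

A hit on the package, file or provider check alone is enough to treat the ROM as compromised; the MD5 check only confirms this exact sample, so a changed hash does not clear the device.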
2. com.cooee.mcesys analysis: overview of its six modules
- The Background module silently queries the cloud in the background and distributes the commands in the response to callbacks.
- The Common module encapsulates common operations such as compression, root, HTTP, logging, MD5 calculation, and rebooting into recovery.
- The Download module encapsulates downloading and distributes results to callbacks.
- The Localdata module encapsulates an SQLite database used for interaction with the managers and for managing cloud-controlled packages.
- The Update module encapsulates sub-command parsing and execution and distributes downloaded files to callbacks.
- The Xml module encapsulates the description of the packages returned by BackgroundRequest.
Figure 9. submodule list
The BackgroundRequest class issues the server requests, grouped as follows:
Cloud control server configuration information:
- BackgroundRequest.SERVER_CONFIGURE_INFO_REQ
Promotion package information returned by the server:
- BackgroundRequest.UPGRADE_INFO_AIRPUSH_INFO_REQ_FORCE
- BackgroundRequest.UPGRADE_INFO_AIRPUSH_INFO_REQ_NORMAL
- BackgroundRequest.UPGRADE_INFO_LIST_REQ
- BackgroundRequest.UPGRADE_PACKAGE_INFO_GET_REQ
Single promotion package information:
- BackgroundRequest.UPGRADE_PACKAGE_FILE_INFO_GET_REQ
- BackgroundRequest.UPGRADE_PACKAGE_FILE_DOWNLOAD_REQ
Reporting download/installation results to the cloud:
- BackgroundRequest.UPGRADE_PACKAGE_FILE_DOWNLOAD_FINISH_CONF
- BackgroundRequest.UPGRADE_PACKAGE_INSTALL_COMPLETE_CONF
Collecting user privacy data and uploading it:
All of the requests listed above collect the device's private information and send it to the server at the following URLs:
http://rota01.nt928.com/airpush
http://rota01.nt928.com/app
http://rota01.nt928.com/saveinfo
Figure 10. Privacy information obtained
Mcesys permissions
Figure 11. Permission usage
Cloud control: automatic online download of the configuration file
Mcesys has no icon after installation. It responds to BOOT_COMPLETED, CONNECTIVITY_CHANGE, PACKAGE_ADDED and other broadcasts, which ultimately start com.cooee.mcesys.service.rotaService. This service starts the BackgroundThread thread, which monitors the current device environment and sends BackgroundRequest requests over the network once certain conditions are met. Specifically, the device must have more than 20 contacts, call records, inbox messages and sent messages, and no airpush BackgroundRequest may have been sent in the four hours since the service started.
These strict trigger conditions make analysis harder and defeat many automated analysis tools, while still ensuring that the malicious behavior runs on real users' devices.
Figure 12. settings of related triggers
Figure 13. Networking Conditions
Once the network is connected, fields in the response to BackgroundRequest.SERVER_CONFIGURE_INFO_REQ decide whether to forcibly install or uninstall the APKs under /system/base (carried out by the com.android.settings module). The logic in this step checks whether the local PHONE_RUNTIME, SMS_COUNT and CALL_COUNT values exceed the values returned by the server, and that the RETURN_CODE field is not equal to 0x262.
Figure 14. SERVER_CONFIGURE_INFO
Figure 15. update local configuration and synchronize with the server
It then sends the installation/uninstallation request to com.android.settings through the ContentProvider, which executes it.
Figure 16. Send the installation and uninstallation request
Next it sends the AirPush request. The response package for BackgroundRequest.UPGRADE_INFO_AIRPUSH_INFO_REQ_NORMAL is structured as follows:
Figure 17. AirPush return package structure
The FILE_ID field is the key. If the DESCRIPTION field contains "com.cooee.mcesys" and "MCE_YZFA_COMMON_MTK001", the package is handed to the callback for self-update; if it contains "ROTA_DELETE", the local path is deleted; otherwise a notification is shown to induce the user to tap Install.
It then sends UPGRADE_PACKAGE_FILE_INFO_GET_REQ and UPGRADE_PACKAGE_FILE_DOWNLOAD_REQ to download the promotion package. The returned compressed package has the following structure:
Figure 18. File_Download returned package structure
The cmd.xml file describes the sub-commands and their parameters.
Figure 19. cmd.xml file structure
Cloud control: automatic ROM update, APK installation/uninstallation, arbitrary command execution, and self-update
The cmd name is ROTA_INSTALL; its sub-commands are classified as follows:
- UpdateCommandEnum.DEFF: update the ROM
- UpdateCommandEnum.ROTA_COPY: copy files from res to the system directory
- UpdateCommandEnum.ROTA_DELETE: delete a file
- UpdateCommandEnum.ROTA_INSTALL: silently install an APK
- UpdateCommandEnum.ROTA_UNINSTALL: silently uninstall an APK
- UpdateCommandEnum.ROTA_SHELL_CMD: run any command with root privileges
- UpdateCommandEnum.ROTA_SHELL_REBOOT: not implemented yet
- UpdateCommandEnum.ROTA_UPDATE: self-update mcesys
IV. Infected Models
According to incomplete statistics, in the last half month alone the number of infected models reached more than 180, and the number of infected users was nearly 30 thousand.
Some models are listed as follows:
V. Solutions
We have released a dedicated kill tool:
http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/OldbootKiller_v2.apk
The kill tool performs an in-depth and precise scan of the Android device to determine whether the cloud remote-control trojan or one of its variants is present. We have developed a new detection and removal technique to protect your phone from cloud remote-control trojans effectively.
If the kill tool does not work properly on your device, we recommend that you:
- Check regularly for updates of this kill tool; we will keep strengthening its defensive capability;
- After the dedicated kill tool detects the cloud remote-control trojan, report your model information and samples to us, which helps us develop detection and removal code suited to your model faster and better;
- Join our technical support QQ group to provide us with more information and receive guidance from our emergency response engineers;
- Install 360 Mobile Security Guard and enable cloud detection and removal to defend against the associated threats brought by cloud remote-control trojans.
VI. Summary
The trojan implements a complete remote-control capability: the operator only needs to configure the cloud to return different information based on the factory ID (haocheng), PhoneInfo and other conditions. Because the ROM package can also be updated freely, it is highly extensible: the server can issue different programs and commands depending on the client's conditions, which hides the dangerous behavior and makes it harder to detect and remove. From communication with users and information collected online, we believe the dangerous behaviors identified in this analysis report are only the tip of the iceberg. We speculate that this cloud-control trojan will host a large number of malicious programs in the cloud; once a user's phone is involved in sensitive activity such as financial operations, the cloud can push further malicious programs to carry out financial theft and other actions. In addition, once its user base reaches a certain size, the remote-control trojan can also be used to play a long game and strike for a larger payoff. In this regard, the 360 Security Center once again reminds users to buy electronic devices from reputable manufacturers through official retail channels.