Oncake: a malicious code module built into the mobile ROM.

Oncake: a malicious code module built into the mobile ROM.

The AVL mobile security team recently joined LBE to find a malicious code module built into the mobile ROM. Because the author of the malicious code calls the module running and releasing this malicious module "Cake", we name it "oncake )".

During the analysis, we also found that the malicious code identified by the malicious code author tjj and ruanxiaozhen, and the final compilation time was, January 1, August 26, 2014.

The malicious behaviors of this malicious module are as follows:

PoisonCake can be run independently, decrypted to release the relevant main function module, monitor its own processes in the background and execute the following malicious behaviors:

1. Inject the Phone process, intercept text messages and send text messages. 2. SMS and WAP fee deduction. 3. Steal mobile phone information and upload it to a remote server. 4. download files online in the background. 5. Ability to update itself.

After analysis, we found that the malicious behavior of the malicious module is similar to that of the elder Trojan three generations, but there are great differences in implementation methods. The following provides a detailed analysis of the malicious module PoisonCake.

I. PoisonCake Operating Mechanism

When running mongooncake, it will port itself to a hidden directory/data/. 3q, and monitor the running status of its processes in the background to prevent its processes from being terminated.

At the same time, it will create multiple directories and files during execution, mainly including:

/Data /. 3q/dm/data/usr (directory)/data/usr/dalvik-cache (directory)/data/usr/plugins (directory)/data /. l1/data /. l6/data /. maid/mnt/sdcard/sysv/lv/mnt/sdcard/sysv/lg

The main modules of javasoncake are divided into reactore. dex. jar core framework and 8 plug-in modules. The plug-in module provides malicious fee deduction, online upload/download, and mobile Phone information retrieval functions, and can be injected into the system Phone process, monitors and sends text messages, and controls the internet.

The overall operating framework is as follows:

Ii. dm Module

The dm module is the core of pythoncake. It mainly initializes malicious code and reactor. dex. jar is released and run, and the background monitors whether the process exists, and encrypts key string information.

1. Malicious Code Initialization

The dm module accepts the "-setup" parameter to complete initialization:

1) decrypt the key string information as a string array. 2) determine whether/data/. dmtjjexit exists. If yes, the process exits. 3) set the process environment variable and change the process name to jworker/0I: 2 H: 1J. 4) copy itself to/data/. 3q/dm, create the/data/usr directory, and delete itself. 5) fork itself and exits. The sub-process executes/data/. 3q/dm, and the remaining work is completed by the sub-process. 2. Background monitoring

The dm module uses the file lock and thread mode to continuously monitor its processes to keep running in the background. There are two processes in the background when dm is running, as shown in.

 

Create a sub-thread, create self-body processes repeatedly, and use the File lock to ensure that the created sub-process is blocked when the parent process exists:

 

If any of the parent or child processes is killed, a new process is created.

3. reactor. dex. jar decryption release and run

Finally, the dm process decrypts and releases reactor. dex. jar to/data/usr:

Dm then loads and runs the released reactore. dex. jar, and uses JNI_CreateJavaVM in libdvm. so to run the jar. Its Parameter List is

-Djava. class. path =/data/usr/reactore. dex. jar-Djava.compiler = NONE-verbose: jni

Then register the native function getGirls, and finally execute the Main method of com/tj/main.

4. getGirls Method

Dm also provides the native method for reactore. dex. jar. It accepts two parameters to decrypt the specified jar file to the specified path.

Iii. reactore. dex. jar Module

Reactore. dex. jar is a framework module and several plug-in modules Responsible for Environment initialization, cyclic traversal of execution events, and commands. It divides function modules into four main categories:

1) Infrastructure Infrastructor. 2) Business Repository. 3) Service, responsible for performing related functions in the background. 4) Component.

The overall execution logic process is as follows:

Iv. Plug-in Module

 

Reactore. dex. jar has eight built-in plug-in modules by default. Each plug-in performs different actions:

Table 1 plug-in name and its Functions

The following describes the key plug-in modules.

1) bean Module

The bean module injects the phone process, listens to the local port 10023, and obtains information such as the mobile phone number, imsi, imei, apn, and Internet, it also controls SMS sending, interception, and networking.

It first releases the executable module whitebean, libblackbean. so, and redbean. dex. jar to be injected, and then runs the following commands in sequence to complete the injection:

A. whitebean-check libblackbean. so

Check the running environment. Here we mainly check for obtaining android: AndroidRuntime: mJavaVM and android: AndroidRuntime: getRuntime.

B. whitebean com. android. phonelibblackbean. so readbean. dex. jar cache Release/data/usr/server. log

It injects libblackbean. so and readbean. dex. jar into the phone process and runs the com. android. phone. OS. Program class.

Delete itself.

After the injection is complete, the system listens to port 10023 to accept the request. At this time, because the Phone process has the permission, you can intercept and send SMS messages, manage the APN network, and obtain information such as mobile Phone numbers and data connections.

2) honeybee Module

The honeybee module records the running log information, stores it in the/data/usr/honey file in AES encrypted form, and uploads it to the remote server http://slasty.hada1billi.info/honeycomb/ums/postevent.

The decryption result of the honey file is as follows:

 

3) sun Module

The sun module provides a network connection function and establishes a Heartbeat connection with the remote server. The connection url is http://ubaj.tndmnsha.com/throne.

V. Summary

Javasoncake is a perfect backdoor program. It has good architecture features and is easy to expand. During its operation, it will quickly delete its released modules, all files stored on mobile phones are encrypted. Its execution is relatively concealed, and it is difficult to be found and killed.

AVL mobile security team analysts pointed out that users can run the "psdm" command to check whether malicious code processes exist or whether/data/exists /. 3q/dm,/data/usr directory to determine whether the pythoncake Trojan is infected. You can also download the deleoncake kill tool to detect and kill the Trojan.