PoisonCake: a malicious code module built into a mobile ROM.
The AVL mobile security team, together with LBE, recently found a malicious code module built into a mobile phone ROM. Because the author of the malicious code names the module that runs and releases the main malicious module "Cake", we named it "PoisonCake".
During the analysis, we also found the identifiers tjj and ruanxiaozhen left by the malicious code's authors, and that the final compilation time was August 26, 2014.
PoisonCake can run independently. It decrypts and releases its main function modules, monitors its own processes in the background, and performs the following malicious behaviors:
1. Injects the Phone process, intercepts text messages and sends text messages.
2. Deducts fees via SMS and WAP.
3. Steals mobile phone information and uploads it to a remote server.
4. Downloads files in the background.
5. Updates itself.
After analysis, we found that the malicious behavior of this module is similar to that of the third generation of the elder Trojan, but the implementation differs greatly. The following is a detailed analysis of the malicious module PoisonCake.
I. PoisonCake Operating Mechanism
When PoisonCake runs, it copies itself to the hidden directory /data/.3q and monitors the running status of its processes in the background to prevent them from being terminated.
At the same time, it creates multiple directories and files during execution, mainly:
/data/.3q/dm
/data/usr (directory)
/data/usr/dalvik-cache (directory)
/data/usr/plugins (directory)
/data/.l1
/data/.l6
/data/.maid
/mnt/sdcard/sysv/lv
/mnt/sdcard/sysv/lg
The main modules of PoisonCake are the reactore.dex.jar core framework and eight plug-in modules. The plug-ins provide malicious fee deduction, online upload/download, and mobile phone information retrieval; they can be injected into the system Phone process to monitor and send text messages and to control network access.
The overall operating framework is as follows:
II. dm Module
The dm module is the core of PoisonCake. It initializes the malicious code, decrypts, releases and runs reactore.dex.jar, monitors in the background whether its process still exists, and keeps key string information encrypted.
1. Malicious Code Initialization
The dm module accepts the "-setup" parameter to complete initialization:
1) Decrypt the key string information into a string array.
2) Check whether /data/.dmtjjexit exists. If it does, the process exits.
3) Set the process environment variable and change the process name to jworker/0I:2H:1J.
4) Copy itself to /data/.3q/dm, create the /data/usr directory, and delete the original file.
5) Fork and exit; the child process executes /data/.3q/dm and completes the remaining work.
2. Background Monitoring
The dm module uses a file lock and a thread to continuously monitor its processes so that it keeps running in the background. There are two dm processes in the background when dm is running, as shown in the figure.
It creates a sub-thread that repeatedly spawns a copy of its own process, using the file lock to ensure that the child process blocks while the parent process exists:
If either the parent or the child process is killed, a new process is created.
3. reactore.dex.jar Decryption, Release and Execution
Finally, the dm process decrypts and releases reactore.dex.jar to /data/usr:
Dm then loads and runs the released reactore.dex.jar, using JNI_CreateJavaVM from libdvm.so to run the jar. Its parameter list is:
-Djava.class.path=/data/usr/reactore.dex.jar -Djava.compiler=NONE -verbose:jni
It then registers the native function getGirls and finally executes the Main method of com/tj/main.
4. getGirls Method
Dm also provides the native method getGirls to reactore.dex.jar. It accepts two parameters and decrypts the specified jar file to the specified path.
III. reactore.dex.jar Module
Reactore.dex.jar consists of a framework module and several plug-in modules. The framework is responsible for environment initialization, cyclic traversal of execution events, and command handling. It divides the function modules into four main categories:
1) Infrastructure (Infrastructor).
2) Business (Repository).
3) Service, responsible for performing related functions in the background.
4) Component.
The overall execution logic process is as follows:
IV. Plug-in Modules
Reactore.dex.jar has eight built-in plug-in modules by default. Each plug-in performs a different action:
Table 1: plug-in names and their functions
The following describes the key plug-in modules.
1) bean Module
The bean module injects the Phone process, listens on local port 10023, and obtains information such as the mobile phone number, IMSI, IMEI, APN, and network state; it also controls SMS sending, SMS interception, and networking.
It first releases the executable whitebean, libblackbean.so, and redbean.dex.jar to be injected, and then runs the following commands in sequence to complete the injection:
A. whitebean -check libblackbean.so
Checks the running environment. This mainly checks that android::AndroidRuntime::mJavaVM and android::AndroidRuntime::getRuntime can be obtained.
B. whitebean com.android.phone libblackbean.so redbean.dex.jar cache Release /data/usr/server.log
Injects libblackbean.so and redbean.dex.jar into the Phone process and runs the com.android.phone.OS.Program class.
C. Deletes itself.
After the injection is complete, the injected code listens on port 10023 to accept requests. Because the Phone process has the necessary permissions, it can intercept and send SMS messages, manage the APN network, and obtain information such as the mobile phone number and data connections.
2) honeybee Module
The honeybee module records the running log, stores it in AES-encrypted form in the file /data/usr/honey, and uploads it to the remote server http://slasty.hada1billi.info/honeycomb/ums/postevent.
The decryption result of the honey file is as follows:
3) sun Module
The sun module provides the network connection function and maintains a heartbeat connection with the remote server. The connection URL is http://ubaj.tndmnsha.com/throne.
V. Summary
PoisonCake is a well-built backdoor program with a good architecture that is easy to extend. During operation it quickly deletes the modules it releases, and all files it stores on the phone are encrypted. Its execution is relatively concealed, and it is difficult to find and remove.
AVL mobile security team analysts point out that users can run the "ps dm" command to check whether the malicious process exists, or check whether the /data/.3q/dm or /data/usr directory exists, to determine whether the phone is infected with the PoisonCake Trojan. You can also download the PoisonCake kill tool to detect and remove the Trojan.
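As an added example (not part of the original analysis or the AVL kill tool), the following POSIX shell script turns the file-system and process indicators named on this page into an offline check. It assumes a shell on the device or on a mounted image; the ROOT argument and the fixture-based testing are this example's own conventions, and process detection reads argv[0] from /proc/*/cmdline under that root.

```shell
#!/bin/sh
# Added example: offline indicator check for the PoisonCake artifacts described
# in the analysis above. ROOT defaults to "/" (a rooted device shell); pass a
# different ROOT to scan a mounted image or a test fixture instead.

# File-system artifacts listed in the analysis, relative to ROOT (assumption:
# the file names are taken verbatim from the page, nothing else is matched).
POISONCAKE_PATHS="data/.3q/dm data/.dmtjjexit data/usr/reactore.dex.jar data/usr/honey data/.l1 data/.l6"

# Prints one line per indicator found. Returns 0 when nothing was found,
# 1 when at least one artifact or suspicious process was hit.
check_poisoncake() {
    root="${1:-/}"
    hits=0
    for p in $POISONCAKE_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "artifact: $root/$p"
            hits=$((hits + 1))
        fi
    done
    # The dm process executes as /data/.3q/dm and renames itself to look like a
    # kernel worker (jworker/...); match argv[0] against both forms.
    for cmd in "$root"/proc/[0-9]*/cmdline; do
        [ -r "$cmd" ] || continue
        argv0=$(tr '\0' '\n' < "$cmd" | head -n 1)   # cmdline is NUL-separated
        case "$argv0" in
            */.3q/dm|jworker/*)
                pid=${cmd#"$root"/proc/}
                pid=${pid%/cmdline}
                echo "process: pid=$pid argv0=$argv0"
                hits=$((hits + 1))
                ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# Usage on a device: sh check_poisoncake.sh /   (exit status 1 means infected)
if [ $# -gt 0 ]; then
    check_poisoncake "$1"
fi
```

A root shell is needed for /data and other processes' /proc entries to be readable; the same function also serves a forensic image mounted elsewhere.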