PermAd Analysis Report
Recently, the AVL mobile security team found a POPBIRD game application in the GooglePlay application market (which is now dismounted). Once installed, the app immediately pops up with three lively and cute bird icons, quickly mobilize users' desire to start the application.
Figure 1 application icon
This application is packaged with a malicious Elevation of Privilege ad PermAd. After the application runs, the start interface is immediately displayed, and malicious behaviors of various rogue nature are hidden behind the colorful opening interface. The specific malicious behaviors are as follows:
1. automatically download the permission escalation tool to improve the application permission.
2. Boot automatically.
3. Monitor related malicious sub-package applications to improve the permissions of malicious sub-packages.
4. Upload user system information.
5. Update the malicious sub-packages and push third-party advertisements.
6. Prevent uninstallation.
Figure 2 Application activation page
1. Overall execution process of malicious code
The following describes how to run the malicious ad PermAd.
Figure 3 Detailed operation process of PermAd
When the application is running, the app .perm.apk,.perm.apk will be downloaded and executed by DexClassLoader. Multiple files will be released and application permissions will be improved. The following lists the released files and their information:
The running process of the released file is shown in step 4.
Figure 4 running process and function of the released File
2. Process of the Elevation of Privilege Module
Figure 5 authorization process
1. After the application runs, the application accesses http: // *****/RootsdkUpdate/Index over the Internet to obtain the latest address of the elevation of permission application, and download and save it at the specified address.
2. After DexClassLoader .perm.apk, call the relevant method to release the file and raise the permission.
3. Execute the permission escalation callback command:
> Write the command into the Startup File install-recovery.sh to start up.
> Release the .dler.apk file, modify permissions, and silently install the application com. android. service. utc0.
> Copy the released file to the relevant directory to escalate the permission and execute. rt_daemon for background listening.
Figure 6 background listening
Create a thread for listening every 3.6 seconds. If there is no com.android.service.utc0process, read and execute the am command in the .exe am file to start com. android. service. utc0
4. run/system/xbin /. rt_bridge write the am command to/data/local /. exeam file, add the MD5 of the package to/data/local /. bridge file. rt_daemon sends a request.
Process of the third anti-uninstall Module
.Perm.apkrelease .catr.apk (actually an ELF file) and run the lock-related file. After the file is locked, it cannot be deleted even after the application is uninstalled.
You can use the lsattr command to view the hidden properties of the file. The ia parameter is added to other files, so that the file cannot be deleted:
4. Release the DownLoader sub-package Execution Process
1. Run com. android. service. utc0/com. example. demo10.WakeActivity in rt_daemon am Mode
2. Specify a URL for Internet access to obtain the latest address of the DownLoadr application. During the test, the DownLoader is still being updated.
3. Update yourself and release/files/.catr.apk to lock the file to prevent deletion.
4. Access a specific website to obtain the advertisement list and push the advertisement.
Summary and Security suggestions
The sub-packages released by this application can be found through install release-recovery. sh is started, and the sub-package is always running in the background listening, and the application in its/data/app is locked through chattr. The sub-package still exists after being uninstalled through application management, and passes through after it is started. rt_daemon is started with the am command, so that it cannot be easily uninstalled. You can only delete the task by using chattr to revoke permissions and then using rm.
In addition, the application will delete the su file, so that the Root permission cannot be obtained on any mobile phone that has been Root.
In the face of such complicated and malicious applications, the AVL mobile security team recommends:
1. Although this is a face-recognition society, we do not need to download it if it looks nice!
2. Before using the newly installed application, you can install and enable the mobile phone security software AVL Pro for Comprehensive scanning to avoid enabling malicious applications and avoiding malicious application threats.