PoisonCake in the ROM
Summary
The AVL mobile security team recently found a malicious code module inside a ROM; it is an executable file in ELF format. Analysis showed that its behavior resembles that of the three generations of the Oldboot Trojan, since the code can run completely independently; its implementation, however, differs significantly from those earlier three generations. Because the author refers to the module that runs and unpacks the rest of the code as "Cake", we named it "PoisonCake".
PoisonCake runs independently, decrypts and releases its main modules, monitors its own processes in the background, and carries out the following malicious behaviors:
1. Injects the Phone process to intercept and send SMS messages
2. Deducts fees through SMS and WAP
3. Steals phone information and uploads it to a remote server
4. Downloads files from the network
5. Updates itself
During the analysis we also found the author identifiers tjj and ruanxiaozhen in the malicious code; the last compilation time was August 26, 2014.
A detailed analysis of PoisonCake follows.
I. PoisonCake Operating Mechanism
When PoisonCake runs, it moves itself into the hidden directory /data/.3q and monitors its processes in the background so that they cannot be terminated. During execution it creates several directories and files, including:
/data/.3q/dm
/data/usr (directory)
/data/usr/dalvik-cache (directory)
/data/usr/plugins (directory)
/data/.l1
/data/.l6
/data/.maid
/mnt/sdcard/sysv/lv
/mnt/sdcard/sysv/lg1
Its main components are the reactore.dex.jar core framework and eight plug-in modules that implement the individual behaviors. The plug-ins provide fee deduction, upload and download over the network, and retrieval of phone information; they can also be injected into the system Phone process to monitor and send SMS messages and to control network access.
The overall operating framework is as follows:
II. dm Module
The dm module is the core of PoisonCake. It initializes the malware, decrypts and runs reactore.dex.jar, monitors in the background whether its process still exists, and keeps the key strings encrypted.
1. Initialization
dm accepts the "-setup" parameter to perform initialization:
1) decrypt the key string information into a string array
2) check whether /data/.dmtjjexit exists; if it does, the process exits
3) set the process environment variables and change the process name to jworker/0I:2H:1J
4) copy itself to /data/.3q/dm, create the /data/usr directory, and delete the original file
5) fork; the parent exits and the child executes /data/.3q/dm, which completes the remaining work
2. Background Monitoring
dm uses a file lock together with a thread to continuously monitor its own processes and keep itself running in the background. As shown below, two processes exist in the background while dm is running.
It creates a sub-thread that repeatedly forks copies of itself in a loop and uses the file lock to make each newly created child block for as long as the parent process exists:
If either the parent or the child process is killed, a new process is created in its place.
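The mechanism described above, reconstructed as an added example (this is not dm's code; the lock path is hypothetical, and the report does not name the real lock file): the parent holds an exclusive flock(2), forks a child that opens its own descriptor and blocks on the same lock, and the moment the parent releases it (in the real Trojan, the moment the parent is killed) the child acquires the lock and continues. The detail a practitioner should note is that the child must open the lock file itself: flock locks belong to the open file description, so a descriptor inherited across fork() would already count as held and the child would never block.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side. Opens its OWN descriptor on the lock file (see lead-in).
 * Returns 1 if the lock was busy (parent alive) and was then acquired,
 * 0 if it was acquired immediately, -1 on error. */
static int child_wait_for_lock(const char *lockpath, int notify_fd) {
    int fd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    /* Non-blocking probe: EWOULDBLOCK means the parent still holds it. */
    int was_busy = (flock(fd, LOCK_EX | LOCK_NB) == -1 && errno == EWOULDBLOCK);
    /* Tell the parent the probe is done, then block until the holder is gone. */
    (void)write(notify_fd, "x", 1);
    close(notify_fd);
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    /* A real watchdog would now become the holder and fork its own child;
     * this demo just releases the lock and reports what it saw. */
    flock(fd, LOCK_UN);
    close(fd);
    return was_busy;
}

/* One watchdog round, run by the parent. Holds the lock, forks a child that
 * blocks on it, then releases the lock (standing in for the parent being
 * killed) and returns what the child observed:
 *   2 = child found the lock busy and acquired it only after release (expected)
 *   1 = child acquired the lock immediately (lock not isolated from the parent)
 *   0 = error */
int watchdog_round(const char *lockpath) {
    int fd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return 0;
    if (flock(fd, LOCK_EX) != 0) { close(fd); return 0; }

    int ready[2];
    if (pipe(ready) != 0) { close(fd); return 0; }

    pid_t pid = fork();
    if (pid < 0) { close(fd); return 0; }
    if (pid == 0) {
        close(ready[0]);
        close(fd);   /* drop the inherited descriptor; the parent still holds the lock */
        int r = child_wait_for_lock(lockpath, ready[1]);
        _exit(r < 0 ? 0 : (r ? 2 : 1));
    }
    close(ready[1]);

    char b;
    int probed = (read(ready[0], &b, 1) == 1);   /* wait for the child's probe */
    close(ready[0]);

    flock(fd, LOCK_UN);   /* parent "dies": the child unblocks and takes over */
    close(fd);

    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !probed || !WIFEXITED(status)) return 0;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Hypothetical lock path; the real lock file name is not given in the report. */
    int r = watchdog_round("/tmp/watchdog_demo.lock");
    printf("watchdog round result: %d (2 = child blocked, then took over)\n", r);
    unlink("/tmp/watchdog_demo.lock");
    return r == 2 ? 0 : 1;
}
```

In dm the round above runs forever in a thread: whichever process currently holds the lock keeps forking a blocked child, so killing either process only promotes or replaces it, which is why two dm processes are always visible and `kill` alone does not remove the Trojan.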
3. Decrypting, Releasing and Running reactore.dex.jar
Finally, the dm process decrypts reactore.dex.jar and releases it to /data/usr:
dm then loads and runs the released reactore.dex.jar through libdvm.so: it calls JNI_CreateJavaVM with the options -Djava.class.path=/data/usr/reactore.dex.jar -Djava.compiler=NONE -verbose:jni, registers the native function getGirls, and finally invokes the main method of com/tj/main.
4. getGirls Method
dm also exposes the native method getGirls to reactore.dex.jar. It takes two parameters and decrypts the specified jar file to the specified path.
III. reactore.dex.jar Module
reactore.dex.jar is the framework module; together with several plug-in modules it is responsible for environment initialization, cyclic traversal of execution events, and command handling. It divides its functional modules into four main categories:
1) Infrastructure (Infrastructor)
2) Business (Repository)
3) Service: performs the related functions in the background
4) Component
The overall execution logic process is as follows:
IV. Plug-in Modules
reactore.dex.jar has eight built-in plug-in modules by default, each performing a different action:
The key plug-in modules are described below.
1. bean Module
The bean module injects into the Phone process, listens on local port 10023, and obtains information such as the phone number, IMSI, IMEI, APN and network state; it also controls SMS sending and interception and network access. It first releases the executable whitebean, the shared library libblackbean.so and redbean.dex.jar, then runs the following commands in order to perform the injection:
A. whitebean -check libblackbean.so checks the runtime environment; the main check is whether android::AndroidRuntime::mJavaVM and android::AndroidRuntime::getRuntime can be resolved.
B. whitebean com.android.phone libblackbean.so redbean.dex.jar cache /data/usr/server.log injects libblackbean.so and redbean.dex.jar into the Phone process and loads the class com.android.phone.OS.program; whitebean then deletes itself.
Once injection is complete, the injected code listens on port 10023 for requests. Because it now runs with the Phone process's permissions, it can intercept and send SMS messages, manage APN settings, and obtain the phone number, data-connection state and similar information.
2. honeybee Module
The honeybee module records runtime log information, stores it AES-encrypted in the file /data/usr/honey, and uploads it to the remote server http://slasty.hada1billi.info/honeycomb/ums/postevent.
3. sun Module
The sun module provides network connectivity and maintains a heartbeat connection with the remote server.
V. Summary
PoisonCake is a fully fledged backdoor with a well-designed, extensible architecture. During operation it quickly deletes the modules it releases, and every file it stores on the phone is encrypted. Its execution is relatively stealthy, which makes it hard to detect and remove.
To check for infection, run "ps dm" to see whether the malicious process exists, or check whether the file /data/.3q/dm or the directory /data/usr exists. Note that during -setup the process renames itself to jworker/0I:2H:1J, so a process with that name is an indicator as well.
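The checks above, as an added example that automates them (this is not AVL's tool): it tests the two file-system indicators and scans /proc for a process whose name is dm or begins with jworker. The `root` parameter is an assumption for convenience: it is prefixed to every path so the same function can be pointed at a mounted system image or a constructed test tree; pass "" on a live device (for example from an adb root shell).

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Bit flags returned by poisoncake_indicators(). */
enum { IOC_DM_BINARY = 1, IOC_USR_DIR = 2, IOC_DM_PROCESS = 4 };

static int path_exists(const char *root, const char *rel) {
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s%s", root, rel);
    return stat(path, &st) == 0;
}

/* Read <root>/proc/<pid>/comm, the kernel's (15-character) process name. */
static int read_comm(const char *root, const char *pid, char *out, size_t n) {
    char path[4096];
    snprintf(path, sizeof path, "%s/proc/%s/comm", root, pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(out, (int)n, f) != NULL;
    fclose(f);
    if (ok) out[strcspn(out, "\n")] = '\0';
    return ok;
}

/* Check the three indicators from the report under `root` ("" = live system).
 * Returns an OR of the IOC_* flags; 0 means nothing was found. */
int poisoncake_indicators(const char *root) {
    int found = 0;
    if (path_exists(root, "/data/.3q/dm")) found |= IOC_DM_BINARY;
    if (path_exists(root, "/data/usr"))    found |= IOC_USR_DIR;

    char procdir[4096];
    snprintf(procdir, sizeof procdir, "%s/proc", root);
    DIR *d = opendir(procdir);
    if (d) {
        struct dirent *e;
        char comm[64];
        while ((e = readdir(d)) != NULL) {
            if (!isdigit((unsigned char)e->d_name[0])) continue;   /* PIDs only */
            if (!read_comm(root, e->d_name, comm, sizeof comm)) continue;
            /* "dm" is the exec'd binary name; "jworker..." is the name the
             * -setup stage sets, so match both (comm is truncated to 15 chars). */
            if (strcmp(comm, "dm") == 0 || strncmp(comm, "jworker", 7) == 0)
                found |= IOC_DM_PROCESS;
        }
        closedir(d);
    }
    return found;
}

int main(void) {
    int f = poisoncake_indicators("");
    printf("/data/.3q/dm: %s\n", (f & IOC_DM_BINARY)  ? "present" : "absent");
    printf("/data/usr:    %s\n", (f & IOC_USR_DIR)    ? "present" : "absent");
    printf("dm process:   %s\n", (f & IOC_DM_PROCESS) ? "running" : "not found");
    return f ? 1 : 0;
}
```

A hit on the process indicator alone is not conclusive on its own (any binary named dm would match), but combined with /data/.3q/dm or /data/usr it is a strong sign; a clean result from the process scan is also not proof of absence, since /proc is only readable for all processes with root.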