Baidu Security Lab recently discovered a "chatbots" virus that injects malicious code into the QQ and WeChat (com.tencent.mm) processes through ptrace. The injected code monitors mobile QQ and WeChat chat content and contact information in real time. This is the first virus found to steal private data through ptrace injection.
Introduction
This virus mainly steals information by injecting into the QQ and WeChat processes through ptrace. The main program uses three components shipped in its assets: inject_appso, libcall.so and conn.jar, which work together. conn.jar obtains the chat content and recent contacts and sends a broadcast that starts the main program's broadcast receiver, which then sends the private data to a remote address. The behaviour of the virus is shown as follows:
Code Analysis:
The main malicious program code structure is as follows:
1. Portal startup:
After the main malicious program starts, it immediately tries to obtain ROOT permission and copies the files to be executed from its assets to different directories in the system:
inject_appso -> /system/bin/
libcall.so -> /system/lib/
conn.jar -> /data/qy/
After the files are copied, it runs the inject_appso program as root to perform the injection:
(Figure: running inject_appso)
2. Inject malicious code into the QQ/WeChat process:
Once inject_appso is running as root, it can call the ptrace function to obtain control of the QQ and WeChat processes. After obtaining control, it makes the target process load and run the malicious library libcall.so:
Once the libcall.so code is running, it obtains the Dalvik runtime environment and uses DexClassLoader to dynamically load the accompanying conn.jar malicious code:
3. Malicious code hooks QQ and acquires key user privacy data
The conn.jar code structure is as follows:
conn.jar monitors the QQ and WeChat chat interfaces through a Java hook.
QQ chat interface: com.tencent.mobileqq.activity.ChatActivity
WeChat chat interface: com.tencent.mm.ui.chatting.ChattingUI
When the chat content changes, malicious code will receive a notification and get the chat content:
(Figure: hooking the chat interface)
(Figure: monitoring chat interface changes)
(Figure: getting the chat content)
Besides monitoring the on-screen content, it also reads the database files under the /data/com.tencent.mobileqq/ directory and the /data/com.tencent.mm .db database file to obtain chat history and recent contact information:
(Figure: obtaining recent contact information)
4. Upload the chat information to the server:
After obtaining a chat message, conn.jar broadcasts it with the action "learn.yincc.CHAT_UPDATE". The broadcast is received by the main malicious program, which parses the broadcast content and sends the chat content to the remote server:
(Figure: conn.jar sends the broadcast)
(Figure: the main malicious program receives the broadcast)
(Figure: the main malicious program sends the chat content to the remote server)
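The chain described in sections 1, 2 and 4 leaves three things an analyst can check on a device: the dropped files at the reported paths, a foreign library mapped into the chat app's process (and, while the injector is still attached, a non-zero TracerPid in /proc/<pid>/status), and the exfiltration broadcast action in logcat. The following Python triage script is an added example written for this page, not code from Baidu Security Lab or from the malware; all of its sample inputs (file listing, /proc maps and status excerpts, logcat lines) are constructed, and only the paths, library name and action string come from the analysis above.

```python
"""Added triage example (not part of the original analysis): check a device
snapshot for the observable stages of the ptrace-injection chain.
Every SAMPLE_* value below is constructed for illustration."""
import re
from typing import Dict, Iterable, List

# Indicators as reported in the analysis above.
DROPPED_FILES = ["/system/bin/inject_appso", "/system/lib/libcall.so", "/data/qy/conn.jar"]
INJECTED_LIB = "libcall.so"
BROADCAST_ACTION = "learn.yincc.CHAT_UPDATE"

# Constructed sample: paths found on the device (e.g. from an ls sweep).
SAMPLE_FILE_LIST = [
    "/system/bin/sh", "/system/bin/inject_appso", "/system/lib/libc.so",
    "/system/lib/libcall.so", "/data/qy/conn.jar",
]

# Constructed sample: /proc/<pid>/maps excerpt for the QQ process.
SAMPLE_MAPS = (
    "12c00000-12e00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]\n"
    "b6f00000-b6f20000 r-xp 00000000 b3:19 1001       /system/lib/libc.so\n"
    "b6f30000-b6f40000 r-xp 00000000 b3:19 2002       /system/lib/libcall.so\n"
    "b6f50000-b6f60000 r-xp 00000000 b3:19 3003       /system/lib/libandroid_runtime.so\n"
    "be800000-be900000 rw-p 00000000 00:00 0          [stack]\n"
)

# Constructed sample: /proc/<pid>/status excerpt while a tracer is attached.
SAMPLE_STATUS = (
    "Name:\tcom.tencent.mobileqq\nState:\tS (sleeping)\nTgid:\t2345\n"
    "Pid:\t2345\nPPid:\t180\nTracerPid:\t4321\n"
)

# Constructed sample logcat lines; "Intent { act=... }" is Android's Intent.toString() form.
SAMPLE_LOGCAT = [
    "I/ActivityManager(  612): Start proc com.tencent.mobileqq for broadcast",
    "D/BroadcastQueue(  612): Intent { act=learn.yincc.CHAT_UPDATE flg=0x10 } from pid 2345",
    "D/BroadcastQueue(  612): Intent { act=android.intent.action.BATTERY_CHANGED flg=0x60000010 }",
]

INTENT_RE = re.compile(r"Intent \{ act=(?P<action>[\w.]+)")


def find_dropped_files(present_paths: Iterable[str]) -> List[str]:
    """Return the reported drop locations that exist in the device file listing."""
    present = set(present_paths)
    return [p for p in DROPPED_FILES if p in present]


def find_injected_mappings(maps_text: str, suspect_names: Iterable[str]) -> List[str]:
    """Parse /proc/<pid>/maps and return executable file mappings whose basename
    is one of the suspect library names (anonymous and non-executable maps are ignored)."""
    suspects = set(suspect_names)
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # mapping with no backing path
        perms, path = fields[1], fields[5].strip()
        if "x" not in perms or path.startswith("["):
            continue  # data/stack/heap regions, not loaded code
        if path.rsplit("/", 1)[-1] in suspects:
            hits.append(path)
    return hits


def tracer_pid(status_text: str) -> int:
    """Return TracerPid from /proc/<pid>/status; non-zero means a ptrace tracer is attached."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.M)
    return int(m.group(1)) if m else 0


def find_broadcast_actions(logcat_lines: Iterable[str], action: str = BROADCAST_ACTION) -> List[str]:
    """Return logcat lines that carry an Intent with the given broadcast action."""
    out = []
    for line in logcat_lines:
        m = INTENT_RE.search(line)
        if m and m.group("action") == action:
            out.append(line)
    return out


def triage(file_list, maps_text, status_text, logcat_lines) -> Dict[str, object]:
    """Combine the four checks into one report; any hit marks the snapshot suspicious."""
    report: Dict[str, object] = {
        "dropped_files": find_dropped_files(file_list),
        "injected_mappings": find_injected_mappings(maps_text, {INJECTED_LIB}),
        "tracer_pid": tracer_pid(status_text),
        "exfil_broadcasts": find_broadcast_actions(logcat_lines),
    }
    report["suspicious"] = bool(report["dropped_files"] or report["injected_mappings"]
                                or report["tracer_pid"] or report["exfil_broadcasts"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE_LIST, SAMPLE_MAPS, SAMPLE_STATUS, SAMPLE_LOGCAT).items():
        print(f"{key}: {value}")
```

The TracerPid check only fires while the injector is attached; an injector typically detaches once the library is loaded, so the maps check is the durable one for a process that has already been injected, and the dropped-file and broadcast checks do not depend on the timing at all.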