"Shutdown and eavesdropping"-Virus analysis report and eavesdropping Analysis Report

Source: Internet
Author: User

"Shutdown and eavesdropping"-Virus analysis report and eavesdropping Analysis Report

I. Introduction

During the first GeekPwn competition in October this year, KeenTeam researchers demonstrated, end to end, how an Android phone that appears to be powered off can still be used to eavesdrop on its owner through the handset. Baidu Security Lab has since found a "shutdown and eavesdropping" virus in the wild. It hooks the system's shutdown method so that it can intercept the shutdown request: when the user powers the phone off, the virus displays a custom black screen and leaves the phone in a "false shutdown" state, while in the background it steals the user's text messages, contacts, call records, location information and call recordings and uploads them to its server.

 

Figure 1

 

II. Malicious behaviors

 


Figure 2 Flowchart

 
 
The virus's shutdown-hijacking and eavesdropping process is as follows:

 

1. Request root privileges. Once root is obtained, copy the following files into the system directory:
injector: performs the process injection.
libhook.so: calls the malicious code in ksremote.jar.
libhookjava.so: dynamically loads ksremote.jar.
libshutdown.so: hooks the system shutdown request.
ksremote.jar: hooks the key system services and displays the disguised "false shutdown" interface.

 
2. Run the injector executable to inject libhook.so, libhookjava.so and libshutdown.so into the system_server system service process.

 
3. In the system_server process, libhookjava.so dynamically loads the malicious sub-package ksremote.jar.

 
4. In the system_server process, libshutdown.so installs the shutdown hook.

 
5. In the system_server process, libhook.so calls RSDServerImpl.hkShutdownMethod() in ksremote.jar to hook the system services.
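A practical check for steps 2 to 5, added here as an example and not taken from the report: once native libraries have been injected into system_server, they appear in that process's /proc/<pid>/maps. The script below parses a maps dump, flags any executable mapping that does not come from a stock library directory, and flags any mapping whose filename matches one of the files the report says are dropped (which catches a library that was copied into /system/lib and so would pass the directory check). The collection command, the trusted-directory baseline and the sample maps text are assumptions; the sample is constructed by hand, not a real capture.

```python
"""Triage check: find injected code in system_server's /proc/<pid>/maps.

Added example, not the report's own code. Assumptions: the maps text is
collected on a rooted device with something like
    adb shell su -c 'cat /proc/$(pidof system_server)/maps'
TRUSTED_PREFIXES is a stock-Android baseline to adjust per ROM, and
CONSTRUCTED_MAPS is a hand-made sample, not a real capture.
"""
import re
import sys

# Filenames the report lists as dropped onto the device.
IOC_NAMES = {"injector", "libhook.so", "libhookjava.so", "libshutdown.so", "ksremote.jar"}

# Where a stock build normally maps executable code from (assumed baseline).
TRUSTED_PREFIXES = (
    "/system/bin/", "/system/lib/", "/system/lib64/",
    "/vendor/lib/", "/vendor/lib64/", "/data/dalvik-cache/",
)

# One maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?$"
)


def parse_maps(text):
    """Return (perms, path) for every mapping that names a backing object."""
    entries = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m and m.group("path"):
            entries.append((m.group("perms"), m.group("path")))
    return entries


def suspicious_mappings(maps_text):
    """Sorted, de-duplicated paths that deserve a closer look."""
    flagged = set()
    for perms, path in parse_maps(maps_text):
        if path.startswith("["):          # [stack], [vectors], [anon:...]
            continue
        name = path.rsplit("/", 1)[-1]
        if name in IOC_NAMES:
            flagged.add(path)             # known dropped file, wherever it sits
        elif "x" in perms and not path.startswith(TRUSTED_PREFIXES):
            flagged.add(path)             # code executing from an odd place
    return sorted(flagged)


# Constructed sample: stock mappings plus the report's dropped libraries.
CONSTRUCTED_MAPS = """\
40000000-40001000 r-xp 00000000 b3:0a 1234   /system/bin/app_process
4001a000-40030000 r-xp 00000000 b3:0a 1235   /system/lib/libc.so
40100000-40200000 r-xp 00000000 b3:0c 5678   /data/dalvik-cache/system@framework@boot.oat
40300000-40301000 r-xp 00000000 b3:0a 1300   /system/lib/libhook.so
40310000-40311000 r-xp 00000000 b3:0a 1301   /system/lib/libhookjava.so
40320000-40321000 r-xp 00000000 b3:0a 1302   /system/lib/libshutdown.so
40330000-40340000 r--p 00000000 b3:0c 5700   /data/local/tmp/ksremote.jar
40400000-40401000 r-xp 00000000 b3:0c 5701   /data/local/tmp/libother.so
40500000-40501000 rw-p 00000000 00:00 0      [anon:libc_malloc]
be000000-be100000 rw-p 00000000 00:00 0      [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0      [vectors]
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_MAPS
    for path in suspicious_mappings(text):
        print("suspicious:", path)
```

Run it with a saved maps dump as the only argument, or with no argument to see the constructed sample. The name match and the directory check are deliberately separate: the report says the files are copied into the system directory, so a check that only trusts /system/lib would miss them, while a check that only knows the filenames would miss a renamed library such as the constructed libother.so.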

 
III. Detailed Analysis

 

(1) Process injection: the injector executable injects the .so files into the system process.

1. Request root privileges. Once root is obtained, copy the malicious files from the APK's raw resources into various system directories, then run injector to inject the .so files into the system process.


Figure 3

 
2. injector injects libhookjava.so and libhook.so into the system_server process. libhookjava.so exports the hook_entry_java method; libhook.so exports the hook_entry method and handles communication with the outside. Together they are used to dynamically load the malicious ksremote.jar and its RSDServerImpl class and to execute the related methods.


Figure 4
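A static check that complements the dynamic one, added here as an example and not taken from the report: the dropper has to carry the injector, the hook libraries and ksremote.jar inside the APK, and an APK is a zip file, so listing the res/raw/ and assets/ entries and sniffing their leading bytes for ELF, dex and zip signatures exposes the payloads before the sample is ever run. The resource names are assumed to match the dropped filenames (the report does not give them), and the APK built below is a constructed stand-in whose payload bodies are padding; only the format magic is real.

```python
"""Static triage: find native and dex payloads hidden in APK resources.

Added example, not the report's own code. The constructed APK below stands
in for the dropper; resource names are assumed, and payload bodies are
padding with only the file-format magic being genuine.
"""
import io
import sys
import zipfile

ELF_MAGIC = b"\x7fELF"
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"

# Resource directories an app can read back at runtime and write out to disk.
PAYLOAD_DIRS = ("res/raw/", "assets/")


def classify(head):
    """Name the container format from the first bytes of an entry."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(DEX_MAGIC):
        return "dex"
    if head.startswith(ZIP_MAGIC):
        return "zip"      # jar/apk: what DexClassLoader accepts as a dexPath
    return "other"


def find_embedded_payloads(apk_bytes):
    """Map each res/raw or assets entry that is ELF, dex or zip to its format."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(PAYLOAD_DIRS):
                continue
            with apk.open(info) as f:
                kind = classify(f.read(8))
            if kind != "other":
                found[info.filename] = kind
    return found


def _fake_elf():
    # ELF magic plus 32-bit / little-endian / version-1 identification bytes.
    return ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61


def _fake_jar():
    # A jar is a zip containing classes.dex; that is all DexClassLoader needs.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 60)
    return buf.getvalue()


def build_constructed_apk():
    """A stand-in for the dropper APK carrying the files the report names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        apk.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 60)
        apk.writestr("res/raw/injector", _fake_elf())
        apk.writestr("res/raw/libhook.so", _fake_elf())
        apk.writestr("res/raw/libhookjava.so", _fake_elf())
        apk.writestr("res/raw/libshutdown.so", _fake_elf())
        apk.writestr("res/raw/ksremote.jar", _fake_jar())
        apk.writestr("res/raw/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_apk()
    for name, kind in sorted(find_embedded_payloads(data).items()):
        print(f"{kind:4} {name}")
```

Point it at a real APK to list its embedded executables and archives; the top-level classes.dex is deliberately not reported, since every app has one, and a PNG in res/raw is ignored as an ordinary resource. Four ELF binaries and a jar in res/raw, as in the constructed sample, is a strong reason to pull the sample into dynamic analysis.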

 
(2) Malicious behaviors of the .so and .jar files: hook the system Binder and replace it with the specified Binder; hook the system shutdown method to put the phone into the "false shutdown" black-screen state.

1. libhookjava.so loads the ksremote.jar sub-package into the system_server process, where DexClassLoader dynamically loads the class com.sd.hk.impl.RSDServerImpl from it.


Figure 5

 
2. In the same process, libhook.so uses DexClassLoader to load the hkShutdownMethod method from ksremote.jar and calls it; this method hooks the system Binder and replaces it with the specified Binder.

libhook.so loading hkShutdownMethod:


Figure 6

 
ksremote.jar hooking the system Binder and completing the replacement:


Figure 7 hook system Binder

 
3. libshutdown.so hooks the system reboot method so that shutdown calls are intercepted.


Figure 8

 
4. hkShutdownMethod, loaded by libhook.so through DexClassLoader, registers a BroadcastReceiver, hooks the PowerManagerService power service, keeps the screen from being lit up and displays the custom black interface. After the user "shuts down" the phone, it is in the "false shutdown" state.


Figure 9 register a broadcast Receiver


Figure 10 hook the PowerManagerService power service


Figure 11 custom black shutdown page

 
(3) Stealing privacy
 

AndroidClientService starts a timer and registers a broadcast receiver; these trigger the malicious methods that steal text messages, contacts, call records, location information, call recordings and other data and upload the collected privacy information to the remote server.


Figure 12
