Sadstrot Trojan Analysis Report

Source: Internet
Author: User


The AVL Mobile Security team intercepted a malicious trojan that steals the user's QQ and WeChat accounts, friend lists and message records, and uses the Substrate hook framework to monitor everything typed on the keyboard. The application also receives commands from the cloud to update its modules, delete specified files and perform other remote-control operations, seriously compromising system security.

I. Trojan Behavior and Hazards

1. Once running, the trojan immediately requests root privileges, clearing the way for its later malicious behavior.

2. It creates a detect process. The plug-in modules loaded in that process communicate with the main process and collect the user's private data by calling back into Java-layer code and by hooking.

3. It listens for keyboard input. Every character the user types is captured, including bank account passwords and social-app account passwords.

4. It receives commands from the cloud to update modules, delete specified files and so on, which poses a serious risk to the system.

II. Trojan Execution Process

Inter-process communication protocol

libnativeLoad.so and libPowerDetect.cy.so in the com.sec.android.service.powerManager process create a large number of service listeners. When a listener receives a socket request from a plug-in module in the detect process, it matches the first two bytes of the buffer as a magic value and performs the corresponding operation.
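The listener behaviour described above, as an added example that is not code from the sample: a dispatcher that keys on the first two bytes of the buffer, with a plug-in side and a listener side talking over a local socket pair. The magic values (b"KS", b"UP"), the handler names and the reply format are placeholders chosen for illustration; the report does not list the real ones. The example also shows what a faithful dispatcher has to do with a buffer that is shorter than the magic or carries an unknown magic.

```python
"""Two-byte magic dispatch over a local socket (added example, placeholder magics)."""
import socket
from typing import Callable, Dict

MAGIC_LEN = 2  # the report: the first two bytes of the buffer are the magic


def handle_keystrokes(payload: bytes) -> bytes:
    """Placeholder for a keystroke batch forwarded by the input-method hook."""
    return b"OK:" + str(len(payload)).encode()


def handle_upload_task(payload: bytes) -> bytes:
    """Placeholder for 'queue this file for upload'."""
    return b"QUEUED:" + payload


# Dispatch table: hypothetical magic -> handler (the real values are not on the page).
HANDLERS: Dict[bytes, Callable[[bytes], bytes]] = {
    b"KS": handle_keystrokes,
    b"UP": handle_upload_task,
}


def dispatch(buf: bytes) -> bytes:
    """Match buf[:2] against HANDLERS and run the handler on the remainder.

    A buffer shorter than the magic, or one with an unknown magic, is rejected
    outright rather than partially processed.
    """
    if len(buf) < MAGIC_LEN:
        return b"ERR:short"
    handler = HANDLERS.get(bytes(buf[:MAGIC_LEN]))
    if handler is None:
        return b"ERR:unknown-magic"
    return handler(bytes(buf[MAGIC_LEN:]))


def exchange(request: bytes) -> bytes:
    """One request/response round trip between a 'plug-in' and a 'listener'.

    socketpair() stands in for the socket listener the report describes so the
    example runs offline; dispatch() plays the listener.
    """
    listener, plugin = socket.socketpair()
    try:
        plugin.sendall(request)                 # plug-in module -> listener
        reply = dispatch(listener.recv(4096))   # listener matches the magic
        listener.sendall(reply)                 # listener -> plug-in module
        return plugin.recv(4096)
    finally:
        listener.close()
        plugin.close()


if __name__ == "__main__":
    for msg in (b"KSp4ssw0rd", b"UPcollected.txt", b"ZZ???", b"K"):
        print(msg, "->", exchange(msg))
```

When reversing a listener of this kind, the dispatch table is the first thing to recover: each magic maps to one handler, so enumerating the comparisons against the first two bytes gives the full command set.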



III. Detailed Analysis

1. Request root privileges and run the cInstall executable

1) cInstall creates the working directory and the data storage directory under the application's private path, then copies detect, plugin, cache.dat, dtl.dat, glp. and uin to the specified directory.

2) It reads plugin.dat, parses it to obtain the plug-in name for the specified module id, renames that plug-in and writes it to the /data/com.sec.android.service.powerManager/cores/Users/All Users/Intel directory.

The directories and files above are made readable, writable and executable, clearing the way for the later malicious behavior.

cInstall then copies the cached super binary to /system/bin/ and raises its privileges, copies libPowerDetect.cy.so, libnativeLoad.so and other files to the specified directory, and silently installs the Substrate hook framework.

Figure: cInstall execution flow

Copying super to /system/bin and raising its privileges:


Silently installing the Substrate framework:
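The installation steps above leave a footprint that can be checked on a device. The following is an added triage example, not part of the original report: it scans a listing of (path, st_mode, owner) tuples for the paths and file names the report gives. The listing is constructed inline so the example runs offline (on a real device it would come from a stat walk over adb, which is not shown). Two assumptions are labelled in the code: "raise the permission" is treated as a set-user-ID root bit on /system/bin/super, and Substrate for Android is assumed to live under its usual package name, com.saurik.substrate; the report states neither.

```python
"""Triage of the on-device footprint described in step 1 (added example)."""
import stat
from typing import Iterable, List, Tuple

Entry = Tuple[str, int, str]  # (absolute path, st_mode, owner)

PKG_DIR = "/data/com.sec.android.service.powerManager"  # from the report
SUPER_PATH = "/system/bin/super"                        # from the report
SUBSTRATE_DIR = "/data/data/com.saurik.substrate"       # assumption: Substrate's package
# File names the report says cInstall drops, copies or renames.
DROPPED = {
    "cInstall", "detect", "super", "libnativeLoad.so", "libPowerDetect.cy.so",
    "plugin.dat", "cache.dat", "dtl.dat", "uin", "WSDMoo.dat", "Winbrrnd.dat",
}


def triage(listing: Iterable[Entry]) -> List[str]:
    """Return one finding string per suspicious property found in the listing."""
    findings: List[str] = []
    for path, mode, owner in listing:
        name = path.rsplit("/", 1)[-1]
        if path == SUPER_PATH:
            # Assumption: privileges are raised via a setuid-root bit.
            if mode & stat.S_ISUID and owner == "root":
                findings.append(f"{path}: setuid-root helper in /system/bin")
            else:
                findings.append(f"{path}: unexpected helper in /system/bin")
        elif path.startswith(PKG_DIR + "/"):
            if name in DROPPED:
                findings.append(f"{path}: known dropped component")
            # The report says these directories are made world read/write/exec.
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                findings.append(f"{path}: world-writable directory in app data")
            # The report describes the .dat plug-ins as ELF modules exporting
            # symbols, so an executable .dat is a renamed shared object.
            if stat.S_ISREG(mode) and name.endswith(".dat") and mode & stat.S_IXUSR:
                findings.append(f"{path}: executable .dat (renamed ELF plug-in)")
        elif path.startswith(SUBSTRATE_DIR + "/"):
            findings.append(f"{path}: Substrate framework present")
    return findings


# Constructed listing: one entry per indicator plus a benign control entry.
SAMPLE_LISTING: List[Entry] = [
    (SUPER_PATH, stat.S_IFREG | stat.S_ISUID | 0o755, "root"),
    (PKG_DIR + "/cores", stat.S_IFDIR | 0o777, "u0_a123"),
    (PKG_DIR + "/cores/Users/All Users/Intel/WSDMoo.dat", stat.S_IFREG | 0o755, "u0_a123"),
    (PKG_DIR + "/files/cache.dat", stat.S_IFREG | 0o644, "u0_a123"),
    (SUBSTRATE_DIR + "/lib/libsubstrate.so", stat.S_IFREG | 0o755, "u0_a124"),
    ("/data/data/com.example.benign/files/settings.dat", stat.S_IFREG | 0o644, "u0_a125"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_LISTING):
        print(line)
```

The setuid check is the one worth keeping even if the other names change between variants: a user-installed binary appearing in /system/bin with the setuid bit is abnormal on any Android build.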


2. Call the Substrate framework and hook keyboard input

When the Substrate framework runs, the code in the init_array section of libPowerDetect.cy.so calls the API provided by Substrate to hook the input-method methods for character input, end of input, hiding the keyboard and others, and sends the collected characters to the detect process.

3. Create a large number of listening services and run the detect executable

libnativeLoad.so calls a JNI method that creates a large number of listening services and runs the super executable. super escalates privileges by setting its user and group IDs, then forks to spawn the detect process.

4. Initialize the main plug-in

The detect executable looks up the Initialplugin and NetWorkStateChanged symbols in the main plug-in and calls them to initialize it.

5. The main plug-in loads and calls the other modules

WSDMoo.dat calls the SetCallbackInterface method of each other module, passing in a set of function pointers. Through the corresponding callbacks a module can obtain the working directory, the plug-in configuration and other information, and can also add an upload task to the main plug-in.

6. Collect private information such as QQ accounts and friend lists

The SetCallbackInterface method of the Winbrrnd.dat plug-in starts a startListernQQMsgThread thread, which obtains QQ and WeChat account details, friend lists and message records, writes them to a specified file, and calls back the main plug-in's CbAddUploadFileTask function to add an upload job.
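The plug-in architecture of steps 5 and 6, modelled as an added example that is not the sample's code: the main plug-in (the role of WSDMoo.dat) hands each module a table of callbacks, and a collector module (the role of Winbrrnd.dat) runs its work on a thread, writes its output to a file in the working directory and hands that file back through CbAddUploadFileTask. Only SetCallbackInterface, CbAddUploadFileTask and the thread name startListernQQMsgThread come from the report; the two other callback names, the record format and the records themselves are placeholders, and the records are constructed (no real account data).

```python
"""Main plug-in / module callback interface (added example modelling steps 5 and 6)."""
import os
import tempfile
import threading
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class CallbackInterface:
    """The set of function pointers the main plug-in passes to each module."""
    cb_get_work_dir: Callable[[], str]                     # placeholder name
    cb_get_plugin_config: Callable[[str], Dict[str, str]]  # placeholder name
    CbAddUploadFileTask: Callable[[str], None]             # name from the report


class MainPlugin:
    """Role of WSDMoo.dat: owns the working directory, config and upload queue."""

    def __init__(self, work_dir: str, config: Dict[str, Dict[str, str]]):
        self.work_dir = work_dir
        self.config = config
        self.upload_queue: List[str] = []
        self._lock = threading.Lock()
        self._threads: List[threading.Thread] = []

    def add_upload_task(self, path: str) -> None:
        # Modules call this from their own threads, hence the lock.
        with self._lock:
            self.upload_queue.append(path)

    def load_module(self, module: "CollectorModule") -> None:
        callbacks = CallbackInterface(
            cb_get_work_dir=lambda: self.work_dir,
            cb_get_plugin_config=lambda name: self.config.get(name, {}),
            CbAddUploadFileTask=self.add_upload_task,
        )
        self._threads.append(module.SetCallbackInterface(callbacks))

    def wait(self) -> None:
        for t in self._threads:
            t.join()


class CollectorModule:
    """Role of Winbrrnd.dat: collects records on a thread, writes them to a
    file, then asks the main plug-in to upload that file."""

    def __init__(self, name: str, records: Sequence[Tuple[str, str]]):
        self.name = name
        self.records = records  # constructed stand-in for the harvested data

    def SetCallbackInterface(self, cb: CallbackInterface) -> threading.Thread:
        t = threading.Thread(target=self._collect, args=(cb,),
                             name="startListernQQMsgThread")
        t.start()
        return t

    def _collect(self, cb: CallbackInterface) -> None:
        out_name = cb.cb_get_plugin_config(self.name).get("output", self.name + ".txt")
        out_path = os.path.join(cb.cb_get_work_dir(), out_name)
        with open(out_path, "w", encoding="utf-8") as f:
            for kind, value in self.records:
                f.write(f"{kind}\t{value}\n")
        cb.CbAddUploadFileTask(out_path)  # hand the file to the main plug-in


def run_demo(work_dir: str = "") -> Tuple[List[str], str]:
    """Wire one module into the main plug-in; return (upload queue, file text)."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="plugin-demo-")
    main = MainPlugin(work_dir, {"Winbrrnd": {"output": "qq_dump.txt"}})
    module = CollectorModule("Winbrrnd", [  # constructed records, not real data
        ("account", "example-account"),
        ("friend", "example-friend"),
        ("msg", "example-message"),
    ])
    main.load_module(module)
    main.wait()
    with open(main.upload_queue[0], encoding="utf-8") as f:
        return main.upload_queue, f.read()


if __name__ == "__main__":
    queue, text = run_demo()
    print(queue)
    print(text, end="")
```

For analysis the useful consequence of this design is that every module's output funnels through one function in the main plug-in: hooking or breakpointing CbAddUploadFileTask shows exactly which files are staged for exfiltration, whatever the individual modules do.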

7. Go online over a socket, upload data and receive remote-control commands

Over the socket the trojan sends the phone's firmware and plug-in information and uploads the private-data files collected by the other modules. It then receives messages from the server, parses the commands (tabulated in the original report) and performs the corresponding operations.


IV. Summary

This trojan is highly modular: multiple ELF files communicate and cooperate with each other to implement privacy theft and a remote-control backdoor. It uses the Substrate framework to hook and monitor keyboard input, and it also collects QQ and WeChat account information, which attackers could use to send fraudulent messages to the victim's QQ or WeChat contacts, a serious potential threat to users. The AVL Mobile Security Team reminds users to download mobile software only from official sites or trusted application markets, and not to install plug-ins casually, to avoid mobile malware.
