Secrets behind the Wolf: an in-depth analysis of a malicious trojan

Source: Internet
Author: User


A new malicious trojan was recently captured by the Habo analysis system. The trojan loads malicious sub-packages, downloads a root tool to obtain root privileges, installs backdoor applications as system applications, and receives remote commands in the background to silently download and install promoted applications. On remote command it also sends, intercepts, and uploads the user's text messages. It uses more than 10 encryption algorithms to encrypt and decrypt strings, resource files, and downloaded network resources, and it encrypts its malicious sub-packages and disguises them as image files, which greatly increases the difficulty of analysis and detection. Because the trojan installs a large number of malicious applications into the system directory, we call it the "Hungry Wolf".

Dissemination and impact scope:

More than 40 variants of the trojan have been captured by the Habo analysis system. The packages with the most variants are listed below:

1. Overview of malicious behaviors:

The trojan is installed without an icon and listens for various system broadcasts so that it starts automatically. After it starts, it decrypts and loads malicious resource files; sends, intercepts, and uploads fee-deducting text messages; downloads a root tool and a permission management tool; installs malicious packages into the /system/app directory; fetches remote commands; and silently installs promoted applications.

(Flowchart)

2. Detailed analysis:

2.1 After starting, the trojan sends text messages without the user's permission, monitors the user's SMS state, and intercepts, forwards, or uploads the user's text messages according to the received commands:

2.2 The trojan disguises an ELF file as a PNG file (tools.png) to evade identification. After startup, it copies tools.png to the cache directory, renames it to sdktools, loads the ELF file, and calls its registration method:

Native methods registered by sdktools. These native methods are used to load and call the malicious plug-in myplug.jar:

2.3 The trojan forcibly enables the mobile network, downloads the malicious plug-in myplug.jar, and loads it using the native methods registered by sdktools. Once myplug.jar is loaded, it downloads the root tool and attempts to root the device. After root privileges are obtained, applications are silently downloaded and installed according to the command:

1) Using the native methods to load and call the myplug malicious plug-in:

2) The malicious plug-in myplug.jar downloads the root tool and performs the root operation:

3) After obtaining root privileges, the plug-in silently downloads and installs the promoted applications into the /system/app directory:

2.4 The trojan decrypts and loads the malicious sub-package xbox.so. The plug-in is encrypted with the DES symmetric algorithm and decrypts to a DEX file; encrypting the plug-in in this way hides it from static analysis tools:

Once xbox.so has been decrypted, it can be analyzed with a static tool. This sub-package intercepts specified text messages and performs malicious operations according to the command:

2.5 Another resource file of the trojan, base_3.4.0_en.jar, is also encrypted and decrypts to a DEX file. After the DEX file is loaded, it repeatedly polls the pay method to perform fee-deduction operations and also intercepts the related text messages. base_3.4.0_en.jar also starts the parent package's PLService; once that service starts, the malicious package bom is downloaded:

1) Decrypting base_3.4.0_en.jar to a DEX file and loading it:

2) After the sub-package is loaded, it continuously polls the pay method to perform fee-deduction operations and intercepts the related text messages:

3) Downloading the malicious package bom, which is served as an "image" at http://js.xxxxxx.com/myapk/xxooaa/bom, and decrypting it:


4) Once the encrypted bom is decrypted, it is a compressed archive that can be extracted to boDat and bobolib:

2.6 The sub-file boDat is also encrypted and decrypts to a DEX file. After the DEX file is loaded, it downloads the root tool and performs the root operation. boDat also decrypts the bobolib file, which after decryption is a compressed archive containing permission management tools and malicious applications:

1) The root tool downloaded by boDat:

2) The decrypted bobolib is a compressed archive containing permission management tools and malicious applications:

3) boDat installing the permission management tools and malicious applications:

4) The three malicious applications installed by boDat download and install promoted applications into the /system/app directory according to the received commands:
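As a defender-side illustration of the file-type spoofing described in 2.2 (an ELF served as tools.png), 2.4 and 2.5 (encrypted plug-ins that only become DEX after decryption) and 2.5 (bom, an "image" that is really a compressed archive), here is an added Python example, not code from the original write-up, that flags files whose leading bytes contradict their extension or match no known container at all. All sample bytes are constructed, and the file names are borrowed from the write-up purely as labels.

```python
import os

# Magic numbers of the container formats this write-up mentions:
# PNG image, ELF native library, DEX bytecode, ZIP archive (JAR/APK).
MAGICS = {b"\x89PNG\r\n\x1a\n": "png", b"\x7fELF": "elf",
          b"dex\n": "dex", b"PK\x03\x04": "zip"}

# Extensions a benign file of each type may legitimately carry.
# An extensionless ELF (the renamed "sdktools") is deliberately not allowed.
EXPECTED = {"png": {".png"}, "elf": {".so"}, "dex": {".dex"},
            "zip": {".zip", ".jar", ".apk"}}


def identify(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension a file claims with what its bytes say.

    mismatch: a known container sits behind a wrong extension
              (an ELF named tools.png, a ZIP named bom).
    opaque:   no known header at all, which is how an encrypted payload
              such as xbox.so or base_3.4.0_en.jar looks on disk.
    """
    ext = os.path.splitext(name)[1].lower()
    kind = identify(data)
    mismatch = kind != "unknown" and ext not in EXPECTED[kind]
    return {"name": name, "kind": kind, "mismatch": mismatch,
            "opaque": kind == "unknown"}


def scan(files: dict) -> list:
    """Return, sorted, the names that deserve a closer look."""
    flagged = [n for n, d in files.items()
               if any(check_file(n, d)[k] for k in ("mismatch", "opaque"))]
    return sorted(flagged)


# Constructed samples (not real malware bytes): only the headers matter.
SAMPLES = {
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,       # genuine PNG
    "tools.png": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8,  # ELF behind .png
    "xbox.so": bytes(range(0x40, 0x50)),                    # encrypted blob
    "xbox.so.dec": b"dex\n035\x00" + b"\x00" * 8,           # decrypted copy: DEX
    "bom": b"PK\x03\x04\x14\x00" + b"\x00" * 10,            # ZIP, no extension
}
```

Running `scan(SAMPLES)` flags everything except the genuine icon.png; an opaque hit is the cue to look for the decryption routine (here DES) in the loader rather than at the file itself.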

3. Summary:

The "Wolf" trojan not only sends fee-deducting text messages without the user's permission but also intercepts and uploads the user's text messages. It uses complex encryption algorithms to encrypt and decrypt strings, resource files, and downloaded network resources, and its malicious sub-packages are encrypted and disguised as image files, which greatly increases the difficulty of analysis and detection. Effective protection measures should therefore be used to promptly discover and remove this trojan before it causes more serious consequences.
