The world's first new Android Trojan Golem virus infected tens of thousands of mobile phones

The world's first new Android Trojan Golem virus infected tens of thousands of mobile phones

When the mobile phone is recharged on the desk, the screen is suddenly highlighted. When no one is touched, a mobile phone game runs, slides, and executes many commands. After the execution, the phone quietly closes the screen display, and nothing happens. The mobile phone owner will find that his cell phone battery often loses power, and the traffic consumption is much higher than usual. This is not a zombie, but a mobile phone poisoning.

On September 6, March 2, the mobile security lab of cheetah found a new Android trojan named Golem, a variant of Ghost Push. The virus has been detected in dozens of countries around the world. Currently, the number of active mobile phones is 40 thousand, and the cumulative number of infections is estimated to be more than 0.1 million. The three most infected countries are India, Indonesia, and the Philippines, which are favored by many Internet companies and have invested a lot of money to promote their own apps, part of these promotion fees flow into the pockets of virus senders.

In the past, some advertising alliances used virus infected computers (BOTS) to click on online advertisements to obtain ad fees. However, it was the first time in the world to intercept viruses that could simulate user behavior on Android phones. This means that the mobile advertising fraud industry has entered a new stage, which will put forward higher requirements for security companies and AD anti-fraud technologies.

Golem Trojan details Analysis

Golem FILE MD5: bdaeef30e40b0ae2abcac5b87074682b

Through a detailed analysis of the Golem Trojan, the trojan in the User Screen to unlock, or boot, will download a dex from the cloud (http://down.onowcdn.com/myroapk/update_two.txt.

 

Then load and download dex directly, and call the class com. facebook. mini. service. RunService.

 

In the latest dex (MD5: 16E931588E63BE8E533D94D4BC2D1CD3) We tracked, the virus will run the specified App (of course, it will determine whether the App exists) and perform the click operation.

 

 

As shown in the preceding code, the App is cyclically executed three times, and the logic in the specified coordinate is clicked each time, which is about the top-down position in the middle of the screen.

The input command is used for viruses. Normally, Android devices will basically prefabricate the input tool. This tool is mainly used to help developers perform automated testing.

 

Normally, you can run this command under the permission of the root user or shell user or the permission of android. permission. INJECT_EVENTS applied for by a system application.

 

 

However, the virus does not meet the following two conditions. We found that the Golem virus uses the backdoors left by other ROOT viruses to obtain the ROOT permission.

 

Run the question and let it go back to the virus. It's not just a simulated click. It just lights up the screen, runs the App, clicks the button, slides the screen, and finally triggers the specified function in one breath.

 

Then add some random elements, as if someone is using this App. logging.

Summary

Golem can remotely control devices and automatically start and run applications without your knowledge. These malicious behaviors consume a large amount of network data, battery power, and local device resources, the result is that the mobile phone runs slowly.

Behind-the-scenes promoter of Golem

Golem is a new member of the Ghost Push root Trojan family, but plays a very important role in the black market profit chain. Undoubtedly, the developer of the Golem Trojan must develop this Trojan out of financial motives. Because Golem can imitate normal user behavior and forge realistic active data, thus earning a large amount of advertising fees. For example, if an attacker installs a promotional application on a device, the attacker can earn RMB 1. If the application is opened, the attacker can earn RMB 2 or more.

As this Trojan can bring huge economic benefits, the malicious behavior of Golem implies the new trend of Android Trojan. Fortunately, security companies around the world are looking for strategies to protect user security.