Three generations of "Elder elder Trojan" find the "drug lord" behind the scenes"

Three generations of "Elder elder Trojan" find the "drug lord" behind the scenes"

 

I. Tip of the iceberg

Recently, many Android mobile phones have "inexplicably" applications such as "flashlights" and "calendar", which cannot be uninstalled without root. Even if the root permission is obtained, it will not be long before it appears again. According to statistics from the 360 Internet Security Center, more than one million infected users have been involved.

2. Initiator

After a large number of user feedback and careful analysis and investigation by the 360 Internet Security Center, we found that the author was the latest variant of the family of "elders Trojan (fakedebugadh, this trojan replaces the native/system/bin/debugadh of the system. It is started upon startup and stays in the background for a long time. It steals user information and malicious promotion software. We name it fakedebugadh. C.

(1) fakedebugadh. C Flowchart

(2) fakedebugadh. C specific behavior analysis

1. Initialization

After startup, create the directory/sdcard/sysv/AND/data/. 3q/in the/sdcard and/data Directories respectively to save the communication data and running information with the server.

2. replace system files

First, an empty file/system/bin/. cw will be created when fakedebugadh. C is started for the first time to determine whether/system needs to be remounted.

Second, rename/system/bin/debugadh to/system/bin/debuggerd_deamon.

 

Then, find your own image file, copy your image file to/system/bin/, and rename it debugnames. After the original debugadh process is terminated, the system automatically restarts the debugadh process. At this time, fakedebugadh. C is restarted.

3. Stealing privacy from online uploads

Read the/data/. 3q/rc file. This file is used to save information related to ELF download, file md5, and so on. Obtain Network Information (network type and network name), call the service call iphonesubinfo (service call iphonesubinfo 1) service, and obtain SIM card information (mobile phone system, DeviceId, and IMEI ); obtain Mobile Phone firmware information (mac address, cpu information, and mobile phone system version)

Get sim information:

Obtain the mac address:

Other information (for example, nettype-network type, netextra-network name, andrsdk-system api ):

4. Silent download and Installation

(1) obtain the instruction configuration table online

Before decryption

After decryption

(2) The ELF File for silent download. Download Directory:/data/. 3q/ld/. default file name: aplo _ [MD5]

 

(3) Determine whether the system has installed the embedded apk

(4) release the APK file named * PSD.apk from the downloaded ELF file to the/system/app/directory to complete installation.

(5) change the/system/app/* PSD.apk permission to 420.

5. Clear traces

(1) Delete files in the/data/. 3q/ld/directory.

(2) Hide processes. Fakedebugadh. C after the system starts, it calls fork () to derive a sub-process. The sub-process tries to execute the debuggerd_deamon file (the original debugadh file of the system ). After the sub-process is successfully started, the sub-process Exits normally. If the sub-process fails to be started, the sub-process becomes a "zombie process ". In this case, the system process list will see two debugnames, and then fakedebugnames. c. Replace the corresponding process name in/proc/pid/cmdline (changed from debugadh to kworker/0I: 2 H: 1J) and check the process list again, the previous two debugnames are changed to one debugdate and one kworker/0I: 2 H: 1J.

Before change:

After modification:

(3) modify the Time of the write-back file to avoid file changes.

Iii. surfaced

 

From the analysis, we can't help wondering where fakedebugadh. C came from? It's impossible to appear for no reason, right? The Analysis on the range of infected models is not a Trojan with ROM, so it must be released through APK. We passed a series of user feedback to further test the waiting for recurrence, and the "culprit" finally emerged-"power-saving household ".

 

(1) Analysis of "power-saving household:

1. The software uses the DexGuard tool. The class name and string are highly obfuscated and encrypted to defend against static analysis.

2. release seed at runtime. jar file. the actual content of the released file is distributed and stored in several Java classes in the form of byte arrays. The following are part of an array:

Used to splice and combine the relevant code:

Release jar files

3. Load the run method of com. core. seed. SeedThread running seed. jar in reflection mode

(2) seed. jar Analysis

1. seed. jar running Flowchart

 

2.com. core. seed. SeedThread's run method triggers seed. jar to release and decrypt the resource files under seed. jar \ res. Namely, fakedebugadh. C.

 

3.use loopholes to escalate permissions and run logo.jpg

Goldbean, greenbean, yy1, s2, and s4 contain multiple known android Elevation of Privilege vulnerabilities, including FramaRoot and TowelRoot.

Permission escalation using jar packages (goldbean or yy1 file)

Run the Shell command "export ANDROID_DATA = 1; export CLASSPATH =/PATH/; app_process 1 com. tj. goldbean. app 1 'res/logo.jpg-setup id tag' "completes the entire process. The PATH is the PATH of the Seedjar package, the id is the command number, and the tag is seed. jar callers use SeedThread. setTag.

If the command is successfully executed, the main method of com. tj. goldbean. App is called.

The TowelRoot () method carries out the Elevation of Privilege by loading the so file in the Jar package (goldbean/yy1, run the Shell command 'res/logo.jpg-setup id tag' to start the debugadh file.

Use ELF to escalate permissions (greenbean, s2, or s4 files)

Privilege Escalation and execution of the shell command for running the logo.jpg file, for example:

You can directly use Shell commands to start the ELF File For Elevation of Privilege, "res/logo.jpg-setup id2 tag" is passed as a parameter to the corresponding ELF file. In the ELF File, select whether to execute debugadh Based on the elevation result. The command format is as follows:

Cat res/logo.jpg-setup id2 tag> $ FilesDir/tmp

Res/$ ELF $ FilesDir/tmp

($ ELF is the path of the elf File .)

 

After the permission escalation is completed, start the fakedebugadh. C operation.

 

(3) "calendar" and "Flashlight" Analysis

1. Find that the "Flashlight" will be connected to the background, and silently download and install the promotion software.

2. The analysis of "calendar" shows that it contains an advertisement plug-in "TJ". The advertisement plug-in will push the advertisement through the notification bar and create multiple shortcuts for Software Promotion.

In addition, we also found that "TJ" will download the encrypted seed. jar file from the specified server. After decryption, it will also call the run method of com. core. seed. SeedThread for loading and running.

Iv. Tracing

From the above analysis, we can see that the running malicious file seed is loaded. the jar mobile phone will be infected with fakedebugadh. c, seed. jar is disguised as a commonly used software to be downloaded from Java code release and "TJ" advertisement online. We found that the total number of samples for these two classes has reached more than 1000, that is, fakedebugadh. the reason for the high number of C infections.

Common camouflage software:

List of software embedded with "TJ" advertisements:

At the same time, we tracked the earlier versions of seed. jar file, after comparative analysis, it is found that its main functions have not changed, and its "Evolution" is mainly for confrontation analysis, thus causing a large deformation.

(1) From "linear" to "mesh"

Combine the original seed. jar and its derivative mlgb. jar into one, and implement a set of communication mechanisms to complicate the execution process and increase the difficulty of analysis. Earlier versions of seed. jar by releasing mlgb. jar, and then by mlgb. jar executes the operation to release resource files and raise permissions. The entire process is almost straight and the idea is clearly visible. However, the new version implements a complex communication mechanism and has evolved into a communication network, this can be realized by comparing the package structure of the new and old versions.

 

(2) From "streaking" to "beyond sight"

Another change from the new version to the old version is serious confusion and encryption of sensitive strings. It implements an encryption algorithm for each key class. These algorithms are similar but dependent on the implementation of specific classes, this makes it impossible for analysts to decrypt data in a unified manner, making static analysis more difficult at a large layer.

V. Connecting man

Interestingly, we are analyzing fakedebugadh. during the whole spread of C infection, another malicious Trojan family Trojan was launched. dropper. android. fakeinfo. a. The family uses malicious samples as media for promotion and dissemination. We will take the promotion of "power-saving household" as an example to describe the entire operational relationship diagram. The software involved includes:

L tampered yuehui (Trojan. Dropper. Android. Fakeinfo.)

L com. android. provider. confirm

L System

L AndroidRoot

L System

(1) Trojan. Dropper. Android. Fakeinfo. A propagation Relationship Diagram

(2) Trojan. Dropper. Android. Fakeinfo. A malicious behavior analysis

Overview: this vulnerability can be exploited to release encrypted files and malicious APK packages. After obtaining Root permissions, the malicious APK package com. android. provider. confirm and System to the/system/app directory, and automatically restart the mobile phone to complete the installation.

The sensitive files and malicious APK packages are encrypted through double encryption. First, the info.mp4 file is decrypted using the standard desalgorithm. The key is a1f6R: Tu9q8.

Secondly, the decrypted zip package is encrypted with the key 6f95R: T29q1

 

 

In this example, the root_000133 command is used to upload the APK package of system. androidrtservice.apk is the APK package of com. android. provider. confirm, And the other root_001 ~ 008 is used to obtain the Root permission for a file with known Elevation of Privilege or omission.

(3) "com. android. provider. confirm" Behavior Analysis

Overview: The Trojan Horse club uploads the Software List on the mobile phone in the background, obtains cloud control commands, and executes downloads, Silent Installation, silent uninstallation, and the notification bar, and starts specified applications.

1. Cloud Control Command Parsing. We found that there are three types of cloud control commands: "[Down]", "[Uninstall]", and "[Notification]", which represent downloading, uninstalling, and pushing notifications respectively. Each Command returned by the server is separated by "[-]" And split into various parts of each command.

(1) [Down]: contains the software id, md5, software package name or component service name to be downloaded, and other information;

(2) [Uninstall]: contains the name of the software package to be detached;

(3) [Notification]: contains the Notification column id, software package name, component service name, and Notification column content.

During the analysis and test, we obtained two different commands returned by the "[Down]" command.

(4) [Down] T71656 [-] as [-] true [-] 4197529 [-] [MD5] [-] 1 [-] [PACKAGENAME] [-] http: // [REMOVED]. com/[REMOVED]. apk [-] false [-] false [-] false [-] true [-] http: // [REMOVED]/status. jsp

(5) [Down] T71659 [-] as [-] true [-] 169202 [-] [MD5] [-] 1 [-] [SERVICENAME] [-] http: // [REMOVED]. com/appapk/[REMOVED]. apk [-] false [-] false [-] false [-] true [-] http: // [REMOVED]/status. jsp

2. Run the pm install-r command to perform Silent Installation.

3. Execute pm uninstall to uninstall the SDK Based on the command content.

4. Run the specified software in command line mode. Start the component service name in the cloud control command in am startservice Mode

 

5. Push notification bar

During actual dynamic debugging, we found that the software downloaded and installed was controlled by the content returned by the server. What we actually saw was: "game hall", "connotation joke", "billiards master", and "AndroidRoot" (multiple AndroidRoot with different package names ), the software is downloaded and installed to the data/app directory silently.

The main behaviors of the downloaded "AndroidRoot" are basically the same as those of the tampered "yuehui". It also uses known vulnerabilities to escalate permissions and release the local APK file to the system/bin directory, then restart the mobile phone to complete the installation. The difference is that only one APK file is released. The released APK includes "power-saving household" and "child care treasure.

(4) "System" malicious behavior analysis

Overview: Download, silently install, and uninstall a specified application in the background; modify the APN settings of the mobile phone

Receives multiple system broadcasts to start core services. Obtain the list of applications to be installed from the control server. The applications are automatically downloaded in the background and installed silently. After the installation is complete and running, uninstall the application within the specified time.

Receives commands returned by the server to update the database content, obtains information about the applications to be installed from the database, downloads and installs these applications.

Download Application

Install the application and repair the corresponding values in the database.

Reads data from the database and detaches the specified application.

When receiving system. intent. action. OPEN_WAP or system. intent. action. OPEN_NET broadcast, select the APN configuration of the corresponding carrier based on the IMSI number.

 

 

"System" and "com. android. provider. the main malicious behaviors of confirm are similar. They are controlled by the server to download and install the specified application, and can receive commands to uninstall the application. The main difference is that "com. android. provider. confirm starts the service of the installed application, and System starts the activity of the installed application.

(5) "system" malicious behavior analysis

Overview: after running the SDK, it decrypts and releases malicious sub-packages. The sub-packages send messages to subscribe to paid services and intercept text messages with specified keywords, causing economic losses to users.

A service is created for the main package. The main function of this service is to decrypt gamelib. so under the assets Directory of the main package. The decrypted file is a jar package and the sub-package is loaded through DexClassLoader. Sub-bag name: cn. andriod. system. SlotSocket

How to start a sub-package after it is loaded

After the sub-package is run, server commands are obtained online. Commands include the specified keywords intercepted and sent mobile phone numbers.

Interception keywords include:

Vi. Solutions

Currently, only the first-aid kits for 360 computers and the elder's Trojan killing tool can be used. Once a mobile phone user finds that there are more "flashlights", "calendars", and other applications on the phone, the phone bill is abnormal, be sure to use the 360 cell phone first aid kit and the elder Trojan killing tool as soon as possible to clear three generations of "Elder Trojan.

Phone first aid kit: http://www.360.cn/jijiuxiang/

Elder Trojan killing tools: http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/FakedbgKiller.apk

 

VII. Summary

From the malicious trojan family fakedebugadh we found this time. c. It can be seen that. A [1] and fakedebugadh. compared with promotion channels, B [2] is more difficult to find, clear more difficult, more countermeasure means, and use professional Countermeasure Analysis and security detection.

360 suggestions for the Internet Security Center:

(1) For App developers: they should carefully screen ads to avoid embedding malicious ad plug-ins and causing unnecessary losses to their own software and users;

(2) advertisers: they should strengthen the software review, so as not to leave a good opportunity for the spread of malware.

(3) for general users, please download and install the App through regular channels, install professional security software, and enable security monitoring. Pay attention to your phone bills and traffic usage. If any exception is found, report it to the carrier and 360 Internet Security Center in a timely manner.