Basically, the malware is able to infect the core Android Zygote process, which is the parent process of every application launched in Android. This means that potentially any application executed on the phone might be infected. It is also a very modular piece of malware: it has the ability to download and install additional modules, hence it can do practically anything on the compromised device.
I have taken a look at a couple of samples and there are a few interesting points.
Sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8 was detected almost one month ago.
This sample did not run on two devices running Android 4.4 and Android 6.0.1 (although it is supposed to work on Android < 4.4.4). It worked perfectly on a physical device running Android 2.3.7.
Note that the size of the application is only 100KB once installed.
The application doesn't execute after installation, but only once the system has been rebooted. The application is not displayed with the rest of the applications. The application can't be stopped, only uninstalled. The manifest shows why it waits for a reboot: it registers a receiver for BOOT_COMPLETED with the highest possible priority.
    <receiver android:name="com.android.system.AndroidReceiver"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
        <intent-filter android:priority="2147483647">
            <action android:name="android.intent.action.BOOT_COMPLETED"/>
            <action android:name="com.android.system.guardianship.info.server.monitor"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </receiver>
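As an added example (not code from the original post or from the malware itself), the following Python script applies the two observations above to a decoded AndroidManifest.xml (for instance apktool output): it lists every receiver registered for BOOT_COMPLETED together with its priority, and checks whether the app has any MAIN/LAUNCHER activity at all, which is what decides whether an icon appears with the rest of the applications. The <receiver> in the constructed sample manifest is the one quoted above; the surrounding manifest skeleton, the package name and the benign counterpart are assumptions.

```python
"""Flag receivers that give an app boot-time persistence while it has no launcher icon.

Added example for this write-up; it is not the malware's code nor tooling from the
original post. It expects a decoded AndroidManifest.xml (e.g. the output of apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE: first in line for the broadcast


def _attr(element, name):
    """Read an android:-namespaced attribute (ElementTree expands the prefix)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def boot_receivers(manifest_xml):
    """One record per <intent-filter> on a <receiver> that listens for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if BOOT_COMPLETED not in actions:
                continue
            categories = {_attr(c, "name") for c in flt.findall("category")}
            priority = int(_attr(flt, "priority") or 0)
            findings.append({
                "name": _attr(receiver, "name"),
                "priority": priority,
                "max_priority": priority == MAX_PRIORITY,
                # LAUNCHER on a receiver does nothing: only activities get an icon.
                "launcher_category_on_receiver": LAUNCHER in categories,
                "other_actions": sorted(actions - {BOOT_COMPLETED}),
            })
    return findings


def has_launcher_activity(manifest_xml):
    """True if any activity (or alias) carries the MAIN/LAUNCHER filter that puts an icon in the drawer."""
    root = ET.fromstring(manifest_xml)
    for tag in ("activity", "activity-alias"):
        for activity in root.iter(tag):
            for flt in activity.findall("intent-filter"):
                actions = {_attr(a, "name") for a in flt.findall("action")}
                categories = {_attr(c, "name") for c in flt.findall("category")}
                if MAIN in actions and LAUNCHER in categories:
                    return True
    return False


def triage(manifest_xml):
    """Boot persistence combined with no icon is the profile seen in the sample."""
    receivers = boot_receivers(manifest_xml)
    hidden = not has_launcher_activity(manifest_xml)
    return {
        "boot_receivers": receivers,
        "hidden_from_launcher": hidden,
        "suspicious": bool(receivers) and hidden,
    }


# Constructed test input: the <receiver> is the one quoted from the sample's manifest;
# the <manifest>/<application> skeleton and the package name are assumptions.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.system">
  <application>
    <receiver android:name="com.android.system.AndroidReceiver"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="com.android.system.guardianship.info.server.monitor"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign counterpart: an ordinary app with a visible launcher activity.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A receiver alone is not malicious (plenty of legitimate apps restart a service on boot), so the script reports the combination: boot receiver, maximum priority, and no activity that would ever show an icon.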
After rebooting, the application starts doing its job. A new process is created, com.android.system.op.guardianship.server (PID 1569, running as uid app_63), and it forks a large number of children. In the ps listing below they show up as zombies (state Z, zero VSIZE and RSS) under the truncated names dianship.server and Thread-12:
    app_63    1569  1229  98192  21640 ffffffff afd0c76c S com.android.system.op.guardianship.server
    app_43    1578  1229  97176  19484 ffffffff afd0c76c S com.bel.android.dspmanager
    app_63    1588  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1589  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1590  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1591  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1592  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1594  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1595  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1596  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1597  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1598  1569  0      0     c0094540 00000000 Z dianship.server
    app_63    1599  1569  0      0     c0094540 00000000 Z dianship.server
    app_29    1631  1229  101316 22936 ffffffff afd0c76c S android.process.media
    app_63    1686  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1697  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1700  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1701  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1702  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1703  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1704  1569  0      0     c0094540 00000000 Z Thread-12
    app_41    1706  1229  97548  20392 ffffffff afd0c76c S com.android.deskclock
    app_7     1742  1229  100292 20436 ffffffff afd0c76c S com.google.android.partnersetup
    app_47    1755  1229  99556  21052 ffffffff afd0c76c S com.android.providers.calendar
    app_60    1766  1229  96712  19844 ffffffff afd0c76c S de.schaeuffelhut.android.openvpn
    app_0     1776  1229  122116 29060 ffffffff afd0c76c S com.android.vending
    app_20    1811  1229  98112  22192 ffffffff afd0c76c S com.koushikdutta.rommanager
    app_3     1824  1229  312252 54948 ffffffff afd0c76c S com.google.android.gms
    app_63    1834  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1837  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1838  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1840  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1841  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1842  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1843  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1844  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1845  1569  0      0     c0094540 00000000 Z Thread-12
    app_63    1846  1569  0      0     c0094540 00000000 Z Thread-12
    app_3     1850  1229  231080 50988 ffffffff afd0c76c S com.google.android.gms.persistent
    app_4     1917  1229  99480  19612 ffffffff afd0c76c S com.google.android.apps.uploader
    system    1930  1229  101492 24592 ffffffff afd0c76c S com.android.settings
    system    1938  1229  97792  20576 ffffffff afd0c76c S com.cyanogenmod.cmparts
    app_23    1946  1229  96124  19052 ffffffff afd0c76c S com.android.protips
    app_27    1957  1229  96864  19432 ffffffff afd0c76c S com.android.music
    app_6     1965  1229  107572 24300 ffffffff afd0c76c S com.google.android.googlequicksearchbox
    app_36    1982  1229  100020 22132 ffffffff afd0c76c S com.cooliris.media
    app_12    1994  1229  96200  18776 ffffffff afd0c76c S com.android.voicedialer
    app_14    2025  1229  144436 44608 ffffffff afd0c76c S android.process.acore
    app_10    2044  1229  96040  18508 ffffffff afd0c76c S com.cyanogenmod.android.fotakill
    root      2137  1237  760    360   c0093c7c afd0c5fc S /system/bin/sh
    app_3     2144  1229  152788 35944 ffffffff afd0c76c S com.google.android.gms.unstable
    root      2181  1237  756    340   c024280c afd0b68c S /system/bin/sh
    root      2196  1237  756    332   c0093c7c afd0c5fc S /system/bin/sh
    root      2197  2196  2292   1924  c0107d14 afd0ba74 S logcat
    root      2214  2137  892    312   00000000 afd0b68c R ps
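A listing like this is easier to triage with a script. As an added example, not part of the original analysis, the following Python parses toolbox `ps` output, infers the zygote PID as the usual parent of app processes, and reports any parent with an unusual number of zombie children. The embedded input is an excerpt of the listing above; the column layout (USER PID PPID VSIZE RSS WCHAN PC STATE NAME) is that of the old Android toolbox ps, and the zygote inference is a heuristic.

```python
"""Find a process that is spawning children en masse from an Android `ps` listing.

Added example for this write-up, not tooling from the original post. Input is the
output of the old toolbox `ps` (columns: USER PID PPID VSIZE RSS WCHAN PC STATE NAME).
"""
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "user pid ppid vsize rss state name")


def parse_ps(text):
    """Parse toolbox ps lines; a header line or malformed lines are skipped."""
    procs = []
    for line in text.strip().splitlines():
        parts = line.split(None, 8)  # split at most 8 times so NAME stays whole
        if len(parts) != 9 or not parts[1].isdigit():
            continue
        user, pid, ppid, vsize, rss, _wchan, _pc, state, name = parts
        procs.append(Proc(user, int(pid), int(ppid), int(vsize), int(rss), state, name))
    return procs


def infer_zygote_pid(procs):
    """Heuristic: on Android every app process is forked by zygote, so zygote is the
    most common parent of live (non-zombie) processes running under an app_* uid."""
    parents = Counter(p.ppid for p in procs
                      if p.user.startswith("app_") and p.state != "Z")
    return parents.most_common(1)[0][0] if parents else None


def zombie_counts(procs):
    """Number of zombie children (state Z, nothing mapped) per parent PID."""
    return Counter(p.ppid for p in procs
                   if p.state == "Z" and p.vsize == 0 and p.rss == 0)


def report(ps_text, threshold=5):
    """Parents with at least `threshold` zombie children, most prolific first."""
    procs = parse_ps(ps_text)
    by_pid = {p.pid: p for p in procs}
    zygote = infer_zygote_pid(procs)
    out = []
    for ppid, n in zombie_counts(procs).most_common():
        if n < threshold:
            continue
        parent = by_pid.get(ppid)
        out.append({
            "pid": ppid,
            "name": parent.name if parent else "?",
            "user": parent.user if parent else "?",
            "zombies": n,
            # An app process acting as a parent is itself unusual: normally zygote
            # is the only process that forks app processes.
            "parent_is_not_zygote": ppid != zygote,
        })
    return out


# Constructed input: an excerpt (14 of 55 lines) of the ps listing quoted above.
SAMPLE_PS = """\
app_63 1569 1229 98192 21640 ffffffff afd0c76c S com.android.system.op.guardianship.server
app_43 1578 1229 97176 19484 ffffffff afd0c76c S com.bel.android.dspmanager
app_63 1588 1569 0 0 c0094540 00000000 Z dianship.server
app_63 1589 1569 0 0 c0094540 00000000 Z dianship.server
app_63 1590 1569 0 0 c0094540 00000000 Z dianship.server
app_29 1631 1229 101316 22936 ffffffff afd0c76c S android.process.media
app_63 1686 1569 0 0 c0094540 00000000 Z Thread-12
app_63 1697 1569 0 0 c0094540 00000000 Z Thread-12
app_63 1700 1569 0 0 c0094540 00000000 Z Thread-12
app_41 1706 1229 97548 20392 ffffffff afd0c76c S com.android.deskclock
app_0 1776 1229 122116 29060 ffffffff afd0c76c S com.android.vending
app_3 1824 1229 312252 54948 ffffffff afd0c76c S com.google.android.gms
root 2137 1237 760 360 c0093c7c afd0c5fc S /system/bin/sh
root 2214 2137 892 312 00000000 afd0b68c R ps
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_PS):
        print(finding)
```

On a live device the input would come from `adb shell ps`; the threshold keeps a normal app that happens to have one or two reaped-late children out of the report.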
Later on, it communicates with the C&C server ph4.xiaoyisy.com on TCP port 8080.
Four files are created in the filesystem:
OPBKEY_b4c5d457bf08ab4d2bb9c9cbf12bd68d4c9f
lastAccessTimes.db
opb_mark_recover.db (empty)
phone.db
Finally, a JAR file is pulled from another server, xla.poticlas.com, over plain HTTP.
The downloaded file, OPBUpdate_6000.jar, contains three more files: one APK, one .db file and one .DEX file.
bf26f9b2909c429af8d4876c8015a41633eb3d74 GloablBCServiceInfo.apk
95e6ad4c2bc9e6a29ea1f6d90d782be9971450bd OPBUpdate_6000_opbRelease.db
09d856882b205e1a8f6065334d8d0fa583666acb classes.dex
The APK and the DEX files are detected as malware as well.
Once GloablBCServiceInfo.apk is installed, the process com.bc.android.core.bcservice is spawned and there are new HTTP connections to the C&C, this time to a different subdomain: ph2.xiaoyisy.com.
Two additional modules are fetched.
Those two modules can hook applications that use SMS and can send SMS as well.
What we have so far:
- The malware doesn't run on devices running Android 4.4 and 6.0.1, so it likely only executes on devices with Android < 4.4
- The size of the malware is just around 100KB (once installed)
- The malware doesn't run right after installation, but only after a reboot
- It also hides its icon from the application list, so there is no option to stop it, only to uninstall it
- It downloads several other modules and an APK inside a .JAR file
- The second APK, once installed, downloads several additional modules
- The C&C servers are hosted on different subdomains. Some of the subdomains resolve to the same IP, which looks like some kind of redundancy
- The additional APK and modules are downloaded from the same server
Indicators
C&C:
ph1.xiaoyisy.com 103.20.249.203
ph2.xiaoyisy.com 103.20.249.203
ph3.xiaoyisy.com 103.6.223.226
ph4.xiaoyisy.com 103.6.223.226
Dropper server:
xla.poticlas.com
Files:
Calendar_1002.md f9b5e56e76c5eeea61f224279c756da4abb4d665
Idleinfo_4042.md c1152d2e8c005dad77b3dfac7e1e4cd785031bdc
OPBUpdate_6000.jar d47b0a190af5754625c7edf15d1ecddeae4c7108
classes.dex 09d856882b205e1a8f6065334d8d0fa583666acb
GloablBCServiceInfo.apk bf26f9b2909c429af8d4876c8015a41633eb3d74
To be continued...