Wednesday, March 16, 2016

Triada malware: hitting the android core system (part I)

Kaspersky announced that its researchers have found what they describe as the most sophisticated Android malware to date, comparable to Windows malware in terms of complexity.
A post on SecureList already gives some information about how this malware works.

Basically, the malware is able to infect the core Android Zygote process, which is the parent process of every application launched in Android. This means that potentially any application executed on the device might be infected. It is also a very modular piece of malware with the ability to download and install additional modules, and hence to do absolutely anything on the compromised device.

I have taken a look at a couple of samples and there are a few interesting points.

Sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8 was detected almost one month ago.

This sample did not work on two devices running Android 4.4 and Android 6.0.1 (although it is supposed to work with Android < 4.4.4). It worked perfectly on a physical device running Android 2.3.7.

Note that the size of the application is only 100KB once installed.

The application doesn't execute after installation, only once the system has been rebooted. It is not displayed with the rest of the applications, and it can't be stopped, only uninstalled.

<receiver android:name="com.android.system.AndroidReceiver" android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
    <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="com.android.system.guardianship.info.server.monitor"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</receiver>
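A static check for this persistence pattern, added here as an example (my own code, not from the post): it parses the manifest with Python's standard ElementTree, flags receivers that register for BOOT_COMPLETED with priority Integer.MAX_VALUE (2147483647, the value used above), and reports whether any activity carries the MAIN/LAUNCHER filter that would give the app a launcher icon. The receiver block is the one shown above; the surrounding <manifest> element and its package name are placeholders I constructed so the fragment parses. Note that a LAUNCHER category on a receiver does not create a launcher entry (only an activity with MAIN/LAUNCHER does), which is consistent with the app not showing up in the application list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE, the priority used in the sample's manifest

# Constructed manifest for illustration: the <receiver> block is the one from the
# post, wrapped in a minimal <manifest>; the package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="placeholder">
        <receiver android:name="com.android.system.AndroidReceiver"
                  android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="com.android.system.guardianship.info.server.monitor"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    """Return findings about boot persistence and launcher visibility."""
    root = ET.fromstring(xml_text)
    findings = {
        "boot_receivers": [],        # receivers listening for BOOT_COMPLETED
        "max_priority_filters": [],  # receivers whose filter uses Integer.MAX_VALUE
        "has_launcher_activity": False,
    }
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = [_attr(a, "name") for a in flt.findall("action")]
            if "android.intent.action.BOOT_COMPLETED" in actions:
                findings["boot_receivers"].append(_attr(receiver, "name"))
            prio = _attr(flt, "priority")
            if prio is not None and int(prio) >= MAX_PRIORITY:
                findings["max_priority_filters"].append(_attr(receiver, "name"))
    # Only an <activity> with MAIN + LAUNCHER produces a launcher icon.
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = [_attr(a, "name") for a in flt.findall("action")]
            cats = [_attr(c, "name") for c in flt.findall("category")]
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                findings["has_launcher_activity"] = True
    return findings


def is_suspicious(findings):
    """Boot-start receiver at maximum priority and no launcher activity at all."""
    return (bool(findings["boot_receivers"])
            and bool(findings["max_priority_filters"])
            and not findings["has_launcher_activity"])


if __name__ == "__main__":
    result = analyse_manifest(SAMPLE_MANIFEST)
    print(result)
    print("suspicious:", is_suspicious(result))
```

On a real sample the manifest is binary XML inside the APK and has to be decoded first (for instance with apktool or androguard) before being fed to analyse_manifest; the combination of a maximum-priority BOOT_COMPLETED receiver with no launcher activity is a useful triage signal, not proof of malice on its own.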

After rebooting, the application starts doing its job. A new process is created (app_63) and a lot of threads are spawned.

app_63    1569  1229  98192  21640 ffffffff afd0c76c S com.android.system.op.guardianship.server
app_43    1578  1229  97176  19484 ffffffff afd0c76c S com.bel.android.dspmanager
app_63    1588  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1589  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1590  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1591  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1592  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1594  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1595  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1596  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1597  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1598  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1599  1569  0      0     c0094540 00000000 Z dianship.server
app_29    1631  1229  101316 22936 ffffffff afd0c76c S android.process.media
app_63    1686  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1697  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1700  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1701  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1702  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1703  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1704  1569  0      0     c0094540 00000000 Z Thread-12
app_41    1706  1229  97548  20392 ffffffff afd0c76c S com.android.deskclock
app_7     1742  1229  100292 20436 ffffffff afd0c76c S com.google.android.partnersetup
app_47    1755  1229  99556  21052 ffffffff afd0c76c S com.android.providers.calendar
app_60    1766  1229  96712  19844 ffffffff afd0c76c S de.schaeuffelhut.android.openvpn
app_0     1776  1229  122116 29060 ffffffff afd0c76c S com.android.vending
app_20    1811  1229  98112  22192 ffffffff afd0c76c S com.koushikdutta.rommanager
app_3     1824  1229  312252 54948 ffffffff afd0c76c S com.google.android.gms
app_63    1834  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1837  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1838  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1840  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1841  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1842  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1843  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1844  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1845  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1846  1569  0      0     c0094540 00000000 Z Thread-12
app_3     1850  1229  231080 50988 ffffffff afd0c76c S com.google.android.gms.persistent
app_4     1917  1229  99480  19612 ffffffff afd0c76c S com.google.android.apps.uploader
system    1930  1229  101492 24592 ffffffff afd0c76c S com.android.settings
system    1938  1229  97792  20576 ffffffff afd0c76c S com.cyanogenmod.cmparts
app_23    1946  1229  96124  19052 ffffffff afd0c76c S com.android.protips
app_27    1957  1229  96864  19432 ffffffff afd0c76c S com.android.music
app_6     1965  1229  107572 24300 ffffffff afd0c76c S com.google.android.googlequicksearchbox
app_36    1982  1229  100020 22132 ffffffff afd0c76c S com.cooliris.media
app_12    1994  1229  96200  18776 ffffffff afd0c76c S com.android.voicedialer
app_14    2025  1229  144436 44608 ffffffff afd0c76c S android.process.acore
app_10    2044  1229  96040  18508 ffffffff afd0c76c S com.cyanogenmod.android.fotakill
root      2137  1237  760    360   c0093c7c afd0c5fc S /system/bin/sh
app_3     2144  1229  152788 35944 ffffffff afd0c76c S com.google.android.gms.unstable
root      2181  1237  756    340   c024280c afd0b68c S /system/bin/sh
root      2196  1237  756    332   c0093c7c afd0c5fc S /system/bin/sh
root      2197  2196  2292   1924  c0107d14 afd0ba74 S logcat
root      2214  2137  892    312   00000000 afd0b68c R ps
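Two things in this listing are worth noting: the "dianship.server" entries are the last 15 characters of the parent's name (the kernel's 16-byte comm field, which this old ps prints for threads), and all of them, like the Thread-12 entries, share PPID 1569, the guardianship process. As an added example (my own code, not from the post), the following Python parses an excerpt of the listing above and flags any process with an unusual number of children shown in state Z, together with the thread entries whose name is a truncated copy of the parent's. The column layout is the one visible in the listing; the threshold of five is an assumption.

```python
from collections import defaultdict

# Sample input: an excerpt of the `ps` listing from the post (old Android `ps`
# columns: USER PID PPID VSIZE RSS WCHAN PC STATE NAME).
PS_LISTING = """\
app_63    1569  1229  98192  21640 ffffffff afd0c76c S com.android.system.op.guardianship.server
app_43    1578  1229  97176  19484 ffffffff afd0c76c S com.bel.android.dspmanager
app_63    1588  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1589  1569  0      0     c0094540 00000000 Z dianship.server
app_63    1590  1569  0      0     c0094540 00000000 Z dianship.server
app_29    1631  1229  101316 22936 ffffffff afd0c76c S android.process.media
app_63    1686  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1697  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1700  1569  0      0     c0094540 00000000 Z Thread-12
app_63    1701  1569  0      0     c0094540 00000000 Z Thread-12
root      2137  1237  760    360   c0093c7c afd0c5fc S /system/bin/sh
root      2214  2137  892    312   00000000 afd0b68c R ps
"""


def parse_ps(text):
    """Parse `ps` lines into dicts; header and malformed lines are skipped."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[1].isdigit():
            continue
        procs.append({"user": f[0], "pid": int(f[1]), "ppid": int(f[2]),
                      "vsize": int(f[3]), "rss": int(f[4]),
                      "state": f[7], "name": f[8]})
    return procs


def zombie_children_by_parent(procs):
    """Map parent PID -> number of children shown in state Z."""
    counts = defaultdict(int)
    for p in procs:
        if p["state"] == "Z":
            counts[p["ppid"]] += 1
    return dict(counts)


def find_suspicious_parents(procs, threshold=5):
    """Return [(pid, name, zombie_count)] for parents with >= threshold Z children.
    The threshold is an assumption chosen for this example."""
    by_pid = {p["pid"]: p for p in procs}
    out = []
    for ppid, n in zombie_children_by_parent(procs).items():
        if n >= threshold and ppid in by_pid:
            out.append((ppid, by_pid[ppid]["name"], n))
    return sorted(out, key=lambda t: -t[2])


def truncated_name_children(procs):
    """PIDs whose NAME is a tail of the parent's name, i.e. the 15-char kernel
    comm of a thread belonging to that parent (e.g. 'dianship.server')."""
    by_pid = {p["pid"]: p for p in procs}
    return [p["pid"] for p in procs
            if p["ppid"] in by_pid
            and p["name"] != by_pid[p["ppid"]]["name"]
            and by_pid[p["ppid"]]["name"].endswith(p["name"])]


if __name__ == "__main__":
    procs = parse_ps(PS_LISTING)
    for pid, name, n in find_suspicious_parents(procs):
        print("PID %d (%s) has %d children in state Z" % (pid, name, n))
    print("thread comm entries:", truncated_name_children(procs))
```

On a device this would be fed the output of `adb shell ps` (the same column order as above on Android 2.x/4.x); a process with dozens of zombie-state thread entries is not malicious by itself, so the result is a pointer for further inspection of the named package, not a verdict.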


Later on, it communicates with the C&C server ph4.xiaoyisy.com on port TCP/8080.

Four files are created in the filesystem:

OPBKEY_b4c5d457bf08ab4d2bb9c9cbf12bd68d4c9f
lastAccessTimes.db
opb_mark_recover.db (empty)
phone.db

Finally, a JAR file is pulled from another server, xla.poticlas.com, over plain HTTP.

The downloaded file, OPBUpdate_6000.jar, contains three more files: one APK file, one .db file and one .DEX file.

bf26f9b2909c429af8d4876c8015a41633eb3d74  GloablBCServiceInfo.apk
95e6ad4c2bc9e6a29ea1f6d90d782be9971450bd  OPBUpdate_6000_opbRelease.db
09d856882b205e1a8f6065334d8d0fa583666acb  classes.dex

The APK and the DEX files are detected as malware as well.

Once GloablBCServiceInfo.apk is installed, the process com.bc.android.core.bcservice is spawned and there are new HTTP connections to the C&C, this time to a different subdomain: ph2.xiaoyisy.com.

Two additional modules are gathered.

Those two modules can hook applications that use SMS and can also send SMS messages.


What we have so far:

  • The malware doesn't run on devices running Android 4.4 and 6.0.1, so it likely only executes on devices with Android < 4.4.
  • The size of the malware is just around 100KB (once installed).
  • The malware doesn't run automatically after installation, only after a reboot.
  • Also, it doesn't display the application, hence it hides from the system. There is no option to stop it, only to remove it.
  • It downloads several other modules and an APK inside a .JAR file.
  • The second APK, once installed, downloads several additional modules.
  • The C&C servers are hosted on different subdomains. Some of the subdomains resolve to the same IP, which looks like a kind of redundancy.
  • The additional APK and modules are downloaded from the same server.



Indicators


C&C:
ph1.xiaoyisy.com 103.20.249.203
ph2.xiaoyisy.com 103.20.249.203
ph3.xiaoyisy.com 103.6.223.226
ph4.xiaoyisy.com 103.6.223.226


Dropper server
xla.poticlas.com


Files:

Calendar_1002.md f9b5e56e76c5eeea61f224279c756da4abb4d665
Idleinfo_4042.md c1152d2e8c005dad77b3dfac7e1e4cd785031bdc
OPBUpdate_6000.jar d47b0a190af5754625c7edf15d1ecddeae4c7108
classes.dex 09d856882b205e1a8f6065334d8d0fa583666acb
GloablBCServiceInfo.apk bf26f9b2909c429af8d4876c8015a41633eb3d74
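An indicator matcher, added here as an example (my own code, not from the post): it loads the C&C hosts and IPs, the dropper host and the file hashes listed above, and scans constructed DNS/proxy log lines for hits. Because the C&C sits on several phN subdomains of one parent domain, it also reports any other host under xiaoyisy.com or poticlas.com as "related-domain"; ph7.xiaoyisy.com in the sample log is a constructed hostname that exercises that rule, not an indicator from the post, and the log format itself is made up for the example.

```python
import hashlib
from ipaddress import ip_address

# Indicators from the post.
CNC_HOSTS = {
    "ph1.xiaoyisy.com": "103.20.249.203",
    "ph2.xiaoyisy.com": "103.20.249.203",
    "ph3.xiaoyisy.com": "103.6.223.226",
    "ph4.xiaoyisy.com": "103.6.223.226",
}
DROPPER_HOSTS = {"xla.poticlas.com"}
FILE_SHA1 = {
    "f9b5e56e76c5eeea61f224279c756da4abb4d665": "Calendar_1002.md",
    "c1152d2e8c005dad77b3dfac7e1e4cd785031bdc": "Idleinfo_4042.md",
    "d47b0a190af5754625c7edf15d1ecddeae4c7108": "OPBUpdate_6000.jar",
    "95e6ad4c2bc9e6a29ea1f6d90d782be9971450bd": "OPBUpdate_6000_opbRelease.db",
    "09d856882b205e1a8f6065334d8d0fa583666acb": "classes.dex",
    "bf26f9b2909c429af8d4876c8015a41633eb3d74": "GloablBCServiceInfo.apk",
}
C2_IPS = set(CNC_HOSTS.values())


def parent_domains(hosts):
    """Last two labels of each host (e.g. 'xiaoyisy.com') so new phN.* names still match."""
    return {".".join(h.split(".")[-2:]) for h in hosts}


WATCH_DOMAINS = parent_domains(CNC_HOSTS) | parent_domains(DROPPER_HOSTS)


def classify_host(host):
    """Exact C&C or dropper host, or any other host under a watched parent domain."""
    host = host.lower().rstrip(".")
    if host in CNC_HOSTS:
        return "c2"
    if host in DROPPER_HOSTS:
        return "dropper"
    for d in WATCH_DOMAINS:
        if host == d or host.endswith("." + d):
            return "related-domain"
    return None


def classify_ip(ip):
    return "c2-ip" if ip in C2_IPS else None


def lookup_sha1_hex(digest):
    """Map a SHA-1 hex digest to the indicator file name, or None."""
    return FILE_SHA1.get(digest.lower())


def lookup_sha1(data):
    """Hash raw file bytes and look the digest up in the indicator list."""
    return lookup_sha1_hex(hashlib.sha1(data).hexdigest())


# Constructed log lines (not real traffic): "<timestamp> <client> <kind> <target> [<extra>]".
SAMPLE_LOG = """\
2016-03-15T10:00:01 10.0.0.5 dns ph4.xiaoyisy.com 103.6.223.226
2016-03-15T10:00:02 10.0.0.5 http xla.poticlas.com:80 GET
2016-03-15T10:00:03 10.0.0.7 dns www.example.org 93.184.216.34
2016-03-15T10:00:04 10.0.0.5 dns ph7.xiaoyisy.com 103.20.249.203
2016-03-15T10:00:05 10.0.0.9 tcp 103.6.223.226:8080 SYN
"""


def scan_log(text):
    """Return (timestamp, client, token, label) for every token matching an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client = parts[0], parts[1]
        for tok in parts[3:]:
            tok = tok.split(":")[0]  # drop a ':port' suffix (IPv4 / hostnames only)
            try:
                ip_address(tok)
                label = classify_ip(tok)
            except ValueError:
                label = classify_host(tok)
            if label:
                hits.append((ts, client, tok, label))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s -> %s [%s]" % hit)
```

The "related-domain" rule trades precision for coverage: it catches a fifth phN subdomain brought up later, but it should be reviewed before being turned into a blocking rule, since a parent domain can also host unrelated records.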



To be continued..