The first difference is that the malicious code lives inside an application that appears in the list of installed applications, unlike the previous one, which was 'hidden'. Moreover, the APK is significantly bigger (1.5 MB vs 100 KB).
The application has a strange name, anefjlb.cdioclg.nfffpjj.jidondl.gkibaap.lmkgcmk, and it requests a large number of permissions compared with the sample analysed in the previous post.
But the interesting part comes when analysing the behaviour of the malicious APK.
I managed to capture some of the temporary files the application uses to become persistent in the system. There are several binaries and scripts:
One of the files is Busybox, which provides many Linux/Unix tools in a single binary. Really interesting :)
The install script contains the following set of commands:
Basically, the script remounts the filesystem in order to copy a script, "install-recovery.sh", and two binaries, "conbb" and "configopb", into it. This is done to keep them persistently in the filesystem.
The install-recovery.sh script contains the following:
The file 'mksh' is a compressed archive containing a set of scripts that reference an APK named com.baidu.easyroot, which is a rooting tool. The content of the scripts is the following:
The last interesting file, 'core', is an APK already reported on VirusTotal.
The mentioned APK is almost the same as b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8, which is the one I analysed in my previous post.
In terms of traffic, the behaviour is very similar to the previous sample. There are several connections to different C&C hosts:
ph3.elsyzsmc.com:8080, cr3.rurimeter.com:8080, ph1.rurimeter.com:8080, ph2.elsyzsmc.com:8080, ph1.elsyzsmc.com:8080. Those domains resolve to the following IP addresses:
Note that host 22.214.171.124 is also linked to ph3.xiaoyisy.com and ph4.xiaoyisy.com, used by the sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8.
Moreover, some additional modules are fetched from xla.poticlas.com, which is exactly the same host used by sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8.
This time the modules pulled are different:
In summary, the points to highlight from this sample are its root capabilities, obtained through a set of scripts and a rooting APK, and its ability to use and install additional tools such as Busybox, which provides extra Linux/Unix functionality. The way it becomes persistent in the system, remounting the filesystem in order to copy scripts and binary files into it, makes it very difficult to clean up.
The communication with the C&C and the installation of additional modules are similar to sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8 from the same malware family.
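As an added triage helper (not part of the original post), the POSIX shell functions below check an adb-pulled copy of /system and a saved /proc/mounts for the persistence traces described above. The artifact names and the com.baidu.easyroot reference come from the post; the /proc/mounts field layout, the literal file name "busybox" and the assumption that the dropped files sit under the pulled /system tree are mine.

```shell
#!/bin/sh
# Added triage helper (not from the post). Checks an adb-pulled copy of /system
# and a saved /proc/mounts for the persistence traces described above.
# Assumption: the dropped files live somewhere under the pulled /system tree.

# File names the post reports being dropped for persistence; "busybox" as a
# literal file name is an assumption.
ARTIFACT_NAMES="install-recovery.sh conbb configopb mksh busybox"

# Prints how many files under $1 carry one of the artifact names.
# A stock /system has at most install-recovery.sh, and no conbb/configopb.
count_artifacts() {
    root="$1"
    total=0
    for name in $ARTIFACT_NAMES; do
        n=$(find "$root" -type f -name "$name" 2>/dev/null | wc -l)
        total=$((total + n))
    done
    printf '%s\n' "$total"
}

# Returns 0 when the /proc/mounts text in $1 shows /system mounted rw.
# Field layout: device mountpoint fstype options dump pass.
system_mounted_rw() {
    printf '%s\n' "$1" | awk '
        $2 == "/system" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Returns 0 when an install-recovery.sh copy at $1 mentions a remount,
# the dropped binaries or the rooting APK named in the post (heuristic).
recovery_script_suspicious() {
    grep -Eq 'remount|conbb|configopb|busybox|com\.baidu\.easyroot' "$1"
}

# Reports findings for a triage note: $1 = pulled /system root, $2 = mounts text.
triage() {
    root="$1"; mounts="$2"
    echo "artifact files under $root: $(count_artifacts "$root")"
    if system_mounted_rw "$mounts"; then echo "/system is mounted rw"; fi
    for f in $(find "$root" -type f -name install-recovery.sh 2>/dev/null); do
        recovery_script_suspicious "$f" && echo "suspicious recovery script: $f"
    done
}
```

Run it as `triage ./system_pull "$(cat mounts.txt)"` after pulling /system and /proc/mounts with adb; a non-zero artifact count, an rw /system or a flagged install-recovery.sh each warrant a closer look.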