Tuesday, June 7, 2016

One BackDoor, multiple passages (Part 2)

Here is Part 2 of our Android.BackDoor journey. Let's get started~!

Today we'll be tackling another Android.BackDoor variant that reportedly uses two other malicious components to persist on the infected device even after the user uninstalls it, keeping the device infected.

Initially, Android.BackDoor.176 monitors the infected device for three events: the OS finishing its boot (BOOT_COMPLETED), the screen being unlocked (USER_PRESENT), and a change in network connectivity (CONNECTIVITY_CHANGE). If any of those events occurs on the infected device, the Trojan is activated.

When the Trojan is launched for the first time, it will send a POST request to a remote command and control server with the following information:

• IMEI
• IMSI
• Information about the state of internal and external memory
• GPS coordinates
• Screen resolution
• Model name
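
The activation triggers and the data list above are the two things an analyst can check for directly in an APK's decoded manifest. The following script is an added example written for this post (not code from the original article or from the Dr.Web write-up): it parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder, since the manifest inside an APK is binary XML), lists every receiver that registers the three trigger actions, and reports which requested permissions would grant access to the IMEI/IMSI, location and upload channel named in the POST request. The permission-to-data mapping and the sample manifests are my own assumptions, constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used for android:name attributes in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Broadcast actions the write-up names as the Trojan's activation triggers.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "boot",
    "android.intent.action.USER_PRESENT": "screen unlock",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
}

# Permissions an app needs to collect the data in the first POST request.
# The permission -> data mapping is my own reading of the Android API,
# not something stated in the write-up.
DATA_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS coordinates",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot-time start",
    "android.permission.INTERNET": "upload channel",
}


def triage_manifest(xml_text: str) -> dict:
    """Return receivers listening for the trigger actions, the data-access
    permissions the app requests, and a simple boolean verdict."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}

    triggers = {}
    for receiver in root.iter("receiver"):
        rname = receiver.get(NAME)
        for action in receiver.iter("action"):
            label = TRIGGER_ACTIONS.get(action.get(NAME))
            if label:
                triggers.setdefault(rname, []).append(label)

    data_perms = {p: DATA_PERMISSIONS[p] for p in requested if p in DATA_PERMISSIONS}

    # Verdict: wakes on the described triggers, can reach the network, and can
    # read at least one of the identifier/location items from the POST list.
    identifiers = {"IMEI/IMSI", "GPS coordinates"}
    flagged = (
        bool(triggers)
        and "android.permission.INTERNET" in requested
        and bool(identifiers & set(data_perms.values()))
    )
    return {"triggers": triggers, "data_permissions": data_perms, "flagged": flagged}


# Constructed sample manifest (decoded XML); not the real malware's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no trigger receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
    print(json.dumps(triage_manifest(BENIGN_MANIFEST), indent=2))
```

The verdict is deliberately coarse: plenty of legitimate apps register BOOT_COMPLETED or CONNECTIVITY_CHANGE, so the script is a triage filter that tells you where to look next (the receiver class named in `triggers`), not a detection on its own.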


After getting the information from the infected device, the Trojan extracts a malicious module from its code and launches it. The Trojan uses Binder to connect to the module. This module is known to be responsible for downloading and installing various programs and for monitoring the infected device's incoming and outgoing calls and messages.

Android.BackDoor.176 also uses two other components, Android.Rootkit.1 and Android.Rootkit.2, to gain root access to the infected device.

Android.Rootkit.1 is an executable ELF file named .rt bridge, placed in the /system/xbin folder. It has the same features as the SU utility. When run, Android.Rootkit.1 checks that it was launched by an allowed process and then starts a root terminal.

Android.Rootkit.2 is an executable ELF file named .rt daemon, placed in the /system/xbin folder. This file also has the same features as the SU utility.

When Android.BackDoor.176 gains root access on the infected device, it downloads the 'chattr' utility from the Internet and sets the 'immutable' attribute on its own APK file via the terminal. As a result, even if the user discovers and uninstalls the Trojan, the malicious program is reinstalled whenever the system is rebooted and the device remains infected.
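
An immutable APK is also what gives this persistence trick away: the package manager cannot delete the file, and `lsattr` shows the `i` flag on it. The following script is an added example written for this post (not code from the original article): it parses `lsattr` output (for instance `adb shell lsattr -R /data/app`, which assumes a rooted device or a root shell and an `lsattr` binary on it) and reports files under the app directories that carry the immutable attribute. The sample output lines are constructed for the example; the directory roots are my assumption of where installed APKs live.

```python
import re

# One lsattr line: a fixed-width flag field ('-' for unset, a letter for set),
# whitespace, then the path. Lowercase 'i' is the immutable attribute;
# uppercase 'I' (indexed directory) must not match, so the test is case-sensitive.
LSATTR_LINE = re.compile(r"^(?P<flags>[-A-Za-z]+)\s+(?P<path>\S.*)$")

# Directories where installed APKs normally live (assumed roots for the scan).
APP_ROOTS = ("/data/app", "/system/app", "/system/priv-app")


def parse_lsattr(output: str) -> list:
    """Turn raw lsattr output into (path, flags) pairs, skipping blank or
    unrecognised lines (lsattr -R also prints bare directory headers)."""
    entries = []
    for line in output.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("flags")))
    return entries


def find_immutable(output: str, roots: tuple = APP_ROOTS) -> list:
    """Paths under `roots` whose attribute field contains the immutable flag."""
    return [
        path
        for path, flags in parse_lsattr(output)
        if "i" in flags and path.startswith(roots)
    ]


# Constructed sample output; the package names are invented for the example.
LSATTR_OUTPUT = """\
----i--------e-- /data/app/com.example.dropper-1/base.apk
-------------e-- /data/app/com.example.notes-1/base.apk
----i--------e-- /data/local/tmp/keep.bin
-------------e-- /system/priv-app/Settings/Settings.apk
"""

if __name__ == "__main__":
    for path in find_immutable(LSATTR_OUTPUT):
        print("immutable APK:", path)
```

A hit means the uninstall will silently fail to remove the file; clearing the flag with `chattr -i` on that path (again as root) restores normal package-manager behaviour, after which the package can be removed and the device rebooted to confirm it stays gone.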

Article Refs: http://vms.drweb.com/virus/?_is=1&i=7730974 (for Android.BackDoor.176.origin), http://vms.drweb.com/virus/?_is=1&i=7733030 (for Android.Rootkit.1), and http://vms.drweb.com/virus/?_is=1&i=7733033 (for Android.Rootkit.2)
