General Overview:
The AVG Mobilation research team analyzed a Trojanized version of the popular Android game ‘Angry Birds Space’, found in third-party application stores and purporting to be the legitimate application from Google Play.
Besides sharing a similar name and icon with the legitimate application, the Trojan version is fully functional, so users who install it may believe it is the legitimate game and remain unaware of its malicious activity.
Its malicious functionality includes use of the GingerBreak root exploit, C&C communication, botnet behaviour, modification of system files and more.
Visual Appearance:
When the application is installed on an Android device the user can see the following icon:
After tapping the icon the game runs just as it does in the legitimate application:
Package name
The malware package is called ‘com.rovio.new.ads’.
This fact by itself is suspicious, as the Angry Birds family of applications released by Rovio, its creators, uses the following package names:
com.rovio.angrybirdsspaceHD
com.rovio.angrybirdsspace.ads
com.rovio.angrybirdsrio
com.rovio.angrybirds
com.rovio.angrybirdsseasons
com.rovio.angrybirdsspace.premium
As can be seen, the malware’s package name does not follow the naming structure Rovio uses, so the package name alone is a useful indicator.
Permissions
The malware requests the following permissions, which allow it to take the following actions (the standard Android permission name is given for each):
- ACCESS_NETWORK_STATE: access information about networks
- WRITE_EXTERNAL_STORAGE: write to external storage
- ACCESS_WIFI_STATE: access information about Wi-Fi networks
- ACCESS_COARSE_LOCATION: access coarse (e.g., Cell-ID, Wi-Fi) location
- INTERNET: open network sockets
- READ_PHONE_STATE: read-only access to phone state, including the IMEI
- READ_LOGS: read the low-level system log files
None of these is a privileged permission; the system-level access described below comes from the GingerBreak root exploit, not from the manifest. READ_PHONE_STATE is what lets the app read the device IMEI (‘getDeviceId’), which also appears among the bot’s properties (‘ril.imei’, PROP_IMEI).
Payload
The payload of the malware is hidden inside a seemingly harmless JPG image file named ‘mylogo’ in the assets folder of the APK:
Inside the image two malicious ELF files can be found, as seen in the screenshots below:
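As an added example (not code from the AVG write-up), the following Python script carves embedded ELF files out of a container such as the ‘mylogo’ asset: it scans for the ELF magic, parses each 32-bit ELF header and uses the position of the section header table to estimate where the payload ends, so that each ELF can be written out and analyzed on its own. It also reports whether each ELF is built for ARM, as an Android native payload of this era would be. The sample input is constructed inside the script (a JPEG-like prefix with fake ELF headers, not the real asset), so it runs offline; point it at a real file by passing the path as the first argument.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40  # e_machine value for ARM


def parse_elf32_header(data, off):
    """Parse a 32-bit ELF header starting at `off`. Returns a dict, or None if the
    bytes are not a well-formed ELFCLASS32 header (e.g. a stray magic inside other data)."""
    if data[off:off + 4] != ELF_MAGIC or len(data) < off + 52:
        return None
    ei_class, ei_data = data[off + 4], data[off + 5]
    if ei_class != 1 or ei_data not in (1, 2):   # ELFCLASS32 with a valid endianness byte
        return None
    endian = "<" if ei_data == 1 else ">"
    (e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack(
        endian + "HHIIIIIHHHHHH", data[off + 16:off + 52])
    # The section header table is normally the last thing in an ELF file, so its end
    # is a good size estimate; fall back to the program header table if it is absent.
    size = max(e_shoff + e_shnum * e_shentsize, e_phoff + e_phnum * e_phentsize, 52)
    return {"offset": off, "type": e_type, "machine": e_machine,
            "arm": e_machine == EM_ARM, "size": size}


def carve_elfs(data):
    """Find every embedded ELF in `data`; return header info plus the carved bytes."""
    found = []
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        nxt = data.find(ELF_MAGIC, pos + 4)
        hdr = parse_elf32_header(data, pos)
        if hdr is not None:
            # never run past the next embedded ELF or the end of the container
            limit = len(data) if nxt == -1 else nxt
            end = min(pos + hdr["size"], limit)
            hdr["size"] = end - pos
            hdr["bytes"] = data[pos:end]
            found.append(hdr)
        pos = nxt
    return found


def make_fake_elf(total_size, e_machine=EM_ARM):
    """Constructed stand-in for a real payload: a valid ELF32 header whose single
    40-byte section header sits at the very end, zero-padded to `total_size` bytes."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class32, little-endian, version 1
    shoff = total_size - 40
    rest = struct.pack("<HHIIIIIHHHHHH", 2, e_machine, 1, 0, 52, shoff, 0,
                       52, 32, 0, 40, 1, 0)
    hdr = ident + rest
    return hdr + b"\x00" * (total_size - len(hdr))


# Constructed sample (not the real 'mylogo' asset): a JPEG-looking prefix, two ARM
# ELFs like the ones described above, and an x86 one to show the architecture flag.
SAMPLE_ASSET = (b"\xff\xd8\xff\xe0" + b"JFIF junk " * 10
                + make_fake_elf(200) + b"\x00" * 20
                + make_fake_elf(300) + make_fake_elf(120, e_machine=3)
                + b"\xff\xd9")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ASSET
    for i, e in enumerate(carve_elfs(data), 1):
        print(f"ELF#{i}: offset=0x{e['offset']:x} size={e['size']} "
              f"machine={e['machine']} arm={e['arm']}")
        with open(f"carved_{i}.elf", "wb") as f:
            f.write(e["bytes"])
```

An APK is a zip file, so `unzip -p sample.apk assets/mylogo > mylogo` followed by `python carve_elf.py mylogo` is enough to recover the two payloads for static analysis. The size estimate assumes the section header table is at the end of each ELF, which is true for normal toolchain output; a stripped or deliberately malformed ELF may need the end set by hand.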
Services
The malware uses the ‘UpdateCheck’ service declared in the AndroidManifest.xml file:
This service can be seen in the ‘running services’ tab after the game is activated:
The service extracts the ELF files hidden in the image mentioned above and drives the exploitation process:
For example, in the picture above we can see the malware reading the IMEI of the device (‘getDeviceId’), running the ‘chmod’ command to change the mode of the dropped file, and calling ‘exec’, which runs the specified command and its arguments in a separate native process.
Usage of encryption in the ELF files
Inside ELF#1 we could spot encrypted strings, which decrypt to the following:
/system/libc/libc.so
/devices/platform/msm_sdcc.2/mmc_host/mmc1
/system/bin/setprop
r0.bot.id
r0.bot.ch
Inside ELF#2 we could spot encrypted strings, which decrypt to the following:
ystem/bin/setprop
r0.bot.run
r0.bot.val
r0.bot.ch
r0.bot.id
ril.imei
net.hostname
ro.product.brand
ro.product.model
ro.build.version.sdk
gsm.sim.operator.numeric
/system/default.prop
/system/build.prop
/system/lib/libd1.so
/system/etc/.rild_cfg
system_server
/data/local/tmp/.rsid_log
/data/local/tmp/.rsid_log.1
/system/bin/am start -n
/system/bin/pm uninstall
/system/bin/pm install -r
/system/bin/am start -a android.intent.action.VIEW -d
/system/bin/cp
/system/bin/cat
/system/xbin/cp
/system/app
/system/bin
/data/data/com.android.browser/shared_prefs/com.android.browser_preferences.xml
http://ad.pandanew.com:8511/search/
http://ad.phonego8.com:8511/search/
http://ad.my968.com:8511/search/
s1.php
s2.php
s3.php
self
&v=17
chattr
/system/bin/rild
/system/bin/pm
/system/framework/svc.jar
/system/bin/debuggerd
/system/bin/vold
/system/framework
/system/bin/rm
/system/bin/move
/system/bin/mount
/system/bin/ifconfig
/system/bin/chown
/system/etc/init.d
/system/bin/svc
/system/bin/ifconfig
/data/.bootemp
rm
move
mount
ifconfig
chown
debuggerd
vold
libd1.so
dhcpcd
installd
/system/xbin
/system/bin/toolbox
/proc/self/exe
ARG
SYS
StartDown
DownNet
DownSys
DownOk
OKNOLOCK
INSTOK
RUNOK
DELOK
URLOK
These strings give a clear picture of how the Trojan works: the system properties it sets, the files it drops and patches, the commands it runs through ‘am’ and ‘pm’, and its C&C endpoints.
Command & Control (C&C):
The malware has bot capabilities and connects to several remote C&C servers.
As seen in the decrypted strings above, we could spot three Command & Control servers:
http://ad.pandanew.com:8511/search/
http://ad.phonego8.com:8511/search/
http://ad.my968.com:8511/search/
‘Whois Search’ information about one of the domains can be seen below; notice it has been active since January 2012.
The Trojan contacts these servers to receive commands; the export names URL_GETID, URL_GETTASK and URL_REPORT (listed in the exports below) suggest a cycle of registering, fetching a task and reporting back.
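As an added example (not from the AVG write-up), the following Python detection logic turns the C&C strings above into a check that can be run over web proxy logs. The three hostnames, port 8511, the ‘/search/’ path, the ‘s1.php’ to ‘s3.php’ scripts and the ‘v=17’ parameter all come from the decrypted strings; the mapping of s1/s2/s3 to the URL_GETID/URL_GETTASK/URL_REPORT exports is an assumption based on their order, and the log line format and sample lines are constructed for the example. A known host alerts on its own; an unknown host alerts only when it shows the full beacon shape, so that ‘v=17’ alone never fires.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Taken from the decrypted strings: SERVER_ADDR1-3, the s1-s3.php scripts and '&v=17'.
CNC_HOSTS = {"ad.pandanew.com", "ad.phonego8.com", "ad.my968.com"}
CNC_PORT = 8511
CNC_PATH_PREFIX = "/search/"
# Assumption: s1/s2/s3.php correspond to the URL_GETID, URL_GETTASK and URL_REPORT
# exports in that order; the role names are labels, not something the sample confirms.
SCRIPT_ROLE = {"s1.php": "getid", "s2.php": "gettask", "s3.php": "report"}

# Constructed log format for this example: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify_url(url):
    """Return a dict saying why `url` looks like this bot's C&C traffic, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    script = u.path.rsplit("/", 1)[-1]
    reasons = []
    if host in CNC_HOSTS:
        reasons.append("known-host")
    if port == CNC_PORT and u.path.startswith(CNC_PATH_PREFIX) and script in SCRIPT_ROLE:
        reasons.append("beacon-pattern")   # same shape on a new host: likely a moved C&C
    if not reasons:
        return None
    if parse_qs(u.query).get("v") == ["17"]:
        reasons.append("version-17")       # supporting evidence only, never sufficient alone
    return {"host": host, "role": SCRIPT_ROLE.get(script, "unknown"), "reasons": reasons}


def scan_proxy_log(lines):
    """Run classify_url over every parseable log line; return the hits in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        c = classify_url(url)
        if c:
            hits.append({"ts": ts, "client": client, **c})
    return hits


def infected_clients(hits):
    """Distinct client addresses that produced at least one hit."""
    return sorted({h["client"] for h in hits})


# Constructed sample lines, not real traffic. The fourth line shows the beacon shape
# on an unlisted host; the fifth has 'v=17' on an unrelated site and must not alert.
SAMPLE_LOG = """
2012-04-12T10:00:01Z 10.0.0.7 GET http://ad.pandanew.com:8511/search/s1.php?id=ABC&v=17 200
2012-04-12T10:00:02Z 10.0.0.7 GET http://www.rovio.com/ 200
2012-04-12T10:05:00Z 10.0.0.7 GET http://ad.my968.com:8511/search/s2.php?id=ABC&v=17 200
2012-04-12T10:05:30Z 10.0.0.9 POST http://198.51.100.23:8511/search/s3.php?id=DEF&v=17 200
2012-04-12T10:06:00Z 10.0.0.11 GET http://example.net/shop/s1.php?v=17 200
""".strip().splitlines()

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h)
    print("infected clients:", infected_clients(SAMPLE_LOG and scan_proxy_log(SAMPLE_LOG)))
```

On a real network the same three-tier logic (known indicator, behavioural pattern, supporting detail) is what keeps the rule useful after the operators move to new domains, which the ‘beacon-pattern’ reason is meant to catch.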
Setting system property to ‘0’
When it is executed it sets the ‘r0.bot.run’ system property to ‘0’ (‘/system/bin/setprop’ appears among the decrypted strings) so that only one instance of the malware runs on the device at a time.
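As an added example (not part of the AVG analysis), the following Python triage script uses the ‘r0.bot.*’ properties and the dropped-file paths from the decrypted strings as host-based indicators. It parses the output of ‘getprop’ (one ‘[name]: [value]’ line per property) and checks the file paths under a given root, which can be ‘/’ in an adb shell or a directory holding pulled copies of /system and /data. The getprop text and the directory tree used to exercise it are constructed fixtures, not output from a real device.

```python
import os
import re
import tempfile

# Indicators taken from the decrypted strings above.
BOT_PROP_PREFIX = "r0.bot."
FILE_IOCS = [
    "/system/lib/libd1.so",
    "/system/etc/.rild_cfg",
    "/data/local/tmp/.rsid_log",
    "/data/local/tmp/.rsid_log.1",
    "/data/.bootemp",
]

# `getprop` prints one property per line as "[name]: [value]"
GETPROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict; lines that do not match the format are skipped."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_bot_props(props):
    """Any r0.bot.* property is an indicator regardless of its value: the bot uses
    r0.bot.run as its single-instance flag and r0.bot.id/ch/val for its state."""
    return {k: v for k, v in props.items() if k.startswith(BOT_PROP_PREFIX)}


def find_ioc_files(root="/"):
    """Report which dropped-file indicators exist under `root`.
    lexists() also catches dangling symlinks left behind by a partial clean-up."""
    return [p for p in FILE_IOCS if os.path.lexists(os.path.join(root, p.lstrip("/")))]


def assess(getprop_text, root="/"):
    """Combine both checks; either kind of indicator is enough to call the device infected."""
    props = find_bot_props(parse_getprop(getprop_text))
    files = find_ioc_files(root)
    return {"infected": bool(props or files), "props": props, "files": files}


# Constructed fixtures (not from a real device). The infected variant carries the
# properties the decrypted strings name; the values are made up for the example.
CLEAN_GETPROP = """[ro.build.version.sdk]: [10]
[ro.product.brand]: [generic]
[net.hostname]: [android-1234]"""

INFECTED_GETPROP = CLEAN_GETPROP + """
[r0.bot.run]: [0]
[r0.bot.id]: [123456789012345]
[r0.bot.ch]: [self]"""


def make_fixture_tree(infected):
    """Create a throwaway directory tree that mimics a pulled device filesystem."""
    root = tempfile.mkdtemp(prefix="fakefs_")
    os.makedirs(os.path.join(root, "system", "lib"))
    open(os.path.join(root, "system", "lib", "libc.so"), "w").close()
    if infected:
        os.makedirs(os.path.join(root, "data", "local", "tmp"))
        open(os.path.join(root, "system", "lib", "libd1.so"), "w").close()
        open(os.path.join(root, "data", "local", "tmp", ".rsid_log"), "w").close()
    return root


if __name__ == "__main__":
    print(assess(CLEAN_GETPROP, make_fixture_tree(False)))
    print(assess(INFECTED_GETPROP, make_fixture_tree(True)))
```

On a live device the equivalent is ‘adb shell getprop | grep r0.bot.’ plus ‘ls -la’ on the paths in FILE_IOCS; note that a rooted bot can hide files from a non-root shell, so a pulled partition image is the more trustworthy input.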
Changing of files:
As mentioned, the malware is able to modify binaries and scripts used by the operating system.
Here we can see files that have been modified by the malware:
/system/bin/svc:
‘/system/bin/svc’ is changed.
Below, on the left side of the image, you can see the result after it was infected:
‘/system/bin/svc’ is a shell script that launches the Android ‘svc’ command from ‘/system/framework/svc.jar’ (used to control services such as power, data and Wi-Fi).
The malware inserts itself into this script so that its own code runs earlier than what is defined in ‘svc.jar’ and executes whenever the device starts, which gives it persistence.
/system/etc/init.d:
‘/system/etc/init.d/’ is changed.
Below, on the left side of the image, you can see the result after it was infected (10overclock):
On Android ROMs whose init supports it, the init.d directory holds scripts that are run at boot, much like the start/stop scripts for system services on a Linux system, so a script dropped there is another persistence mechanism.
Writing to ‘/system/etc/init.d’ requires root (the /system partition is not writable by normal apps), hence the malware using an exploit to root the device.
/system/bin/vold:
‘/system/bin/vold’ is changed.
Note that the GingerBreak exploit (CVE-2011-1823) abuses a vulnerability in which the vold daemon explicitly trusts messages received over PF_NETLINK sockets, which should only originate from the kernel.
This allows an unprivileged user-level process to send crafted netlink messages to vold and execute arbitrary code as root.
/system/bin/debuggerd:
‘/system/bin/debuggerd’ is changed.
debuggerd is the crash handler that captures process crash events, saves individual crash reports and records information about the overall crash history of a device. Like vold, it is a system daemon started at boot with root privileges, which makes it a convenient host for code that must survive reboots.
Exports:
We extracted the exported symbols from the two ELF files; they are listed below.
Exported symbols from ELF#1:
Exported symbols from ELF#2:
start 00009F70
e2attr_flags_value 0000D6D4
e2attr_flags_sname 0000D708
__data_start 0000EF2C
PROP_RUNNING_FLAG 0000EF40
PROP_RUNNING_VAL 0000EF4C
PROP_RUNNING_CH 0000EF58
PROP_RUNNING_ID 0000EF64
PROP_IMEI 0000EF70
PROP_ANDROIDID 0000EF7C
PROP_BRAND 0000EF8C
PROP_MODEL 0000EFA0
PROP_SDKVERSION 0000EFB4
PROP_OPERATOR 0000EFCC
DEFAULT_PROP_FILE 0000EFE8
BUILD_PROP_FILE 0000F000
MY_PROG_FILE 0000F014
MY_CFG_FILE 0000F02C
RUNNING_NAME 0000F044
__LOG_FILE 0000F054
__LOG_FILE_BAK 0000F070
START_APP 0000F08C
PM_UNINSTALL 0000F0A4
PM_INSTALL 0000F0C0
AM_START 0000F0DC
SYS_BIN_CP 0000F114
SYS_BIN_CAT 0000F124
SYS_XBIN_CP 0000F134
SYS_APP_DIR 0000F144
SYS_BIN_DIR 0000F150
BROWSER_CFG_FILE 0000F15C
SERVER_ADDR1 0000F1AC
SERVER_ADDR2 0000F1D0
SERVER_ADDR3 0000F1F4
URL_GETID 0000F218
URL_GETTASK 0000F220
URL_REPORT 0000F228
DEFAULT_CHANNEL 0000F230
CURRENT_VERSION 0000F238
CHATTR 0000F240
ROM_BIN_RILD 0000F248
ROM_BIN_PM 0000F25C
ROM_FRAMEWORK_SVC 0000F26C
TARGET_DAEMON_1 0000F288
TARGET_DAEMON_2 0000F2A0
TARGET_DAEMON_DIR 0000F2B4
TARGET_CMD_1 0000F2C8
TARGET_CMD_2 0000F2D8
TARGET_CMD_3 0000F2EC
TARGET_CMD_4 0000F300
TARGET_CMD_5 0000F318
BOOT_INIT_DIR 0000F32C
BOOT_SVC_FILE 0000F340
BOOT_MAGIC 0000F350
BOOT_TEMP_FILE 0000F368
FILE_CMD_1 0000F378
FILE_CMD_2 0000F37C
FILE_CMD_3 0000F384
FILE_CMD_4 0000F38C
FILE_CMD_5 0000F398
FILE_CMD_6 0000F3A0
FILE_CMD_7 0000F3AC
FILE_CMD_8 0000F3B4
FILE_CMD_9 0000F3C0
FILE_CMD_10 0000F3C8
XBIN_DIR 0000F3D4
TOOLBOX 0000F3E4
SELF_EXE 0000F3F8
C_ARG 0000F408
C_SYS 0000F40C
C_STARTDOWN 0000F410
C_DOWNNET 0000F41C
C_DOWNSYS 0000F424
C_DOWNOK 0000F42C
C_OKNOLOCK 0000F434
C_INSTOK 0000F440
C_RUNOK 0000F448
C_DELOK 0000F450
C_URLOK 0000F458
http_port 0000F460
http_server 0000F568
http_proxy_server 0000F56C
http_proxy_port 0000F570
Exported symbols are the names a module exposes to other modules.
Apart from ‘start’, the exports here are mostly global data rather than functions: string constants and configuration variables (for example PROP_IMEI for the device IMEI, START_APP for launching an application, SERVER_ADDR1 to SERVER_ADDR3 for the C&C hosts and the http_* settings for networking) whose names line up with the decrypted strings above, so this symbol table is effectively a map of the bot’s configuration and command set.
Potential damage
The GingerBreak exploit used by the malware gains root privileges on devices whose vold still contains the unpatched vulnerability (Gingerbread-era Android builds).
Once the device is rooted the malware can do whatever it wants: download and install additional components from remote servers, patch system binaries and persist across reboots.