The AVG Mobilation research team analyzed a Trojan version, found in 3rd party application stores, purporting to be the popular, legitimate Android application ‘Angry Birds Space’ from Google Play.
In addition to sharing a similar name and icon with the legitimate application, the Trojan version is fully functional, so users who install it may believe it is the legitimate application and will not be aware of its malicious activities.
Its malicious functionality includes use of the GingerBreak exploit, C&C communication, botnet functionality, modification of system files and more.
When the application is installed on an Android device the user can see the following icon:
After tapping the icon, the game plays exactly as it does in the legitimate application:
The malware package is called ‘com.rovio.new.ads’.
This fact by itself is suspicious, as the Angry Birds application family released by Rovio, its creator, uses the following package-name structure:
As can be seen, the package name of the malware does not match the structure of the applications released by Rovio.
The malware requests the following permissions:
Those permissions allow the malware to take the following actions:
- Allow applications to access information about networks
- Allow an application to write to external storage
- Allow applications to access information about Wi-Fi networks
- Allow an application to access coarse (e.g., Cell-ID, WiFi) location
- Allow applications to open network sockets
- Allow read-only access to phone state
- Allow an application to read the low-level system log files.
The payload of the malware is hidden inside a seemingly harmless JPG image file named ‘mylogo’, found in the assets folder inside the APK:
Inside the image, two malicious ELF files can be found, as seen in the screenshots below:
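A scanner for this hiding technique, added here as an example and not part of AVG's analysis: it walks the assets folder of an APK and reports every ELF header found inside a file that looks like an image. The sample APK, the ‘assets/mylogo’ JPEG and the two fake ARM ELF headers inside it are constructed for the demonstration.

```python
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")

def find_embedded_elf(data: bytes) -> list:
    """Return (offset, elf_class, e_machine) for every ELF header inside a byte blob."""
    hits = []
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        if pos + 20 <= len(data):
            elf_class = "ELF32" if data[pos + 4] == 1 else "ELF64"  # EI_CLASS
            endian = "<" if data[pos + 5] == 1 else ">"             # EI_DATA: 1 = little-endian
            e_machine = struct.unpack(endian + "H", data[pos + 18:pos + 20])[0]
            hits.append((pos, elf_class, e_machine))
        pos = data.find(ELF_MAGIC, pos + 1)
    return hits

def scan_apk_assets(apk_bytes: bytes) -> dict:
    """Map each asset that looks like an image but carries ELF headers to its findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/"):
                continue
            data = zf.read(name)
            looks_like_image = data.startswith(JPEG_MAGIC) or name.lower().endswith(IMAGE_SUFFIXES)
            if looks_like_image:
                hits = find_embedded_elf(data)
                if hits:
                    findings[name] = hits
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip whose 'assets/mylogo' JPEG hides two ARM ELF headers."""
    # e_ident: magic, ELFCLASS32, little-endian, version 1, OS/ABI 0, 8 pad bytes; e_type=2, e_machine=40 (EM_ARM)
    fake_elf = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 40)
    jpg = JPEG_MAGIC + b"\xe0" + b"\x00" * 60 + fake_elf + b"\x00" * 32 + fake_elf + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/mylogo", jpg)
        zf.writestr("assets/clean.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)
    return buf.getvalue()
```

Running `scan_apk_assets(build_sample_apk())` reports the two headers at their byte offsets inside ‘assets/mylogo’ and nothing for the clean PNG; on a real APK, pass the file's bytes instead.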
The malware uses the ‘UpdateCheck’ service declared in the AndroidManifest.xml file:
This service can be seen in the ‘running services’ tab after the game is activated:
The service takes care of handling the ELF file hidden in the image mentioned above and related to the exploitation process:
For example, in the picture above we can see the malware using the IMEI of the device (‘getDeviceId’), the ‘chmod’ command, which changes file permissions, and the ‘exec’ command, which executes the specified command and its arguments in a separate native process.
Usage of encryption in the ELF files
Inside ELF#1 we could spot encrypted strings:
Those strings can be decrypted to the following:
Inside ELF#2 we could spot encrypted strings:
Those strings can be decrypted to the following:
/system/bin/am start -n
/system/bin/pm install -r
/system/bin/am start -a android.intent.action.VIEW -d
These strings help us identify how the Trojan works.
Command & Control (C&C):
The malware has bot payload capabilities and functionality to connect to a few remote C&C servers.
As seen in the decrypted strings above, we could spot Command & Control servers:
‘Whois Search’ information about one of the domains can be seen below:
Notice it has been active since January 2012.
Those servers can be used to contact the Trojan, send commands and more.
Setting a system property to ‘0’
When it is executed, it sets a system property (‘r0.bot.run’) to ‘0’ so that only one instance of the malware is able to run on the device.
Changing of files:
As mentioned, the malware is able to change and modify libraries used by the operating system.
Here we can see files that have been modified by the malware:
‘/system/bin/svc’ is changed.
Below on the left side of the image you can see the result after it was infected:
‘/system/bin/svc’ is a script that starts the android services framework.
The malware wants its components to start earlier (executing whenever the device boots) than what is defined in ‘svc.jar’.
‘/system/etc/init.d/’ is changed.
Below on the left side of the image you can see the result after it was infected (10overclock):
The init.d directory contains a number of start/stop scripts for various services on the system, for example initialization and termination scripts run when changing init states.
Controlling any of the scripts in init.d manually requires root (or sudo) access, which is why the malware uses an exploit to root the device.
‘/system/bin/vold’ is changed.
Note that GingerBreak exploit uses a vulnerability in which the VOLD daemon explicitly trusts messages received from PF_NETLINK sockets.
This allows a user-level process to execute arbitrary code and gain root.
‘/system/bin/debuggerd’ is changed.
The debuggerd process is a crash handler that is used to capture process crash events and save individual crash reports, as well as to record information about the overall crash history of a device.
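An integrity check over the files this analysis names, added here as an example that is not part of AVG's write-up: it hashes a known-good snapshot of ‘/system/bin/svc’, ‘/system/bin/vold’, ‘/system/bin/debuggerd’ and the ‘/system/etc/init.d/’ directory (for instance pulled with adb from a clean device of the same firmware) and reports which of them were modified or added on a suspect device. The file contents in the demo are constructed placeholders, not the real binaries.

```python
import hashlib

# Watch list built from the files this analysis reports as changed.
WATCHED_FILES = {"/system/bin/svc", "/system/bin/vold", "/system/bin/debuggerd"}
WATCHED_DIRS = ("/system/etc/init.d/",)

def is_watched(path: str) -> bool:
    return path in WATCHED_FILES or path.startswith(WATCHED_DIRS)

def snapshot_hashes(fs: dict) -> dict:
    """fs maps absolute path -> file bytes (e.g. filled from 'adb pull'); returns path -> sha256 for watched paths."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in fs.items() if is_watched(p)}

def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Classify watched paths as modified, added or removed relative to a known-good baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo_check() -> dict:
    """Constructed clean and infected snapshots mirroring the changes described above."""
    clean = {
        "/system/bin/svc": b"#!/system/bin/sh\n# clean svc wrapper (constructed)\n",
        "/system/bin/vold": b"\x7fELF clean vold (constructed)",
        "/system/bin/debuggerd": b"\x7fELF clean debuggerd (constructed)",
        "/system/etc/init.d/00banner": b"#!/system/bin/sh\n# clean init script (constructed)\n",
        "/system/bin/ls": b"\x7fELF ls (constructed, not on the watch list)",
    }
    infected = dict(clean)
    infected["/system/bin/svc"] = b"#!/system/bin/sh\n# tampered svc wrapper (constructed)\n"
    infected["/system/bin/vold"] = b"\x7fELF tampered vold (constructed)"
    infected["/system/bin/debuggerd"] = b"\x7fELF tampered debuggerd (constructed)"
    infected["/system/etc/init.d/10overclock"] = b"#!/system/bin/sh\n# script dropped into init.d (constructed)\n"
    return compare_snapshots(snapshot_hashes(clean), snapshot_hashes(infected))
```

`demo_check()` lists the three tampered binaries under "modified" and the new init.d script under "added"; the baseline must come from the same firmware build, since a legitimate OTA update also changes these hashes.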
We extracted the exported functions from the two ELF files.
Below you can see what was extracted.
Exported functions from ELF#1:
Exported functions from ELF#2:
Export functions are functions that a module exposes to other modules.
As can be seen there are commands and definitions (for example get IMEI of the device, start application networking and more).
The GingerBreak exploit, used by the malware, gains root privileges.
Once the device is rooted, the malware can do whatever it wants, including downloading and installing additional components from a remote website.