The Latest in IT Security

Library File in Certain Android Apps Connects to C&C Servers

11
Jun
2012

We have uncovered certain Android apps (detected as ANDROIDOS_BOTPANDA.A) containing a malicious library file, which when executed, renders the infected device as a zombie device that connects to specific command and control (C&C) servers. What is also noteworthy about this file is that it hides its routines in the dynamic library, making it difficult to analyze.

The malicious library libvadgo contained in ANDROIDOS_BOTPANDA.A was developed via NDK and loaded using Java Native Interface. NDK is a toolset used by would be-Android developers in creating apps. ANDROIDOS_BOTPANDA.A contains the file com.airpuh.ad/UpdateCheck, which loads libvadgo library and calls the Java_com_airpuh_ad_UpdateCheck_dataInit function using the following code:

Based on our analysis, one of the noteworthy routines of Java_com_airpuh_ad_UpdateCheck_DataInit is it verifies whether an infected device is rooted by checking the file /system/xbin/su. If found, this file executes /system/xbin/su and then the commands below in /system/xbin/su:

Java_com_airpuh_ad_UpdateCheck_DataInit also executes .e[int_a]d file, which will be removed after several minutes. The first thing that .e[int_a] file does is to check the existence of /system/lib/libd1.so, replace files, and hook some important system commands [rm move mount ifconfig chown ] under system/xbin/ by creating corresponding files under system/bin/ to prevent detection and clean up. All of the created files are duplications of system/lib/lib1.so. It also modifies system/bin/svc by adding a malicious line into it so that the malicious can be launched automatically.

The .e[int_a]d file also performs the malware’s main routine, which is to communicate with C&C servers ad.{BLOCKED}ew.com ad.{BLOCKED}o8.com and ad.{BLOCKED}8.com through port 8511. These servers, however, were already down during our analysis thus we cannot confirm the exact commands that it performs on the infected device.

As mentioned previously, what makes this threat noteworthy is ANDROIDOS_BOTPANDA.A’s use of the dynamic library libvadgo.so. This type of malware hides its malicious routines in the said dynamic library, making it hard to analyze. It also kills certain processes, hooks important system commands, and replaces files to make detection and removal solutions difficult. If more Android malware use this technique in the future, delivering analysis and solutions will prove to be challenging for security experts.

This malware also runs specifically on rooted devices, thus it is likely that this may spread through third-party app stores. ANDROIDOS_BOTPANDA.A is another reason why users are advised to be cautious in downloading apps, specifically those from third-party app stores. To know more about how to better protect yourself from Android-OS specific threats, you may refer to our digital life e-guides below:

Leave a reply


Categories

TUESDAY, DECEMBER 10, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments