As a “Crypto Girl” should, I wish to report that the latest Android malware, Android/DroidKungFu, uses AES encryption.
It is certainly not the first time Android malware uses cryptographic encryption – we have already seen use of DES in Android/Geinimi or Android/HongTouTou – but this would appear to be the first use of AES on Android (AES has already been reported in Symbian malware such as SymbOS/InSpirit).
In Android/DroidKungFu, the malware uses AES to encrypt the two exploits it uses:
- CVE-2009-1185: packaged as gjsvro, located in the malware’s assets
- CVE-2010-EASY (rage against the cage): named ratc, in the malware’s assets
We can’t really figure out why the malware authors specifically used AES, as a simple XOR on the exploits would have bypassed hash-based AV-signatures (signatures based on a hash of those executables). Is it just because there’s an AES class available?
The malware decrypts the files using a hard-coded key in a malicious utility class (named Utils):
private static byte[] defPassword = { 70, 117, 99, 107, 95, 115, 69, 120, 121, 45, 97, 76, 108, 33, 80, 119 };
To decrypt the exploits, we can write some Java source code that reads the encrypted assets, decrypts them with AES using the hard-coded key, and dumps the decrypted data.
The decryption routine can be copy-pasted from a disassembly of the malware:
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Decrypts one asset with the hard-coded key. Cipher.getInstance("AES") with no
// explicit mode/padding resolves to AES/ECB/PKCS5Padding; 2 is Cipher.DECRYPT_MODE.
public static byte[] decrypt(byte[] paramArrayOfByte) throws Exception {
    byte[] arrayOfByte = defPassword;
    SecretKeySpec localSecretKeySpec = new SecretKeySpec(arrayOfByte, "AES");
    Cipher localCipher = Cipher.getInstance("AES");
    localCipher.init(2, localSecretKeySpec); // 2 == Cipher.DECRYPT_MODE
    return localCipher.doFinal(paramArrayOfByte);
}
Then, reading the asset and dumping the output is just a matter of using the Java FileInput/OutputStream and ByteArrayInput/OutputStream classes.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;

// filename: path to the encrypted asset (gjsvro or ratc)
ByteArrayOutputStream bout = new ByteArrayOutputStream();
FileInputStream fin = new FileInputStream(filename);
int c;
while ((c = fin.read()) != -1) { // slurp the whole encrypted asset into memory
    bout.write(c);
}
bout.close();
fin.close();
byte[] decrypted = decrypt(bout.toByteArray());
ByteArrayInputStream bin = new ByteArrayInputStream(decrypted);
String outputfilename = filename + ".decrypt";
FileOutputStream fout = new FileOutputStream(outputfilename);
while ((c = bin.read()) != -1) { // write the plaintext ELF next to the input
    fout.write(c);
}
fout.close();
bin.close();
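The same decryption as a stand-alone Go tool, added here as an example (it is not code from the original post or from the malware). It assumes, as JCE does for a bare "AES" transformation, that the assets are AES-128 in ECB mode with PKCS5 padding, so it decrypts block by block and strips the padding; the ELF-magic check and the EncryptAsset helper (used only to build local test fixtures) are my additions. The key bytes are the defPassword array quoted above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
	"os"
)

// defPassword is the hard-coded 16-byte key (AES-128) from the malware's Utils class.
var defPassword = []byte{70, 117, 99, 107, 95, 115, 69, 120, 121, 45, 97, 76, 108, 33, 80, 119}

// DecryptAsset mirrors Cipher.getInstance("AES") in DECRYPT_MODE:
// AES/ECB/PKCS5Padding, i.e. each 16-byte block decrypted independently.
func DecryptAsset(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext) == 0 || len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the AES block size")
	}
	plain := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(plain[i:i+bs], ciphertext[i:i+bs])
	}
	return pkcs5Unpad(plain, bs)
}

// EncryptAsset is the inverse operation; only used to construct test fixtures.
func EncryptAsset(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs5Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// pkcs5Pad appends n bytes of value n so the length becomes a block multiple.
func pkcs5Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates and removes PKCS5 padding; a bad pad usually means a wrong key.
func pkcs5Unpad(data []byte, bs int) ([]byte, error) {
	n := int(data[len(data)-1])
	if n == 0 || n > bs || n > len(data) {
		return nil, errors.New("bad padding (wrong key or corrupted asset?)")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding (wrong key or corrupted asset?)")
		}
	}
	return data[:len(data)-n], nil
}

// LooksLikeELF is the quick sanity check before running strings: a correctly
// decrypted native exploit binary starts with the ELF magic.
func LooksLikeELF(data []byte) bool {
	return len(data) >= 4 && bytes.Equal(data[:4], []byte{0x7f, 'E', 'L', 'F'})
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: decryptasset <encrypted asset>")
		os.Exit(2)
	}
	enc, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dec, err := DecryptAsset(defPassword, enc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out := os.Args[1] + ".decrypt"
	if err := os.WriteFile(out, dec, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("wrote %s (%d bytes, ELF header: %v)\n", out, len(dec), LooksLikeELF(dec))
}
```

Run it as `go run decryptasset.go ratc` and then `strings ratc.decrypt`. The padding check is the practical signal that the key is right: with ECB and a wrong key every block still "decrypts" to garbage, but the PKCS5 trailer will almost never validate.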
A quick look at the strings shows the assets are decrypted successfully:
$ strings ratc.decrypted
...
/system/lib
/proc/%d/cmdline
/sbin/adb
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[-] getrlimit
...
Stay tuned!
– the Crypto Girl