Three generations of the "Elder Trojan": finding the "big drug lord" behind it

Posted by trammel at 2020-03-29

Author: 360 Android analysis team

1. The tip of the iceberg

Recently, many users' Android phones have "inexplicably" gained applications such as "Flashlight" and "Calendar" that cannot be uninstalled without root. Even when root permission is obtained and they are uninstalled, they reappear soon afterwards. According to the 360 Internet Security Center, more than one million users are infected.

2. The culprit

After a large volume of user feedback and detailed analysis and investigation by the 360 Internet Security Center, we found that the culprit is the latest variant of the "FakeDebuggerd" family. It replaces the system's original /system/bin/debuggerd, starts at boot, stays resident in the background for long periods, steals user information and promotes software maliciously. We named it FakeDebuggerd.C.

(1) Behaviour flow chart of FakeDebuggerd.C

(2) Detailed behaviour analysis of FakeDebuggerd.C

1. Initialization

After startup it creates two directories, /sdcard/SYSV/ and /data/.3Q/, which are used to store data exchanged with the server and operational information.

2. Replacing system files

First, FakeDebuggerd.C creates an empty file, /system/bin/.CW, which it uses to decide whether /system needs to be remounted.

Second, it renames /system/bin/debuggerd to /system/bin/debuggerd_deamon.

Then it locates the matching image file, copies it to /system/bin/ and renames it debuggerd. Once the original debuggerd process has exited, the system automatically restarts the debuggerd process, and at that point FakeDebuggerd.C is started in its place.

3. Reporting online and stealing privacy

It reads the /data/.3Q/rc file, which stores information related to the ELF to be downloaded: its MD5, download address and so on. It collects network information (network type, network name), calls the iphonesubinfo service (service call iphonesubinfo 1) to obtain SIM card information (phone system, device ID, IMEI), and collects firmware information (MAC address, CPU information, system version).

Getting SIM information:

Getting the MAC address:

Other information (for example: nettype, the network type; netextra, the network name; andrsdk, the system API level):

4. Silent download and installation

(1) Configuration table of the instructions fetched from the network

Before decryption

After decryption

(2) The ELF file is downloaded silently to the directory /data/.3Q/LD/, with the default file name aplo[MD5].

(3) It checks whether the embedded APK is already installed on the system.

(4) It extracts the APK named *psd.apk from the downloaded ELF file into the /system/app/ directory to complete the installation.

(5) It sets the permissions of /system/app/*psd.apk to 420 (decimal for octal 0644, i.e. rw-r--r--).

5. Covering its tracks

(1) It deletes the files in /data/.3Q/LD/.

(2) It hides its own process. After the system starts, FakeDebuggerd.C fork()s a child process, and the child attempts to execute the debuggerd_deamon file (the system's original debuggerd). If the start succeeds, the child exits normally; if it fails, the child becomes a "zombie process". At this point two debuggerd entries appear in the system process list, so FakeDebuggerd.C rewrites the corresponding process name in /proc/PID/cmdline (from debuggerd to kworker/0I:2h:1J). Checking the process list again, the previous two debuggerd entries now show as one debuggerd and one kworker/0I:2h:1J.

Before change:

After change:

(3) It writes back the original file modification times so that the file changes are not noticeable.
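The following scanner, added here as an example and not part of the original write-up, checks a filesystem tree for the host indicators described in sections 1 to 5 above: the .CW marker, the renamed debuggerd_deamon, the /data/.3Q and /sdcard/SYSV directories, *psd.apk in /system/app, and a process whose cmdline was rewritten to a kworker name. The fixture it builds (file contents, the comm values, the /proc layout under a mock root) is constructed for illustration; on a real device the same scan would be pointed at the root filesystem.

```python
import tempfile
from pathlib import Path

# Host indicators taken from the behaviour described above (paths as on the page).
MARKER_PATHS = (
    "system/bin/.CW",               # remount marker file
    "system/bin/debuggerd_deamon",  # renamed original debuggerd
    "data/.3Q",                     # rc file and LD/ download directory
    "sdcard/SYSV",                  # server communication data
)

def build_fixture(root: Path) -> None:
    """Constructed mock of an infected Android filesystem (assumed layout)."""
    for rel in MARKER_PATHS[:2]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"")
    for rel in MARKER_PATHS[2:]:
        (root / rel).mkdir(parents=True)
    (root / "system/app").mkdir()
    (root / "system/app/xxpsd.apk").write_bytes(b"PK")
    # pid 100: argv[0] rewritten to a kworker name, comm still says debuggerd.
    # pid 200: legitimate debuggerd. pid 300: a real kworker, which is a kernel
    # thread and therefore has an empty cmdline.
    for pid, cmdline, comm in ((100, "kworker/0I:2h:1J", "debuggerd"),
                               (200, "debuggerd", "debuggerd"),
                               (300, "", "kworker/1:2")):
        d = root / "proc" / str(pid)
        d.mkdir(parents=True)
        (d / "cmdline").write_bytes(cmdline.encode() + (b"\0" if cmdline else b""))
        (d / "comm").write_text(comm + "\n")

def scan(root) -> dict:
    """Return the FakeDebuggerd.C indicators present under root."""
    root = Path(root)
    app_dir = root / "system/app"
    found = {"paths": [rel for rel in MARKER_PATHS if (root / rel).exists()],
             "apks": sorted(p.name for p in app_dir.glob("*psd.apk")) if app_dir.is_dir() else [],
             "masked": []}
    for d in (root / "proc").glob("[0-9]*"):
        cmdline = (d / "cmdline").read_bytes().rstrip(b"\0").decode(errors="replace")
        comm = (d / "comm").read_text().strip()
        # Kernel workers never carry an argv, so a non-empty cmdline that claims
        # to be a kworker is a rewritten name; comm still reveals the real one.
        if cmdline.startswith("kworker/"):
            found["masked"].append((int(d.name), comm))
    found["masked"].sort()
    return found

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(Path(tmp))
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```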

3. Surfacing

We could not help wondering where FakeDebuggerd.C comes from; it cannot appear without a cause. Analysis of the range of infected models showed that it is not a Trojan bundled with the ROM, so it must be dropped by an APK. After a series of tests based on user feedback, waiting for the infection to reoccur, the "culprit" finally surfaced: "Power Saving Expert".

(1) "Power saving expert" analysis:

1. The software is protected with the DexGuard tool; class names and strings are heavily obfuscated and encrypted to resist static analysis.

2. At runtime it drops the file seed.jar. The actual content of the dropped file is stored as byte arrays across several Java classes of "Power Saving Expert". Below is part of one of the arrays:

Code that splices the arrays together:

Dropping the jar file:

3. It loads seed.jar via reflection and runs the run method of com.core.seed.seedthread.

(2) seed.jar analysis

1. Operation flow chart of seed.jar

Calling the run method triggers seed.jar to extract and decrypt the resource files under seed.jar/res. Among them, goldbean and yy1 are jar packages; greenbean, s2, s4 and logo.jpg are ELF files; seedapp is version-related text; logo.jpg is FakeDebuggerd.C.

3. Exploiting vulnerabilities and running logo.jpg

goldbean, greenbean, yy1, s2 and s4 are exploit files for several known Android vulnerabilities, including framaroot and towelroot.

Privilege escalation via the jar package (goldbean or yy1 file)

The whole process is carried out by executing the shell command "export ANDROID_DATA=1; export CLASSPATH=/path/; app_process 1 com.tj.goldbean.App 1 'res/logo.jpg –setup ID tag'". Here /path/ is the path of the seed jar package, ID is the command number, and tag identifies the caller of seed.jar, which is passed in through seedthread.settag.

If the command executes successfully, the class's main method is called.

The towelroot() method loads the .so file from the jar package (goldbean/yy1) to perform the privilege escalation. Once escalation succeeds, it starts the debuggerd file directly by running the shell command 'res/logo.jpg –setup ID tag'.

Privilege escalation via the ELF (greenbean, s2 or s4 file)

For example:

The ELF file is started directly through a shell command to escalate privileges. "res/logo.jpg –setup id2 tag" is passed to the corresponding ELF file as a parameter, and the ELF file decides whether to execute debuggerd based on the result of the escalation. One form of the command is as follows:

cat res/logo.jpg –setup id2 tag > $FilesDir/tmp

res/$ELF $FilesDir/tmp

(where $ELF is the ELF file path.)

After privilege escalation is complete, FakeDebuggerd.C is started.

(3) "Calendar" and "flashlight" analysis

1. Analysis of "Flashlight" shows that, once online, it silently downloads and installs promoted software in the background.

2. Analysis of "Calendar" shows that it contains an advertising plug-in, "TJ". The plug-in pushes advertisements through the notification bar and creates multiple shortcuts to promote software.

In addition, we found that "TJ" downloads an encrypted seed.jar file from a specified server; after decryption it likewise calls the run method of com.core.seed.seedthread to load and run it.

4. Tracing back to the source

From the above analysis, loading and running the malicious file seed.jar is what leads to a FakeDebuggerd.C infection. seed.jar spreads in two ways: dropped from Java code in apps masquerading as common software, and downloaded online by the "TJ" advertising plug-in. We found that the total number of samples of these two types exceeds 1000, which is why FakeDebuggerd.C has such a high infection rate.

Common software that is imitated:

List of software embedded with the "TJ" advertising plug-in:

We also traced early versions of the seed.jar file. Comparative analysis shows that its main functions have not changed; its "evolution" is mainly in anti-analysis measures, where it has changed a great deal.

(1) From a line to a mesh

The original seed.jar and its derivative mlgb.jar have been merged into one, and a communication mechanism has been implemented to complicate the execution flow and make analysis harder. The old version of seed.jar drops mlgb.jar, and mlgb.jar then drops the resource files and performs the privilege escalation; the whole process is almost linear and the logic is clear. The new version, however, implements a complex communication mechanism that has evolved into a network, which can be seen by comparing the package structures of the old and new versions.

(2) From "streaking" to "disfigurement"

Another change in the new version is heavy obfuscation and encryption of sensitive strings. It implements an encryption algorithm for each key class; these algorithms are similar but depend on the implementation of the specific class, so analysts cannot decrypt them uniformly, which greatly increases the difficulty of static analysis.

5. Chained propagation

Interestingly, while analysing the entire spread and infection process of FakeDebuggerd.C, we uncovered another malicious Trojan family, Trojan.Dropper.Android.FakeInfo.A, which in turn uses malicious samples as the medium for its own promotion and propagation. Taking the promotion of "Power Saving Expert" as an example to illustrate the whole operation, the following software is involved:

- Tampered "Yuehui" (Trojan.Dropper.Android.FakeInfo.A)

- "System"

- "AndroidRoot"

- "system"

(1) Propagation diagram

(2) Malicious behaviour analysis of Trojan.Dropper.Android.FakeInfo.A

Overview: it drops encrypted exploit files and a malicious APK package, obtains root permission by exploiting vulnerabilities, copies the malicious APK package and "system" into the /system/app directory, and then automatically restarts the phone to complete the installation.

The exploit files and the malicious APK package are protected by two layers of encryption. First, the info.mp4 file in the assets directory is decrypted with the standard DES algorithm using the key a1f6r:tu9q8.

Second, the decrypted zip package is itself encrypted; its key is 6f95r:t29q1.

Among them, root000 is actually the APK package of "system", and androidrtservice.apk is also an APK package; the remaining files, root001 to root008, are exploits for publicly disclosed vulnerabilities used to obtain root permission.

(3) * * "com. Android. Provider. Confirm * *" behavior analysis

Overview: the Trojan uploads the list of software on the phone in the background, obtains cloud-control instructions, and carries out downloads, silent installation, silent uninstallation, notification-bar pop-ups and the launching of specified applications.

1. Cloud-control instruction analysis. We found three types of cloud-control instruction, "[down]", "[uninstall]" and "[notification]", representing download, uninstall and push notification respectively. Each instruction returned by the server is split on "[-]" into the fields of that instruction.

(1) [down]: includes the ID of the software to download, its MD5, the package name or component service name, the download address and other information;

(2) [uninstall]: contains the package name to uninstall;

(3) [notification]: contains the notification ID, the package name or component service name, the notification content and other information.

During analysis and testing we obtained two different forms of response to the "[down]" instruction:



2. It executes pm install -r for silent installation according to the instruction content.

3. It executes pm uninstall according to the instruction content.

4. It simulates use of the specified software from the command line according to the instruction: the component service named in the cloud-control instruction is started with am startservice.

5. It pushes a notification to the notification bar.
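A decoder for the cloud-control response format described in step 1 above, added here as an example and not code from the write-up. The tag names, the "[-]" separator and the pm/am commands come from the page; the field order, the sample response (with a reserved .invalid hostname) and the exact command strings are assumptions for illustration.

```python
import re

# Constructed sample of a server response; the field order is assumed.
SAMPLE_RESPONSE = (
    "[down][-]1001[-]0123456789abcdef0123456789abcdef[-]com.example.gamehall"
    "[-]http://c2.example.invalid/gamehall.apk\n"
    "[uninstall][-]com.example.oldapp\n"
    "[notification][-]7[-]com.example.gamehall/.PushService[-]Free games inside!\n"
    "[down][-]1002[-]notahash[-]com.example.root[-]http://c2.example.invalid/r.apk\n"
)

# Named fields per tag, following the description in (1)-(3); anything beyond
# these is kept as "extra" (the page's "other information").
FIELDS = {
    "[down]": ("id", "md5", "target", "url"),
    "[uninstall]": ("package",),
    "[notification]": ("id", "target", "text"),
}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_instructions(text: str) -> list:
    """Split each line on '[-]'; the first part is the command tag."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, *args = line.strip().split("[-]")
        names = FIELDS.get(tag)
        if names is None or len(args) < len(names):
            out.append({"tag": tag, "error": "unknown tag or too few fields"})
            continue
        inst = dict(zip(names, args), tag=tag, extra=args[len(names):])
        if tag == "[down]" and not MD5_RE.match(inst["md5"].lower()):
            inst["error"] = "malformed md5"
        out.append(inst)
    return out

def predicted_commands(instructions: list) -> list:
    """Commands the Trojan issues per instruction (steps 2-4 above); handy when
    writing detections for pm/am invocations made from an app process."""
    cmds = []
    for inst in instructions:
        if "error" in inst:
            continue
        if inst["tag"] == "[down]":
            cmds.append(f"pm install -r <downloaded-{inst['id']}.apk>")  # path placeholder
        elif inst["tag"] == "[uninstall]":
            cmds.append(f"pm uninstall {inst['package']}")
        if "/" in inst.get("target", ""):  # a component name means a service start
            cmds.append(f"am startservice -n {inst['target']}")
    return cmds
```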

During dynamic debugging we found that which software is downloaded and installed is controlled by the content returned by the server. What we actually observed were "Game Hall", "Inner Joke", "Billiards Master" and "Android Root" (several Android Root apps with different package names). After downloading, these were silently installed into the /data/app directory.

The main behaviour of the downloaded "Android Root" is essentially the same as that of the tampered "Yuehui": after exploiting known vulnerabilities it drops a local APK file into the /system/bin directory and then restarts the phone to complete the installation. The difference is that only one APK file is dropped, and the dropped APKs include "Power Saving Expert", "Child Care Treasure" and others.

(4) Malicious behaviour analysis of "system"

Overview: downloads in the background, silently installs and uninstalls specified applications; modifies the phone's APN settings.

It receives multiple system broadcasts to start its core service. It obtains the list of applications to install from the control server, downloads them automatically in the background, installs them silently, and uninstalls each application within a specified time after it has been installed and run.

It receives instructions from the server to update the database contents, obtains information about the applications to install from the database, and downloads and installs them.

Downloading an application:

Installing the application and updating the corresponding value in the database:

Reading the database and uninstalling the specified application:

On receiving the _WAP or _NET broadcast, it selects the APN configuration of the corresponding operator according to the IMSI number.

The main malicious behaviours of "system" and "com.android.provider.confirm" are similar: both download and install specified applications under server control and can receive uninstall instructions. The main difference is that "com.android.provider.confirm" starts the service of the installed application, while "system" starts its activity.

(5) * * "system" malicious behavior analysis**

Overview: after running, it decrypts, drops and loads malicious sub-packages. The sub-packages covertly send SMS messages to subscribe to paid services and intercept SMS messages containing specified keywords, causing financial loss to users.

The main package creates a service whose main function is to decrypt a file under the main package's assets directory. The decrypted file is a jar package, which is loaded through DexClassLoader. Package name:

Calling the sub-package's start method after loading:

Once running, the sub-package fetches server instructions online, which contain the keywords to intercept and the phone number to which SMS messages are sent.

Intercepted keywords include:

6. Solutions

At present, only the PC version of the 360 Mobile First Aid Kit and the Elder Trojan killing tool can remove it. Once users find many "Flashlight", "Calendar" and other applications on their phones together with abnormal phone charges, they should use the 360 Mobile First Aid Kit and the Elder Trojan killing tool as soon as possible to remove the three generations of the "Elder Trojan".

Download address of the Mobile First Aid Kit:

Download address:

7. Summary

Compared with the previously discovered FakeDebuggerd.A [1] and FakeDebuggerd.B [2], the FakeDebuggerd.C family of malicious Trojans found this time has more diverse promotion channels, is harder to find and harder to remove, has more countermeasures, and uses professional means to resist analysis and security detection.

360 Internet Security Center recommends:

(1) For app developers: when embedding advertisements, screen them carefully to avoid embedding malicious advertising plug-ins, which bring unnecessary losses to their own software and to users;

(2) For advertisers: strengthen the review of promoted software and leave malware no opportunity to spread;

(3) For ordinary users: download and install apps only through official channels; install professional security software and enable security monitoring; keep an eye on phone charges and data usage, and if any anomaly is found, report it to the operator and the 360 Internet Security Center promptly.

Related reading links: