Author: iriqium, Zhao Runze, Jiang Xuxian
More than a month ago we discovered Oldboot [1], the first Trojan to use bootkit technology on the Android platform. Oldboot is embedded into the boot partition of the phone's ROM, for example by reflashing, so it runs early in the Android boot process and then carries out a series of malicious actions. We therefore released the first dedicated Oldboot removal tool to help users detect and defend against it.
Recently we intercepted Oldboot.B, a new variant of the Oldboot family. Like Oldboot.A it uses bootkit technology and installs apps silently. In addition, Oldboot.B uses a series of techniques to resist removal by anti-virus software and analysis by researchers: code encryption, protection against uninstallation, injection into a system process, uninstalling or disabling the processes of anti-virus software, steganography and more. Its concealment is also much improved. Some components already achieve advanced characteristics such as having no process of their own (code injected into system_server) or no file of their own (the file deleted after start), and the techniques point towards a Trojan with neither process nor file; see the countermeasures and trend analysis in part 2 for details, and the code analysis in part 1 for how these functions are implemented. Many of the techniques used by Oldboot.B are appearing on Android for the first time. Among all Android Trojans, at home and abroad, the Oldboot family has consistently led in technique, and it represents the direction in which Android malware is heading. The analysis makes it clear that Oldboot is a large family of Trojans with a strict organization and a clear division of labour, written by professional programmers and driven by a commercial operation. As it has evolved we have developed new removal tools that can effectively detect, remove and defend against this bootkit.
1、 Oldboot.B code analysis
At present the most visible behaviour of the Oldboot family is to receive commands from the server, download and install apps silently in the background without the user's permission, and profit from the promotion fees for those apps. After an Android device is infected with Oldboot, users often find software and games in the system that they never installed.
The new Oldboot variants discovered this time are closely related, in both code and function, to imei_chk and the related files (Oldboot.A) we found earlier.
Figure 1: overview of Oldboot.A
The figure above lists the files of Oldboot.A. As described in the analysis report we published earlier [1], the imei_chk file starts at boot by registering a service in init.rc. Once running, it drops two further Trojan files, GoogleKernel.apk and libgooglekernel.so, which work together to carry out the malicious behaviour. For more details, please refer to our earlier report [1].
Figure 2: overview of Oldboot.B
The figure above describes the new variants of the Oldboot Trojan we found recently. Their main files start themselves in the same way as Oldboot.A: the file is written into the ramdisk (initrd), a service for it is registered in init.rc, and the result is flashed into the boot.img of the phone's ROM. They also have similar functions, such as continuously listening on a socket and receiving and executing commands. In particular, the boot_tst file in the new variant drops a file named leecore.so, part of which shares code with the libgooglekernel.so file of Oldboot.A.
By function, the new Oldboot variants can be roughly divided into four parts:
1、 A set of files built around boot_tst, which injects code remotely into the Android system_server process, continuously listens on a socket and executes the commands it receives. The related files are:
- /init.rc: the Android boot configuration file, modified by Oldboot to start the service automatically
- /sbin/boot_tst: an ELF executable
- /data/system/usagestats/leecore.so: an ELF shared object
- /data/system/usagestats/leejrc.so: an ELF shared object
- /data/system/usagestats/leejar.jar: a module in JAR format
2、 A set of files built around meta_chk, which fetches its configuration over the network, silently downloads and installs promoted Android apps, opens a backdoor and executes remote commands. The related files are:
- /init.rc: the Android boot configuration file, modified by Oldboot to start the service automatically
- /sbin/meta_chk: an ELF executable
- /sbin/meta_chk (v2; we found two versions of this file): an ELF executable
- /sbin/adb_meta: an ELF executable
- /system/etc/.gprs.xml: an encrypted configuration file, hidden by its dot-prefixed name
3、 /sbin/adb_server, which replaces the pm program of the Android system to prevent uninstallation.
4、 A set of files built around agentsysline, written in C++ with a complex architecture. It runs in the background as a daemon, receiving commands, uninstalling anti-virus software, deleting files, and enabling or disabling network connections. The related files are:
- /init.rc: the Android boot configuration file, modified by Oldboot to start the service automatically
- /sbin/agentsysline: an ELF executable
(1) The part represented by boot_tst
Like the other Trojans in the Oldboot family, boot_tst starts at boot by modifying the init configuration script init.rc: the lines that register it as a service are appended to the end of the init.rc file.
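Persistence of this kind is visible in the ramdisk's init.rc, which can be pulled from the boot.img (or read from the device's root filesystem) without trusting the infected system's own tools. The following Python script is an added example, not code from this report or from 360: it parses init.rc service entries and flags services whose binary lives in /sbin but is not in a baseline of stock ramdisk services, as well as control sockets that are world-writable. The init.rc text embedded in it is constructed for the demo; the service and socket names (boot_tst, meta_chk, agentsysline, adb6, adb2) come from this report, while the socket modes and the stock-service baseline are assumptions.

```python
"""Enumerate service entries in an Android init.rc and flag the ones that look
like Oldboot-style persistence: an extra service whose binary lives in the
ramdisk /sbin and/or that declares its own control socket with a loose mode.

Added example, not code from the report. The init.rc text below is constructed;
service and socket names follow the report, socket modes and the baseline of
stock ramdisk services are assumptions."""

# Stock ramdisk services one would expect in a 4.x boot.img (assumption; build
# the real baseline from the vendor's factory image, not from the device).
STOCK_SBIN_SERVICES = {"ueventd", "adbd", "healthd", "watchdogd"}

SAMPLE_INIT_RC = """\
on init
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin

service ueventd /sbin/ueventd
    class core
    critical

service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled

# --- lines appended by the Trojan (constructed for this example) ---
service boot_tst /sbin/boot_tst
    socket adb6 stream 666
    user root
    oneshot

service meta_chk /sbin/meta_chk
    socket adb2 stream 666
    user root
    oneshot

service agentsysline /sbin/agentsysline
    user root
"""


def parse_services(text):
    """Return {name: {"exec": path, "args": [...], "sockets": [(name, type, mode)], "options": [...]}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if not raw[:1].isspace():                  # a new section starts at column 0
            if tokens[0] == "service" and len(tokens) >= 3:
                current = {"exec": tokens[2], "args": tokens[3:], "sockets": [], "options": []}
                services[tokens[1]] = current
            else:                                  # "on ..." / "import ..." end a service block
                current = None
            continue
        if current is None:
            continue
        if tokens[0] == "socket" and len(tokens) >= 4:
            current["sockets"].append((tokens[1], tokens[2], tokens[3]))
        else:
            current["options"].append(" ".join(tokens))
    return services


def suspicious_services(services, baseline=STOCK_SBIN_SERVICES):
    """Return {service_name: [reasons]} for services worth a second look."""
    findings = {}
    for name, svc in services.items():
        reasons = []
        if svc["exec"].startswith("/sbin/") and name not in baseline:
            reasons.append("non-stock binary in ramdisk /sbin: " + svc["exec"])
        for sname, _stype, mode in svc["sockets"]:
            try:
                world_writable = int(mode, 8) & 0o002
            except ValueError:
                world_writable = False
            if world_writable:
                reasons.append("control socket /dev/socket/%s is world-writable (mode %s)" % (sname, mode))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_services(parse_services(SAMPLE_INIT_RC)).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Run it against a real file with parse_services(open("init.rc").read()). Build the baseline from the vendor's factory boot.img rather than from the device: the whole point of Oldboot is that the device's own ramdisk is the thing that has been tampered with.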
After boot_tst runs, its logic is roughly as shown in the following figure:
Figure 3: execution flow of boot_tst
As the figure shows, execution is split between two parts: the code running in the boot_tst process and the code injected into the system_server process. Once the remote injection is complete, the two parts communicate over a socket.
The code in the boot_tst process roughly works as follows:
- Drop the embedded ELF file as /data/system/usagestats/leecore.so and load it. Notably, leecore.so is deleted right after it has been dropped and loaded, so the user never sees the file in the file system.
- Call the exported function main of leecore.so.
- Drop the embedded ELF file as /data/system/usagestats/leejrc.so.
- Inject /data/system/usagestats/leejrc.so into the Android system_server process.
Figure 4: obtaining the PID of system_server and injecting the code
Figure 5: code for the remote injection
- Obtain the socket adb6 registered in init.rc, listen on it continuously, carry out the operation requested by each command received, and return the result. The implementation is shown in the following figure:
Figure 6: listening on the socket and executing the commands received
The commands received on the adb6 socket fall into two groups. The related data structure is shown in the following figure:
Figure 7: command dispatch data structure
The two groups of commands are:
- cmds receives an array of commands to execute, and executes them all with root privileges.
- netcmd receives control commands from the leejar.jar module inside system_server, such as opening and closing the network connection and acquiring and releasing the wakelock.
The code of leecore.so is based on the libgooglekernel.so file of Oldboot described in the previous report. The obvious change is that it now uses libraries such as curl and cJSON for online updates and configuration-file parsing.
The code injected into the system_server process is entered through the exported function hook_tai_jrc_init of leejrc.so. Its main steps are:
- Drop the embedded JAR file as /data/system/usagestats/leejar.jar.
- Load leejar.jar into the system_server process with DexClassLoader.
- Call the static method leejrcinit of the class leee.main.main in leejar.jar.
Figure 8: loading leejar.jar with DexClassLoader and calling into the JAR
- leejrcinit creates a socket server listening on local port 9096, receives and executes the commands sent by boot_tst, and returns each command's result by connecting to the adb6 socket on which boot_tst listens.
Figure 9: leejar creating the socket server inside system_server that listens for commands
Figure 10: leejar connecting to the socket server of boot_tst and writing commands
The boot_tst process sends the following commands over the socket to the socket server that leejar created inside system_server:
- OpenNetwork
- CloseNetwork
- GetVerCode
- getCurNetworkType
- getAppInstallPath
- getSDCardAvaildSize
- getSystemAvaildSize
- IsSafeMode
- Unzip
- GetSysInfo
- sendLauncherMsg
- acquireWakeLock
- releaseWakeLock
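Because the bootstrap code deletes its files and the listener lives inside system_server, a file scanner finds nothing, but the sockets themselves remain visible in /proc. The Python below is an added example, not part of this report: it parses /proc/net/tcp and /proc/net/unix (pulled from the device with adb) and reports listeners on port 9096 (the leejar server described above) and port 23332 (the second meta_chk version described in part (2)), plus the init-created Unix sockets /dev/socket/adb6 and /dev/socket/adb2. The sample /proc lines are constructed; the port-to-component mapping in the code is taken from this report, and the expectation that the 9096 listener is owned by UID 1000 (system, which system_server runs as) follows from the injection described above.

```python
"""Find the listening sockets that the Oldboot.B plumbing leaves behind even
when its files are gone: the TCP server leejar opens inside system_server on
127.0.0.1:9096, the 23332 listener of the second meta_chk version, and the
init-created Unix sockets adb6 / adb2 under /dev/socket.

Added example, not code from the report. Works on the text of /proc/net/tcp
and /proc/net/unix; the sample lines below are constructed."""

SUSPECT_TCP_PORTS = {
    9096: "leejar socket server inside system_server",
    23332: "meta_chk (version 2) command socket",
}
SUSPECT_UNIX_PATHS = {
    "/dev/socket/adb6": "boot_tst control socket registered in init.rc",
    "/dev/socket/adb2": "meta_chk (version 1) control socket registered in init.rc",
}
TCP_LISTEN = 0x0A   # st column value for a listening socket

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2388 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 18721 1 00000000 100 0 0 10 -1
   1: 00000000:5B24 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18950 1 00000000 100 0 0 10 -1
   2: 0100007F:2388 0100007F:A3E1 01 00000000:00000000 00:00000000 00000000  1000        0 18730 1 00000000 20 4 31 10 -1
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10045        0 17002 1 00000000 100 0 0 10 -1
"""

SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
00000000: 00000002 00000000 00010000 0001 01  3371 /dev/socket/adbd
00000000: 00000002 00000000 00010000 0001 01  3380 /dev/socket/adb6
00000000: 00000002 00000000 00010000 0001 01  3384 /dev/socket/property_service
"""


def _hex_addr(field):
    """'0100007F:2388' -> ('127.0.0.1', 9096). The IPv4 address is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a list of dicts with ip, port, state, uid and inode for each entry."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = _hex_addr(f[1])
        entries.append({"ip": ip, "port": port, "state": int(f[3], 16),
                        "uid": int(f[7]), "inode": int(f[9])})
    return entries


def parse_proc_net_unix(text):
    """Return the bound paths of Unix sockets (unnamed sockets have no Path column)."""
    paths = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 8:
            paths.append(f[7])
    return paths


def find_oldboot_sockets(tcp_text, unix_text):
    """Return human-readable hits for the sockets named in the report."""
    hits = []
    for e in parse_proc_net_tcp(tcp_text):
        if e["state"] == TCP_LISTEN and e["port"] in SUSPECT_TCP_PORTS:
            hits.append("tcp %s:%d LISTEN uid=%d inode=%d: %s" % (
                e["ip"], e["port"], e["uid"], e["inode"], SUSPECT_TCP_PORTS[e["port"]]))
    for path in parse_proc_net_unix(unix_text):
        if path in SUSPECT_UNIX_PATHS:
            hits.append("unix %s: %s" % (path, SUSPECT_UNIX_PATHS[path]))
    return hits


if __name__ == "__main__":
    for hit in find_oldboot_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_UNIX):
        print(hit)
```

The inode column lets you tie a socket to a process by scanning /proc/<pid>/fd for a link named socket:[inode]; on an infected device the 9096 listener should resolve to system_server, which is the confirmation a file scan cannot give.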
(2) The part represented by the meta_chk files
meta_chk also starts itself by modifying the init.rc script. One of the main differences between the two versions of meta_chk is that one registers a socket named adb2 in init.rc and listens on that socket, while the other creates a socket server in its own code and listens on local port 23332.
The execution logic of meta_chk is shown in the following figure:
Figure 11: execution flow of meta_chk
As the figure shows, the main execution flow of meta_chk is:
- Run the command am startservice to start the UpdateNoService service.
Figure 12: starting UpdateNoService
- Check whether its own path is /sbin/meta_chk; if not, perform none of the malicious functions.
- Delete the file /sbin/meta_chk. Users and anti-virus software can then no longer read or write the file at all, which sidesteps file-based detection and realizes a "file-less Trojan" on Android. Because meta_chk lives in the ramdisk, deleting the file has no effect on the rest of this run or on any later boot, so this is a very practical trick for improving concealment.
Figure 13: checking the runtime path and deleting its own file
- Drop the embedded ZIP file as /system/lib/libkey.so, extract it with the open-source minzip library, copy the extracted axel file to /sbin/adb_meta and make it readable and executable. /sbin/adb_meta (axel) is an open-source multi-threaded download tool similar to wget and curl (project homepage: http://axel.alioth.debian.org/); meta_chk uses it to download files from the server.
- Load the configuration file /system/etc/.gprs.xml for later use. /system/etc/.gprs.xml is an encrypted configuration file; the version we found is 12508 bytes long. Its format is custom, with many fields, and it starts with "AZD". The stored configuration includes at least: (a) the domain name of the Trojan's C&C server; (b) the package names of the anti-virus software to disable; (c) the package names of the apps to promote and the local path each download is saved to; (d) whether to clear the browser cache; (e) whether to change the browser home page, and the new home page address; (f) the list of commands to execute; (g) the time the malicious behaviour was last triggered.
- Check the contents of /system/etc/hosts to see whether domain names that may be used for app promotion, such as zkl90.com, 177.net and 188.net, have been redirected. If so, overwrite the whole hosts file with the default contents (127.0.0.1 localhost) so that the subsequent downloads succeed.
- Use the adb_meta (axel) tool to download the Trojan file to /system/lib/libdowntemp.so, rename it to /system/bin/chk, make it executable and run /system/bin/chk.
Figure 14: downloading and executing the Trojan file
- Update the configuration file from the network, overwriting the locally saved /system/etc/.gprs.xml.
- Download APK files and install them silently. To make sure the downloaded app installs, meta_chk calls pm disable on three anti-virus products (360 Mobile Safe, Tencent Mobile Manager and Kingsoft Mobile Duba), calls pm enable to start them again once the app is installed, and also uses SQLite to directly modify the settings.db database of the Android "Settings" application so that installation of apps from "unknown sources" is allowed.
Figure 15: downloading and installing the APK
- Create a thread that listens on the socket and executes commands from other programs. meta_chk accepts five kinds of command. Among them, opengprs and closegprs open and close the phone's network connection, setdb directly modifies the database file to change options of the Android "Settings" application, and check_c= executes an arbitrary command with root privileges and returns its result.
Figure 16: listening on the socket and executing the corresponding commands
Interestingly, meta_chk also verifies the RSA signature of the client app that connects to its socket server. Only when the content of the client app's signature file matches binary data hard-coded in meta_chk are the commands executed. Some anti-virus products and dedicated removal tools turn the Trojan's own weapons against it by calling the functions the Trojan provides in order to delete it; this verification mechanism makes that approach unworkable.
Figure 17: meta_chk verifying the client signature
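The settings.db write is worth spelling out, because it is a general technique: anything running as root can flip a Settings.Secure value behind the Settings app's back, without going through its content provider. The Python/SQLite below is an added example, not code from this report or from the Trojan: it builds a minimal stand-in for the 4.x settings.db "secure" table (the three-column schema is what the Settings provider creates, to the best of my knowledge; treat it as an assumption), performs the same kind of direct update meta_chk performs on the install_non_market_apps row, and shows the audit and restore steps a removal tool can run. The "global" fallback covers later Android versions that moved the row.

```python
"""What meta_chk's direct write to settings.db amounts to, and the check that
catches it. Android 4.x keeps Settings.Secure in the 'secure' table of
/data/data/com.android.providers.settings/databases/settings.db; the
"Unknown sources" switch is the row named install_non_market_apps.

Added example, not the Trojan's code. Schema is the minimal subset needed for
the demo and is an assumption about the real table."""
import sqlite3

SETTING = "install_non_market_apps"


def make_settings_db(unknown_sources="0"):
    """Build an in-memory stand-in for settings.db with the switch set as given."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secure (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT)")
    conn.execute("INSERT INTO secure (name, value) VALUES (?, ?)", (SETTING, unknown_sources))
    conn.commit()
    return conn


def trojan_style_enable(conn):
    """The effect of the report's 'use SQLite to directly modify settings.db':
    an upsert of the row, relying on UNIQUE ON CONFLICT REPLACE."""
    conn.execute("INSERT INTO secure (name, value) VALUES (?, '1')", (SETTING,))
    conn.commit()


def read_unknown_sources(conn):
    """Return the stored value ('0' / '1') or None; 'secure' first, then 'global'."""
    for table in ("secure", "global"):          # fixed names, not user input
        try:
            row = conn.execute("SELECT value FROM %s WHERE name = ?" % table, (SETTING,)).fetchone()
        except sqlite3.OperationalError:        # table absent on this Android version
            continue
        if row is not None:
            return row[0]
    return None


def audit(conn, user_expects_enabled=False):
    """One-line verdict suitable for a removal tool's log."""
    value = read_unknown_sources(conn)
    if value == "1" and not user_expects_enabled:
        return "ALERT: %s=1 (unknown sources enabled without user action)" % SETTING
    return "ok: %s=%s" % (SETTING, value)


def restore(conn):
    """Put the switch back; the Settings UI reads the row on next open."""
    conn.execute("UPDATE secure SET value='0' WHERE name=?", (SETTING,))
    conn.commit()


if __name__ == "__main__":
    db = make_settings_db()
    print(audit(db))
    trojan_style_enable(db)
    print(audit(db))
    restore(db)
    print(audit(db))
```

On a real device the check is the same query against a pulled copy of settings.db; the row's value alone does not say who set it, so combine it with the user's own answer about whether they ever enabled the switch.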
(3) The /sbin/adb_server file
The adb_server file replaces /system/bin/pm in the Android system. It mainly hooks the pm uninstall command: if the app to be uninstalled is one the Trojan promotes, the uninstall is not performed and the string "Success" is printed to fool the user, so the app cannot be removed.
adb_server is also stored in the ramdisk of the boot.img. Rather than being started from init.rc, it is copied into place by meta_chk, which replaces pm with it. The replacement is shown in the following figure:
Figure 18: replacing the system pm file with adb_server
When the user or a program runs the pm command, the file actually executed is adb_server. After starting, adb_server carries out some initialization and checks: it sets its UID and GID to root, checks the environment variable LD_LIBRARY_PATH, and checks whether its parent process is a shell.
Figure 19: initialization checks of adb_server
adb_server then checks whether the sub-command is uninstall. If it is, it takes the command argument, the package name to uninstall, and compares it one by one with the package names in the list built into the adb_server file. If the built-in list contains the package being uninstalled, adb_server returns immediately and prints the deceptive string "Success".
Figure 20: adb_server checking whether the pm sub-command is uninstall and printing the deceptive string "Success"
Figure 21: checking whether the package to be uninstalled is a promoted app
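Because adb_server swaps a native binary in for what is normally a small shell script, the replacement is cheap to detect statically. The Python below is an added example, not this report's code: classify_pm() reads the first bytes of /system/bin/pm and distinguishes the stock script (a #! wrapper that execs app_process with pm.jar, as on 4.x images; the script text embedded here is from memory and is an assumption) from an ELF binary that also carries the "uninstall" and "Success" strings the report describes. The FAKE_ADB_SERVER bytes are constructed for the demo; they are not the Trojan's binary.

```python
"""Tell a stock /system/bin/pm from the adb_server stand-in. On Android 4.x pm
is a short shell script; the Trojan's replacement is a native ELF that handles
'uninstall' itself and prints "Success" for the packages it protects.

Added example, not the Trojan's code. STOCK_PM is my recollection of the 4.x
script (assumption; verify against the vendor ROM); FAKE_ADB_SERVER is a
constructed byte string, not a real binary."""

ELF_MAGIC = b"\x7fELF"

STOCK_PM = b"""#!/system/bin/sh
base=/system
export CLASSPATH=$base/framework/pm.jar
exec app_process $base/bin com.android.commands.pm.Pm "$@"
"""

# ELF header bytes followed by the strings the report describes: the sub-command
# being matched and the canned reply printed for protected packages.
FAKE_ADB_SERVER = (ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 8
                   + b"\x02\x00\x28\x00\x01\x00\x00\x00"
                   + b"uninstall\x00Success\x00com.example.promoted\x00")


def classify_pm(data):
    """Return (kind, reason): ('script', None), ('elf', reason) or ('unknown', None)."""
    if data.startswith(b"#!"):
        return "script", None
    if data.startswith(ELF_MAGIC):
        reasons = ["native binary where a shell script is expected"]
        low = data.lower()
        if b"uninstall" in low and b"success" in low:
            reasons.append("embeds both 'uninstall' and a canned 'Success' reply (adb_server pattern)")
        return "elf", "; ".join(reasons)
    return "unknown", None


def check_pm_file(path="/system/bin/pm"):
    """Classify the pm file on disk (run on a pulled copy or on the device)."""
    with open(path, "rb") as fh:
        return classify_pm(fh.read())


if __name__ == "__main__":
    print("stock sample :", classify_pm(STOCK_PM))
    print("fake sample  :", classify_pm(FAKE_ADB_SERVER))
```

Comparing the file's hash against the stock pm from the vendor's factory image is the stronger check; the magic-byte test is what you can do when only the infected device is at hand. Note that a stock ELF pm is not impossible on every Android release, so treat the first reason as a prompt to look, and the second as the actual indicator.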
(4) The part represented by agentsysline
Depending on the arguments it is started with, agentsysline can act as an su-like program that calls the shell to execute arbitrary commands with root privileges, but the author has not fully implemented this part and it does not work properly. The main function of agentsysline is therefore to run permanently in the background as a daemon, receiving commands from the remote server or from other local programs and executing them.
agentsysline is a multi-threaded application written in C++. Its main functional modules are encapsulated in C++ classes and the architecture is well designed: although the program creates as many as 15 threads, synchronization between them is handled well. The code suggests the author is an experienced Linux developer.
The main functions of agentsysline are encapsulated in six C++ classes:
- Frame: a singleton class representing the program's runtime
- NetManager and TcpSession: implement the network connection
- SocketCmdManager: creates the socket and sends and receives data; received commands are passed to CmdHandler for execution
- CmdHandler: receives commands from SocketCmdManager, parses them and creates new threads to execute them
- Logger: a singleton class implementing the program's logging
The general relationship between these classes is shown in the following figure:
Figure 22: behaviour logic of agentsysline
The main flow of agentsysline is:
- Initialize: set resource limits and signal handlers, and write its own PID to the file /data/system/sys.server.id.
- Call SocketCmdManager to create the socket server, initialize it and listen continuously.
- Call NetManager to connect to the network and update the configuration file.
- Loop indefinitely, calling SocketCmdManager to receive and execute commands (the supported commands are shown in the figure above), until the signal handler receives a signal and sets the flag bTerminate to 1.
- On receiving the stop signal, call each class's destructor and exit.
The code of the whole run loop is as follows:
Figure 23: code of the agentsysline daemon's run loop
2、 Countermeasures and trends
Compared with the Oldboot samples found earlier, the new variants have changed in many respects, and the changes aimed at anti-virus software, at virus analysts and at automated analysis tools are especially significant. They are mainly reflected in the following:
- Concealment is greatly improved. On the one hand, once the meta_chk process has started it deletes its own file from the file system and keeps only the process. Today's popular Android anti-virus products do not scan process memory, so they cannot find or delete a memory-resident Oldboot. On the other hand, the boot_tst file uses remote code injection to inject a .so file and a JAR file into system_server. Injection of this kind is relatively mature on Android, and we expect the author of Oldboot to combine the two techniques into a Trojan that has neither a process nor a file of its own. Such a Trojan may already exist; we just have not found it yet.
- The code of the Oldboot ELF files is no longer readable at a glance: it is stored encrypted and decrypted at run time before execution. Almost all strings used by the programs are encrypted too, as is the configuration file. The extensive use of these anti-disassembly techniques obstructs analysts and greatly increases the time needed for analysis.
- Oldboot uses measures such as inserting meaningless code and triggering some behaviours at random to resist dynamic analysis.
- Oldboot checks environment properties at run time: for example, meta_chk checks its execution path and refuses to run if it is not the expected one, and it checks the SIM card information and skips some behaviours if no SIM card is present. These run-time checks cause some sandboxes and emulators to observe no malicious behaviour at all, resulting in false negatives.
- Oldboot detects installed anti-virus software and either uninstalls it or stops it and restarts it afterwards; the latter is stealthier and leaves the user unaware. In particular, the author of agentsysline evidently considered that 360 is the largest security company in China and 360 Mobile Safe the mobile security product with the largest market share, since the code only includes the uninstallation of 360 Mobile Safe; this is a serious challenge for 360's security engineers.
Figure 24: agentsysline uninstalling 360 Mobile Safe and stopping its RPC server
- Oldboot uses steganography to hide itself. Steganography is a powerful information-hiding technique, reportedly used for covert communication in connection with the 9/11 attacks in the United States. We found that the file downloaded by meta_chk's network update looks like a picture; on closer analysis, the Trojan's configuration file is hidden inside the picture, including the commands the Trojan will execute and other information.
Figure 25: Trojan configuration file hidden in a picture
- The architecture of Oldboot is relatively complex and highly flexible. Many behaviours can be configured and controlled from the C&C server, sometimes at very fine granularity, and there is a great deal that can be done. The configuration file of meta_chk demonstrates this: it is 12508 bytes long and almost every byte has a distinct meaning. Remote-controlled Trojans of this kind are very hard to analyze completely, because different commands from the C&C server trigger different behaviours.
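The report says the picture downloaded by meta_chk's update hides the configuration file, and that .gprs.xml starts with the bytes "AZD", but it does not say how the data is embedded. The cheapest carrier technique, and therefore the first thing to check, is data appended after the image's end marker: a viewer still renders the file, while a magic-byte scan sees only a picture. The Python below is an added example, not this report's code, and the trailer technique is my assumption about the carrier, not a description of meta_chk's method: it walks JPEG marker segments (so an EXIF thumbnail inside an APP1 segment does not confuse it) and PNG chunks to find the true end of the image, reports any trailing bytes, and flags a trailer that starts with "AZD" on the inference that the hidden file is the same .gprs.xml format. The image bytes are constructed skeletons, not real pictures.

```python
"""Look for data appended after the end of an image, the simplest way a
'picture' can carry a second file. Added example, not the Trojan's code; the
trailer check is an assumption about the carrier technique, and the JPEG and
PNG bytes below are constructed skeletons (structurally complete, not viewable)."""
import struct
import zlib

CONFIG_MAGIC = b"AZD"   # the report says .gprs.xml starts with these bytes


def jpeg_end(data):
    """Offset just past the EOI marker of a JPEG, or None.
    Walks marker segments up to SOS, then scans entropy-coded data, in which a
    0xFF byte is always followed by 0x00 (stuffing) or an RSTn marker, until EOI."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                                   # lost sync
        marker = data[pos + 1]
        if marker == 0xFF:                                # fill byte
            pos += 1
            continue
        if marker == 0xD9:                                # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # standalone: TEM, RSTn
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                                # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                if data[pos] == 0xFF:
                    nxt = data[pos + 1]
                    if nxt == 0xD9:
                        return pos + 2
                    if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break                             # a real marker; resume segment walk
                pos += 1
    return None


def png_end(data):
    """Offset just past the IEND chunk of a PNG, or None."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                             # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def hidden_trailer(data):
    """Return (offset, trailer_bytes) if bytes follow the image end, else None."""
    end = jpeg_end(data) if data[:2] == b"\xff\xd8" else png_end(data)
    if end is None or end >= len(data):
        return None
    return end, data[end:]


def looks_like_oldboot_config(data):
    """True if the trailer starts with the .gprs.xml magic described in the report."""
    hit = hidden_trailer(data)
    return hit is not None and hit[1].startswith(CONFIG_MAGIC)


# Constructed carriers: a minimal JPEG (APP0, SOS, a little entropy data with a
# stuffed 0xFF00 and an RST0, EOI) and a minimal PNG (IHDR, empty IDAT, IEND).
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
               + b"\xff\xd9")


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", b"")
              + _chunk(b"IEND", b""))

if __name__ == "__main__":
    carrier = SAMPLE_JPEG + CONFIG_MAGIC + b"\x00" * 16   # constructed "config" trailer
    print(hidden_trailer(carrier), looks_like_oldboot_config(carrier))
```

If the trailer is empty, the data is inside the pixel data or a metadata chunk, and the only reliable extractor is the Trojan's own: the decryption routine in meta_chk that consumes the downloaded file.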
3、 Association analysis
One domain name meta_chk connects to is az.o65.org (no longer resolving). A simple 360 search for this domain shows that its IP was 61.160.248.67 and that many similar domain names are hosted on the same server. From the search engine's cache we found that their page titles are all "zkl90", so we can be fairly sure these domains are all meta_chk servers. Running so many domain names for a single component, meta_chk, takes considerable manpower and money, which gives an idea of the scale of the team behind Oldboot.
Figure 26: cached home page and domain list of the meta_chk server az.o65.org
4、 Solutions
We have released the first dedicated Oldboot removal tool. The download address is:
http://msoftdl.360.cn/mobilesafe/shouji360/360safesis/OldbootKiller_v2.apk
The tool scans an Android device deeply and accurately determines whether Oldboot or one of its variants is present. We have developed a new removal technique that effectively protects your phone from this hard-to-remove Trojan.
If your device is not yet supported, or the removal tool does not work properly on your phone, we suggest that you:
- Check regularly for updates to the removal tool; we will keep extending its defensive capabilities.
- After the removal tool has detected Oldboot, report your device model and the samples to us; this helps us develop removal code for your model faster.
- Join our Oldboot technical support QQ group, send us more information and get technical guidance from our emergency response engineers.
- Reflash the phone with the system ROM officially provided by the device manufacturer; after a complete reflash Oldboot should be gone.
- Since only devices whose system has been tampered with become infected with Oldboot, if our removal tool detects it you can also contact the phone's seller directly about after-sales service.
- Install 360 Mobile Safe and enable cloud scanning to resist the associated threats Oldboot brings.
5、 Discussion
As the first bootkit on the Android platform, Oldboot is symbolically significant: in the war between anti-virus software and Trojans it has opened up a new battlefield and a new era.
One reason for the rise of smartphones is the spread of high-speed networks. Android phones, the most popular smartphones on the market, are always connected. Android Trojan authors see this trend and increasingly keep much of their logic on the network, shipping only basic apps or ELF files to the user's phone; functions such as updating the configuration from the network or executing arbitrary commands as root are controlled by the Trojan's C&C server. The Oldboot family is a significant representative of this trend.
From what we have found so far, Oldboot is mainly used to install and promote apps silently, and it is highly configurable. This shows in several ways. First, the configuration files live on many domain names and servers, which are replaced frequently to keep them reachable, so Oldboot can always obtain fresh updates, whether to meet promotion needs or to respond to anti-virus detection. Second, the configuration file is extremely detailed: the download links of the apps, the paths and package names they are saved under after download, and so on are all configurable. Third, Oldboot anticipates a variety of adverse situations, such as the server address being hijacked through the hosts file, active defence by anti-virus software, and being uninstalled. Moreover, Oldboot uses bootkit technology to flash its basic modules directly into the boot.img of the phone's ROM, where they start as native services when the Android system boots, placing Oldboot at the lowest level of all pre-installed software. Taken together, the Oldboot family can be said to have perfected the malicious promotion of apps.
The essential feature of Oldboot is that it is the first Trojan to adopt bootkit technology and it is remotely controlled. Depending on the commands from the server, it can derive other behaviours at any time and turn into another type of Trojan, for example constructing fake SMS messages for advertising or phishing. Driven by profit, the Oldboot family evolves very quickly, constantly adjusting itself to cope with new situations. We will continue to follow its latest developments closely and provide protection.
6、 References
- [1] Oldboot: the first bootkit on Android platform, by Xiao Zihang, Dong Qing, Zhang Hao, Jiang Xuxian. http://blogs.360.cn/360mobile/2014/01/18/oldboot-the-first-bootkit-on-android.cn/