Oldboot.B: the application of Trojan hiding methods combined with bootkit technology

Posted by tetley at 2020-03-16

Author: iriqium, Zhao Runze, Jiang Xuxian

More than a month ago, we found Oldboot [1], the world's first Trojan to use bootkit technology on the Android platform. The Oldboot Trojan is embedded in the boot partition of the phone's ROM by means such as flashing the device. It runs in the early stage of Android system startup and carries out a series of malicious behaviors. We were therefore the first in the world to release an Oldboot removal tool, to help users detect and defend against the Oldboot Trojan.

Recently, we intercepted Oldboot.B, a new variant of the Oldboot Trojan family. Like Oldboot.A, it uses bootkit technology and installs apps silently. In particular, Oldboot.B uses a series of techniques to resist removal by anti-virus software and analysis by malware analysts: code encryption, anti-uninstall, injection into a system process, uninstalling or disabling the processes of anti-virus software, steganography and other functions. At the same time, the concealment of Oldboot.B has been greatly enhanced. Many countermeasures have been adopted, and some components achieve advanced features such as "no process" and "no process and no file". For details, please refer to the countermeasures and trend analysis in the second part. For the specific implementation of these functions, please refer to the code analysis in the first part. Many of the techniques used by Oldboot.B appear on the Android platform for the first time. Among all Trojans on the Android platform, at home or abroad, the technology used by the Oldboot family has always been leading, and the family represents the trend of malware on the Android platform. The analysis results make it easy to see that Oldboot is a large Trojan family with strict organization and a clear division of labor, written by professional programmers and driven by commercial companies. As the family has continued to evolve, we have developed new removal tools that can effectively detect, remove and defend against this bootkit.

1. Oldboot.B code analysis

At present, the most significant behavior of the Oldboot family is to receive instructions from the server, then download and install apps silently in the background without the user's permission, making a profit from app promotion fees. When an Android device is infected with Oldboot, users will often find software and games in the system that they did not install.

The new variants of the Oldboot family discovered this time are closely related, in both code and function, to imei_chk and the other files (Oldboot.A) we found before.

Figure 1: overview of Oldboot.A

The figure above lists the files related to Oldboot.A. As mentioned in the analysis report [1] we published earlier, the imei_chk file starts up by registering a service in init.rc. After running, it releases two other Trojan files, Google kernel.apk and libgoogle, which cooperate with each other to carry out malicious behavior. If you want to know more about them, please refer to the analysis report we published before [1].

Figure 2: overview of Oldboot.B

The figure above describes the new variants of the Oldboot Trojan we found recently. The main files of these new variants start themselves in the same way as Oldboot.A: they are written into initrd, registered as a service in init.rc, and then flashed into the boot image of the phone's ROM. They also have similar functions, such as continuously monitoring sockets, receiving instructions and executing them. In particular, the boot_tst file in the new variant releases a file named, part of which has the same code as the file in Oldboot.A.

By functional independence, the new Oldboot variant can be roughly divided into four parts:

1. A collection of files based on boot_tst, which remotely injects code into the system_server process of the Android system. It continuously listens on a socket and executes the instructions sent to it. The related files include the following:

2. A collection of files based on meta_chk, which updates its configuration files over the network, silently downloads and installs the promoted Android apps, opens a back door and executes remote instructions. The related files include the following:

3. The /sbin/adb_server file, which replaces the pm file of the Android system to implement anti-uninstall.

4. A collection of files based on agentsysline, written in C++ with a complex architecture. It runs in the background as a daemon, receiving instructions, uninstalling anti-virus software, deleting files, enabling or disabling network connections and performing other functions. The related files include the following:

(1) The part represented by boot_tst

As with other Trojans in the Oldboot family, boot_tst starts at boot by modifying the boot configuration script init.rc. The following lines will be attached to the end of the init.rc file:

After boot_tst is run, the behavior logic is roughly as shown in the following figure:

Figure 3: execution flow of boot_tst

As shown in the figure above, the whole execution process is completed by two parts: the code in the boot_tst process and the code injected into the system_server process. After the remote injection is completed, the two parts of the code communicate through a socket.

The operation process of the code in the boot_tst process is basically as follows:

Figure 4: obtaining the PID of system_server and injecting the code

Figure 5: Code for remote injection

Figure 6: listening to the socket and executing the instructions sent

The commands received by the socket of adb6 can be divided into two groups. The related data structure is shown in the following figure:

Figure 7: instruction distribution data structure

The two groups of commands are:

The code of file is based on file of oldboot in the previous report. The obvious change is to use curl, cjson and other libraries to realize networking update and configuration file analysis.

The code injected into the system_server process is executed from the export function hook? Thai? JRC? Init of the file. The main process is as follows:

Figure 8: loading leejar.jar using DexClassLoader and calling the jar's method

Figure 9: leejar creates a socket server in the system_server process to listen for instructions

Figure 10: leejar connects to the socket server monitored by boot_tst and writes instructions

The boot_tst process sends the following instructions, through a socket, to the socket server created by leejar in system_server:

(2) The part represented by meta_chk

meta_chk also starts itself by modifying the init.rc script. One of the main differences between the two versions of meta_chk is that one registers a socket named adb2 in init.rc and listens on that socket in its code, while the other creates a socket server in its code and listens on local port 23332.
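The init.rc persistence described here and in section (1) can be checked by parsing the script's service stanzas. The following is an added example, not code from the original report or the removal tool; the component and socket names come from this article, while the /sbin paths in the sample, the stanza options and the stock allow list are assumptions constructed for illustration.

```python
# Names and sockets come from this article; STOCK_SBIN is an assumed allow list.
SUSPECT_NAMES = {"boot_tst", "meta_chk", "imei_chk", "agentsysline", "adb_server"}
SUSPECT_SOCKETS = {"adb2", "adb6"}
STOCK_SBIN = {"/sbin/adbd", "/sbin/ueventd", "/sbin/healthd", "/sbin/watchdogd"}

# Constructed init.rc excerpt (paths and options invented, not from a real sample).
SAMPLE_INIT_RC = """\
service adbd /sbin/adbd
    socket adbd stream 660 system system
on boot
    class_start core
service boot_tst /sbin/boot_tst
service meta_chk /sbin/meta_chk
    socket adb2 stream 666 root root
"""

def parse_services(init_rc):
    """Return one dict (name, path, sockets) per 'service' stanza."""
    services, current = [], None
    for raw in init_rc.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "service" and len(tokens) >= 3:
            current = {"name": tokens[1], "path": tokens[2], "sockets": []}
            services.append(current)
        elif tokens[0] in ("on", "import"):
            current = None  # a new section closes the service stanza
        elif current is not None and tokens[0] == "socket" and len(tokens) >= 2:
            current["sockets"].append(tokens[1])
    return services

def audit(init_rc):
    """Return [(service name, [reasons])] for stanzas worth a manual look."""
    findings = []
    for svc in parse_services(init_rc):
        reasons = []
        if {svc["name"], svc["path"].rsplit("/", 1)[-1]} & SUSPECT_NAMES:
            reasons.append("name matches an Oldboot component")
        if SUSPECT_SOCKETS.intersection(svc["sockets"]):
            reasons.append("socket name used by Oldboot")
        if svc["path"].startswith("/sbin/") and svc["path"] not in STOCK_SBIN:
            reasons.append("non-stock binary under /sbin")
        if reasons:
            findings.append((svc["name"], reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INIT_RC))
```

Run it against the init.rc extracted from the device's boot image rather than the live file system, since the ramdisk copy is the one that persists across reboots.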

The execution logic of meta_chk is shown in the following figure:

Figure 11: execution flow of meta_chk

As shown in the figure above, the main execution flow of meta_chk is as follows:

Figure 12: start updatenoservice

Figure 13: checking the runtime path and deleting its own file

Figure 14: Download Trojan file and execute

Figure 15: Download and install apk

Figure 16: listening for socket and executing corresponding instructions

Interestingly, meta_chk also verifies the RSA signature of any client app that connects to its socket server. It executes a command only when the content of the client app's signature file matches binary data hard-coded in meta_chk. Some anti-virus software and dedicated removal tools turn a Trojan's own weapon against it: they directly call functions provided by the Trojan in order to delete it. This verification mechanism makes that approach no longer feasible.

Figure 17: meta_chk verifying the client signature

(3) The /sbin/adb_server file

The adb_server file replaces the /system/bin/pm file of the Android system. It mainly hooks the pm uninstall command. If it finds that the app being uninstalled is one of its promoted apps, it does not perform the uninstall and instead outputs the string "success", which indicates a successful operation, to deceive the user. This achieves the anti-uninstall effect.

adb_server also resides in the ramdisk of the boot image. Instead of being started from init.rc, it is copied into place by meta_chk, replacing pm. The replacement process is shown in the following figure:

Figure 18: replacing the system's pm file with adb_server

When a user or program calls the pm command, the file actually executed is adb_server. After adb_server starts, it carries out some necessary initialization, such as setting its UID and GID to root, checking the environment variable LD_LIBRARY_PATH, and checking whether the parent process is a shell process.

Figure 19: initialization checks of adb_server

Then adb_server checks whether the subcommand is uninstall. If so, it obtains the command parameter, that is, the name of the package to be uninstalled, and compares it one by one with the package names in the list built into the adb_server file. If the built-in list contains the package currently being uninstalled, adb_server returns immediately and outputs the deceptive string "success".

Figure 20: adb_server checks whether the pm subcommand is uninstall and outputs the deceptive string "success"

Figure 21: checking whether the package to be uninstalled is a promoted app
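Two checks follow from the behavior described in this section: whether /system/bin/pm is still the stock launcher, and whether an uninstall that reported success actually removed the package. This is an added example, not code from the original report or the removal tool. It assumes that the stock pm is a text script starting com.android.commands.pm.Pm, that the replacement is a native ELF binary, and that the package listing is collected after the uninstall attempt; the sample bytes and package names are constructed.

```python
import re

# Constructed samples: a stock-style pm launcher script and an ELF header prefix.
STOCK_PM = (b'# Script to start "pm" on the device\nbase=/system\n'
            b'export CLASSPATH=$base/framework/pm.jar\n'
            b'exec app_process $base/bin com.android.commands.pm.Pm "$@"\n')
REPLACED_PM = b"\x7fELF\x01\x01\x01" + b"\x00" * 9

def classify_pm(data: bytes) -> str:
    """Classify the content of /system/bin/pm pulled from a device."""
    if data[:4] == b"\x7fELF":
        return "elf"            # native binary where a launcher script is expected
    if b"\x00" not in data and b"com.android.commands.pm.Pm" in data:
        return "stock-script"   # text launcher for the Java pm implementation
    return "unknown"

def installed_packages(listing: str) -> set:
    """Parse 'package:<name>' lines, the format printed by `pm list packages`."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", listing, re.M)}

def uninstall_was_faked(pm_output: str, listing_after: str, package: str) -> bool:
    """True if pm claimed success but the package is still installed afterwards."""
    claimed = pm_output.strip().lower() == "success"
    return claimed and package in installed_packages(listing_after)

def assess(pm_bytes, pm_output, listing_after, package):
    """Combine the static and behavioral checks into a list of findings."""
    findings = []
    if classify_pm(pm_bytes) != "stock-script":
        findings.append("pm is not the stock launcher script")
    if uninstall_was_faked(pm_output, listing_after, package):
        findings.append("uninstall of %s reported success but had no effect" % package)
    return findings

if __name__ == "__main__":
    after = "package:com.example.promoted\npackage:com.android.settings\n"
    print(assess(REPLACED_PM, "success\n", after, "com.example.promoted"))
```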

(4) The part represented by agentsysline

Depending on the parameters passed in, agentsysline can act as a su-like program that calls the shell to execute various instructions with root permission, but the Trojan author has not fully implemented this function and it cannot be used normally. The main function of agentsysline is therefore to run in the background as a daemon service, receiving and executing instructions sent by the remote server or by other local programs.

agentsysline is a multithreaded application written in C++. Its main functional modules are encapsulated in C++ classes, with excellent architecture design. Although the program creates up to 15 threads, synchronization between threads and related operations are handled well. From the code, we can see that the Trojan writer is a senior Linux developer.

The main functions of agentsysline are encapsulated in six C++ classes

The general relationship between these C++ classes is shown in the following figure:

Figure 22: behavior logic diagram of agentsysline

The main operation process of agentsysline is as follows:

The code of the whole running process is as follows:

Figure 23: code that runs the agentsysline daemon

2. Confrontation and trend

Compared with the Oldboot samples found before, the new variants of the Oldboot family have changed in many ways. The changes are particularly significant in how they counter three things: anti-virus software, malware analysts and automated analysis tools. They are mainly reflected in the following aspects:

Figure 24: agentsysline uninstalling 360 Mobile Guard and stopping Mobile Guard's RPC server

Figure 25: Trojan configuration file hidden in the picture

3. Association analysis

A domain name that meta_chk will connect to is (invalid). A simple search through 360 Search finds this domain name. Its IP is There are many similar domain names on this IP server. Through the search engine's cache, we found that their titles are "zkl90". Therefore, we can basically determine that these domain names are meta_chk's servers. Maintaining so many domain names for a single component, meta_chk, takes a lot of human and financial resources, which shows the scale of the production team behind the Oldboot Trojan.

Figure 26: homepage cache and domain name list of the meta_chk server

4. Solutions

At present, we have exclusively released the world's first Oldboot removal tool. The download address is:

This removal tool scans Android devices deeply and accurately to determine whether Oldboot or its variants are present. We have developed a new removal technology that can effectively protect your mobile phone from the attack of this "immortal" Trojan.

If your device is not currently supported or the removal tool is not working properly on your phone, we suggest you:

5. Discussion

As the first bootkit on the Android platform, Oldboot has symbolic significance. In the war between anti-virus software and Trojans, it has opened up a new battlefield and a new era.

One of the reasons for the rise of smartphones is the popularity of high-speed networks. Android phones, as the most popular smartphones on the market, are always connected to the network; this is a basic feature. Authors of Android Trojans see this trend and are more and more inclined to keep a large amount of information on the network, providing only a basic app or ELF file on the user's phone. Functions such as updating the configuration over the network and executing arbitrary commands with root permission are controlled by the Trojan's C&C server. The Oldboot family is a significant representative of this trend.

From what has been discovered so far, Oldboot is mainly used to install and promote apps silently, and it is highly configurable. This can be seen in the following aspects. First, there are many domain names and servers hosting the configuration files, and they are replaced often to ensure they stay reachable, so that the Oldboot Trojan can always be updated to meet promotion needs or to deal with removal by anti-virus software. Second, the configuration file is extremely complex: the download link of an app, the path where it is saved after downloading, the package name and so on are all configurable. Third, the Oldboot Trojan accounts for a variety of unexpected situations, such as the server address being hijacked through the hosts file, active defense by anti-virus software, and being uninstalled. Moreover, Oldboot uses bootkit technology to flash its basic function modules directly into the boot image of the Android phone's ROM, where they start as a native service when the Android operating system boots. This places the Oldboot Trojan at the lowest level among pre-installed software. Based on the above points, it can be said that the Oldboot family takes the malicious promotion of apps to its extreme.

The essential feature of the Oldboot Trojan is that it is the first in the world to adopt bootkit technology while also having remote control capability. Depending on the instructions from the server, it can take on other behaviors at any time and transform into other types of Trojan, for example constructing fake SMS messages for advertising promotion or phishing attacks. Driven by profit, the Oldboot family evolves very fast, constantly adjusting itself to cope with various situations. We will continue to pay close attention to its latest development and provide security protection.

6. References