{"id":8275,"date":"2017-07-09T06:40:12","date_gmt":"2017-07-09T14:40:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/09\/news-2049\/"},"modified":"2017-07-09T06:40:12","modified_gmt":"2017-07-09T14:40:12","slug":"news-2049","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/09\/news-2049\/","title":{"rendered":"Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part III"},"content":{"rendered":"

Credit to Author: Kai Lu| Date: Sun, 09 Jul 2017 14:00:00 +0000<\/strong><\/p>\n

\n

In this final blog in the Rootnik series we will finish our analysis of this new variant. Read Part 2 here<\/a><\/p>\n

Let’s start by looking into the script shell rsh.<\/p>\n

Analysis of the script shell<\/h2>\n

Through our investigation we are able to see how the script shell works:<\/p>\n

    \n
  1. First, it writes the content of the file .ir into \/system\/etc\/install-recovery.sh. The file install-recovery.sh is a startup script. When the android device is booted, the script can be executed.<\/li>\n<\/ol>\n

    \"\"<\/p>\n

    The following is the content of the file .ir.<\/p>\n

    \"\"<\/p>\n

      \n
    1. Next, it writes some files into the folder files\/.snow\/, and into the system folders \/system\/bin\/ and \/system\/xbin\/.<\/li>\n<\/ol>\n

      \"\"<\/p>\n

        \n
      1. It then installs six system apps in the folder \/system\/priv-app\/.<\/li>\n<\/ol>\n

        \"\"<\/p>\n

          \n
        1. It then generates busybox into the folder \/system\/bin\/, .rainin into the folder \/system\/xbin\/, and library libsoon.so into the folder \/system\/lib\/.<\/li>\n<\/ol>\n

          \"\"<\/p>\n

            \n
          1. It then replaces the Android system’s executable file debuggerd.<\/li>\n<\/ol>\n

            \"\"<\/p>\n

            The following is the content of the file .dg.<\/p>\n

            \"\"<\/p>\n

              \n
            1. Next, it executes some executable files in the folder \/system\/bin\/ and \/system\/xbin\/ and then generates a new device policy file.<\/li>\n<\/ol>\n

              \"\"<\/p>\n

              The following is the content of the file a.xml.<\/p>\n

              \"\"<\/p>\n

              I next analyzed the ELF file .rainin in the folder \/system\/xbin\/. It’s used to inject the library libsoon.so into the processes vold, netd, as well as zygote.<\/p>\n

              \"\"<\/p>\n

              Figure 1.  The function injecting libsoon.so in process<\/p>\n

              The following is the key code snippet in the function  sub_94C8(int a1, const char *a2, char *a3, char *a4).<\/p>\n

              \"\"<\/p>\n

              Figure 2. The key code snippet in the function  sub_94C8<\/p>\n

              The following is the log file after executing the ELF file \/system\/xbin\/.rainin<\/p>\n

              \"\"<\/p>\n

              Figure 3. The log file after executing \/system\/xbin\/.rainin<\/p>\n

              When the .so injection is successful, it can invoke the function solib_entry in libsoon.so.<\/p>\n

              \"\"<\/p>\n

              Figure 4. The function solib_entry in libsoon.so<\/p>\n

              The definition of the function checkInstallRecoveryEtc() is shown below.<\/p>\n

              \"\"<\/p>\n

              Figure 5. The function checkInstallRecoveryEtc()<\/p>\n

              It checks the mode of some binary files as well as some installed apps. It then restores InstallRecovery script, and checks to see if the SU daemon is running. Finally, it checks to see if the app “com.fly.me.ssp.be” has been installed. If not, it could run this app.<\/p>\n

              The ELF file \/system\/bin\/.author is a su binary. The following is its usage:<\/p>\n

              \"\"<\/p>\n

              Figure 6. The usage of \/system\/bin\/.author<\/p>\n

              Looking into the installed apps<\/h2>\n

              As shown in Tables 1 and 2 in Part II of this blog series, the malware app is able to launch some activities in the installed app. Combining them with the installed apps in script shell rsh, we have listed these installed apps as follows:<\/p>\n

              \"\"<\/p>\n

              Table 1. The list of installed apps<\/p>\n

              From column labeled  “Detection” you can see that Fortinet’s AV engine has detected and identified them as malware.<\/p>\n

              You can also see that most of them were installed in the system app folder \/system\/priv-app\/. The other two apps were installed in the folder \/data\/app\/ through the command “pm install”.<\/p>\n

              The APK files listed in Table 1 can be generated by two methods: via http request and by being hard-coded. Regardless of whether the hard-coded or http request method is used, the data generated is decrypted. The two decryption algorithms used are shown in the Appendix at the end of this blog.<\/p>\n

              Additionally, we also found that more apps (including, but not limited to the following) had been installed in the folder \/system\/priv-app\/.<\/p>\n

              \"\"<\/p>\n

              Figure 7. Apps installed in folder \/system\/priv-app\/ by the malware<\/p>\n

              We also found that a large number of apps (including, but not limited to the following) had been installed in the folder \/data\/app\/.<\/p>\n

              \"\"<\/p>\n

              Figure 8. Apps installed in folder \/data\/app\/ by the malware<\/p>\n

              Malicious Behaviors Observed<\/h2>\n

              The Rootnik malware performed a number of malicious behaviors. These include, but are not limited to the following:<\/p>\n

                \n
              1. App and ad promotion<\/u><\/li>\n<\/ol>\n

                In addition to gaining root privileges on the device, the rootnik malware promotes apps and ads to generate revenue for its creator. Its app and ad promotion is especially aggressive and annoying to the user. The following are some screenshots of its app promotion:<\/p>\n

                \"\"<\/p>\n

                Figure 9. The screenshots of app promotion<\/p>\n

                  \n
                1. Normal and silent app installation<\/u><\/li>\n<\/ol>\n

                  The following is the screenshot of normal app installation and silent app installation.<\/p>\n

                  \"\"<\/p>\n

                  Figure 10. The screenshots of normal and silent app installations<\/p>\n

                    \n
                  1. Push notifications<\/u><\/strong><\/li>\n<\/ol>\n

                    The malware pushes a notification and induces the user to click it.<\/p>\n

                    \"\"<\/p>\n

                    Figure 11. Push notification<\/strong><\/p>\n

                      \n
                    1. Sends SMS messages <\/u><\/li>\n<\/ol>\n

                      The malware can send SMS messages to aspecific subscription number and then delete it in the SMS box. It can also send an SMS message through adb command.<\/p>\n

                        \n
                      1. Downloads files<\/u><\/li>\n<\/ol>\n

                        We found that many files and folders were also downloaded in folder \/sdcard\/. They include apk files, pictures, log files, etc. These files are generated by the installed apps, and some of them perform malicious behaviors.<\/p>\n

                        \"\"<\/p>\n

                        Figure 12. Files and folders dropped into folder \/sdcard\/<\/p>\n

                        Workflow of Rootnik<\/h2>\n

                        Finally, I drew the following workflow diagram of how the new Android Rootnik variant works.<\/p>\n

                        \"\"<\/p>\n

                        Figure 13. An overview of the Android Rootnik malware’s workflow<\/p>\n

                        Solution<\/h2>\n

                        The malware sample is detected by Fortinet Antivirus signature Android\/Rootnik.AE!tr.<\/p>\n

                        The traffic communicating with remote C2 server can be detected by Fortinet IPS signature Android.Rootnik.Malware.C2.<\/p>\n

                        Summary<\/h2>\n

                        From the analysis, we can see that this new Rootnik variant is able to disguise itself as a legal app. The developer of the malware app was able to repackage a legal app from Google Play and insert malicious codes into it. This disguise can trick even careful users.<\/p>\n

                        Additionally, this new variant is rather powerful and uses advanced anti-debugging techniques to prevent reversing engineering, as well as different types of encryption for files and strings. The malware also uses some open-sourced Android root exploit tools and the MTK root scheme from dashi root tool to gain root access on the Android device. The root exploits can be downloaded from a remote http server. It’s also easy for the developer to update the root scheme of this malware and extend its functionality. Finally, after successfully gaining root privileges on the device, the rootnik malware can perform a variety of malicious operations, including app and ad promotion, silent app installation, and pushing notifications and sending SMS messages, etc. <\/p>\n

                        Appendix<\/h2>\n

                        Rootnik Malware Sample<\/strong><\/p>\n

                        Package Name:  net.gotsun.android.wifi_configuration<\/p>\n

                        SHA256:  42e2e975edc9972c37bfc13742cd83e43eca3d708e5ea087a0a1fcaf63cbae09<\/p>\n

                        Additional APK files dropped into system partition by Rootnik malware<\/strong><\/p>\n

                        Package Name: com.para.android.power<\/p>\n

                        SHA256: 80e4c74758207df2cf495c4afcfb6aa7e8bd3b67443a7804f43ccc21f9d5b167<\/p>\n

                        Package Name: com.facebook.application<\/p>\n

                        SHA256: e512260cb90aa2bc915d53bd9003a0452a856c1e9694c023baf8de6bd6b7e2ae<\/p>\n

                        Package Name: com.android.service.power.on<\/p>\n

                        SHA256: 1a4534ce4b89bdace361ad6c26e75c06e44d95004a87e8ab990982d5f54c6135<\/p>\n

                        Package Name: com.android.fk.json.tool<\/p>\n

                        SHA256: 2d4caa4a5e26e2cfdb217d9d41c206746b5ff0c0a095d7c2e4858f233d6625c3<\/p>\n

                        Package Name: com.fly.me.ssp.be<\/p>\n

                        SHA256: e72e49fca9a0e3a6de8168f40fc9e4b28c8baf27d00a73127263541c7022cd71<\/p>\n

                        Package Name: org.app.info.grate<\/p>\n

                        SHA256: 9604f15fb36abf47566269b9c741bc41112dd66c4b06febf21980c2d6e581637<\/p>\n

                        Package Name: com.android.tools.receiver<\/p>\n

                        SHA256: 843603e582f0453acce0de8b9443c5a9e2c551ddbab7c9aa480ce44da47c5ab0<\/p>\n

                        Package Name: com.android.upon.hash<\/p>\n

                        SHA256: 6834bd13f87d6dbb67210838ec7c44e33bb65342091634d614a2868164089125<\/p>\n

                        Package Name: com.setting.dysdtool<\/p>\n

                        SHA256: e5f727bca0b9900bcc3124e9df6d83b32df1306acfaeb40551b2b47746a36959<\/p>\n

                        Package Name: com.sang.you.mima.yuanhou<\/p>\n

                        SHA256: 9f74ab6a92848fcc7861f9fc00b0db3260db0809bc16c519fbcdf644030c72a8<\/p>\n

                        Package Name: com.music.cloud.app.player<\/p>\n

                        SHA256: e48dfb52676a66ee83221fe517408e56dff1fbcf4ee2392d18a8aa31cdcedc9b<\/p>\n

                        Package Name: com.android.shopping.eupdate<\/p>\n

                        SHA256: 7a27c887c26e068ca28188574b6d731587360f24bcd03033b01e42afb16585e5<\/p>\n

                        C2 Servers<\/strong><\/p>\n

                        api[.]gadmobs.com<\/p>\n

                        t[.]eqqsl.com<\/p>\n

                        t[.]pkqqsl.com<\/p>\n

                        t[.]plsskq.com<\/p>\n

                        t[.]wqctkq.com<\/p>\n

                        gp[.]miaoxia123.com<\/p>\n

                        sh[.]pencilli.com<\/p>\n

                        down[.]zigyfdeb.com<\/p>\n

                        down[.]smykttum.com<\/p>\n

                        sys[.]appsolo.net<\/p>\n

                        sys[.]gadmobs.com<\/p>\n

                        sys[.]iappzone.net<\/p>\n

                        sys[.]alowcar.com<\/p>\n

                        The decryption program for the hard-coded method<\/strong><\/p>\n