Data Security

Android Malware Promises Porn, but Roots Device and Installs Other Malware

Android malware is not unusual; we’ve even seen it pop up in Google’s Marketplace app on several occasions. Increasing in both sophistication and stealthiest, Android malware has mostly been a nuisance on third-party marketplaces, such as in China, where it continues to thrive.

Why third party marketplaces?

As Google’s Bouncer does a pretty good job at identifying malicious apps – for the most part – Android malware is usually harbored on third-party marketplaces. Most Android users sideload apps, mainly to avoid paying for premium apps or because they simply don’t have access to the official Google Play store.

Android leads the smartphone OS sales market share with over 76 percent in China alone, according to reports, and this translates into millions of users actively installing apps outside Google Play. Whether such apps are vetted is a matter of speculation, and this is one reason why most malware Is hosted on such marketplaces.

Android Matrix Trojan – Old Threat, New Tricks.

This type of malware has been reported for a while now, but recently it has been surfacing bundled with some new apps and featuring some new behavioral tricks.

Disguised as an app called VideoCharm, it lures users by saying that it enables them to view porn-related videos. However, it also repeatedly prompts the user to install other apps – sometimes even different versions of the same app – that are malicious. If you hit “Cancel,” the popup will disappear for a while, but it will show up again prompting the installation of other apps.

Content displayed by app

When the user starts the applications, the dropper with the MD5: 27ad60e62ff86534c0a9331e9451833d, decrypts the “s_p_tqvrzgtnzk” file from the “assets” folder of the application with the “1452760219951” key, resulting in a malicious apk file (for e.g. MD5: 78fbac978d9138651678eb63e7dfd998). This seems to be an extra layer of protection to avoid detection by security scanners.

Encrypted file and the decryption key

The app displays a list of porn videos from an attacker-controlled server, and downloads four zip files on the SD card, in the “sdcardijimupush.res” location.

What’s even more interesting is that the four zip files are used for rooting the host device (DevRoot2.zip, base_ge4.3.zip, base_lt4.3.zip, winkle.zip) so that it can manipulate system files and update its own app without asking for permission.

URLS pointing to zip files containing exploits

These four files contain system exploits for various Android distributions. If, for instance, it detects the Android API 18 or lower, it uses the dev_root, dev_root2, loss_4.3, or symlink-adbd packages. It also spots if the device is running Android API 18 and Android API 19 so it can use CVE-2015-3636, CVE-2015-1805 or larger4.3. The interesting part is that there are three other exploits, such as winkle, DevRoot2, and Huawei-Hisilicon. To this end, it’s safe to speculate that the attackers are targeting popular Android distributions, such as Lollypop, Jelly Bean and KitKat, in the hopes of infecting and rooting as many as possible.

List of exploits for rooting the device

Interestingly, when using the CVE-2015-3636 exploit it performs some additional validations of the device. It checks whether it runs in a virtual machine, whether it’s a 32 or 64 bit processor, and if it’s a Lenovo Android device. If so, it then deletes three “bin” files (“nac_server”, “nac_ue”, and “nds”).

While some of the installed apps are usually porn related, there’s the occasional exception where it downloads apps with cat images (see image below). However, most involve some sort of nudity and explicit content.

App that displays cat images

While the JSON pulled from the attacker-controlled server contains information about the name of each package to be downloaded, the URL from where to download it, and a unique ID, it’s noteworthy that not all security vendors detected some of these malicious packages, at the time of this analysis. Particularly, the v9_2016032401.apk was not detected by any security vendor.

JSON example with information on fetched packages

The malware also records its every activity in a log file (“root_trace”) that keeps a detailed record of which exploits were used in the rooting process and which one succeeded.

Takeaway

We all know that malware is constantly evolving – may it be for Android or PC – and this latest variation of the Android Matrix Trojan proves just that. It’s highly recommended that everyone should download and install amobile security solution that able to identify such threats, and make sure that all apps are downloaded from trusted sources (e.g. Google Play). Sideloading apps from third party marketplaces brigs forward security risks that could compromise your personal and private data.

Some Trojan.Matrix MD5 samples:

7a779f60cd0815d7bafb2bf8a5a1b90a

0de3e97341efb2e9e31aaac423d98e05

4568962381510c0e46004f647f86c883

ecc36b9d4a9904a545090bfc4266994c

86f188fcc7e9c6c1d09eae13127fdad6

818ccec49b0533e7822e89f69ee0f46a

9d02787ad7b85d844e003696c236330c

7de1ab79d321e7c684d747239f569a1b

5db04de338b58529921d66dad232c845

8731e6f812a9a006c1c56d073d0b27d2

 

Note: This article is based on technical information provided courtesy of Bitdefender Researchers Adina Mateescu and Alin Barbatei.

Source: .hotforsecurity.com

To Top

Pin It on Pinterest

Share This