Mobile Virus

Android/RootSmart.A!tr.dldr

Analysis

Android/RootSmart.A!tr.dldr is a Trojan which targets Android phones with versions greater or equal than 2.3.4.
The malware has been reported in alternative Android chinese markets. It trojans a legitimate phone settings application, named QuickSettings, which is found in Google's Android Market.

Figure 1. Android/RootSmart looks like the genuine QuickSettings application. So far, it has only been reported in Chinese markets.
The malware downloads an exploit package, roots the phone, and downloads and install subsequent malware, all without user's consent.


Technical Details


The malicious classes are located in the path com.google.android.smart. When the application is launched, the activity FcbakeLauncherActivitcy (misspelled like in the code) is started. This activity launches the main malicious service, McbainServicce, with the argument action.host_start.
The McbainService is the main malicious service. It processes various actions:
  • action.host_start: marks the malware as started
  • action.boot: set an alarm (1min) to check the phone is rooted
  • action.shutdown
  • action.screen_off
  • action.install: start a thread named l that locates a local directory named "shells", and inside that directory locate two files named exploit and installapp. Make those file executable (chmod 755) and execute them.
  • action.installed: starts a thread named u that finished the installation.
  • action.check_live: checks the status of the application
  • action.download_shells: start a thread named i, that downloads a file named shells.zip from a remote server, check its MD5 and unzip the file.
  • action.exploid: same as action.install, except it starts a thread named f that looks for "shells" and "exploit".
  • action.first_commit_localinfo
  • action.second_commit_localinfo
  • action.load_taskinfo: retrieve device's IMEI and posts the information to a remote server.
  • action.download_apk: starts a thread named t that will download a package from a remote server and check its MD5
All files are downloaded from a remote server whose host name is encrypted and hidden in a raw resource (data_3). The encryption algorithm is AES, and the key is generated randomly out of a pseudo-random generator based on SHA1 and seeded with the package_id parameter.
The decrypted URL is:
go.[CENSORED].com

The shells.zip file is downloaded from URL:
go.[CENSORED].com/androidService/resources/commons/shells.zip
The MD5 of this file is: 6bb75a2ec3e547cc5d2848dad213f6d3.
The subsequent APK is downloaded from URL:
go.[CENSORED].com/<app_download_url>
where app_download_url is a field of the shared preferences file. The MD5 of this file is checked against app_file_md5 field, in the shared prefs.
The malware posts information to
go.[CENSORED].com/androidService/services/AndroidService
Posted information contains the following:
  • IMEI
  • IMSI
  • TYPE_TEL, PACKAGE_ID, PACKAGE_LEVEL, VERSION_USER, PACKAGE_NAME: corresponds to the same fields in the preferences file.
  • VERSION_OWN
Those fields are posted using the following format:
Name1,Value1&Name2,Value2& ...

Shared preferences are stored in mms_localinfo.xml and mms_settings.xml:
# cat mms_localinfo.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="TYPE_TEL">sdk</string>
<string name="IMEI">000000000000000</string>
<string name="PID">9009022</string>
<string name="VERSION_TEL">2.3.3</string>
<string name="VERSION_OWN">1.4</string>
<string name="IMSI">89014103211118510720</string>
<string name="MNC">26</string>
<string name="INSTALL_TYPE">1</string>
<string name="MCC">31</string>
<string name="PACKAGE_ID">1004</string>
<string name="PACKAGE_LEVEL">1</string>
<string name="VERSION_USER">??????</string>
<string name="PACKAGE_NAME">com.google.android.smart</string>
</map>
# cat mms_settings.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<long name="first_start_time" value="1043225" />
<string name="pid">9009022</string>
<string name="package_id">1004</string>
<long name="last_check_live_time" value="1328868778001" />
<string name="install_type">1</string>
<string name="imei">000000000000000</string>
<long name="first_submit_localinfo_time" value="1328868609220" />
</map>

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.