Android/RootSmart.A!tr.dldr
Analysis
Android/RootSmart.A!tr.dldr is a Trojan which targets Android phones running
version 2.3.4 or later.
The malware has been reported in alternative Chinese Android markets.
It trojanizes a legitimate phone settings application, named QuickSettings,
which is found in Google's Android Market.
Figure 1. Android/RootSmart looks like the genuine QuickSettings application. So far, it has only been reported in Chinese markets.
The malware downloads an exploit package, roots the phone, and downloads and
installs subsequent malware, all without the user's consent.
Technical Details
The malicious classes are located in the package path com.google.android.smart. When the application is launched, the activity FcbakeLauncherActivitcy (misspelled as in the code) is started. This activity launches the main malicious service, McbainServicce, with the argument action.host_start.
The McbainService is the main malicious service. It processes various actions:
- action.host_start: marks the malware as started
- action.boot: sets a one-minute alarm to check whether the phone is rooted
- action.shutdown
- action.screen_off
- action.install: starts a thread named l that locates a local directory named "shells" and, inside that directory, two files named exploit and installapp. It makes those files executable (chmod 755) and executes them.
- action.installed: starts a thread named u that finishes the installation.
- action.check_live: checks the status of the application
- action.download_shells: starts a thread named i that downloads a file named shells.zip from a remote server, checks its MD5 and unzips the file.
- action.exploid: same as action.install, except it starts a thread named f that looks for "shells" and "exploit".
- action.first_commit_localinfo
- action.second_commit_localinfo
- action.load_taskinfo: retrieves the device's IMEI and posts the information to a remote server.
- action.download_apk: starts a thread named t that downloads a package from a remote server and checks its MD5.
The decrypted URL is:
go.[CENSORED].com
The shells.zip file is downloaded from URL:
go.[CENSORED].com/androidService/resources/commons/shells.zip
The MD5 of this file is: 6bb75a2ec3e547cc5d2848dad213f6d3.
The subsequent APK is downloaded from URL:
go.[CENSORED].com/<app_download_url>
where app_download_url is a field of the shared preferences file. The MD5 of this file is checked against the app_file_md5 field in the shared preferences.
The malware posts information to
go.[CENSORED].com/androidService/services/AndroidService
The posted information contains the following:
- IMEI
- IMSI
- TYPE_TEL, PACKAGE_ID, PACKAGE_LEVEL, VERSION_USER, PACKAGE_NAME: correspond to the same fields in the preferences file.
- VERSION_OWN
The values are posted in the format:
Name1,Value1&Name2,Value2& ...
Shared preferences are stored in mms_localinfo.xml and mms_settings.xml:
# cat mms_localinfo.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="TYPE_TEL">sdk</string>
  <string name="IMEI">000000000000000</string>
  <string name="PID">9009022</string>
  <string name="VERSION_TEL">2.3.3</string>
  <string name="VERSION_OWN">1.4</string>
  <string name="IMSI">89014103211118510720</string>
  <string name="MNC">26</string>
  <string name="INSTALL_TYPE">1</string>
  <string name="MCC">31</string>
  <string name="PACKAGE_ID">1004</string>
  <string name="PACKAGE_LEVEL">1</string>
  <string name="VERSION_USER">??????</string>
  <string name="PACKAGE_NAME">com.google.android.smart</string>
</map>
# cat mms_settings.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <long name="first_start_time" value="1043225" />
  <string name="pid">9009022</string>
  <string name="package_id">1004</string>
  <long name="last_check_live_time" value="1328868778001" />
  <string name="install_type">1</string>
  <string name="imei">000000000000000</string>
  <long name="first_submit_localinfo_time" value="1328868609220" />
</map>
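As an added triage example (not Fortinet's code and not taken from the malware), the following Python parses the two shared-preferences files shown above and decodes the Name,Value& post body described earlier, so a responder can tie artifacts on a device image, or a captured request, to this family. The sample strings are constructed from the dump above; the markers checked are the ones this analysis names.

```python
import xml.etree.ElementTree as ET

# Markers taken from the analysis above; the samples below are constructed from that dump.
ROOTSMART_PACKAGE = "com.google.android.smart"
SAMPLE_LOCALINFO = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="IMEI">000000000000000</string>
  <string name="IMSI">89014103211118510720</string>
  <string name="PACKAGE_ID">1004</string>
  <string name="PACKAGE_NAME">com.google.android.smart</string>
</map>"""
SAMPLE_SETTINGS = '<map><long name="first_submit_localinfo_time" value="1328868609220" /></map>'
# Constructed body in the posted format Name1,Value1&Name2,Value2& described above.
SAMPLE_POST = "IMEI,000000000000000&IMSI,89014103211118510720&PACKAGE_ID,1004&"


def parse_shared_prefs(xml_text):
    """Parse an Android shared-preferences <map> into a dict of strings.
    <string> entries carry their text; typed entries (<long>, <int>, ...) carry a value attribute."""
    prefs = {}
    for node in ET.fromstring(xml_text):
        if node.tag == "string":
            prefs[node.get("name")] = node.text or ""
        else:
            prefs[node.get("name")] = node.get("value", "")
    return prefs


def parse_posted_info(body):
    """Decode 'Name1,Value1&Name2,Value2&...' (trailing '&' tolerated) into a dict."""
    fields = {}
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition(",")
        fields[name] = value
    return fields


def triage(localinfo_xml, settings_xml, posted_body=""):
    """Return findings tying the prefs files (and an optional captured post body) to RootSmart."""
    local, settings = parse_shared_prefs(localinfo_xml), parse_shared_prefs(settings_xml)
    findings = []
    if local.get("PACKAGE_NAME") == ROOTSMART_PACKAGE:
        findings.append("PACKAGE_NAME matches " + ROOTSMART_PACKAGE)
    if "first_submit_localinfo_time" in settings:
        findings.append("first_submit_localinfo_time is set: device info was already posted")
    posted = parse_posted_info(posted_body)
    if posted and posted.get("IMEI") == local.get("IMEI"):
        findings.append("captured post body carries this device's IMEI")
    return findings
```

Feed it the real mms_localinfo.xml and mms_settings.xml pulled from the app's shared_prefs directory; an empty findings list means none of the named markers are present.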
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |
Version Updates
Date | Version | Detail |
---|---|---|
2023-03-06 | 91.01181 | |