Analysis
Android/RootSmart.A!tr.dldr is a Trojan that targets Android phones running version 2.3.4 or later.
The malware has been reported in alternative Chinese Android markets. It is a trojanized copy of a legitimate phone settings application, QuickSettings, which is found in Google's Android Market.
Figure 1. Android/RootSmart looks like the genuine QuickSettings application. So far, it has only been reported in Chinese markets.
The malware downloads an exploit package, roots the phone, and then downloads and installs further malware, all without the user's consent.
The malicious classes are located in the package com.google.android.smart. When the application is launched, the activity FcbakeLauncherActivitcy (misspelled as in the code) is started. This activity launches the main malicious service, McbainServicce, with the argument action.host_start.
McbainServicce is the main malicious service. It processes the following actions:
- action.host_start: marks the malware as started.
- action.boot: sets an alarm (1 min) to check whether the phone is rooted.
- action.install: starts a thread named l that locates a local directory named "shells" and, inside that directory, two files named exploit and installapp. It makes those files executable (chmod 755) and executes them.
- action.installed: starts a thread named u that finishes the installation.
- action.check_live: checks the status of the application.
- action.download_shells: starts a thread named i that downloads a file named shells.zip from a remote server, checks its MD5 and unzips it.
- action.exploid: same as action.install, except that it starts a thread named f that looks only for "shells" and "exploit".
- action.load_taskinfo: retrieves the device's IMEI and posts the information to a remote server.
- action.download_apk: starts a thread named t that downloads a package from a remote server and checks its MD5.
The decrypted URL is:
The shells.zip file is downloaded from URL:
go.[CENSORED].com/androidService/resources/commons/shells.zip
The MD5 of this file is: 6bb75a2ec3e547cc5d2848dad213f6d3.
The subsequent APK is downloaded from URL:
go.[CENSORED].com/<app_download_url>
where app_download_url is a field of the shared preferences file. The MD5 of this file is checked against the app_file_md5 field in the shared preferences.
The malware posts information to
go.[CENSORED].com/androidService/services/AndroidService
The posted information contains the following:
- TYPE_TEL, PACKAGE_ID, PACKAGE_LEVEL, VERSION_USER, PACKAGE_NAME: these correspond to the fields of the same name in the preferences file.
Shared preferences are stored in mms_localinfo.xml and mms_settings.xml:
# cat mms_localinfo.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="TYPE_TEL">sdk</string>
    <string name="IMEI">000000000000000</string>
    <string name="PID">9009022</string>
    <string name="VERSION_TEL">2.3.3</string>
    <string name="VERSION_OWN">1.4</string>
    <string name="IMSI">89014103211118510720</string>
    <string name="MNC">26</string>
    <string name="INSTALL_TYPE">1</string>
    <string name="MCC">31</string>
    <string name="PACKAGE_ID">1004</string>
    <string name="PACKAGE_LEVEL">1</string>
    <string name="VERSION_USER">??????</string>
    <string name="PACKAGE_NAME">com.google.android.smart</string>
</map>

# cat mms_settings.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <long name="first_start_time" value="1043225" />
    <string name="pid">9009022</string>
    <string name="package_id">1004</string>
    <long name="last_check_live_time" value="1328868778001" />
    <string name="install_type">1</string>
    <string name="imei">000000000000000</string>
    <long name="first_submit_localinfo_time" value="1328868609220" />
</map>
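As an added triage example (not part of this write-up, and not the malware's or Fortinet's code): a Python script that parses Android shared-preferences files like the two above, flags the RootSmart fields they contain, and compares a file's MD5 against the shells.zip hash quoted earlier. The sample XML embedded in it is constructed from the values shown above.

```python
"""Triage helper for Android/RootSmart.A!tr.dldr artefacts (added example,
not Fortinet's or the malware's code). Parses the shared-preferences XML the
malware writes and checks a file's MD5 against the shells.zip hash from the
analysis. The sample input is constructed from values in the write-up.
"""
import hashlib
import xml.etree.ElementTree as ET

# Indicators taken from the analysis above.
MALICIOUS_PACKAGE = "com.google.android.smart"
SHELLS_ZIP_MD5 = "6bb75a2ec3e547cc5d2848dad213f6d3"
# Fields the malware posts to its server, per the analysis.
POSTED_FIELDS = {"TYPE_TEL", "PACKAGE_ID", "PACKAGE_LEVEL", "VERSION_USER", "PACKAGE_NAME"}

# Constructed sample: a subset of mms_localinfo.xml as shown in the write-up.
SAMPLE_LOCALINFO = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="TYPE_TEL">sdk</string>
  <string name="IMEI">000000000000000</string>
  <string name="PACKAGE_ID">1004</string>
  <string name="PACKAGE_LEVEL">1</string>
  <string name="PACKAGE_NAME">com.google.android.smart</string>
</map>"""


def parse_shared_prefs(xml_text: str) -> dict:
    """Map name -> value; <string> carries its value as text, other types in the value attribute."""
    prefs = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if name is not None:
            prefs[name] = elem.text if elem.tag == "string" else elem.get("value")
    return prefs


def rootsmart_indicators(prefs: dict) -> list:
    """Return the RootSmart indicators matched by one parsed preferences file."""
    hits = []
    if prefs.get("PACKAGE_NAME") == MALICIOUS_PACKAGE:
        hits.append("package name " + MALICIOUS_PACKAGE)
    found = sorted(POSTED_FIELDS & set(prefs))
    if found:
        hits.append("fields posted to the remote server: " + ", ".join(found))
    return hits


def is_known_shells_zip(data: bytes) -> bool:
    """True if the bytes hash to the shells.zip MD5 given in the analysis."""
    return hashlib.md5(data).hexdigest() == SHELLS_ZIP_MD5
```

The hash check only confirms the one shells.zip sample named in this analysis; a repacked archive will not match, so treat the package name and the posted-field set as the primary triage signals.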
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.