Android/RomRoot.A!tr
Analysis
Android/RomRoot.A!tr targets Android mobile devices. It poses as a ROM management utility (in particular, one that roots the device) but conceals the fact that it sends private information to remote servers.
This sample is detected as malicious for two reasons:
- The alleged ROM updates are downloaded from remote web sites and could contain a malicious payload.
- The sample intentionally conceals the URLs it contacts to send out information.
The malware contacts these URLs:
- http://CENSOREDjiao.cn/driver2/gethot.json
- http://CENSOREDjiao.cn/driver2/getsoftorgame.json
- http://CENSOREDjiao.cn/driver2/gamesort.json
- http://CENSOREDjiao.cn/driver2/getneedsoft.json
- http://CENSOREDaji.cn/rom_list.json
In particular, the following query fields are appended to the URL:
- pkg=pj.ishuaji: the package name
- mac=XXX: the device's MAC address
- imsi=XXXX: the device's IMSI (identifies the SIM/subscriber)
The JSON answers from the server are stored in /data/data/pj.ishuaji/app_cache.
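The query fields above make the exfiltration visible on the wire. The following is an added example (not code from the sample or from the original analysis) that runs over constructed proxy log lines and flags requests to the paths listed above whose query string carries the package name, a MAC address or an IMSI. The hostnames in the sample log are placeholders, not the censored domains, and the log format is assumed to be "timestamp client method url".

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Request paths listed in the analysis above.
KNOWN_PATHS = {
    "/driver2/gethot.json",
    "/driver2/getsoftorgame.json",
    "/driver2/gamesort.json",
    "/driver2/getneedsoft.json",
    "/rom_list.json",
}
IMSI_RE = re.compile(r"^\d{14,15}$")  # MCC + MNC + MSIN, all digits
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.I)


def inspect_url(url: str) -> dict[str, str]:
    """Findings for one outbound URL; an empty dict means nothing matched."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings: dict[str, str] = {}
    if parts.path in KNOWN_PATHS:
        findings["known_path"] = parts.path
    if "pj.ishuaji" in query.get("pkg", []):
        findings["pkg"] = "pj.ishuaji"
    imsi = query.get("imsi", [""])[0]
    if IMSI_RE.fullmatch(imsi):
        findings["imsi_leak"] = imsi
    mac = query.get("mac", [""])[0]
    if MAC_RE.fullmatch(mac):
        findings["mac_leak"] = mac
    return findings


# Constructed proxy log (placeholder hosts, invented identifiers): "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2019-04-12T10:00:01Z 10.0.0.5 GET http://c2.example.invalid/driver2/gethot.json?pkg=pj.ishuaji&mac=00:11:22:33:44:55&imsi=460001234567890
2019-04-12T10:00:02Z 10.0.0.5 GET http://www.example.invalid/index.html
2019-04-12T10:00:03Z 10.0.0.5 GET http://rom.example.invalid/rom_list.json?pkg=pj.ishuaji
"""


def scan_proxy_log(text: str) -> list[tuple[int, dict[str, str]]]:
    """Return (line_number, findings) for every log line whose URL matches."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        findings = inspect_url(fields[3])
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_proxy_log(SAMPLE_LOG):
        print(lineno, findings)
```

A hit on a known path together with an imsi or mac field is the strong signal; a known path alone is worth a look because the two censored domains may change while the URL paths stay the same.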
All those addresses are built from byte arrays at runtime, so they do not appear in the Dalvik executable's string table and a plain search for the URLs (e.g. with strings) finds nothing. Two of the decompiled constructions:
j = new String(new byte[] { 99, 105, 100 });   // decodes to "cid"
r = new String(new byte[] { 100, 101, 118 });  // decodes to "dev"
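Because the strings are only assembled at runtime, recovering them from decompiled source is a mechanical job. The following is an added example (not code from the sample or the original analysis) that scans decompiler output for the byte-array String idiom shown above and decodes each occurrence. It handles the Java signed-byte case (negative literals for UTF-8 bytes above 0x7F). The sample source is constructed: the two lines from the analysis, plus an invented line encoding the /rom_list.json path from the URL list and one encoding a Chinese character.

```python
from __future__ import annotations
import re

# Pattern for the Java idiom: new String(new byte[] { 99, 105, 100 }).
# Only decimal literals are handled, which is the form the decompiler emitted for this sample;
# hex literals or (byte) casts would need an extended pattern.
BYTE_ARRAY_STRING = re.compile(
    r"new\s+String\s*\(\s*new\s+byte\s*\[\s*\]\s*\{([^}]*)\}\s*\)"
)


def decode_byte_literal(body: str, encoding: str = "utf-8") -> str:
    """Decode '99, 105, 100' -> 'cid'. Java bytes are signed, so -128..-1 map to 128..255."""
    values = [int(v) for v in body.split(",") if v.strip()]
    raw = bytes(v & 0xFF for v in values)  # two's-complement wrap for negative literals
    return raw.decode(encoding, errors="replace")


def find_hidden_strings(source: str) -> list[tuple[int, str]]:
    """(line_number, decoded_string) for every byte-array String construction in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in BYTE_ARRAY_STRING.finditer(line):
            hits.append((lineno, decode_byte_literal(m.group(1))))
    return hits


# Constructed decompiler output (see lead-in); the last two lines are invented for illustration.
SAMPLE_SOURCE = """\
j = new String(new byte[] { 99, 105, 100 });
r = new String(new byte[] { 100, 101, 118 });
p = new String(new byte[] { 47, 114, 111, 109, 95, 108, 105, 115, 116, 46, 106, 115, 111, 110 });
z = new String(new byte[] { -28, -72, -83 });
"""


if __name__ == "__main__":
    for lineno, text in find_hidden_strings(SAMPLE_SOURCE):
        print(f"line {lineno}: {text!r}")
```

Run it over the whole decompiled tree (for example, `cat` the .java files into it) and grep the output for "http" and ".json" to recover the full URL set without stepping through the code.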
The malware creates 3 directories on the SD card:
- /sdcard/ishuaji/apk
- /sdcard/ishuaji/rom
- /sdcard/ishuaji/tmp
There is also a SQLite database tracking downloaded APKs in /data/data/pj.ishuaji/databases/greenbean, created with the following statement:
CREATE TABLE downloadAPK (id LONG PRIMARY KEY,name TEXT,pkg TEXT, url TEXT,icon TEXT,time LONG,size LONG,sizeLoaded LONG,state INTEGER);
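The greenbean database is the on-device record of what the sample pulled down, which matters because the downloaded APKs and ROMs come from remote sites the analyst will want to pivot on. The following is an added example (not the sample's own code and not from the original analysis) that opens the database with Python's sqlite3 module, reports each download's completion state and lists the distinct download hosts. The rows are constructed and the meaning of the state column is not documented on this page, so the code passes it through untouched.

```python
from __future__ import annotations
import sqlite3
from urllib.parse import urlsplit

# DDL quoted in the analysis above (the sample's own schema).
DOWNLOAD_APK_DDL = (
    "CREATE TABLE downloadAPK (id LONG PRIMARY KEY,name TEXT,pkg TEXT, url TEXT,"
    "icon TEXT,time LONG,size LONG,sizeLoaded LONG,state INTEGER);"
)


def open_greenbean(path: str = ":memory:") -> sqlite3.Connection:
    """Open the greenbean database. On a real case pass the file pulled from
    /data/data/pj.ishuaji/databases/greenbean; the default is an empty in-memory DB."""
    return sqlite3.connect(path)


def seed_constructed_rows(conn: sqlite3.Connection) -> None:
    """Constructed rows for offline use; not recovered from a real device."""
    conn.execute(DOWNLOAD_APK_DDL)
    conn.executemany(
        "INSERT INTO downloadAPK VALUES (?,?,?,?,?,?,?,?,?)",
        [
            (1, "Game A", "com.example.gamea", "http://apk1.example.invalid/a.apk", "", 0, 4000000, 4000000, 1),
            (2, "Tool B", "com.example.toolb", "http://apk1.example.invalid/b.apk", "", 0, 2500000, 1000000, 0),
            (3, "ROM C",  "com.example.romc",  "http://apk2.example.invalid/c.apk", "", 0, 0, 0, 0),
        ],
    )
    conn.commit()


def download_report(conn: sqlite3.Connection) -> list[dict]:
    """One dict per downloadAPK row: progress from sizeLoaded/size, state passed through."""
    rows = conn.execute(
        "SELECT id, pkg, url, size, sizeLoaded, state FROM downloadAPK ORDER BY id"
    )
    report = []
    for id_, pkg, url, size, loaded, state in rows:
        percent = round(100.0 * loaded / size, 1) if size else 0.0  # guard size == 0
        report.append({
            "id": id_, "pkg": pkg, "url": url, "percent": percent,
            "complete": size > 0 and loaded >= size, "state": state,
        })
    return report


def download_hosts(conn: sqlite3.Connection) -> set[str]:
    """Distinct hosts the APKs were fetched from, for pivoting on the distribution sites."""
    return {urlsplit(url).netloc for (url,) in conn.execute("SELECT url FROM downloadAPK")}


if __name__ == "__main__":
    db = open_greenbean()
    seed_constructed_rows(db)
    for row in download_report(db):
        print(row)
    print(sorted(download_hosts(db)))
```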
Finally, note that the sample embeds the "rage against the cage" exploit as a raw resource in the package. If the device is not rooted yet, the sample attempts to root it with that exploit; rage against the cage abuses the unchecked setuid() call in adbd and only affects Android 2.2 and earlier, so the rooting step cannot succeed on later firmware. The rooting takes place in the subclasses of pj.ishuaji.brush.flashRom.
This malware targets Chinese end-users.
Other vendors detect this sample as AndroidOS_ROOTCAGE.B (Trend Micro), Andr/DroidRt-A (Sophos) and Exploit:Android/DroidRooter.B (F-Secure).
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
| Product | Signature database |
|---|---|
| FortiGate | Extended |
| FortiClient | Extreme |
| FortiAPS | |
| FortiAPU | |
| FortiMail | Extreme |
| FortiSandbox | Extreme |
| FortiWeb | Extreme |
| FortiADC | Extreme |
| FortiIsolator | Extreme |
| FortiDeceptor | Extreme |
| FortiEDR | |
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2019-04-12 | 67.75300 | Modified | |