TrendLabs Security Intelligence Blog

    Author Archive - Weichao Sun (Mobile Threats Analyst)




    Just days after reports of a supposed Android botnet spam run surfaced, we found a Yahoo! Android app vulnerability which, when exploited, allows an attacker to send spammed messages using the compromised Yahoo! account.

    First Spam Run via Android Botnet?

    Last week, several messages were found peddling fake pharma sites or containing links leading to phishing sites. What made this spam different, however, was the use of “Sent from Yahoo! Mail on Android” in the message signature and the “androidMobile” value in the Message-ID field. Based on reports, the IP addresses indicated in these messages were assigned to network operators and were located in developing countries.

    Given this evidence, some experts surmised that the spammers may have used Android devices compromised with malicious apps. Google, however, refuted the claim that the spam was sent from an Android botnet, stating that the spammers may instead have used infected PCs and a fake mobile signature in an attempt to bypass email filters.

    Just recently, another possible scenario was proposed. Certain security researchers theorized that spammers could be taking advantage of a Yahoo! Android app vulnerability to compromise a mobile device and spam users with messages.

    Spammers May Exploit Yahoo! Mail Android Vulnerability

    Regardless of how these messages were sent, attackers exploiting a Yahoo! Android vulnerability to compromise a Yahoo! Mail account and send spam is a real possibility. In fact, we recently uncovered a vulnerability in the Yahoo! Android mail client that can allow an attacker to obtain a user’s Yahoo! Mail cookie. This bug stems from the communication between the Yahoo! mail server and the Yahoo! Android mail client. With this cookie, the attacker can use the compromised Yahoo! Mail account to send specially crafted messages. The same bug also gives an attacker access to the user’s inbox and messages.

    Currently, we are coordinating with Yahoo! about this particular bug. We will also be posting a separate blog entry for our technical analysis of the vulnerability.

    However spammed messages are sent, users should still be wary of spam, as it poses real risks. Users who click the links are led to fake pharmaceutical sites offering bogus products or to phishing pages asking them to divulge sensitive information. Thus, users must never download files or click links contained in dubious-looking messages.

    Trend Micro protects users from this threat via Smart Protection Network™, which blocks these messages. Mobile users can benefit from Trend Micro Mobile Security Personal Edition, which detects malicious Android apps.

    Android users must avoid downloading apps from third-party app stores, as this increases the risk of downloading malware disguised as Android apps. To know more about how to protect your devices, you may read the following Digital Life e-Guides specific to Android users.

     
    Posted in Mobile, Social, Vulnerabilities | Comments Off



    Early this month, we reported on a technique used by an Android malware detected as ANDROIDOS_BOTPANDA.A, which involved modifications to the affected device that make the malware hard to remove. To help affected users, we’ve released a special tool that reverts the modifications made by ANDROIDOS_BOTPANDA.A and ultimately removes the malware from the system. The tool, called the BotPanda Cleaner, is now available for download in Google Play.

    48 Utility Apps Contain libvadgo

    Upon further probing, we’ve found 55 malicious files packaged as 48 separate utility apps that contain libvadgo, 28 of which are still available online. Users typically encounter these on third-party app stores, where they can be downloaded for free. Based on the estimated number of downloads, these apps have at least 31,000 downloads so far.

    Below are some of these apps repackaged with the malicious library file:

    App Name            Package Name
    FMR Memory Cleaner  com.fantasmosoft.new
    SuperSU             eu.chainfire.newsupersu
    签名点ME            com.qianming.new
    Move2SD Enabler     com.iozhu.zyl
    Chainfire3D         eu.chainfire.new
    Squats              com.northpark.newsquats
    无线探测器          net.szym.barnacle
    Sit Ups             com.northpark.new
    程序隐藏器          ccn.andflyt.new
    Screenshot UX       com.nyzv.shotux

     

    Once installed, these apps function properly and do not overtly exhibit any unusual behavior to users. In reality, these are Trojanized apps modified to include malicious code and libvadgo, repackaged and then distributed by malicious developers.

    ANDROIDOS_BOTPANDA Noteworthy Behavior

    To make removal and cleanup difficult, ANDROIDOS_BOTPANDA.A replaces files, hooks important system commands, and kills certain processes on the infected device. What’s more, the malicious behavior is implemented at a low level, unlike most mobile malware, which is written against the Android SDK. In the near future, we are likely to see more malicious and Trojanized apps employing this trick, making analysis problematic for security researchers.

    ANDROIDOS_BOTPANDA.A, through libvadgo, communicates with C&C servers controlled by malicious users. This enables the remote user to execute commands on the device without the user’s knowledge, including stealing information.

    Based on our analysis, the malware was found to run on rooted devices. By running on a rooted device, the malware and the malicious user easily gain root privileges on the infected device. The diagram below gives an overview of the noteworthy behavior of ANDROIDOS_BOTPANDA.A.

    For mobile devices already installed with ANDROIDOS_BOTPANDA.A, merely detecting and deleting the Trojanized app may not address the changes already done by the malware.

    Trend Micro Fix Tool for ANDROIDOS_BOTPANDA.A

    Trend Micro has released a fix tool called BotPanda Cleaner to remove the excess files and restore modifications created by ANDROIDOS_BOTPANDA.A. This fix tool specifically runs on Android OS devices, particularly on Android 2.3 and Android 4.0. It needs root privilege in order to properly reverse the effects of the malware, which runs only when the device is rooted. On its own, the tool will not root the device.

    To be more specific, this tool performs the following:

    1. Scans all files under every package install directory to find the file libvadgo
    2. Checks whether system files were modified by the malware
    3. Checks for the existence of other files generated by the malware
    4. Shows the result to the user based on the above 3 steps
    5. Advises the user to choose Delete to remove the infected apps and files, and to reboot the device after cleanup

    If the user clicks the Delete button, the tool:

    1. Removes all files generated by the malware under /system/bin/ and /system/lib
    2. Removes all apps that contain libvadgo
    3. Restores the two files modified by the malware: /system/bin/svc and /system/build.prop

    As an added precaution, users are advised to be cautious before downloading any app, especially those coming from third-party app stores. To help users decide what’s safe, Mobile Security Personal Edition detects apps that contain this malicious library file.

    To know more about how to enjoy your mobile devices safely and securely, you may refer to our comprehensive Digital Life e-guides below:

    Below is our infographic about the current Android OS threat landscape.

     
    Posted in Malware, Mobile | Comments Off



    We have uncovered certain Android apps (detected as ANDROIDOS_BOTPANDA.A) containing a malicious library file, which when executed, renders the infected device as a zombie device that connects to specific command and control (C&C) servers. What is also noteworthy about this file is that it hides its routines in the dynamic library, making it difficult to analyze.

    The malicious library libvadgo contained in ANDROIDOS_BOTPANDA.A was developed with the NDK and loaded using the Java Native Interface. The NDK is a toolset used by would-be Android developers to create apps. ANDROIDOS_BOTPANDA.A contains the file com.airpuh.ad/UpdateCheck, which loads the libvadgo library and calls the Java_com_airpuh_ad_UpdateCheck_dataInit function using the following code:

    Based on our analysis, one of the noteworthy routines of Java_com_airpuh_ad_UpdateCheck_DataInit is that it verifies whether an infected device is rooted by checking for the file /system/xbin/su. If found, it executes /system/xbin/su and then runs the commands below through /system/xbin/su:

    Java_com_airpuh_ad_UpdateCheck_DataInit also executes the .e[int_a]d file, which is removed after several minutes. The first thing the .e[int_a]d file does is check for the existence of /system/lib/libd1.so, replace files, and hook some important system commands [rm move mount ifconfig chown] under system/xbin/ by creating corresponding files under system/bin/ to prevent detection and cleanup. All of the created files are duplicates of system/lib/lib1.so. It also modifies system/bin/svc by adding a malicious line to it so that the malware is launched automatically.

    The .e[int_a]d file also performs the malware’s main routine, which is to communicate with the C&C servers ad.{BLOCKED}ew.com, ad.{BLOCKED}o8.com, and ad.{BLOCKED}8.com through port 8511. These servers, however, were already down during our analysis, so we could not confirm the exact commands it performs on the infected device.

    As mentioned previously, what makes this threat noteworthy is ANDROIDOS_BOTPANDA.A’s use of the dynamic library libvadgo.so. This type of malware hides its malicious routines in the said dynamic library, making it hard to analyze. It also kills certain processes, hooks important system commands, and replaces files to make detection and removal solutions difficult. If more Android malware use this technique in the future, delivering analysis and solutions will prove to be challenging for security experts.

    This malware also runs specifically on rooted devices, so it is likely to spread through third-party app stores. ANDROIDOS_BOTPANDA.A is another reason why users are advised to be cautious in downloading apps, specifically those from third-party app stores. To know more about how to better protect yourself from Android OS-specific threats, you may refer to our Digital Life e-guides below:

    Update as of June 12, 2012, 3:15 AM PST

    Trend Micro protects users from this threat via Mobile Security Personal Edition, which detects the apps that contain this malicious library file.

    To determine if a device is infected, users should look in the folder /system/lib and check for the file libd1.so. Users can also look at the svc file in the folder /system/bin and check whether it contains the line /system/bin/ifconfig, which also indicates an infected device.
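The manual checks just described, together with the five detection steps the BotPanda Cleaner performs in the earlier post, can be scripted as a read-only indicator check. The script below is an added example and is not Trend Micro's BotPanda Cleaner or any code from the analysis; the function names are hypothetical, and it assumes it is pointed at a root directory (for instance "/" from an adb shell on a rooted device, or a constructed test tree on a workstation). It only reports; it deletes and restores nothing.

```shell
#!/bin/sh
# Added example (not the BotPanda Cleaner): a read-only check for the
# ANDROIDOS_BOTPANDA.A indicators described in the analysis. ROOT is the
# directory to inspect, so the same functions can be run as
# "sh botpanda_check.sh /" in an adb shell on a device, or against a
# constructed test tree on a workstation.
set -u

# Indicators taken from the analysis: the bundled library name, the dropped
# copy in /system/lib, the line appended to /system/bin/svc, and the commands
# the malware shadows under /system/bin with copies of the dropped library.
BOTPANDA_LIB_NAME="libvadgo.so"
BOTPANDA_DROPPED_LIB="system/lib/libd1.so"
BOTPANDA_SVC="system/bin/svc"
BOTPANDA_SVC_MARKER="/system/bin/ifconfig"
BOTPANDA_HOOKED_CMDS="rm move mount ifconfig chown"

# Print every libvadgo.so found under the package data area (ROOT/data).
find_libvadgo() {
    root="$1"
    if [ -d "$root/data" ]; then
        find "$root/data" -type f -name "$BOTPANDA_LIB_NAME" 2>/dev/null
    fi
}

# Succeed if the dropped library is present.
check_dropped_lib() {
    [ -f "$1/$BOTPANDA_DROPPED_LIB" ]
}

# Succeed if svc carries the auto-launch line the malware adds.
check_svc_hook() {
    svc="$1/$BOTPANDA_SVC"
    [ -f "$svc" ] && grep -q -- "$BOTPANDA_SVC_MARKER" "$svc"
}

# Print each shadowed command under system/bin that is a byte-for-byte copy
# of the dropped library; a genuine toolbox binary never compares equal to it.
list_hooked_cmds() {
    root="$1"
    lib="$root/$BOTPANDA_DROPPED_LIB"
    [ -f "$lib" ] || return 0
    for c in $BOTPANDA_HOOKED_CMDS; do
        f="$root/system/bin/$c"
        if [ -f "$f" ] && cmp -s "$f" "$lib"; then
            echo "$f"
        fi
    done
}

# Count how many of the four indicator classes are present (0 = clean).
botpanda_indicator_count() {
    root="$1"
    n=0
    if [ -n "$(find_libvadgo "$root")" ]; then n=$((n + 1)); fi
    if check_dropped_lib "$root"; then n=$((n + 1)); fi
    if check_svc_hook "$root"; then n=$((n + 1)); fi
    if [ -n "$(list_hooked_cmds "$root")" ]; then n=$((n + 1)); fi
    echo "$n"
}

# Human-readable report; nothing is deleted or modified.
botpanda_report() {
    root="$1"
    echo "== ANDROIDOS_BOTPANDA.A indicator check for $root =="
    apps="$(find_libvadgo "$root")"
    if [ -n "$apps" ]; then printf 'libvadgo found:\n%s\n' "$apps"; fi
    if check_dropped_lib "$root"; then
        echo "dropped library present: /$BOTPANDA_DROPPED_LIB"
    fi
    if check_svc_hook "$root"; then echo "svc contains $BOTPANDA_SVC_MARKER"; fi
    hooked="$(list_hooked_cmds "$root")"
    if [ -n "$hooked" ]; then printf 'shadowed commands:\n%s\n' "$hooked"; fi
    echo "indicators present: $(botpanda_indicator_count "$root")"
}

# Only run the report when a root directory is given on the command line.
if [ -n "${1:-}" ]; then
    botpanda_report "$1"
fi
```

Comparing the shadow binaries byte-for-byte against libd1.so, rather than merely checking that rm or mount exists in /system/bin, avoids flagging the legitimate toolbox applets that every Android image ships there.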

     
    Posted in Malware, Mobile | Comments Off



    Recently, ZTE acknowledged the existence of a vulnerability in its Android-based smartphone Score M. This vulnerability, if exploited, can allow attackers to operate with root privileges—a scenario that means an attacker will have complete control over the affected phone. We have taken some time to analyze this backdoor in order to help affected users remove it from their Score M handsets.

    This backdoor is an ELF (executable and linkable format) file under /system/bin/ named “sync_agent”. It is installed with the “setuid” permission bit set, which allows it to set itself as root once launched.

    Upon execution, this backdoor checks the password provided against the password embedded in its code, “ztex1609523”, and if it matches, issues the setuid system call with ‘0’ as the parameter. Note that because the backdoor has the setuid attribute, the system call succeeds even if the user who launched the backdoor does not have root privileges. Doing so sets the backdoor’s EUID (effective UID) to 0, which means root privileges.

    The backdoor then launches the program /system/bin/sh to get a root shell.

    We then used strace to trace all the system calls this backdoor’s process made. As seen below, the backdoor was able to set itself as root and execute /system/bin/sh:

    Throughout these calls, the user never sees any prompt that the backdoor has gained root privilege or that any other command is being executed.

    Based on our analysis, it appears this root shell can only be used locally, because this backdoor didn’t open any socket or any other remote communication tunnel.

    However, we believe it can be used by other malicious applications to build a remote root shell. The only thing the malicious app needs to do is provide a shell script to the backdoor, and that script will be executed.

    For instance, if we write a shell script as seen below:

    Note that this script does nothing but print a line with several ‘L’s and print its id to announce its root privilege.

    Now we run the backdoor with our script provided as a parameter.

    From this screenshot we can see that our script runs successfully.
    We then use strace to print the system call log. See below:

    We can see that the arguments passed to execve changed to our shell script.

    In conclusion, malware can easily use this backdoor in combination with a remote backdoor or bot. The remote component need only receive an SMS command or connect to a remote C&C server to receive commands from a remote attacker, and then call the local backdoor with a certain shell script.

    If you own a ZTE Score M you can remove this backdoor by following these instructions:

    1. Run the backdoor in an adb shell: /system/bin/sync_agent ztex1609523
    2. To check which device your /system directory is mounted from, use the command: mount. There should be a printout like the one below; note the device name underlined in red:
    3. Remount the system partition as read-write with the command: mount -o remount,rw /your/device/name /system
    4. Remove the backdoor from the system with the command: rm /system/bin/sync_agent
    5. Terminate the backdoor with Ctrl+C.

    To keep your mobile device safe from malicious applications, make sure you have a trusted mobile security solution installed, such as Mobile Security Personal Edition.

    To know more on how to better protect yourself from threats related to your mobile devices, you may read our comprehensive e-guides below:

    Update as of May 26, 2012, 3:31 AM PST

    Trend Micro detects this backdoor as ANDROIDOS_GAPUSSIN.CDC.

     
    Posted in Malware, Mobile | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice