Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
     123456
    78910111213
    14151617181920
    21222324252627
    282930  
  • About Us

    Recently ZTE acknowledged the existence of a vulnerability in its Android-based smartphone Score M. The said vulnerability, if exploited, can allow attackers to operate with root privileges—a scenario that can mean an attacker will have complete control over the affected phone. We have taken some time to analyze this backdoor in order to help affected users remove it from their Score M handsets.

    This backdoor is an ELF (executable and linkable format) file under /system/bin/ named “sync_agent”. It has a default “setuid” permission which, after it launches, has the ability to set itself as root.

    Upon execution, this backdoor checks the password provided against the password indicated in its code, “ztex1609523” and if verified correct, raises a system call [setuid] with ‘0’ as parameter. Note that since the backdoor has a setuid attribute, even if the user who launched the backdoor does not have root privilege, the system call can still execute successfully. Doing so also sets the backdoor’s EUID (effective UID) to 0, which also means a root privilege.

    The backdoor then launches the program /system/bin/sh to get a root shell.

    We then used strace to trace all the system calls this backdoor’s process made. As seen below, the backdoor was able to set itself as root and execute /system/bin/sh:

    Throughout these calls, the user never sees any prompt that the backdoor has gained root privilege or that any other command is being executed.

    Based on our analysis, it appears this root shell can only be used locally, because this backdoor didn’t open any socket or any other remote communication tunnel.

    However, we believe it can be used by other malicious applications to combine a remote root shell. The only thing the malicious app needs to do is provide a bash script to the backdoor, then the said script will be executed.

    For instance, if we write a shell script as seen below:

    Note that this script does nothing but print a line with several ‘L’s and print its id to announce its root privilege.

    Now we run the backdoor that has been provided our script as a parameter.

    From this screen shot we can see that our script runs successfully.
    We then use strace to print the system call log. See below:

    We can see that the arguments sent to function execve changed to our shell script.

    In conclusion, a malware can easily use this backdoor in combination with a remote backdoor or bot. The preinstalled backdoor need only receive an SMS command or connect to a remote C&C server to receive commands from a remote attacker, and then call the local backdoor with a certain shell script.

    If you own a ZTE Score M you can remove this backdoor by following these instructions:

    1. Run the backdoor on an adb shell: /system/bin/sync_agent ztex1609523
    2. To check which device your /system dir has mounted, use the command: mount. There should be a print out like below, note the device name underlined in red:
    3. Remount the system partition as RW with command: mount –o remount,rw /your/device/name /system.
    4. Remove the backdoor from the system with command: rm /system/bin/sync_agent.
    5. Terminate the backdoor with ctrl+c.

    To keep your mobile device safe from malicious applications, make sure you have a trusty mobile security solution installed like the Mobile Security Personal Edition.

    To know more on how to better protect yourself from threats related to your mobile devices, you may read our comprehensive e-guides below:

    Update as of May 26, 2012 3:31 AM PST Time

    Trend Micro detects this backdoor as ANDROIDOS_GAPUSSIN.CDC.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice