In Android world, sometimes you can’t stop malware from “serving”
you, especially when the “service” is actually a malicious Android
class running in the background and controlled by a remote access tool
(RAT). Recently, FireEye mobile security researchers have discovered
such a malware that pretends to be a “Google Service Framework” and
kills an anti-virus application as well as takes other malicious actions.
In the past, we’ve seen Android malware that execute privacy leakage,
banking credential theft, or remote access separately, but this sample
takes Android malware to a new level by combining all of those
activities into one app. In addition, we found the hacker has designed
a framework to conduct bank hijacking and is actively developing
towards this goal. We suspect in the near future there will be a batch
of bank hijacking malware once the framework is completed. Right now,
eight Korean banks are recognized by the attacker, yet the hacker can
quickly expand to new banks with just 30 minutes of work.
Although the IP addresses we have captured don’t reveal who the
attacker is, as the computer of the IP might be a victim as well, we
have found from the UI that both the malware developer and the victims
are Korean speakers.
[caption id="attachment_5810" align="alignnone"
width="545"] href="/content/dam/legacy/blog/2014/06/structure.png"> class=" wp-image-5810 landscape-med"
alt="Fig. 1. The structure of the HijackRAT malware."
src="https://www.fireeye.com/content/dam/legacy/blog/2014/06/structure.png"
width="545" height="349" /> Fig. 1. The structure of the
HijackRAT malware.[/caption]
The package name of this new RAT malware is “com.ll” and appears as
“Google Service Framework” with the default Android icon. Android
users can’t remove the app unless they deactivate its administrative
privileges in “Settings.” So far, the Virus Total score of the sample
is only five positive detections out of 54 AV vendors [1]. Such new
malware is published quickly partly because the CNC server, which the
hacker uses, changes so rapidly.
[caption id="attachment_5812" align="alignnone"
width="548"] href="/content/dam/legacy/blog/2014/06/VT5.png"> class=" wp-image-5812 landscape-med"
src="https://www.fireeye.com/content/dam/legacy/blog/2014/06/VT5.png"
width="548" height="187" /> Fig. 2. The Virus Total detection
of the malware sample. [1][/caption]
[caption id="attachment_5813" align="alignnone"
width="549"] href="/content/dam/legacy/blog/2014/06/removeicon.png"> class="size-full wp-image-5813 landscape-med"
src="https://www.fireeye.com/content/dam/legacy/blog/2014/06/removeicon.png"
width="549" height="326" /> Fig. 3. The fake “Google Service
Framework” icon in home screen.[/caption]
A few seconds after the malicious app is installed, the “Google
Services” icon appears on the home screen. When the icon is clicked,
the app asks for administrative privilege. Once activated, the
uninstallation option is disabled and a new service named “GS” is
started as shown below. The icon will show "App isn't
installed." when the user tries to click it again and removes
itself from the home screen.
[caption id="attachment_5815" align="alignnone"
width="548"] href="/content/dam/legacy/blog/2014/06/service.png"> class=" wp-image-5815 landscape-med"
alt="Fig. 4. The background service of the malware. "
src="https://www.fireeye.com/content/dam/legacy/blog/2014/06/service.png"
width="548" height="326" /> Fig. 4. The background service of
the malware.[/caption]
The malware has plenty of malicious actions, which the RAT can
command, as shown below.
Within a few minutes, the app connects with the CNC server and begins
to receive a task list from it:
The content is encoded by Base64 RFC 2045. It is a JSONObject with
content: {"task": {"0": 0}}, when decoded. The
server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if
it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL
is named after the device ID and the UUID generated by the CNC server.
The code below shows how the URL of the HTTP GET request is constructed:
- "UPLOAD PRIVACY DETAILS"
The task list shown above will trigger the first malicious action of
“Upload Phone Detail.” When executed, the user’s private information
will be uploaded to the server using HTTP POST request. The
information contains phone number, device ID, and contact lists as
shown below in the network packet of the request:
When decoded, the content in the red and blue part of the PCap are
shown below respectively:
1. The red part:
2. The blue part:
The contact list shown above is already highly sensitive, yet,
if the user has installed some banking applications, the malware
will scan for them too.
In a testing device, we installed the eight Korean bank apps as
shown below:
[caption id="attachment_5822" align="alignnone"
width="274"] href="/content/dam/legacy/blog/2014/06/8banks.png"> class=" wp-image-5822 portrait-sm"
alt="Fig. 5. The eight banking apps. "
src="https://www.fireeye.com/content/dam/legacy/blog/2014/06/8banks.png"
width="274" height="487" /> Fig. 5. The eight banking apps.[/caption]
When this was done, we found the value of
“banklist” in the PCap is no longer listed as N/A anymore:
The “banklist” entry in the PCap is filled with the short names
of the banks that we installed. There is a map of the short names
and package names of the eight banking apps installed on the phone:
The map of the banks is stored in a database and used in another
malicious action controlled by the CNC server too.
- "POP WINDOW"
In this malicious action, the CNC server sends a command to
replace the existing bank apps. The eight banking apps require the
installation of “com.ahnlab.v3mobileplus,” which is a popular
anti-virus application available on Google Play. In order evade any
detections, the malware kills the anti-virus application before
manipulating the bank apps. In the code as shown below, Conf.LV is
the “com.ahnlab.v3mobileplus” being killed.
Then, the malware app parses the banking apps that the user has
installed on the Android device and stores them in the database
under /data/data/com.ll/database/simple_pref. The red block below
shows the bank list stored in the database:
Once the corresponding command is sent from the RAT, the
resolvePopWindow() method will be called and the device will pop a
Window with the message: “The new version has been released. Please
use after reinstallation.”
The malware will then try to download an app, named after
“update” and the bank’s short name from the CNC server,
simultaneously uninstalling the real, original bank app.
In the code shown above, “mpath” contains the CNC server IP
(103.228.65.101) and path (determined by the RAT); “mbkname” is the
bank name retrieved from the SQL lite database. The fake APK (e.g.
"updateBH.apk") is downloaded from the CNC server, however
we don’t know what the fake apps look like because during the research
the command for this malicious action was not executed from the RAT.
Yet the source of the “update*.apk” is definitely not certified by the
banks and might be harmful to the Android user.
- "UPDATE"
When the command to “update” is sent from the RAT, a similar app –
“update.apk” is downloaded from the CNC server and installed in the
Android phone:
- "UPLOAD SMS"
When the command to upload SMS is received from the RAT, the SMS of
the Android phone will be uploaded to the CNC server. The SMS has been
stored in the database once received:
Then the SMS is read from the database and uploaded to the CNC server
once the command is received:
- "SEND SMS"
Similarly, when the sending SMS command is received, the contact list
is sent through SMS.
- "BANK HIJACK"
Interesting enough, we found a partially finished method called “Bank
Hijack.” The code below partially shows how the BankHijack method
works. The malware reads the short bank name, e.g. “NH”, and then
keeps installing the updateNH.apk from the CNC server until it’s of
the newest version.
So far the part after the installation of the fake app is not
finished yet. We believe the hacker is having some problems finishing
the function temporarily.
As shown above, the hacker has designed and prepared for the
framework of a more malicious command from the CNC server once the
hijack methods are finished. Given the unique nature of how this app
works, including its ability to pull down multiple levels of personal
information and impersonate banking apps, a more robust mobile banking
threat could be on the horizon.
REFERENCE
__________________________________________________
[1] https://www.virustotal.com/intelligence