McAfee Labs, Mobile Security

Trojan Hides in ROM of Chinese Android Devices

1
By on Apr 02, 2014

In China, some mobile phone geeks like to refresh their Android machines with images from the Internet. For some mobile phone dealers, this makes good business. They can earn extra money from refreshing phone ROMs for those users who want to erase a lot of useless applications in the original ROMs.

However, making an Android ROM image is not very difficult, which makes refreshing Android devices dangerous. Once malware has been added to an image, it is hard to get rid of it.

Last week, McAfee Labs acquired a sample found in some Android images from China. Among other interesting behavior, it downloads JavaScript code from a control server, and runs the code within WebView. McAfee Labs detects this threat as Android/Huigezi.A.

Android/Huigezi.A runs at boot up, and when SMS messages come in and calls go out. It runs as a service in the background, and poses as a system service. Once started, it sets up a timer to restart itself every 30 minutes.

 

Service runs background

Malware “service” running in the background.

The malware sends sensitive information–IMEI, IMSI and OS version–to a remote server, and get a response string in JSON format. The string contains nonstandard Base64-encoded JavaScript code. The malware injects the code to a piece of HTML, and writes it to a file under “/data/data/com.android.systemservice/cache/webviewCache/” on the device. The filename is the integer value of the current time.

 

Post sensitive information to C&C server

Posting sensitive information to the control server.

The following image shows one of the HTML files being injected with the malicious encoded JavaScript.

 

Artificially html with encoded javascript

HTML altered by the encoded JavaScript.

The decoded JavaScript:

 

Decoded javascript code

Decoded JavaScript.

Android/Huigezi.A sets up the binding of classes with a JavaScript interface for the HTML, and loads the HTML in the WebView client. The functions in the dex file will be executed by the JavaScript in the HTML.

 

Add javascript interface

Adding a JavaScript interface.

The payloads of this malware depend on the JavaScript downloaded from the control server. According to its code, the malware can take the following actions:

  • Send SMS messages
  • Post sensitive information–IMEI, IMSI, device model name, phone number, carrier name–to remote server
  • Download some install packages and install them silently
  • Retrieve SMS messages and store them to a hash map
  • Set up SMS messages to be blocked
  • Download a dex file, and load the class in it
  • Create a shell for the remote server

 

Create shell

Creating a shell.

Android/Huigezi.A is very different than other mobile Trojans. It is more flexible for hackers to launch attacks and harder for victims to become aware of its presence. Most important: It could hide in an Android image. Users probably need to refresh their ROM images, or get root privileges and uninstall the malware with command tools, not easy task for most people.

One Comment on “Trojan Hides in ROM of Chinese Android Devices

  • I don’t think the name "Android/Huigezi.A" is suitable for this sample, since Huigezi is the Chinese name of a famous Windows trojan family Hupigon and this sample hasn’t any relation with the Hupigon.

    Or maybe you refered Qihoo’s blog post about this malware — they firstly named this sample as "Huigezi", which is also unsuitable as my own opinion.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>