This malware binary is not a repackaged application as we have seen in the past. It masquerades as the game MADDEN NFL 12. The malware has three modules embedded into it: The main component is actually a dropper that drops a set of other components onto the compromised user device.

Figure 1: Android Malware Component

Upon installation, the malicious application drops these three malicious components:

• Header01.png: Rooting Exploit
• Footer01.png: IRCBot
• Border01.png: SMS Trojan

Figure 2: Files in asset folder of the main component

What’s It All About?

The files header01.png and footer01.png masquerade as PNG image files, although they are originally ELF files. Header01.png acts as a rooting exploit; we already discussed this in an earlier blog. The purpose of this component is to root the device and then elevate the device’s privilege. Once the device is rooted, footer01.png connects to a remote IRC channel. The final component, boarder01.png, acts as Trojan that sends SMS messages to premium numbers. The other *.png files in the package are just random image files to thwart hash-based detection. This can be seen in the details of the three components.

Main Dropper Component

The main dropper has a size of more than 5MB. The class file AndroidBotActivity is responsible for dropping the other three malicious components onto the device as well as for setting the highest permission to the directory in which it drops these component files. This Android manifest file gives us a vague idea of what this malware binary is capable of: Their package names and labels have been branded as com.android.bot and AndroidBotActivity.

Figure 3: Android manifest file of the main component

Figure 4: Malicious class file AndroidBotActivity dropper code

The malicious class file creates the directory /data/data/com.android.bot/files and drops the three component files, the root exploit, IRCBot, and SMS Trojan in the folder of the compromised device. It then gives chmod 777 permission to that directory. Each number in chmod represents the permissions given to different users such as owner, group, and others; here the malware binary sets the permission to chmod to 777 to give read, write, and execute permission for all users to this folder.

Figure 5 : Setting file permission to chmod 777

Root Exploit Component

The root exploit component is nothing new, as we have already discussed it in my previous blog. However, the malware authors have slightly modified the code. The root exploit component, in simple terms, roots the device to its highest privilege so that the attacker can gain admin privilege and can execute commands from a remote server. Once the device is rooted, it executes the IRCBot component file header01.png.

Figure 6: Code to execute the IRCBot component

IRCBot Component

This is basically a backdoor Trojan that acts as an IRCBot to connect to a remote server and receive and execute commands.

On analyzing this malware binary further, we find that once the system is rooted it sets a marker “1,” which means the system is already rooted. Thus the malware can skip attempting to exploit a device that is already rooted and also from again executing the file footer01.png.

Figure 7 : IRCBot component silently installs the SMS Trojan component

The malware then connects to the remote IRC server 199.68.<removed> and generates a random user name that is used to log into the remote IRC channel.

The malware joins the IRC channel #andros and waits for commands from the attacker.

Once it starts receiving commands from the remote site, it parses them and performs the actions. We found three commands:

• PRIVMSG #andros :[SH] – %s.
• PRIVMSG #andros :[ID] – %d
• PRIVMSG #andros :[EXIT] – exiting ordered.

SMS Trojan Component

The last component of the package is a regular SMS Trojan that sends SMS messages to premium numbers which charge the victim. This one also masquerade as a PNG image file but was originally an .apk file, an application package for Android. We have seen this type of premium SMS abuser many times in the past.

The difference in this malware binary when compared to others is, first, it retrieves the geo location of the SIM and based on the geo location it sends SMS to premium numbers corresponding to that geo location. This is carried out by the following snippet:

Figure 8: Snippet to get the geo location of the SIM

The Trojan sends SMS messages to the premium numbers if the SIM geo is found to be applicable.

Figure 9: Premium SMS numbers

The Trojan also has code to check the message body and sender of all SMS messages received. If the sender is found to be any of the numbers listed above, the malware aborts that message. This step is carried out by the abortBroadcast(); function.

The Trojan then broadcasts an SMS to a remote server along with the mobile number and the message body.

To sum it up, here is the flow diagram for this Android malware:

Figure 10: Flow diagram

Here’s an example of how dangerous this infection can be: If the victim receives a message from the bank that has a two-way authentication code, that message body–along with the mobile number–will be sent to the remote attacker, who can later compromise bank transactions. This alone tells us how serious this attack can be. However, we don’t know what the attackers do with this data, nor what their server-side code does.

In any case, this is a reminder that malware authors consider the Android platform their favorite mobile attack vector, and are coming up with new infection strategies to compromise users and their data. We expect this trend to continue thanks to the growing smart phone market as well as the continued increase of enterprise use, banking functionality, and other consumer usage.

We detect the main component of this malware as Android/Multi.dr, the root exploit component as Linux/Exploit-Lotoor.a, the IRCBot component as Android/IRCBot.a, and the SMS Trojan as Android/SMS.gen.

The malware binary is packaged with a legitimate application. In this case, the malicious exploit code comes with “Daily Beauties,” which showcases pictures of celebrities that are updated periodically. Attackers use this repacking approach to hide their malware within genuine applications, which users will download and install.

The following image represents the repacking a legit application with malicious code. These repackaged applications are made available in Android black markets and third-party markets.

                           Figure 1: Repackaged application

This malicious application requires the following user permissions:

Figure 2: User permissions required by the malicious application

From the preceding list of permissions requested by the malicious application, I was curious about two in particular.

• android.permission.MOUNT_UNMOUNT_FILESYSTEMS
• android.permission.WRITE_OWNER_DATA

Why would an application that displays pictures of celebrities require permission to write user data and mount/unmount file systems?

Upon opening the malicious application we see the names of celebrities, as shown in the below figure. The victims would see the pictures, but they wouldn’t see the malicious service running in the background.

Figure 3: A picture of the celebrity showcased by the application

So how does the exploit work? The malicious application has four files bundled along with the legit application. They can be found in the asset folder of the application package. The file names appear in Figure 4:

Figure 4: Malicious files in the asset folder of the Android application package

The file gbfm.png carries the exploit code; the others are script/shell files. all four masquerade as PNG image files, although they are originally ELF (gbfm.png, runme.png) and shell script (install.png, installsoft.png) files.

When the required services start, the malicious application renames the .png extension to .sh and executes the exploit as shell script.

Figure 5: Renaming the .png extension to .sh extension

The malicious application first checks for the version of the Android OS and then exploits it:

Figure 6: Malware checks for the Android OS version and executes the exploit

The malware next checks for the Unix user identifier of the currently running process and stores it. Then it triggers the exploit (gbfm.sh). If it’s successful, the malware will elevate the device to the root privilege.

When the device is successfully rooted, it will run the install.sh script, which will set the appropriate file permissions (chmod 4775) to the system partition and copies the shell from the bin folder /system/bin/sh to the folder created by the malicious application /system/xbin/appmaster. Thus the shell can be accessed whenever it wishes and the system partition is remounted.

Figure 7: Setting up the file permissions

After a while, the malware executes the installsoft.sh script, which silently downloads more APK files in the background and installs them by executing the “pm install” command in the root shell.

Figure 8: Installing APK files in the background

The malware retrieves the following information from the compromised device and sends that information to a remote site:

Figure 9: User information retrieved by the malicious file

The exploit will work only when the device has an SD card installed. If not, it will not run. McAfee products detect this malware in our latest DATs as Linux/Exploit-Lotoor.